修改用户密码前先验证旧密码，增加安全性

4 years ago · a70e327a8e
8 changed files with 41 additions and 31 deletions
--- a/src/main/java/com/genersoft/iot/vmp/conf/security/AnonymousAuthenticationEntryPoint.java
+++ b/src/main/java/com/genersoft/iot/vmp/conf/security/AnonymousAuthenticationEntryPoint.java
@ -7,7 +7,6 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.stereotype.Component;

-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
--- a/src/main/java/com/genersoft/iot/vmp/conf/security/DefaultUserDetailsServiceImpl.java
+++ b/src/main/java/com/genersoft/iot/vmp/conf/security/DefaultUserDetailsServiceImpl.java
@ -7,17 +7,12 @@ import com.github.xiaoymin.knife4j.core.util.StrUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.CredentialsContainer;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Component;
-import org.springframework.stereotype.Service;

 import java.time.LocalDateTime;
-import java.util.Collection;

 /**
 * 用户登录认证逻辑
@ -39,12 +34,12 @@ public class DefaultUserDetailsServiceImpl implements UserDetailsService {

        // 查出密码
        User user = userService.getUserByUsername(username);
-        String password = SecurityUtils.encryptPassword(user.getPassword());
-        user.setPassword(password);
        if (user == null) {
            logger.info("登录用户：{} 不存在", username);
            throw new UsernameNotFoundException("登录用户：" + username + " 不存在");
        }
+        String password = SecurityUtils.encryptPassword(user.getPassword());
+        user.setPassword(password);
        return new LoginUser(user, LocalDateTime.now());
    }

--- a/src/main/java/com/genersoft/iot/vmp/conf/security/SecurityUtils.java
+++ b/src/main/java/com/genersoft/iot/vmp/conf/security/SecurityUtils.java
@ -1,8 +1,6 @@
 package com.genersoft.iot.vmp.conf.security;

 import com.genersoft.iot.vmp.conf.security.dto.LoginUser;
-import com.genersoft.iot.vmp.storager.dao.dto.User;
-import gov.nist.javax.sip.address.UserInfo;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
--- a/src/main/java/com/genersoft/iot/vmp/storager/dao/UserMapper.java
+++ b/src/main/java/com/genersoft/iot/vmp/storager/dao/UserMapper.java
@ -1,6 +1,5 @@
 package com.genersoft.iot.vmp.storager.dao;

-import com.genersoft.iot.vmp.gb28181.bean.GbStream;
 import com.genersoft.iot.vmp.storager.dao.dto.User;
 import org.apache.ibatis.annotations.*;
 import org.springframework.stereotype.Repository;
--- a/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
+++ b/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
@ -3,16 +3,13 @@ package com.genersoft.iot.vmp.vmanager.user;
 import com.genersoft.iot.vmp.conf.security.SecurityUtils;
 import com.genersoft.iot.vmp.conf.security.dto.LoginUser;
 import com.genersoft.iot.vmp.service.IUserService;
-import com.genersoft.iot.vmp.storager.dao.dto.User;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
 import io.swagger.annotations.ApiImplicitParams;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.util.DigestUtils;
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;

 import javax.security.sasl.AuthenticationException;
@ -53,17 +50,26 @@ public class UserController {
    @ApiOperation("修改密码")
    @ApiImplicitParams({
            @ApiImplicitParam(name = "username", value = "用户名", dataTypeClass = String.class),
-            @ApiImplicitParam(name = "password", value = "密码（未md5加密的密码）", dataTypeClass = String.class),
+            @ApiImplicitParam(name = "oldpassword", value = "旧密码（已md5加密的密码）", dataTypeClass = String.class),
+            @ApiImplicitParam(name = "password", value = "新密码（未md5加密的密码）", dataTypeClass = String.class),
    })
    @PostMapping("/changePassword")
-    public String changePassword(String password){
+    public String changePassword(String oldpassword, String password){
        // 获取当前登录用户id
-        int userId = SecurityUtils.getUserId();
-        boolean result = userService.changePassword(userId, DigestUtils.md5DigestAsHex(password.getBytes()));
-        if (result) {
-            return "success";
-        }else {
-            return "fail";
+        String username = SecurityUtils.getUserInfo().getUsername();
+        LoginUser user = null;
+        try {
+            user = SecurityUtils.login(username, oldpassword, authenticationManager);
+            if (user != null) {
+                int userId = SecurityUtils.getUserId();
+                boolean result = userService.changePassword(userId, DigestUtils.md5DigestAsHex(password.getBytes()));
+                if (result) {
+                    return "success";
+                }
+            }
+        } catch (AuthenticationException e) {
+            e.printStackTrace();
        }
+        return "fail";
    }
 }
--- a/src/main/java/com/genersoft/iot/vmp/web/AuthController.java
+++ b/src/main/java/com/genersoft/iot/vmp/web/AuthController.java
@ -3,8 +3,6 @@ package com.genersoft.iot.vmp.web;
 import com.genersoft.iot.vmp.service.IUserService;
 import com.genersoft.iot.vmp.storager.dao.dto.User;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;

@CrossOrigin
--- a/web_src/src/components/Login.vue
+++ b/web_src/src/components/Login.vue
@ -63,7 +63,7 @@ export default {

      this.$axios({
      	method: 'get',
-	      url:"/api/user/login",
+	url:"/api/user/login",
        params: loginParam
      }).then(function (res) {
        console.log(JSON.stringify(res));
--- a/web_src/src/components/dialog/changePassword.vue
+++ b/web_src/src/components/dialog/changePassword.vue
@ -11,6 +11,9 @@
    >
      <div id="shared" style="margin-right: 20px;">
        <el-form ref="passwordForm" :rules="rules" status-icon label-width="80px">
+              <el-form-item label="旧密码" prop="oldPassword" >
+                <el-input v-model="oldPassword" autocomplete="off"></el-input>
+              </el-form-item>
              <el-form-item label="新密码" prop="newPassword" >
                <el-input v-model="newPassword" autocomplete="off"></el-input>
              </el-form-item>
@ -31,15 +34,23 @@
 </template>

 <script>
+import crypto from 'crypto'
 export default {
  name: "changePassword",
  props: {},
  computed: {},
  created() {},
  data() {
-    let validatePass = (rule, value, callback) => {
+    let validatePass0 = (rule, value, callback) => {
+      if (value === '') {
+        callback(new Error('请输入旧密码'));
+      } else {
+        callback();
+      }
+    };
+    let validatePass1 = (rule, value, callback) => {
      if (value === '') {
-        callback(new Error('请输入密码'));
+        callback(new Error('请输入新密码'));
      } else {
        if (this.confirmPassword !== '') {
          this.$refs.passwordForm.validateField('confirmPassword');
@ -57,12 +68,14 @@ export default {
      }
    };
    return {
+      oldPassword: null,
      newPassword: null,
      confirmPassword: null,
      showDialog: false,
      isLoging: false,
      rules: {
-        newPassword: [{ required: true, validator: validatePass, trigger: "blur" }],
+        oldPassword: [{ required: true, validator: validatePass0, trigger: "blur" }],
+        newPassword: [{ required: true, validator: validatePass1, trigger: "blur" }],
        confirmPassword: [{ required: true, validator: validatePass2, trigger: "blur" }],
      },
    };
@ -76,13 +89,14 @@ export default {
        method: 'post',
        url:"/api/user/changePassword",
        params: {
+          oldpassword: crypto.createHash('md5').update(this.oldPassword, "utf8").digest('hex'),
          password: this.newPassword
        }
      }).then((res)=> {
        if (res.data === "success"){
          this.$message({
            showClose: true,
-            message: '修改成功，请重新登陆',
+            message: '修改成功，请重新登录',
            type: 'success'
          });
          this.showDialog = false;
@ -99,8 +113,9 @@ export default {
    },
    close: function () {
      this.showDialog = false;
-      this.newPassword= null;
-      this.confirmPassword=null;
+      this.oldPassword = null;
+      this.newPassword = null;
+      this.confirmPassword = null;
    },
  },
 };