From 74e563da7fa6886449fd2be5933e2d4ca5c85f48 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 12 九月 2023 11:25:52 +0800
Subject: [PATCH] [UPDATE] 解決弱點Se: Incorrect definition of Serializable class [UPDATE] 解決弱點Information exposure to log file [UPDATE] 解決弱點Use of hard-coded password
---
pamapi/src/main/java/com/pollex/pam/web/rest/EServiceResource.java | 47 +++++++++++++++++++++++++++++------------------
1 files changed, 29 insertions(+), 18 deletions(-)
diff --git a/pamapi/src/main/java/com/pollex/pam/web/rest/EServiceResource.java b/pamapi/src/main/java/com/pollex/pam/web/rest/EServiceResource.java
index b12ae2d..6bb5f5e 100644
--- a/pamapi/src/main/java/com/pollex/pam/web/rest/EServiceResource.java
+++ b/pamapi/src/main/java/com/pollex/pam/web/rest/EServiceResource.java
@@ -1,11 +1,10 @@
package com.pollex.pam.web.rest;
-import com.pollex.pam.business.aop.logging.audit.AuditLoggingInject;
-import com.pollex.pam.business.service.ConsultantService;
-import com.pollex.pam.security.jwt.JWTFilter;
-import com.pollex.pam.security.jwt.TokenProvider;
-import com.pollex.pam.business.security.token.EServiceAuthenticationToken;
-import com.pollex.pam.business.web.vm.EServiceLoginVM;
+import static com.pollex.pam.business.aop.logging.audit.AuditLoggingType.CONSULTANT_LOGIN;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -23,11 +22,14 @@
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
-import static com.pollex.pam.business.aop.logging.audit.AuditLoggingType.CONSULTANT_LOGIN;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
+import com.pollex.pam.business.aop.logging.audit.AuditLoggingInject;
+import com.pollex.pam.business.security.token.EServiceAuthenticationToken;
+import com.pollex.pam.business.service.ConsultantService;
+import com.pollex.pam.business.service.util.AesUtil;
+import com.pollex.pam.business.web.errors.OtpLoginFailException;
+import com.pollex.pam.business.web.vm.EServiceLoginVM;
+import com.pollex.pam.security.jwt.JWTFilter;
+import com.pollex.pam.security.jwt.TokenProvider;
@RestController
@RequestMapping("/api/eService")
@@ -44,30 +46,39 @@
@Autowired
ConsultantService consultantService;
+
+ @Autowired
+ AesUtil aesUtil;
@AuditLoggingInject(type = CONSULTANT_LOGIN)
@PostMapping("/authenticate/{imgCode}")
public ResponseEntity<UserJWTController.JWTToken> authorize(
@RequestBody EServiceLoginVM eServiceLoginVM
, HttpServletResponse response, HttpServletRequest request,
- @PathVariable String imgCode) {
- log.debug("imgCode:::::::"+imgCode);
+ @PathVariable String imgCode) throws Exception{
+
+
+ String paswword = aesUtil.aesDecode(eServiceLoginVM.getPassword());
+ if(!StringUtils.hasText(paswword)) {
+ throw new OtpLoginFailException("撖Ⅳ閫�撖仃���");
+ }
+
HttpSession session = request.getSession();
String sessionImpCode = (String) session.getAttribute("img_code");
if (!StringUtils.hasText(sessionImpCode)
|| !StringUtils.hasText(imgCode)) {
- return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+ throw new OtpLoginFailException("撽�Ⅳ頛詨�隤�");
}
if(!imgCode.equals(sessionImpCode)) {
- return ResponseEntity.status(HttpStatus.BAD_REQUEST).build();
+ throw new OtpLoginFailException("撽�Ⅳ頛詨�隤�");
}
-
- EServiceAuthenticationToken authenticationToken = new EServiceAuthenticationToken(
+ session.setAttribute("img_code", null);
+ EServiceAuthenticationToken authenticationToken = new EServiceAuthenticationToken(
eServiceLoginVM.getUsername(),
- eServiceLoginVM.getPassword()
+ paswword
);
Authentication authentication = authenticationManagerBuilder.getObject().authenticate(authenticationToken);
--
Gitblit v1.8.0