From 74e563da7fa6886449fd2be5933e2d4ca5c85f48 Mon Sep 17 00:00:00 2001
From: jack <jack.su@pollex.com.tw>
Date: 星期二, 12 九月 2023 11:25:52 +0800
Subject: [PATCH] [UPDATE] 解決弱點Se: Incorrect definition of Serializable class [UPDATE] 解決弱點Information exposure to log file [UPDATE] 解決弱點Use of hard-coded password
---
pamapi/src/main/java/com/pollex/pam/web/rest/EServiceResource.java | 14 ++++++++++++--
1 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/pamapi/src/main/java/com/pollex/pam/web/rest/EServiceResource.java b/pamapi/src/main/java/com/pollex/pam/web/rest/EServiceResource.java
index fc49c7d..6bb5f5e 100644
--- a/pamapi/src/main/java/com/pollex/pam/web/rest/EServiceResource.java
+++ b/pamapi/src/main/java/com/pollex/pam/web/rest/EServiceResource.java
@@ -46,13 +46,22 @@
@Autowired
ConsultantService consultantService;
+
+ @Autowired
+ AesUtil aesUtil;
@AuditLoggingInject(type = CONSULTANT_LOGIN)
@PostMapping("/authenticate/{imgCode}")
public ResponseEntity<UserJWTController.JWTToken> authorize(
@RequestBody EServiceLoginVM eServiceLoginVM
, HttpServletResponse response, HttpServletRequest request,
- @PathVariable String imgCode){
+ @PathVariable String imgCode) throws Exception{
+
+
+ String paswword = aesUtil.aesDecode(eServiceLoginVM.getPassword());
+ if(!StringUtils.hasText(paswword)) {
+ throw new OtpLoginFailException("撖Ⅳ閫�撖仃���");
+ }
HttpSession session = request.getSession();
String sessionImpCode = (String) session.getAttribute("img_code");
@@ -65,10 +74,11 @@
if(!imgCode.equals(sessionImpCode)) {
throw new OtpLoginFailException("撽�Ⅳ頛詨�隤�");
}
+
session.setAttribute("img_code", null);
EServiceAuthenticationToken authenticationToken = new EServiceAuthenticationToken(
eServiceLoginVM.getUsername(),
- AesUtil.aesDecode(eServiceLoginVM.getPassword())
+ paswword
);
Authentication authentication = authenticationManagerBuilder.getObject().authenticate(authenticationToken);
--
Gitblit v1.8.0