From a70e327a8efaf38d74911ea568419a087fbd235a Mon Sep 17 00:00:00 2001
From: lawrencehj <1934378145@qq.com>
Date: 星期四, 15 四月 2021 11:42:05 +0800
Subject: [PATCH] 修改用户密码前先验证旧密码,增加安全性

---
 web_src/src/components/Login.vue                                                         |    2 
 src/main/java/com/genersoft/iot/vmp/conf/security/AnonymousAuthenticationEntryPoint.java |    1 
 web_src/src/components/dialog/changePassword.vue                                         |   27 ++++++++++---
 src/main/java/com/genersoft/iot/vmp/web/AuthController.java                              |    2 -
 src/main/java/com/genersoft/iot/vmp/conf/security/SecurityUtils.java                     |    2 -
 src/main/java/com/genersoft/iot/vmp/storager/dao/UserMapper.java                         |    1 
 src/main/java/com/genersoft/iot/vmp/conf/security/DefaultUserDetailsServiceImpl.java     |    9 +---
 src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java                    |   28 ++++++++-----
 8 files changed, 41 insertions(+), 31 deletions(-)

diff --git a/src/main/java/com/genersoft/iot/vmp/conf/security/AnonymousAuthenticationEntryPoint.java b/src/main/java/com/genersoft/iot/vmp/conf/security/AnonymousAuthenticationEntryPoint.java
index 2064470..d4e25e3 100644
--- a/src/main/java/com/genersoft/iot/vmp/conf/security/AnonymousAuthenticationEntryPoint.java
+++ b/src/main/java/com/genersoft/iot/vmp/conf/security/AnonymousAuthenticationEntryPoint.java
@@ -7,7 +7,6 @@
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.stereotype.Component;
 
-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
diff --git a/src/main/java/com/genersoft/iot/vmp/conf/security/DefaultUserDetailsServiceImpl.java b/src/main/java/com/genersoft/iot/vmp/conf/security/DefaultUserDetailsServiceImpl.java
index c010335..63569ef 100644
--- a/src/main/java/com/genersoft/iot/vmp/conf/security/DefaultUserDetailsServiceImpl.java
+++ b/src/main/java/com/genersoft/iot/vmp/conf/security/DefaultUserDetailsServiceImpl.java
@@ -7,17 +7,12 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.CredentialsContainer;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Component;
-import org.springframework.stereotype.Service;
 
 import java.time.LocalDateTime;
-import java.util.Collection;
 
 /**
  * 鐢ㄦ埛鐧诲綍璁よ瘉閫昏緫
@@ -39,12 +34,12 @@
 
         // 鏌ュ嚭瀵嗙爜
         User user = userService.getUserByUsername(username);
-        String password = SecurityUtils.encryptPassword(user.getPassword());
-        user.setPassword(password);
         if (user == null) {
             logger.info("鐧诲綍鐢ㄦ埛锛歿} 涓嶅瓨鍦�", username);
             throw new UsernameNotFoundException("鐧诲綍鐢ㄦ埛锛�" + username + " 涓嶅瓨鍦�");
         }
+        String password = SecurityUtils.encryptPassword(user.getPassword());
+        user.setPassword(password);
         return new LoginUser(user, LocalDateTime.now());
     }
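Review bot: Moving the null check ahead of `SecurityUtils.encryptPassword(user.getPassword())` fixes the dereference, but `user.setPassword(password)` still overwrites the credential in place on the `User` returned by `userService.getUserByUsername` and then hands that object to `new LoginUser(user, ...)`, so the encoded password is carried on the principal for the life of the session. If `LoginUser` does not already implement Spring Security's `CredentialsContainer`, consider having it do so and clearing the wrapped password in `eraseCredentials()` so the provider drops it after a successful authentication (the `CredentialsContainer` import this commit removes from the file would then be needed again). If `getUserByUsername` can return a cached or otherwise shared instance, the in-place overwrite would also expose the encoded form to other readers of that object — worth confirming against the service. The enclosing method's signature is outside the hunk.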
 
diff --git a/src/main/java/com/genersoft/iot/vmp/conf/security/SecurityUtils.java b/src/main/java/com/genersoft/iot/vmp/conf/security/SecurityUtils.java
index d186d84..81b3408 100644
--- a/src/main/java/com/genersoft/iot/vmp/conf/security/SecurityUtils.java
+++ b/src/main/java/com/genersoft/iot/vmp/conf/security/SecurityUtils.java
@@ -1,8 +1,6 @@
 package com.genersoft.iot.vmp.conf.security;
 
 import com.genersoft.iot.vmp.conf.security.dto.LoginUser;
-import com.genersoft.iot.vmp.storager.dao.dto.User;
-import gov.nist.javax.sip.address.UserInfo;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
diff --git a/src/main/java/com/genersoft/iot/vmp/storager/dao/UserMapper.java b/src/main/java/com/genersoft/iot/vmp/storager/dao/UserMapper.java
index e16cadc..f8507cb 100644
--- a/src/main/java/com/genersoft/iot/vmp/storager/dao/UserMapper.java
+++ b/src/main/java/com/genersoft/iot/vmp/storager/dao/UserMapper.java
@@ -1,6 +1,5 @@
 package com.genersoft.iot.vmp.storager.dao;
 
-import com.genersoft.iot.vmp.gb28181.bean.GbStream;
 import com.genersoft.iot.vmp.storager.dao.dto.User;
 import org.apache.ibatis.annotations.*;
 import org.springframework.stereotype.Repository;
diff --git a/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java b/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
index 4fd7b96..706f97e 100644
--- a/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
+++ b/src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
@@ -3,16 +3,13 @@
 import com.genersoft.iot.vmp.conf.security.SecurityUtils;
 import com.genersoft.iot.vmp.conf.security.dto.LoginUser;
 import com.genersoft.iot.vmp.service.IUserService;
-import com.genersoft.iot.vmp.storager.dao.dto.User;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
 import io.swagger.annotations.ApiImplicitParams;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.util.DigestUtils;
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;
 
 import javax.security.sasl.AuthenticationException;
@@ -53,17 +50,26 @@
     @ApiOperation("淇敼瀵嗙爜")
     @ApiImplicitParams({
             @ApiImplicitParam(name = "username", value = "鐢ㄦ埛鍚�", dataTypeClass = String.class),
-            @ApiImplicitParam(name = "password", value = "瀵嗙爜锛堟湭md5鍔犲瘑鐨勫瘑鐮侊級", dataTypeClass = String.class),
+            @ApiImplicitParam(name = "oldpassword", value = "鏃у瘑鐮侊紙宸瞞d5鍔犲瘑鐨勫瘑鐮侊級", dataTypeClass = String.class),
+            @ApiImplicitParam(name = "password", value = "鏂板瘑鐮侊紙鏈猰d5鍔犲瘑鐨勫瘑鐮侊級", dataTypeClass = String.class),
     })
     @PostMapping("/changePassword")
-    public String changePassword(String password){
+    public String changePassword(String oldpassword, String password){
         // 鑾峰彇褰撳墠鐧诲綍鐢ㄦ埛id
-        int userId = SecurityUtils.getUserId();
-        boolean result = userService.changePassword(userId, DigestUtils.md5DigestAsHex(password.getBytes()));
-        if (result) {
-            return "success";
-        }else {
-            return "fail";
+        String username = SecurityUtils.getUserInfo().getUsername();
+        LoginUser user = null;
+        try {
+            user = SecurityUtils.login(username, oldpassword, authenticationManager);
+            if (user != null) {
+                int userId = SecurityUtils.getUserId();
+                boolean result = userService.changePassword(userId, DigestUtils.md5DigestAsHex(password.getBytes()));
+                if (result) {
+                    return "success";
+                }
+            }
+        } catch (AuthenticationException e) {
+            e.printStackTrace();
         }
+        return "fail";
     }
 }
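Review bot: `password.getBytes()` in the `userService.changePassword` call and the unannotated `String oldpassword, String password` parameters leave two gaps in the new endpoint: a request missing `password` binds it to null and throws a NullPointerException from `getBytes()` after the old password has already been verified, and `getBytes()` without a charset hashes with the JVM default, whereas the client digests with `"utf8"` in changePassword.vue, so non-ASCII passwords can hash differently on the two sides. Suggested: `public String changePassword(@RequestParam String oldpassword, @RequestParam String password)` and `DigestUtils.md5DigestAsHex(password.getBytes(StandardCharsets.UTF_8))` (with the `java.nio.charset.StandardCharsets` import). The `catch (AuthenticationException e)` branch should go through an SLF4J logger (add one to the controller if it has none) rather than `e.printStackTrace()`, e.g. `logger.warn("changePassword: old password verification failed for user {}", username);`, and ideally the client should be able to tell a rejected old password apart from the update itself failing, which the shared `"fail"` return currently hides. Separately, `SecurityUtils.login` is presumably the same routine the login endpoint uses; if it installs a fresh Authentication in the SecurityContext, a wrong old password here may leave the caller's context in a different state than before the call — worth confirming. Unsalted MD5 remains the stored form on both sides of this change; moving to a password encoder such as bcrypt is out of scope for this commit but worth tracking.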
diff --git a/src/main/java/com/genersoft/iot/vmp/web/AuthController.java b/src/main/java/com/genersoft/iot/vmp/web/AuthController.java
index 1a02c1e..f4a2af8 100644
--- a/src/main/java/com/genersoft/iot/vmp/web/AuthController.java
+++ b/src/main/java/com/genersoft/iot/vmp/web/AuthController.java
@@ -3,8 +3,6 @@
 import com.genersoft.iot.vmp.service.IUserService;
 import com.genersoft.iot.vmp.storager.dao.dto.User;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;
 
 @CrossOrigin
diff --git a/web_src/src/components/Login.vue b/web_src/src/components/Login.vue
index 65c27f6..6adf4a8 100644
--- a/web_src/src/components/Login.vue
+++ b/web_src/src/components/Login.vue
@@ -63,7 +63,7 @@
 
       this.$axios({
       	method: 'get',
-	      url:"/api/user/login",
+	url:"/api/user/login",
         params: loginParam
       }).then(function (res) {
         console.log(JSON.stringify(res));
diff --git a/web_src/src/components/dialog/changePassword.vue b/web_src/src/components/dialog/changePassword.vue
index 5842df0..39aba8d 100644
--- a/web_src/src/components/dialog/changePassword.vue
+++ b/web_src/src/components/dialog/changePassword.vue
@@ -11,6 +11,9 @@
     >
       <div id="shared" style="margin-right: 20px;">
         <el-form ref="passwordForm" :rules="rules" status-icon label-width="80px">
+              <el-form-item label="鏃у瘑鐮�" prop="oldPassword" >
+                <el-input v-model="oldPassword" autocomplete="off"></el-input>
+              </el-form-item>
               <el-form-item label="鏂板瘑鐮�" prop="newPassword" >
                 <el-input v-model="newPassword" autocomplete="off"></el-input>
               </el-form-item>
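Review bot: The new `<el-input v-model="oldPassword" autocomplete="off">` renders the old password in clear text while it is typed; since this field is the credential that authorizes the change, it should be masked, e.g. `<el-input v-model="oldPassword" type="password" autocomplete="off"></el-input>` (element-ui's `show-password` attribute adds a reveal toggle if one is wanted). The existing `newPassword` and `confirmPassword` inputs below have the same issue but are context lines here, so the same treatment would be a follow-up.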
@@ -31,15 +34,23 @@
 </template>
 
 <script>
+import crypto from 'crypto'
 export default {
   name: "changePassword",
   props: {},
   computed: {},
   created() {},
   data() {
-    let validatePass = (rule, value, callback) => {
+    let validatePass0 = (rule, value, callback) => {
       if (value === '') {
-        callback(new Error('璇疯緭鍏ュ瘑鐮�'));
+        callback(new Error('璇疯緭鍏ユ棫瀵嗙爜'));
+      } else {
+        callback();
+      }
+    };
+    let validatePass1 = (rule, value, callback) => {
+      if (value === '') {
+        callback(new Error('璇疯緭鍏ユ柊瀵嗙爜'));
       } else {
         if (this.confirmPassword !== '') {
           this.$refs.passwordForm.validateField('confirmPassword');
@@ -57,12 +68,14 @@
       }
     };
     return {
+      oldPassword: null,
       newPassword: null,
       confirmPassword: null,
       showDialog: false,
       isLoging: false,
       rules: {
-        newPassword: [{ required: true, validator: validatePass, trigger: "blur" }],
+        oldPassword: [{ required: true, validator: validatePass0, trigger: "blur" }],
+        newPassword: [{ required: true, validator: validatePass1, trigger: "blur" }],
         confirmPassword: [{ required: true, validator: validatePass2, trigger: "blur" }],
       },
     };
@@ -76,13 +89,14 @@
         method: 'post',
         url:"/api/user/changePassword",
         params: {
+          oldpassword: crypto.createHash('md5').update(this.oldPassword, "utf8").digest('hex'),
           password: this.newPassword
         }
       }).then((res)=> {
         if (res.data === "success"){
           this.$message({
             showClose: true,
-            message: '淇敼鎴愬姛锛岃閲嶆柊鐧婚檰',
+            message: '淇敼鎴愬姛锛岃閲嶆柊鐧诲綍',
             type: 'success'
           });
           this.showDialog = false;
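Review bot: The request digests `this.oldPassword` client-side but sends `this.newPassword` unhashed on the next line, and nothing in the file says why; the server side of this commit explains it (UserController verifies `oldpassword` through the login check against the stored md5 and md5-hashes the new `password` itself), so a comment here would save the next reader a trip: `// oldpassword: server compares against the stored md5, as login does; the new password is hashed server-side`. Because the stored value is the md5 hex, the client-side digest is itself the credential on the wire, so this does not reduce the request's reliance on TLS. `crypto.createHash` comes from Node's `crypto` module imported in the `<script>` hunk above; whether that resolves in a browser bundle depends on the bundler supplying a polyfill (webpack 4 does by default, webpack 5 does not), so the build target is worth confirming. `update(this.oldPassword, "utf8")` also throws if `oldPassword` is still `null`; whether the form is validated before this request is sent is outside the hunk.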
@@ -99,8 +113,9 @@
     },
     close: function () {
       this.showDialog = false;
-      this.newPassword= null;
-      this.confirmPassword=null;
+      this.oldPassword = null;
+      this.newPassword = null;
+      this.confirmPassword = null;
     },
   },
 };

--
Gitblit v1.8.0