diff --git a/doc/XXL-JOB官方文档.md b/doc/XXL-JOB官方文档.md
index 4a4dcd8a..3ea55bdc 100644
--- a/doc/XXL-JOB官方文档.md
+++ b/doc/XXL-JOB官方文档.md
@@ -1101,7 +1101,7 @@ Tips: 历史版本(V1.3.x)目前已经Release至稳定版本, 进入维护阶段
 - 24、Log地址格式兼容,支持非"/"结尾路径配置;
 - 25、底层系统日志级别规范调整,清理遗留代码;
 - 26、建表SQL优化,支持同步创建制定编码的库和表;
-- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密;
+- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密,同时Cookie启用HttpOnly;
 ### TODO LIST
diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
index da7f699f..1d6facf5 100644
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
@@ -17,7 +17,8 @@ import java.math.BigInteger;
 * @author xuxueli 2015-12-12 18:09:04
 */
 public class PermissionInterceptor extends HandlerInterceptorAdapter {
-
+
+ public static final String LOGIN_IDENTITY_KEY = "XXL_JOB_LOGIN_IDENTITY";
 public static final String LOGIN_IDENTITY_TOKEN;
 static {
@@ -30,7 +31,9 @@ public class PermissionInterceptor extends HandlerInterceptorAdapter {
 LOGIN_IDENTITY_TOKEN = tokenTmp;
 }
-
+
+
+
 public static boolean login(HttpServletResponse response, String username, String password, boolean ifRemember){
 // login token
@@ -56,6 +59,8 @@ public class PermissionInterceptor extends HandlerInterceptorAdapter {
 return true;
 }
+
+
 @Override
 public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
index 28baa214..31f30ee3 100644
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
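Review bot: The new public constant `LOGIN_IDENTITY_KEY` in the first PermissionInterceptor hunk has no Javadoc, and since it is the name under which the login identity cookie is presumably stored, a one-line comment such as `/** Name of the cookie that carries the login identity token (see CookieUtil). */` would make the contract visible to callers in other classes. Note also that `LOGIN_IDENTITY_TOKEN` is assigned exactly once in the static initializer (`LOGIN_IDENTITY_TOKEN = tokenTmp;`), so whatever is written under that cookie name is constant for the lifetime of the process; if, as the changelog line in this commit suggests, it is an MD5 of the configured credentials, a cookie that leaks stays valid until those credentials change, and MD5 is a digest rather than the "encryption" the changelog wording implies. HttpOnly limits script access but not exposure in transit, so the same cookie should also carry the Secure attribute when the admin console is served over TLS. The other two hunks in this file add only blank lines, and the `login` and `preHandle` bodies continue outside the hunks.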
@@ -6,9 +6,11 @@ import javax.servlet.http.HttpServletResponse;
 /**
 * Cookie.Util
+ *
 * @author xuxueli 2015-12-12 18:01:06
 */
 public class CookieUtil {
+ // 默认缓存时间,单位/秒, 2H
 private static final int COOKIE_MAX_AGE = 60 * 60 * 2;
 // 保存路径,根路径
@@ -16,43 +18,39 @@ public class CookieUtil {
 /**
 * 保存
+ *
 * @param response
 * @param key
 * @param value
 * @param ifRemember
 */
 public static void set(HttpServletResponse response, String key, String value, boolean ifRemember) {
-
- int age = COOKIE_MAX_AGE;
- if (ifRemember) {
- age = COOKIE_MAX_AGE;
- } else {
- age = -1;
- }
-
- Cookie cookie = new Cookie(key, value);
- cookie.setMaxAge(age); // Cookie过期时间,单位/秒
- cookie.setPath(COOKIE_PATH); // Cookie适用的路径
- response.addCookie(cookie);
+ int age = ifRemember?COOKIE_MAX_AGE:-1;
+ set(response, key, value, null, COOKIE_PATH, age, true);
 }
 /**
 * 保存
+ *
 * @param response
 * @param key
 * @param value
 * @param maxAge
 */
- private static void set(HttpServletResponse response,
- String key, String value, int maxAge, String path) {
+ private static void set(HttpServletResponse response, String key, String value, String domain, String path, int maxAge, boolean isHttpOnly) {
 Cookie cookie = new Cookie(key, value);
- cookie.setMaxAge(maxAge); // Cookie过期时间,单位/秒
- cookie.setPath(path); // Cookie适用的路径
+ if (domain != null) {
+ cookie.setDomain(domain);
+ }
+ cookie.setPath(path);
+ cookie.setMaxAge(maxAge);
+ cookie.setHttpOnly(isHttpOnly);
 response.addCookie(cookie);
 }
 /**
 * 查询value
+ *
 * @param request
 * @param key
 * @return
@@ -67,6 +65,7 @@ public class CookieUtil {
 /**
 * 查询Cookie
+ *
 * @param request
 * @param key
 */
@@ -84,6 +83,7 @@ public class CookieUtil {
 /**
 * 删除Cookie
+ *
 * @param request
 * @param response
 * @param key
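Review bot: The new private `set` overload in the `@@ -16,43` hunk enables HttpOnly but never sets the `Secure` attribute, so the login cookie written by `set(response, key, value, null, COOKIE_PATH, age, true)` is still transmitted over plain HTTP; since the overload already threads `isHttpOnly` through, the natural companion is a `boolean isSecure` parameter with `cookie.setSecure(isSecure);` beside `cookie.setHttpOnly(isHttpOnly);`, driven from configuration rather than hard-coded, because the public `set` has no request to consult and an installation served over plain HTTP would otherwise lose the cookie entirely. Both visible callers pass `null` for `domain` and `true` for `isHttpOnly`, so as written those two parameters are constants in disguise. The Javadoc on the overload still lists only `response`, `key`, `value` and `maxAge`; it should also document `domain`, `path` and `isHttpOnly`, e.g. `@param isHttpOnly whether the cookie is withheld from client-side script`. Minor style point: `ifRemember?COOKIE_MAX_AGE:-1` wants spaces around the ternary operators.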
@@ -91,7 +91,7 @@ public class CookieUtil {
 public static void remove(HttpServletRequest request, HttpServletResponse response, String key) {
 Cookie cookie = get(request, key);
 if (cookie != null) {
- set(response, key, "", 0, COOKIE_PATH);
+ set(response, key, "", null, COOKIE_PATH, 0, true);
 }
 }