解决安全策略设置不足-账号密码暴力破解

6e56921d · zengtianlai3 · f8633e15 · 6e56921d · 6e56921d
Commit 6e56921d authored Aug 05, 2022 by zengtianlai3
Hide whitespace changes
Inline Side-by-side

Showing with 70 additions and 37 deletions

LoginController.java .../java/iot/sixiang/license/controller/LoginController.java +40 -14

UserUtils.java license/src/main/java/iot/sixiang/license/jwt/UserUtils.java +30 -23

No files found.
--- a/license/src/main/java/iot/sixiang/license/controller/LoginController.java
+++ b/license/src/main/java/iot/sixiang/license/controller/LoginController.java
@@ -17,6 +17,7 @@ import org.springframework.util.DigestUtils;
 import org.springframework.web.bind.annotation.*;
 import springfox.documentation.annotations.ApiIgnore;

+import java.util.Date;
 import java.util.HashMap;
 import java.util.Map;

@@ -53,25 +54,50 @@ public class LoginController {
            String account = dbUser.getUserName();
            String psw = account + dbUser.getPassword();
            if (DigestUtils.md5DigestAsHex(account.getBytes()).equals(userName) && DigestUtils.md5DigestAsHex(psw.getBytes()).equals(password)) {
-                log.info("登录成功！生成token！");
-                String token = JwtUtil.createToken(dbUser);
-                LoginVo loginVo = new LoginVo();
-                loginVo.setAuthorization(token);
-                UserUtils.setToken(dbUser.getUserId(),token);
-                UserUtils.setTokenExp(dbUser.getUserId(), JwtUtil.getTokenExp());
-                return ResResult.success().goRecord(loginVo);
+                // 登录错误次数
+                Integer errCnt = UserUtils.getErrCnt(userName);
+                Date countFreezeDate = UserUtils.getCountFreezeDate(userName);
+                Date curDate = new Date();
+                if (errCnt != null && errCnt >= 3 && countFreezeDate != null && curDate.before(countFreezeDate)) {
+                    return ResResult.failed().setMsgValue("用户名或密码错误次数达到三次，请三分钟后再重试");
+                } else {
+                    String token = JwtUtil.createToken(dbUser);
+                    LoginVo loginVo = new LoginVo();
+                    loginVo.setAuthorization(token);
+                    UserUtils.setToken(dbUser.getUserId(),token);
+                    UserUtils.setTokenExp(dbUser.getUserId(), JwtUtil.getTokenExp());
+                    UserUtils.removeErrCnt(userName);
+                    UserUtils.removeCountFreezeDate(userName);
+                    log.info("登录成功！生成token！");
+                    return ResResult.success().goRecord(loginVo);
+                }
+            }
+        }
+        Integer errCnt = UserUtils.getErrCnt(userName);
+        if (errCnt == null) {
+            UserUtils.setErrCnt(userName, 1);
+        } else {
+            if (errCnt == 1) {
+                UserUtils.setErrCnt(userName, ++errCnt);
+            } else if (errCnt == 2) {
+                UserUtils.setErrCnt(userName, ++errCnt);
+                Date freezeDate = new Date(System.currentTimeMillis() + 3 * 60 * 1000);
+                UserUtils.setCountFreezeDate(userName, freezeDate);
+            } else {
+                Date countFreezeDate = UserUtils.getCountFreezeDate(userName);
+                Date curDate = new Date();
+                if (curDate.before(countFreezeDate)) {
+                    return ResResult.failed().setMsgValue("用户名或密码错误次数达到三次，请三分钟后再重试");
+                } else {
+                    UserUtils.setErrCnt(userName, 1);
+                    Date freezeDate = new Date(System.currentTimeMillis() + 3 * 60 * 1000);
+                    UserUtils.setCountFreezeDate(userName, freezeDate);
+                }
            }
        }
        return ResResult.failed().setMsgValue("用户名或密码错误");
    }

-    public static void main(String[] args) {
-        String account = "root";
-        String password = "root123456";
-        System.out.println(DigestUtils.md5DigestAsHex(account.getBytes()));
-        System.out.println(DigestUtils.md5DigestAsHex(password.getBytes()));
-    }
-
    @ApiOperation(value = "注销接口", notes = "注销接口")
    @GetMapping("logout")
    @MyLog(title = "注销", businessType = BusinessType.OTHER)

--- a/license/src/main/java/iot/sixiang/license/jwt/UserUtils.java
+++ b/license/src/main/java/iot/sixiang/license/jwt/UserUtils.java
@@ -12,12 +12,15 @@ public abstract class UserUtils {

    static Map<String, String> tokenMap = new HashMap<>();
    static Map<String, Date> tokenExpTimeMap = new HashMap<>();
-    //线程变量，存放user实体类信息，即使是静态的与其他线程也是隔离的
+    static Map<String, Integer> errCntMap = new HashMap<>();
+    static Map<String, Date> countFreezeDateMap = new HashMap<>();
+    /**
+     * 线程变量，存放user实体类信息，即使是静态的也与其他线程也是隔离的
+     */
    private static ThreadLocal<LoginUser> userThreadLocal = new ThreadLocal<>();
-    //线程变量，存放uri，即使是静态的与其他线程也是隔离的
    private static ThreadLocal<String> uriThreadLocal = new ThreadLocal<>();

-    //从当前线程变量中获取用户信息
+
    public static LoginUser getLoginUser() {
        LoginUser user = userThreadLocal.get();
        return user;
@@ -37,44 +40,31 @@ public abstract class UserUtils {
        return null;
    }

-    //为当前的线程变量赋值上用户信息
    public static void setLoginUser(LoginUser user) {
        userThreadLocal.set(user);
    }

-    //清除userThreadLocal线程变量
    public static void removeUser() {
        userThreadLocal.remove();
    }

-    //为当前的线程变量赋值上uri信息
    public static void setUri(String uri) {
        uriThreadLocal.set(uri);
    }

-    /**
-     * 获取当前访问方法的uri
-     * @return
-     */
    public static String getUri() {
        String uri = uriThreadLocal.get();
        return uri;
    }

-    //清除uriThreadLocal线程变量
    public static void removeUri() {
        uriThreadLocal.remove();
    }

-    //为当前的线程变量赋值上token信息
    public static void setToken(String uId, String token) {
        tokenMap.put(uId, token);
    }

-    /**
-     * 获取当前访问方法的token
-     * @return
-     */
    public static String getToken(String uId) {
        System.out.println("---");
        String s = tokenMap.get(uId);
@@ -82,27 +72,44 @@ public abstract class UserUtils {
        return tokenMap.get(uId);
    }

-    //清除tokenThreadLocal线程变量
    public static void removeToken(String uId) {
        tokenMap.remove(uId);
    }


-    //为当前的线程变量赋值上token信息
    public static void setTokenExp(String uId, Date tokenExpTime) {
        tokenExpTimeMap.put(uId, tokenExpTime);
    }

-    /**
-     * 获取当前访问方法的token
-     * @return
-     */
    public static Date getTokenExp(String uId) {
        return tokenExpTimeMap.get(uId);
    }

-    //清除tokenThreadLocal线程变量
    public static void removeTokenExp(String uId) {
        tokenExpTimeMap.remove(uId);
    }
+
+    public static void setErrCnt(String uId, Integer count) {
+        errCntMap.put(uId, count);
+    }
+
+    public static Integer getErrCnt(String uId) {
+        return errCntMap.get(uId);
+    }
+
+    public static void removeErrCnt(String uId) {
+        errCntMap.remove(uId);
+    }
+
+    public static void setCountFreezeDate(String uId, Date freezeDate) {
+        countFreezeDateMap.put(uId, freezeDate);
+    }
+
+    public static Date getCountFreezeDate(String uId) {
+        return countFreezeDateMap.get(uId);
+    }
+
+    public static void removeCountFreezeDate(String uId) {
+        countFreezeDateMap.remove(uId);
+    }
 }