ruoyi/RuoYi
1
0
Fork 0
mirror of https://github.com/yangzongzhuan/RuoYi.git synced 2025-10-15 01:58:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

新增CSRF防护功能

Browse Source
This commit is contained in:
RuoYi
2025-04-15 16:24:42 +08:00
parent 407f9f46d8
commit ea9976575a
11 changed files with 175 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysIndexController.java
View File

@@ -3,6 +3,7 @@ package com.ruoyi.web.controller.system;
import java.util.Date;
import java.util.List;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
@@ -45,7 +46,7 @@ public class SysIndexController extends BaseController
// 系统首页
@GetMapping("/index")
public String index(ModelMap mmap)
public String index(ModelMap mmap, HttpServletRequest request)
{
// 取身份信息
SysUser user = getSysUser();
@@ -82,6 +83,8 @@ public class SysIndexController extends BaseController
}
}
String webIndex = "topnav".equalsIgnoreCase(indexStyle) ? "index-topnav" : "index";
// CSRF Token
request.getSession().setAttribute(ShiroConstants.CSRF_TOKEN, ServletUtils.generateToken());
return webIndex;
}

7
ruoyi-admin/src/main/resources/application.yml
View File

@@ -136,6 +136,13 @@ xss:
# 匹配链接
urlPatterns: /system/*,/monitor/*,/tool/*
# 防止csrf攻击
csrf:
# 过滤开关
enabled: true
# 白名单(多个用逗号分隔)
whites:
# Swagger配置
swagger:
# 是否开启swagger

6
ruoyi-admin/src/main/resources/static/ruoyi/js/common.js
View File

@@ -573,6 +573,12 @@ function _stopIt(e) {
/** 设置全局ajax处理 */
$.ajaxSetup({
beforeSend: function (xhr, settings) {
var csrftoken = $('meta[name=csrf-token]').attr('content')
if (($.common.equalsIgnoreCase(settings.type, "POST"))) {
xhr.setRequestHeader("csrf_token", csrftoken)
}
},
complete: function(XMLHttpRequest, textStatus) {
if (textStatus == 'timeout') {
$.modal.alertWarning("服务器超时,请稍后再试!");

25
ruoyi-admin/src/main/resources/static/ruoyi/js/ry-ui.js
View File

@@ -277,6 +277,7 @@ var table = {
} else if ($.common.equals("open", target)) {
top.layer.alert(input.val(), {
title: "信息内容",
area: ['400px', ''],
shadeClose: true,
btn: ['确认'],
btnclass: ['btn btn-primary'],
@@ -1049,7 +1050,11 @@ var table = {
type: type,
dataType: dataType,
data: data,
beforeSend: function () {
beforeSend: function (xhr, settings) {
var csrftoken = $('meta[name=csrf-token]').attr('content');
if ($.common.equalsIgnoreCase(settings.type, "POST")) {
xhr.setRequestHeader("csrf_token", csrftoken);
}
$.modal.loading("正在处理中,请稍候...");
},
success: function(result) {
@@ -1229,7 +1234,11 @@ var table = {
type: "post",
dataType: "json",
data: data,
beforeSend: function () {
beforeSend: function (xhr, settings) {
var csrftoken = $('meta[name=csrf-token]').attr('content');
if (($.common.equalsIgnoreCase(settings.type, "POST"))) {
xhr.setRequestHeader("csrf_token", csrftoken);
}
$.modal.loading("正在处理中,请稍候...");
$.modal.disable();
},
@@ -1249,7 +1258,11 @@ var table = {
type: "post",
dataType: "json",
data: data,
beforeSend: function () {
beforeSend: function (xhr, settings) {
var csrftoken = $('meta[name=csrf-token]').attr('content');
if (($.common.equalsIgnoreCase(settings.type, "POST"))) {
xhr.setRequestHeader("csrf_token", csrftoken);
}
$.modal.loading("正在处理中,请稍候...");
},
success: function(result) {
@@ -1275,7 +1288,11 @@ var table = {
type: "post",
dataType: "json",
data: data,
beforeSend: function () {
beforeSend: function (xhr, settings) {
var csrftoken = $('meta[name=csrf-token]').attr('content');
if (($.common.equalsIgnoreCase(settings.type, "POST"))) {
xhr.setRequestHeader("csrf_token", csrftoken);
}
$.modal.loading("正在处理中,请稍候...");
},
success: function(result) {

1
ruoyi-admin/src/main/resources/templates/include.html
View File

@@ -5,6 +5,7 @@
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="keywords" content="">
<meta name="description" content="">
<meta th:content="${session.csrf_token}" name="csrf-token"/>
<title th:text="${title}"></title>
<link th:href="@{/css/bootstrap.min.css?v=3.3.7}" rel="stylesheet"/>
<link th:href="@{/css/font-awesome.min.css?v=4.7.0}" rel="stylesheet"/>

5
ruoyi-admin/src/main/resources/templates/lock.html
View File

@@ -3,6 +3,7 @@
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta th:content="${session.csrf_token}" name="csrf-token"/>
<!--360浏览器优先以webkit内核解析-->
<title>锁定屏幕</title>
<link th:href="@{favicon.ico}" rel="shortcut icon"/>
@@ -94,7 +95,9 @@
type: "post",
dataType: "json",
data: { password: password },
beforeSend: function() {
beforeSend: function(xhr) {
var csrftoken = $('meta[name=csrf-token]').attr('content');
xhr.setRequestHeader("csrf_token", csrftoken);
index = layer.load(2, {shade: false});
},
success: function(result) {