Merge pull request #84 from lawrencehj/wvp-28181-2.0

修改用户密码前先验证旧密码，增加安全性

Merge pull request #84 from lawrencehj/wvp-28181-2.0
修改用户密码前先验证旧密码，增加安全性
648540858 · GitHub
2 parents 8bd962c0 a70e327a
Showing 8 changed files with 41 additions and 31 deletions
src/main/java/com/genersoft/iot/vmp/conf/security/AnonymousAuthenticationEntryPoint.java
src/main/java/com/genersoft/iot/vmp/conf/security/DefaultUserDetailsServiceImpl.java
src/main/java/com/genersoft/iot/vmp/conf/security/SecurityUtils.java
src/main/java/com/genersoft/iot/vmp/storager/dao/UserMapper.java
src/main/java/com/genersoft/iot/vmp/vmanager/user/UserController.java
src/main/java/com/genersoft/iot/vmp/web/AuthController.java
web_src/src/components/Login.vue
web_src/src/components/dialog/changePassword.vue
@@ -7,7 +7,6 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.stereotype.Component;
-import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
@@ -7,17 +7,12 @@ import com.github.xiaoymin.knife4j.core.util.StrUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.core.CredentialsContainer;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.SpringSecurityCoreVersion;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.stereotype.Component;
-import org.springframework.stereotype.Service;
 import java.time.LocalDateTime;
-import java.util.Collection;
 /**
  * 用户登录认证逻辑
@@ -39,12 +34,12 @@ public class DefaultUserDetailsServiceImpl implements UserDetailsService {
         // 查出密码
         User user = userService.getUserByUsername(username);
-        String password = SecurityUtils.encryptPassword(user.getPassword());
-        user.setPassword(password);
         if (user == null) {
             logger.info("登录用户：{} 不存在", username);
             throw new UsernameNotFoundException("登录用户：" + username + " 不存在");
         }
+        String password = SecurityUtils.encryptPassword(user.getPassword());
+        user.setPassword(password);
         return new LoginUser(user, LocalDateTime.now());
     }
 package com.genersoft.iot.vmp.conf.security;
 import com.genersoft.iot.vmp.conf.security.dto.LoginUser;
-import com.genersoft.iot.vmp.storager.dao.dto.User;
-import gov.nist.javax.sip.address.UserInfo;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 package com.genersoft.iot.vmp.storager.dao;
-import com.genersoft.iot.vmp.gb28181.bean.GbStream;
 import com.genersoft.iot.vmp.storager.dao.dto.User;
 import org.apache.ibatis.annotations.*;
 import org.springframework.stereotype.Repository;
@@ -3,16 +3,13 @@ package com.genersoft.iot.vmp.vmanager.user;
 import com.genersoft.iot.vmp.conf.security.SecurityUtils;
 import com.genersoft.iot.vmp.conf.security.dto.LoginUser;
 import com.genersoft.iot.vmp.service.IUserService;
-import com.genersoft.iot.vmp.storager.dao.dto.User;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiImplicitParam;
 import io.swagger.annotations.ApiImplicitParams;
 import io.swagger.annotations.ApiOperation;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.util.DigestUtils;
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;
 import javax.security.sasl.AuthenticationException;
@@ -53,17 +50,26 @@ public class UserController {
     @ApiOperation("修改密码")
     @ApiImplicitParams({
             @ApiImplicitParam(name = "username", value = "用户名", dataTypeClass = String.class),
-            @ApiImplicitParam(name = "password", value = "密码（未md5加密的密码）", dataTypeClass = String.class),
+            @ApiImplicitParam(name = "oldpassword", value = "旧密码（已md5加密的密码）", dataTypeClass = String.class),
+            @ApiImplicitParam(name = "password", value = "新密码（未md5加密的密码）", dataTypeClass = String.class),
     })
     @PostMapping("/changePassword")
-    public String changePassword(String password){
+    public String changePassword(String oldpassword, String password){
         // 获取当前登录用户id
-        int userId = SecurityUtils.getUserId();
-        boolean result = userService.changePassword(userId, DigestUtils.md5DigestAsHex(password.getBytes()));
-        if (result) {
-            return "success";
-        }else {
-            return "fail";
+        String username = SecurityUtils.getUserInfo().getUsername();
+        LoginUser user = null;
+        try {
+            user = SecurityUtils.login(username, oldpassword, authenticationManager);
+            if (user != null) {
+                int userId = SecurityUtils.getUserId();
+                boolean result = userService.changePassword(userId, DigestUtils.md5DigestAsHex(password.getBytes()));
+                if (result) {
+                    return "success";
+                }
+            }
+        } catch (AuthenticationException e) {
+            e.printStackTrace();
         }
+        return "fail";
     }
 }
@@ -3,8 +3,6 @@ package com.genersoft.iot.vmp.web;
 import com.genersoft.iot.vmp.service.IUserService;
 import com.genersoft.iot.vmp.storager.dao.dto.User;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;
 @CrossOrigin
@@ -63,7 +63,7 @@ export default {
       this.$axios({
       	method: 'get',
-	      url:"/api/user/login",
+	url:"/api/user/login",
         params: loginParam
       }).then(function (res) {
         console.log(JSON.stringify(res));
@@ -11,6 +11,9 @@
     >
       <div id="shared" style="margin-right: 20px;">
         <el-form ref="passwordForm" :rules="rules" status-icon label-width="80px">
+              <el-form-item label="旧密码" prop="oldPassword" >
+                <el-input v-model="oldPassword" autocomplete="off"></el-input>
+              </el-form-item>
               <el-form-item label="新密码" prop="newPassword" >
                 <el-input v-model="newPassword" autocomplete="off"></el-input>
               </el-form-item>
@@ -31,15 +34,23 @@
 </template>
 <script>
+import crypto from 'crypto'
 export default {
   name: "changePassword",
   props: {},
   computed: {},
   created() {},
   data() {
-    let validatePass = (rule, value, callback) => {
+    let validatePass0 = (rule, value, callback) => {
+      if (value === '') {
+        callback(new Error('请输入旧密码'));
+      } else {
+        callback();
+      }
+    };
+    let validatePass1 = (rule, value, callback) => {
       if (value === '') {
-        callback(new Error('请输入密码'));
+        callback(new Error('请输入新密码'));
       } else {
         if (this.confirmPassword !== '') {
           this.$refs.passwordForm.validateField('confirmPassword');
@@ -57,12 +68,14 @@ export default {
       }
     };
     return {
+      oldPassword: null,
       newPassword: null,
       confirmPassword: null,
       showDialog: false,
       isLoging: false,
       rules: {
-        newPassword: [{ required: true, validator: validatePass, trigger: "blur" }],
+        oldPassword: [{ required: true, validator: validatePass0, trigger: "blur" }],
+        newPassword: [{ required: true, validator: validatePass1, trigger: "blur" }],
         confirmPassword: [{ required: true, validator: validatePass2, trigger: "blur" }],
       },
     };
@@ -76,13 +89,14 @@ export default {
         method: 'post',
         url:"/api/user/changePassword",
         params: {
+          oldpassword: crypto.createHash('md5').update(this.oldPassword, "utf8").digest('hex'),
           password: this.newPassword
         }
       }).then((res)=> {
         if (res.data === "success"){
           this.$message({
             showClose: true,
-            message: '修改成功，请重新登陆',
+            message: '修改成功，请重新登录',
             type: 'success'
           });
           this.showDialog = false;
@@ -99,8 +113,9 @@ export default {
     },
     close: function () {
       this.showDialog = false;
-      this.newPassword= null;
-      this.confirmPassword=null;
+      this.oldPassword = null;
+      this.newPassword = null;
+      this.confirmPassword = null;
     },
   },
 };