1.加入越权和sql注入防御机制

王通
1 parent daf25afc
Showing 13 changed files with 792 additions and 338 deletions
src/main/java/com/bsth/common/Constants.java
src/main/java/com/bsth/common/SystemParamKeys.java
src/main/java/com/bsth/controller/realcontrol/AdminUtilsController.java
src/main/java/com/bsth/data/SystemParamCache.java
src/main/java/com/bsth/data/directive/GatewayHttpUtils.java
src/main/java/com/bsth/data/gpsdata_v2/load/GatewayHttpLoader.java
src/main/java/com/bsth/data/gpsdata_v2/load/SocketClientLoader.java
src/main/java/com/bsth/entity/sys/SysUser.java
src/main/java/com/bsth/filter/AuthorityFilter.java
src/main/java/com/bsth/filter/SQLInjectFilter.java
src/main/java/com/bsth/security/WebSecurityConfig.java
src/main/java/com/bsth/service/SystemParamService.java
src/main/java/com/bsth/service/impl/SystemParamServiceImpl.java
-package com.bsth.common;
-
-/**
- * 
- * @ClassName: Constants 
- * @Description: TODO(常量类) 
- * @author PanZhao 
- * @date 2016年3月18日 下午11:06:53 
- *
- */
-public class Constants {
-	
-	/**
-	 * 不需要拦截的资源
-	 */
-	public static final String LOGIN = "/user/login/**";
-	public static final String LOGIN_PAGE = "/login.html";
-	public static final String ASSETS_URL = "/assets/**";
-	public static final String FAVICON_URL = "/favicon.ico";
-	public static final String METRONIC_URL = "/metronic_v4.5.4/**";
-	public static final String LOGIN_FAILURE = "/user/loginFailure";
-	public static final String CAPTCHA = "/captcha.jpg";
-	//免登录白名单
-	public static final String XD_PAGE = "/pages/control/lineallot_v3/**";
-	public static final String FREE_URL="/freeLogin/**";
-	public static final String FREE_XD_CHILD_PAGES = "/real_control_v3/**";
-
-	//对外的营运数据接口
-	public static final String SERVICE_INTERFACE = "/companyService/**";
-
-	/**
-	 * 线调部分子页面不做拦截，便于浏览器缓存
-	 */
-	public static final String XD_CHILD_PAGES = "/real_control_v2/**";
-	public static final String XD_REAL_GPS = "/gps/real/line";
-	//public static final String XD_TEMPS = "/pages/control/line/temps/**";
-	
-	//车载网关上行接口
-	public static final String UPSTREAM_URL = "/control/upstream";
-	//站点道闸上传入口
-	public static final String STATIONSIGNO_URL = "/control/stationSigno";
-	//rfid 上传入口
-	public static final String UP_RFID_URL = "/rfid/**";
-	
-	public static final String SESSION_USERNAME = "sessionUserName";
-	public static final String COMPANY_AUTHORITYS = "cmyAuths";
-	public static final String STATION_AND_SECTION_COUNT = "/station/updateStationAndSectionCode";
-
-	/**
-	 * 解除调度指令和班次的外键约束
-	 */
-	public static final String REMOVE_DIRECTIVE_SCH_FK = "update bsth_v_directive_60 set sch=NULL where sch=?";
-
-	/**
-	 * 批量解除调度指令和班次的外键约束
-	 */
-	public static final String MULTI_REMOVE_DIRECTIVE_SCH_FK = "update bsth_v_directive_60 set sch=NULL where sch in ";
-}
+package com.bsth.common;
+
+/**
+ * 
+ * @ClassName: Constants 
+ * @Description: TODO(常量类) 
+ * @author PanZhao 
+ * @date 2016年3月18日 下午11:06:53 
+ *
+ */
+public class Constants {
+	
+	/**
+	 * 不需要拦截的资源
+	 */
+	public static final String LOGIN = "/user/login/**";
+	public static final String LOGIN_PAGE = "/login.html";
+	public static final String ASSETS_URL = "/assets/**";
+	public static final String FAVICON_URL = "/favicon.ico";
+	public static final String METRONIC_URL = "/metronic_v4.5.4/**";
+	public static final String LOGIN_FAILURE = "/user/loginFailure";
+	public static final String CAPTCHA = "/captcha.jpg";
+	//免登录白名单
+	public static final String XD_PAGE = "/pages/control/lineallot_v3/**";
+	public static final String FREE_URL="/freeLogin/**";
+	public static final String FREE_XD_CHILD_PAGES = "/real_control_v3/**";
+
+	//对外的营运数据接口
+	public static final String SERVICE_INTERFACE = "/companyService/**";
+
+	/**
+	 * 线调部分子页面不做拦截，便于浏览器缓存
+	 */
+	public static final String XD_CHILD_PAGES = "/real_control_v2/**";
+	public static final String XD_REAL_GPS = "/gps/real/line";
+	//public static final String XD_TEMPS = "/pages/control/line/temps/**";
+	
+	//车载网关上行接口
+	public static final String UPSTREAM_URL = "/control/upstream";
+	//站点道闸上传入口
+	public static final String STATIONSIGNO_URL = "/control/stationSigno";
+	//rfid 上传入口
+	public static final String UP_RFID_URL = "/rfid/**";
+	
+	public static final String SESSION_USERNAME = "sessionUserName";
+	public static final String COMPANY_AUTHORITYS = "cmyAuths";
+	public static final String STATION_AND_SECTION_COUNT = "/station/updateStationAndSectionCode";
+
+	/**
+	 * 解除调度指令和班次的外键约束
+	 */
+	public static final String REMOVE_DIRECTIVE_SCH_FK = "update bsth_v_directive_60 set sch=NULL where sch=?";
+
+	/**
+	 * 批量解除调度指令和班次的外键约束
+	 */
+	public static final String MULTI_REMOVE_DIRECTIVE_SCH_FK = "update bsth_v_directive_60 set sch=NULL where sch in ";
+
+	public static final String RESOURCE_AUTHORITYS = "resourceAuthoritys";
+}
+package com.bsth.common;
+
+/**
+ * @author Hill
+ */
+public class SystemParamKeys {
+
+    public static final String SPECIAL_ROLES = "special.roles";
+
+    public static final String SPECIAL_DAYS = "special.days";
+
+    public static final String URL_HTTP_GPS_REAL_CACHE = "url.http.gps.real.cache";
+
+    public static final String URL_HTTP_GPS_REAL = "url.http.gps.real";
+
+    public static final String URL_HTTP_DIRECTIVE = "url.http.directive";
+
+    public static final String URL_HTTP_RFID = "url.http.rfid";
+
+    public static final String URL_HTTP_REPORT = "url.http.report.%s";
+
+    public static final String URL_HTTP_TICKETING = "url.http.ticketing";
+
+    public static final String URL_HTTP_DSM_ACK = "url.http.dsm.ack";
+
+    public static final String URL_HTTP_CP_ACK = "url.http.cp.ack";
+
+    public static final String MAIL_ADMIN = "mail.admin";
+
+    public static final String MAIL_WAYBILL = "mail.waybill";
+
+    public static final String ENABLED_FIRST_LAST_GENERATION = "enabled.first.last.generation";
+
+    public static final String ENABLED_FILTER_SQL_INJECTION = "enabled.filter.sql.injection";
+
+    public static final String ENABLED_SSO = "enabled.sso";
+
+    public static final String SSO_SYSTEM_CODE = "sso.system.code";
+
+    public static final String URL_HTTP_SSO_LOGIN = "url.http.sso.login";
+
+    public static final String URL_HTTP_SSO_LOGOUT = "url.http.sso.logout";
+
+    public static final String URL_HTTP_SSO_AUTH = "url.http.sso.auth";
+
+    public static final String URL_HTTP_MAINTENANCE = "url.http.maintenance";
+
+    public static final String ENABLED_WHITE_IP = "enabled.white.ip";
+
+    public static final String ENABLED_FILTER_AUTHORITY = "enabled.filter.authority";
+}
@@ -5,14 +5,21 @@ import ch.qos.logback.classic.LoggerContext;
 import com.bsth.data.BasicData;
 import com.bsth.data.directive.DayOfDirectives;
 import com.bsth.data.directive.DirectivesPstThread;
+import com.bsth.data.directive.GatewayHttpUtils;
 import com.bsth.data.gpsdata_v2.cache.GeoCacheData;
 import com.bsth.data.gpsdata_v2.handlers.overspeed.OverspeedProcess;
+import com.bsth.data.gpsdata_v2.load.GatewayHttpLoader;
+import com.bsth.data.gpsdata_v2.load.SocketClientLoader;
 import com.bsth.data.gpsdata_v2.thread.GpsDataLoaderThread;
 import com.bsth.data.msg_queue.DirectivePushQueue;
 import com.bsth.data.msg_queue.WebSocketPushQueue;
 import com.bsth.data.pilot80.PilotReport;
 import com.bsth.data.schedule.DayOfSchedule;
 import com.bsth.entity.realcontrol.ScheduleRealInfo;
+import com.bsth.filter.SQLInjectFilter;
+import com.bsth.service.SectionService;
+import com.bsth.service.StationService;
+import com.bsth.service.SystemParamService;
 import com.bsth.websocket.handler.SendUtils;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.slf4j.Logger;
@@ -58,6 +65,18 @@ public class AdminUtilsController {
     @Autowired
     private BasicData.BasicDataLoader basicDataLoader;
  
+    @Autowired
+    private SystemParamService systemParamService;
+
+    @Autowired
+    private SocketClientLoader socketClientLoader;
+
+    @Autowired
+    private GatewayHttpLoader gatewayHttpLoader;
+
+    @Autowired
+    private GatewayHttpUtils gatewayHttpUtils;
+
     /**
      * 出现重复班次的车辆
      *
@@ -216,11 +235,56 @@ public class AdminUtilsController {
         return "error";
     }
  
+    @RequestMapping("/setInjectStr")
+    public String setInjectStr(@RequestParam String injectStr) {
+        Map<String, Object> result = new HashMap<>();
+        try {
+            SQLInjectFilter.setInjStr(injectStr);
+            return "success";
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        return "error";
+    }
+
     @RequestMapping("/reloadSystemParam")
     public String reloadSystemParam() {
-        Map<String, Object> result = new HashMap<>();
         try {
-            basicDataLoader.loadSystemParam();
+            systemParamService.refresh();
+
+            return "success";
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        return "error";
+    }
+
+    @RequestMapping("/applySystemParam")
+    public String applySystemParam() {
+        try {
+            socketClientLoader.afterPropertiesSet();
+            gatewayHttpLoader.afterPropertiesSet();
+            gatewayHttpUtils.afterPropertiesSet();
+
+            return "success";
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        return "error";
+    }
+
+    @RequestMapping("/reloadAndApplySystemParam")
+    public String reloadAndApplySystemParam() {
+        try {
+            systemParamService.refresh();
+
+            socketClientLoader.afterPropertiesSet();
+            gatewayHttpLoader.afterPropertiesSet();
+            gatewayHttpUtils.afterPropertiesSet();
+
             return "success";
         } catch (Exception e) {
             e.printStackTrace();
+package com.bsth.data;
+
+import com.bsth.common.SystemParamKeys;
+import com.bsth.service.SystemParamService;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Hill
+ */
+@Component
+public class SystemParamCache implements InitializingBean {
+
+    @Autowired
+    private SystemParamService systemParamService;
+
+    private static SystemParamService systemParamService1;
+
+    public static String getSpecialRoles() {
+        return systemParamService1.getValue(SystemParamKeys.SPECIAL_ROLES);
+    }
+
+    public static String getSpecialDays() {
+        return systemParamService1.getValue(SystemParamKeys.SPECIAL_DAYS);
+    }
+
+    public static String getUrlHttpGpsRealCache() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_GPS_REAL_CACHE);
+    }
+
+    public static String getUrlHttpGpsReal() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_GPS_REAL);
+    }
+
+    public static String getUrlHttpDirective() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_DIRECTIVE);
+    }
+
+    public static String getUrlHttpRfid() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_RFID);
+    }
+
+    public static String getUrlHttpReport(String param) {
+        return systemParamService1.getValue(String.format(SystemParamKeys.URL_HTTP_REPORT, param));
+    }
+
+    public static String getUrlHttpTicketing() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_TICKETING);
+    }
+
+    public static String getUrlHttpDsmAck() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_DSM_ACK);
+    }
+
+    public static String getUrlHttpCpAck() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_CP_ACK);
+    }
+
+    public static String getMailAdmin() {
+        return systemParamService1.getValue(SystemParamKeys.MAIL_ADMIN);
+    }
+
+    public static String getMailWaybill() {
+        return systemParamService1.getValue(SystemParamKeys.MAIL_WAYBILL);
+    }
+
+    public static boolean getEnabledFirstLastGeneration() {
+        return Boolean.parseBoolean(systemParamService1.getValue(SystemParamKeys.ENABLED_FIRST_LAST_GENERATION));
+    }
+
+    public static boolean getEnabledFilterSqlInjection() {
+        return Boolean.parseBoolean(systemParamService1.getValue(SystemParamKeys.ENABLED_FILTER_SQL_INJECTION));
+    }
+
+    public static boolean getEnabledSso() {
+        return Boolean.parseBoolean(systemParamService1.getValue(SystemParamKeys.ENABLED_SSO));
+    }
+
+    public static String getSsoSystemCode() {
+        return systemParamService1.getValue(SystemParamKeys.SSO_SYSTEM_CODE);
+    }
+
+    public static String getUrlHttpSsoLogin() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_SSO_LOGIN);
+    }
+
+    public static String getUrlHttpSsoLogout() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_SSO_LOGOUT);
+    }
+
+    public static String getUrlHttpSsoAuth() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_SSO_AUTH);
+    }
+
+    public static String getUrlHttpMaintenance() {
+        return systemParamService1.getValue(SystemParamKeys.URL_HTTP_MAINTENANCE);
+    }
+
+    public static boolean getEnabledWhiteIp() {
+        return Boolean.parseBoolean(systemParamService1.getValue(SystemParamKeys.ENABLED_WHITE_IP));
+    }
+
+    public static boolean getEnableFilterAuthority() {
+        return Boolean.parseBoolean(systemParamService1.getValue(SystemParamKeys.ENABLED_FILTER_AUTHORITY));
+    }
+
+    @Override
+    public void afterPropertiesSet() throws Exception {
+        systemParamService1 = systemParamService;
+        systemParamService1.refresh();
+    }
+}
-package com.bsth.data.directive;
-
-import com.alibaba.fastjson.JSONObject;
-import com.bsth.util.ConfigUtil;
-import org.apache.http.client.config.RequestConfig;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.client.methods.HttpPost;
-import org.apache.http.entity.StringEntity;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
-import org.apache.http.util.EntityUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * @author PanZhao
- * @ClassName: GatewayHttpUtils
- * @Description: TODO(和网关HTTP通讯工具类)
- * @date 2016年8月14日 下午9:50:46
- */
-public class GatewayHttpUtils {
-    static Logger logger = LoggerFactory.getLogger(GatewayHttpUtils.class);
-
-    static String url;
-    static CloseableHttpClient httpClient = null;
-    static HttpPost post;
-    static RequestConfig requestConfig;
-    static CloseableHttpResponse response;
-
-    static {
-        url = ConfigUtil.get("http.send.directive");
-        httpClient = HttpClients.createDefault();
-        post = new HttpPost(url);
-        requestConfig = RequestConfig.custom()
-                .setConnectTimeout(3000).setConnectionRequestTimeout(2000)
-                .setSocketTimeout(3000).build();
-        post.setConfig(requestConfig);
-    }
-
-    public static int postJson(String jsonStr) {
-        logger.info("send : " + jsonStr);
-
-        int code = -1;
-        try {
-            post.setEntity(new StringEntity(jsonStr, "utf-8"));
-
-            response = httpClient.execute(post);
-
-            int statusCode = response.getStatusLine().getStatusCode();
-            if(statusCode != 200){
-                logger.error("http client status code: " + statusCode);
-            }
-
-            JSONObject json = JSONObject.parseObject(EntityUtils.toString(response.getEntity()));
-            if (null != json && json.getInteger("errCode") == 0)
-                code = 0;
-            else
-                logger.error("和网关http通讯失败，rs: " + json);
-
-            if (null != response)
-                response.close();
-        } catch (Exception e) {
-            logger.error("", e);
-        }
-        return code;
-    }
-}
+package com.bsth.data.directive;
+
+import com.alibaba.fastjson.JSONObject;
+import com.bsth.data.SystemParamCache;
+import org.apache.http.client.config.RequestConfig;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpPost;
+import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.util.EntityUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author PanZhao
+ * @ClassName: GatewayHttpUtils
+ * @Description: TODO(和网关HTTP通讯工具类)
+ * @date 2016年8月14日 下午9:50:46
+ */
+@Component
+public class GatewayHttpUtils implements InitializingBean {
+    static Logger logger = LoggerFactory.getLogger(GatewayHttpUtils.class);
+
+    static String url;
+    static CloseableHttpClient httpClient = null;
+    static HttpPost post;
+    static RequestConfig requestConfig;
+    static CloseableHttpResponse response;
+
+    public static int postJson(String jsonStr) {
+        logger.info("send : " + jsonStr);
+
+        int code = -1;
+        try {
+            post.setEntity(new StringEntity(jsonStr, "utf-8"));
+
+            response = httpClient.execute(post);
+
+            int statusCode = response.getStatusLine().getStatusCode();
+            if(statusCode != 200){
+                logger.error("http client status code: " + statusCode);
+            }
+
+            JSONObject json = JSONObject.parseObject(EntityUtils.toString(response.getEntity()));
+            if (null != json && json.getInteger("errCode") == 0)
+                code = 0;
+            else
+                logger.error("和网关http通讯失败，rs: " + json);
+
+            if (null != response)
+                response.close();
+        } catch (Exception e) {
+            logger.error("", e);
+        }
+        return code;
+    }
+
+    @Override
+    public void afterPropertiesSet() throws Exception {
+        url = SystemParamCache.getUrlHttpDirective();
+        httpClient = HttpClients.createDefault();
+        post = new HttpPost(url);
+        requestConfig = RequestConfig.custom()
+                .setConnectTimeout(3000).setConnectionRequestTimeout(2000)
+                .setSocketTimeout(3000).build();
+        post.setConfig(requestConfig);
+    }
+}
@@ -2,6 +2,7 @@ package com.bsth.data.gpsdata_v2.load;
  
 import com.alibaba.fastjson.JSON;
 import com.bsth.data.BasicData;
+import com.bsth.data.SystemParamCache;
 import com.bsth.data.gpsdata_v2.GpsRealData;
 import com.bsth.data.gpsdata_v2.entity.GpsEntity;
 import com.bsth.data.gpsdata_v2.utils.GpsDataUtils;
@@ -16,6 +17,7 @@ import org.apache.http.impl.client.HttpClients;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
 import org.springframework.stereotype.Component;
@@ -30,7 +32,7 @@ import java.util.List;
  * Created by panzhao on 2017/11/15.
  */
 @Component
-public class GatewayHttpLoader implements ApplicationContextAware{
+public class GatewayHttpLoader implements ApplicationContextAware, InitializingBean {
  
     static Logger logger = LoggerFactory.getLogger(GatewayHttpLoader.class);
  
@@ -45,17 +47,6 @@ public class GatewayHttpLoader implements ApplicationContextAware{
  
     static GpsRealData gpsRealData;
  
-    static{
-        url = ConfigUtil.get("http.gps.real.url");
-        list = new ArrayList<>();
-        httpClient = HttpClients.createDefault();
-        get = new HttpGet(url);
-        requestConfig = RequestConfig.custom()
-                .setConnectTimeout(2500).setConnectionRequestTimeout(2000)
-                .setSocketTimeout(2500).build();
-        get.setConfig(requestConfig);
-    }
-
     public static List<GpsEntity> load(){
         try{
             if(list.size() > 0)
@@ -117,4 +108,16 @@ public class GatewayHttpLoader implements ApplicationContextAware{
     public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
         gpsRealData = applicationContext.getBean(GpsRealData.class);
     }
+
+    @Override
+    public void afterPropertiesSet() throws Exception {
+        url = SystemParamCache.getUrlHttpGpsReal();
+        list = new ArrayList<>();
+        httpClient = HttpClients.createDefault();
+        get = new HttpGet(url);
+        requestConfig = RequestConfig.custom()
+                .setConnectTimeout(2500).setConnectionRequestTimeout(2000)
+                .setSocketTimeout(2500).build();
+        get.setConfig(requestConfig);
+    }
 }
-package com.bsth.data.gpsdata_v2.load;
-
-import com.alibaba.fastjson.JSON;
-import com.bsth.data.BasicData;
-import com.bsth.data.gpsdata_v2.entity.GpsEntity;
-import com.bsth.data.gpsdata_v2.utils.GpsDataUtils;
-import com.bsth.util.ConfigUtil;
-import org.apache.http.HttpEntity;
-import org.apache.http.client.config.RequestConfig;
-import org.apache.http.client.methods.CloseableHttpResponse;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClients;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Component;
-
-import java.io.BufferedReader;
-import java.io.InputStreamReader;
-import java.util.ArrayList;
-import java.util.List;
-
-/**
- * 从专用的socket client 加载数据
- * Created by panzhao on 2017/11/15.
- */
-@Component
-public class SocketClientLoader {
-
-    static Logger logger = LoggerFactory.getLogger(SocketClientLoader.class);
-
-    static String url;
-    static List<GpsEntity> list;
-    static CloseableHttpClient httpClient = null;
-    static HttpGet get;
-    static RequestConfig requestConfig;
-    static CloseableHttpResponse response;
-    static HttpEntity entity;
-    static BufferedReader br;
-
-    static {
-        url = ConfigUtil.get("http.gps.real.cache.url");
-        list = new ArrayList<>();
-        httpClient = HttpClients.createDefault();
-        get = new HttpGet(url);
-        requestConfig = RequestConfig.custom()
-                .setConnectTimeout(2500).setConnectionRequestTimeout(2000)
-                .setSocketTimeout(2500).build();
-        get.setConfig(requestConfig);
-    }
-
-    public static List<GpsEntity> load(){
-        try {
-            if(list.size() > 0)
-                list.clear();
-            logger.info("load start...");
-            response = httpClient.execute(get);
-            entity = response.getEntity();
-            if(null == entity)
-                return list;
-
-            br = new BufferedReader(new InputStreamReader(entity.getContent()));
-            StringBuilder sb = new StringBuilder();
-            String str;
-            while ((str = br.readLine()) != null)
-                sb.append(str);
-
-            list = JSON.parseArray(sb.toString(), GpsEntity.class);
-
-            logger.info("load end ! size: " + list.size());
-            //过滤掉无效的点位
-            list = GpsDataUtils.clearInvalid(list);
-
-            for (GpsEntity gps : list) {
-                gps.setNbbm(BasicData.deviceId2NbbmMap.get(gps.getDeviceId()));
-            }
-
-            if (null != response)
-                response.close();
-        } catch (Exception e) {
-            logger.error("", e);
-        }
-
-        return list;
-    }
-}
+package com.bsth.data.gpsdata_v2.load;
+
+import com.alibaba.fastjson.JSON;
+import com.bsth.data.BasicData;
+import com.bsth.data.SystemParamCache;
+import com.bsth.data.gpsdata_v2.entity.GpsEntity;
+import com.bsth.data.gpsdata_v2.utils.GpsDataUtils;
+import org.apache.http.HttpEntity;
+import org.apache.http.client.config.RequestConfig;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClients;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.InitializingBean;
+import org.springframework.stereotype.Component;
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * 从专用的socket client 加载数据
+ * Created by panzhao on 2017/11/15.
+ */
+@Component
+public class SocketClientLoader implements InitializingBean {
+
+    static Logger logger = LoggerFactory.getLogger(SocketClientLoader.class);
+
+    static String url;
+    static List<GpsEntity> list;
+    static CloseableHttpClient httpClient = null;
+    static HttpGet get;
+    static RequestConfig requestConfig;
+    static CloseableHttpResponse response;
+    static HttpEntity entity;
+    static BufferedReader br;
+
+    public static List<GpsEntity> load(){
+        try {
+            if(list.size() > 0)
+                list.clear();
+            logger.info("load start...");
+            response = httpClient.execute(get);
+            entity = response.getEntity();
+            if(null == entity)
+                return list;
+
+            br = new BufferedReader(new InputStreamReader(entity.getContent()));
+            StringBuilder sb = new StringBuilder();
+            String str;
+            while ((str = br.readLine()) != null)
+                sb.append(str);
+
+            list = JSON.parseArray(sb.toString(), GpsEntity.class);
+
+            logger.info("load end ! size: " + list.size());
+            //过滤掉无效的点位
+            list = GpsDataUtils.clearInvalid(list);
+
+            for (GpsEntity gps : list) {
+                gps.setNbbm(BasicData.deviceId2NbbmMap.get(gps.getDeviceId()));
+            }
+
+            if (null != response)
+                response.close();
+        } catch (Exception e) {
+            logger.error("", e);
+        }
+
+        return list;
+    }
+
+    @Override
+    public void afterPropertiesSet() throws Exception {
+        url = SystemParamCache.getUrlHttpGpsRealCache();
+        list = new ArrayList<>();
+        httpClient = HttpClients.createDefault();
+        get = new HttpGet(url);
+        requestConfig = RequestConfig.custom()
+                .setConnectTimeout(2500).setConnectionRequestTimeout(2000)
+                .setSocketTimeout(2500).build();
+        get.setConfig(requestConfig);
+    }
+}
 package com.bsth.entity.sys;
  
+import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import org.springframework.format.annotation.DateTimeFormat;
+import org.springframework.util.StringUtils;
 import org.joda.time.DateTime;
-
 import javax.persistence.*;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.LinkedHashSet;
 import java.util.Set;
  
@@ -25,16 +28,21 @@ public class SysUser {
 	private String userName;
  
 	private String name;
-	
+
+	@JsonIgnore
 	private String password;
  
 	@Column(updatable = false, name = "create_date", columnDefinition = "TIMESTAMP DEFAULT CURRENT_TIMESTAMP")
 	private Date createDate;
-	
-	@Column(name = "last_loginDate", columnDefinition = "timestamp  DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP")
+
+	@Column(name = "update_date", columnDefinition = "timestamp  DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP")
+	private Date updateDate;
+
+	@DateTimeFormat(pattern = "yyyy-MM-dd")
 	private Date lastLoginDate;
  
     /** 最近密码更新时间 */
+	@DateTimeFormat(pattern = "yyyy-MM-dd")
     private Date lastPwdDate;
     /** 密码有效期 */
     private Integer pwdValidPeriod;
@@ -84,6 +92,14 @@ public class SysUser {
 		this.createDate = createDate;
 	}
  
+	public Date getUpdateDate() {
+		return updateDate;
+	}
+
+	public void setUpdateDate(Date updateDate) {
+		this.updateDate = updateDate;
+	}
+
 	public Date getLastLoginDate() {
 		return lastLoginDate;
 	}
@@ -124,6 +140,27 @@ public class SysUser {
 		this.roles = roles;
 	}
  
+	public Set<String> getLinks() {
+		Set<String> links = new HashSet<>();
+		if (links.size() == 0) {
+			for (Role role : roles) {
+				for (Module module : role.getModules()) {
+					String symbol = module.getMappSymbol();
+					if (!StringUtils.isEmpty(symbol)) {
+						String[] symbols = symbol.split(";");
+						for (String temp : symbols) {
+							if (!StringUtils.isEmpty(temp)) {
+								links.add(temp);
+							}
+						}
+					}
+				}
+			}
+		}
+
+		return links;
+	}
+
     public Date getLastPwdDate() {
         return lastPwdDate;
     }
+package com.bsth.filter;
+
+import com.bsth.common.Constants;
+import com.bsth.common.ResponseCode;
+import com.bsth.data.SystemParamCache;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * 权限过滤器
+ * @author Hill
+ */
+public class AuthorityFilter extends BaseFilter {
+
+	Logger logger = LoggerFactory.getLogger(this.getClass());
+
+	private ObjectMapper mapper = new ObjectMapper();
+
+	private final String rootUri = "/";
+
+	private final String scheduleReferer = "/real_control/v2";
+
+	private String[] pubUrls = new String[]{ "/sockjs/", "/pages/", "/error", "/dictionary/all", "/user/isWeakCipher", "/user/isRealName", "/user/currentUser", "/user/companyData", "/module/findByCurrentUser", "/eci/validate_get_destroy_info", "/business", "/personnel/all_py", "/companyAuthority/all", "/line/all", "/basic/refresh_person_data", "/downloadFile", "/report/lineList", "/adminUtils", "/metronic_v4.5.4", "/assets" };
+
+	@Override
+	public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+		if (!SystemParamCache.getEnableFilterAuthority()) {
+			chain.doFilter(request, response);
+			return;
+		}
+
+		String uri = request.getRequestURI(), referer = request.getHeader("Referer");
+		Set<String> links = (Set<String>) request.getSession().getAttribute(Constants.RESOURCE_AUTHORITYS);
+		if (rootUri.equals(uri) || (referer != null && referer.indexOf(scheduleReferer) > 0) || isPubURL(uri)) {
+			chain.doFilter(request, response);
+			return;
+		}
+		if (links != null) {
+			boolean matched = false;
+			for (String link : links) {
+				if (uri.startsWith(link)) {
+					matched = true;
+					break;
+				}
+			}
+			if (!matched) {
+				Map<String, Object> result = new HashMap<>();
+				result.put("status", ResponseCode.ERROR);
+				result.put("msg", "未授权的访问");
+				response.setContentType("text/html;charset=utf-8");
+				response.getWriter().write(mapper.writeValueAsString(result));
+				return;
+			}
+		}
+
+		chain.doFilter(request, response);
+	}
+
+	protected boolean isPubURL(String url) {
+		for (String pubUrl : pubUrls) {
+			if (url.startsWith(pubUrl)) {
+				return true;
+			}
+		}
+
+		return false;
+	}
+}
+package com.bsth.filter;
+
+import com.bsth.data.SystemParamCache;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Enumeration;
+
+@Component
+public class SQLInjectFilter extends BaseFilter{
+
+	private static String injStr = "'|and|exec|create|insert|select|delete|update|count|*|%|chr|mid|master|truncate|drop|char|declare";
+
+	private final static String specialUri = "adminUtils";
+
+	@Override
+	public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
+			throws IOException, ServletException {
+		if (!SystemParamCache.getEnabledFilterSqlInjection()) {
+			chain.doFilter(request, response);
+			return;
+		}
+
+		//获取请求对象中的参数名称
+		Enumeration enu = request.getParameterNames();
+		String uri = request.getRequestURI();
+
+		if (uri.indexOf(specialUri) > -1) {
+			chain.doFilter(request, response);
+			return;
+		}
+
+		//遍历枚举
+		while (enu.hasMoreElements()) {
+			//取参数名
+			String paraName = (String)enu.nextElement();
+
+			//取参数值并校验
+			if (isSqlInject(request.getParameter(paraName))) {
+				return;
+			}
+		}
+		//校验完毕，放行
+		chain.doFilter(request, response);
+	}
+
+	private static boolean isSqlInject(String injectStr) {
+		String injStrArr[] = injStr.split("\\|");
+		injectStr = injectStr.toLowerCase();
+		for (int i = 0; i < injStrArr.length; i++) {
+			if (injectStr.indexOf(injStrArr[i]) >= 0) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	public static String getInjStr() {
+		return injStr;
+	}
+
+	public static void setInjStr(String injStr) {
+		SQLInjectFilter.injStr = injStr;
+	}
+}
-package com.bsth.security;
-
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.context.embedded.ServletListenerRegistrationBean;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.core.session.SessionRegistry;
-import org.springframework.security.core.session.SessionRegistryImpl;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
-import org.springframework.security.web.session.HttpSessionEventPublisher;
-
-import com.bsth.common.Constants;
-import com.bsth.security.filter.LoginInterceptor;
-
-@Configuration
-@EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
-
-    @Autowired
-    UserDetailServiceImpl customUserDetailService;
-
-    @Autowired
-    CustomAccessDecisionManager customAccessDecisionManager;
-
-    @Autowired
-    SecurityMetadataSourceService securityMetadataSourceService;
-
-
-    @Override
-    public void configure(WebSecurity web) throws Exception {
-        // 白名单
-        web.ignoring().antMatchers(Constants.LOGIN_PAGE, Constants.LOGIN, Constants.ASSETS_URL, Constants.FAVICON_URL, Constants.CAPTCHA,
-                Constants.SERVICE_INTERFACE, Constants.METRONIC_URL, Constants.LOGIN_FAILURE, Constants.UPSTREAM_URL, Constants.XD_CHILD_PAGES, Constants.STATIONSIGNO_URL, Constants.UP_RFID_URL,Constants.STATION_AND_SECTION_COUNT);
-    }
-
-    @Override
-    protected void configure(AuthenticationManagerBuilder auth)
-            throws Exception {
-        auth.userDetailsService(customUserDetailService).passwordEncoder(
-                new BCryptPasswordEncoder(4));
-    }
-
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        http.authorizeRequests().antMatchers("/").permitAll().anyRequest()
-                .authenticated().and()
-                .formLogin()
-                //指定登录页
-                .loginPage(Constants.LOGIN_PAGE)
-                .loginProcessingUrl(Constants.LOGIN).permitAll()
-                .and().logout()
-                //禁用CXRF
-                .and().csrf().disable()
-                //禁用匿名用户功能
-                .anonymous().disable()
-                //允许 iframe
-                .headers().frameOptions().disable();
-
-        // 同时只保持一个回话
-        http.sessionManagement().maximumSessions(1)
-                .expiredUrl(Constants.LOGIN_PAGE + "?error=true")
-                .maxSessionsPreventsLogin(false)//让之前的登录过期
-                .sessionRegistry(sessionRegistry());
-
-        http.addFilterBefore(new LoginInterceptor(), FilterSecurityInterceptor.class);
-        http.addFilter(filterSecurityInterceptor());
-    }
-
-    private FilterSecurityInterceptor filterSecurityInterceptor()
-            throws Exception {
-        FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
-        filterSecurityInterceptor
-                .setAccessDecisionManager(customAccessDecisionManager);
-        filterSecurityInterceptor
-                .setSecurityMetadataSource(securityMetadataSourceService);
-        filterSecurityInterceptor
-                .setAuthenticationManager(authenticationManager());
-        return filterSecurityInterceptor;
-    }
-
-/*	@Bean
-	public LoginSuccessHandler loginSuccessHandler(){
-		return new LoginSuccessHandler();
-	}*/
-	
-/*	@Bean
-	public LogoutHandler logoutHandler(){
-		return new CustomLogoutHandler();
-	}*/
-
-    @Bean
-    public SessionRegistry sessionRegistry() {
-        SessionRegistry sessionRegistry = new SessionRegistryImpl();
-        return sessionRegistry;
-    }
-
-    @Bean
-    public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
-        return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(
-                new HttpSessionEventPublisher());
-    }
-}
+package com.bsth.security;
+
+import com.bsth.filter.AuthorityFilter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.context.embedded.ServletListenerRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
+
+import com.bsth.common.Constants;
+import com.bsth.security.filter.LoginInterceptor;
+
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Autowired
+    UserDetailServiceImpl customUserDetailService;
+
+    @Autowired
+    CustomAccessDecisionManager customAccessDecisionManager;
+
+    @Autowired
+    SecurityMetadataSourceService securityMetadataSourceService;
+
+
+    @Override
+    public void configure(WebSecurity web) throws Exception {
+        // 白名单
+        web.ignoring().antMatchers(Constants.LOGIN_PAGE, Constants.LOGIN, Constants.ASSETS_URL, Constants.FAVICON_URL, Constants.CAPTCHA,
+                Constants.SERVICE_INTERFACE, Constants.METRONIC_URL, Constants.LOGIN_FAILURE, Constants.UPSTREAM_URL, Constants.XD_CHILD_PAGES, Constants.STATIONSIGNO_URL, Constants.UP_RFID_URL,Constants.STATION_AND_SECTION_COUNT);
+    }
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth)
+            throws Exception {
+        auth.userDetailsService(customUserDetailService).passwordEncoder(
+                new BCryptPasswordEncoder(4));
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.authorizeRequests().antMatchers("/").permitAll().anyRequest()
+                .authenticated().and()
+                .formLogin()
+                //指定登录页
+                .loginPage(Constants.LOGIN_PAGE)
+                .loginProcessingUrl(Constants.LOGIN).permitAll()
+                .and().logout()
+                //禁用CXRF
+                .and().csrf().disable()
+                //禁用匿名用户功能
+                .anonymous().disable()
+                //允许 iframe
+                .headers().frameOptions().disable();
+
+        // 同时只保持一个回话
+        http.sessionManagement().maximumSessions(1)
+                .expiredUrl(Constants.LOGIN_PAGE + "?error=true")
+                .maxSessionsPreventsLogin(false)//让之前的登录过期
+                .sessionRegistry(sessionRegistry());
+
+        http.addFilterBefore(new LoginInterceptor(), FilterSecurityInterceptor.class);
+        http.addFilterBefore(new AuthorityFilter(), FilterSecurityInterceptor.class);
+        http.addFilter(filterSecurityInterceptor());
+    }
+
+    private FilterSecurityInterceptor filterSecurityInterceptor()
+            throws Exception {
+        FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
+        filterSecurityInterceptor
+                .setAccessDecisionManager(customAccessDecisionManager);
+        filterSecurityInterceptor
+                .setSecurityMetadataSource(securityMetadataSourceService);
+        filterSecurityInterceptor
+                .setAuthenticationManager(authenticationManager());
+        return filterSecurityInterceptor;
+    }
+
+/*	@Bean
+	public LoginSuccessHandler loginSuccessHandler(){
+		return new LoginSuccessHandler();
+	}*/
+	
+/*	@Bean
+	public LogoutHandler logoutHandler(){
+		return new CustomLogoutHandler();
+	}*/
+
+    @Bean
+    public SessionRegistry sessionRegistry() {
+        SessionRegistry sessionRegistry = new SessionRegistryImpl();
+        return sessionRegistry;
+    }
+
+    @Bean
+    public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
+        return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(
+                new HttpSessionEventPublisher());
+    }
+}
@@ -6,4 +6,8 @@ import com.bsth.entity.SystemParam;
  * @author Hill
  */
 public interface SystemParamService extends BaseService<SystemParam, Integer> {
+
+    void refresh();
+
+    String getValue(String key);
 }
 package com.bsth.service.impl;
  
 import com.bsth.entity.SystemParam;
+import com.bsth.repository.SystemParamRepository;
 import com.bsth.service.SystemParamService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.scheduling.annotation.EnableScheduling;
+import org.springframework.scheduling.annotation.Scheduled;
+import org.springframework.stereotype.Service;
+
+import java.util.HashMap;
+import java.util.Map;
  
 /**
  * @author Hill
  */
+@Service
+@EnableScheduling
 public class SystemParamServiceImpl extends BaseServiceImpl<SystemParam, Integer> implements SystemParamService {
-}
+
+    @Autowired
+    private SystemParamRepository systemParamRepository;
+
+    private Map<String, String> pairs = new HashMap<>();
+
+    @Scheduled(cron = "0 0/30 * * * ?")
+    public void refresh() {
+        for (SystemParam sp : systemParamRepository.findAll()) {
+            pairs.put(sp.getKey(), sp.getValue());
+        }
+    }
+
+    public String getValue(String key) {
+        return pairs.get(key);
+    }
+}
 \ No newline at end of file