1.越权访问控制

王通
1 parent f7d76188
Showing 6 changed files with 564 additions and 555 deletions
src/main/java/com/bsth/common/Constants.java
src/main/java/com/bsth/entity/sys/SysUser.java
src/main/java/com/bsth/filter/AuthorityFilter.java
src/main/java/com/bsth/filter/BaseFilter.java
src/main/java/com/bsth/security/WebSecurityConfig.java
src/main/java/com/bsth/security/filter/LoginInterceptor.java
-package com.bsth.common;
-
-/**
- *
- * @ClassName: Constants
- * @Description: TODO(常量类)
- * @author PanZhao
- * @date 2016年3月18日 下午11:06:53
- *
- */
-public class Constants {
-
-	/**
-	 * 不需要拦截的资源
-	 */
-	public static final String LOGIN = "/user/login/**";
-	public static final String ORIGINAL_LOGIN_PAGE = "/login.html";
-	public static String LOGIN_PAGE = "/login.html";
-	public static final String ASSETS_URL = "/login_assets/**";
-	public static final String FAVICON_URL = "/favicon.ico";
-	public static final String LOGIN_FAILURE = "/user/loginFailure";
-	public static final String CAPTCHA = "/captcha.jpg";
-
-    // springboot manage health的检测url
-    public static final String ACTUATOR_MANAGEMENT_HEALTH = "/manage/health";
-    // 车辆数据同步url
-    public static final String VEHICLE_DATA_SYNC_URL = "/dataSync/vehicle/api/**";
-
-	//对外的营运数据接口
-	public static final String SERVICE_INTERFACE = "/companyService/**";
-
-	/**
-	 * 线调部分子页面不做拦截，便于浏览器缓存
-	 */
-	public static final String XD_CHILD_PAGES = "/real_control_v2/**";
-	public static final String XD_REAL_GPS = "/gps/real/line";
-	//public static final String XD_TEMPS = "/pages/control/line/temps/**";
-
-	//车载网关上行接口
-	public static final String UPSTREAM_URL = "/control/upstream";
-	//rfid 上传入口
-	public static final String UP_RFID_URL = "/rfid/**";
-
-	public static final String SESSION_USERNAME = "sessionUserName";
-	public static final String COMPANY_AUTHORITYS = "cmyAuths";
-	public static final String STATION_AND_SECTION_COUNT = "/station/updateStationAndSectionCode";
-
-	/**
-	 * 解除调度指令和班次的外键约束
-	 */
-	public static final String REMOVE_DIRECTIVE_SCH_FK = "update bsth_v_directive_60 set sch=NULL where sch=?";
-
-	/**
-	 * 批量解除调度指令和班次的外键约束
-	 */
-	public static final String MULTI_REMOVE_DIRECTIVE_SCH_FK = "update bsth_v_directive_60 set sch=NULL where sch in ";
-
-	/**
-	 * 批量解除子任务和班次的外键约束
-	 */
-	public static final String MULTI_REMOVE_CHILDTASK_SCH_FK = "update bsth_c_s_child_task set schedule=NULL where schedule in ";
-
-	public static final String WEAK_CIPHER = "weakCipher";
-
-	public static final String FILE_AUTH = "/.well-known/pki-validation/fileauth.txt";
-
-	public static final String SSO_TOKEN = "ssoToken";
-
-	public static final String RESOURCE_AUTHORITYS = "resourceAuthoritys";
-}
+package com.bsth.common;
+
+/**
+ *
+ * @ClassName: Constants
+ * @Description: TODO(常量类)
+ * @author PanZhao
+ * @date 2016年3月18日 下午11:06:53
+ *
+ */
+public class Constants {
+
+	/**
+	 * 不需要拦截的资源
+	 */
+	public static final String LOGIN = "/user/login/**";
+	public static final String ORIGINAL_LOGIN_PAGE = "/login.html";
+	public static String LOGIN_PAGE = "/login.html";
+	public static final String ASSETS_URL = "/assets/**";
+	public static final String LOGIN_ASSETS_URL = "/login_assets/**";
+	public static final String FAVICON_URL = "/favicon.ico";
+	public static final String METRONIC_URL = "/metronic_v4.5.4/**";
+	public static final String LOGIN_FAILURE = "/user/loginFailure";
+	public static final String CAPTCHA = "/captcha.jpg";
+
+    // springboot manage health的检测url
+    public static final String ACTUATOR_MANAGEMENT_HEALTH = "/manage/health";
+    // 车辆数据同步url
+    public static final String VEHICLE_DATA_SYNC_URL = "/dataSync/vehicle/api/**";
+
+	//对外的营运数据接口
+	public static final String SERVICE_INTERFACE = "/companyService/**";
+
+	/**
+	 * 线调部分子页面不做拦截，便于浏览器缓存
+	 */
+	public static final String XD_CHILD_PAGES = "/real_control_v2/**";
+	public static final String XD_REAL_GPS = "/gps/real/line";
+	//public static final String XD_TEMPS = "/pages/control/line/temps/**";
+
+	//车载网关上行接口
+	public static final String UPSTREAM_URL = "/control/upstream";
+	//rfid 上传入口
+	public static final String UP_RFID_URL = "/rfid/**";
+
+	public static final String SESSION_USERNAME = "sessionUserName";
+	public static final String COMPANY_AUTHORITYS = "cmyAuths";
+	public static final String STATION_AND_SECTION_COUNT = "/station/updateStationAndSectionCode";
+
+	/**
+	 * 解除调度指令和班次的外键约束
+	 */
+	public static final String REMOVE_DIRECTIVE_SCH_FK = "update bsth_v_directive_60 set sch=NULL where sch=?";
+
+	/**
+	 * 批量解除调度指令和班次的外键约束
+	 */
+	public static final String MULTI_REMOVE_DIRECTIVE_SCH_FK = "update bsth_v_directive_60 set sch=NULL where sch in ";
+
+	/**
+	 * 批量解除子任务和班次的外键约束
+	 */
+	public static final String MULTI_REMOVE_CHILDTASK_SCH_FK = "update bsth_c_s_child_task set schedule=NULL where schedule in ";
+
+	public static final String WEAK_CIPHER = "weakCipher";
+
+	public static final String FILE_AUTH = "/.well-known/pki-validation/fileauth.txt";
+
+	public static final String SSO_TOKEN = "ssoToken";
+
+	public static final String RESOURCE_AUTHORITYS = "resourceAuthoritys";
+}
-package com.bsth.entity.sys;
-
-import com.fasterxml.jackson.annotation.JsonIgnore;
-import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
-import org.springframework.format.annotation.DateTimeFormat;
-import org.springframework.util.StringUtils;
-import org.joda.time.DateTime;
-import javax.persistence.*;
-import java.io.Serializable;
-import java.util.Date;
-import java.util.HashSet;
-import java.util.LinkedHashSet;
-import java.util.Set;
-
-@Entity
-@Table(name = "bsth_c_sys_user")
-@JsonIgnoreProperties(ignoreUnknown = true)
-@NamedEntityGraphs({
-		@NamedEntityGraph(name = "sysUser_role", attributeNodes = {
-				@NamedAttributeNode("roles")
-		})
-})
-public class SysUser implements Serializable {
-
-	@Id
-	@GeneratedValue(strategy = GenerationType.IDENTITY)
-	private Integer id;
-
-	private String userName;
-
-	private String name;
-
-	@JsonIgnore
-	private String password;
-
-	@Column(updatable = false, name = "create_date", columnDefinition = "TIMESTAMP DEFAULT CURRENT_TIMESTAMP")
-	private Date createDate;
-
-	@Column(name = "update_date", columnDefinition = "timestamp  DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP")
-	private Date updateDate;
-
-	@DateTimeFormat(pattern = "yyyy-MM-dd")
-	private Date lastLoginDate;
-
-    /** 最近密码更新时间 */
-	@DateTimeFormat(pattern = "yyyy-MM-dd")
-    private Date lastPwdDate;
-    /** 密码有效期 */
-    private Integer pwdValidPeriod;
-
-	private String agencies;
-
-	private boolean enabled;
-	
-	@ManyToMany(fetch = FetchType.EAGER)
-	private Set<Role> roles = new LinkedHashSet<>();
-
-	private String jobCode;
-
-	private String realName;
-
-	/**
-	 * 密码过期时间
-	 */
-	@Transient
-	private Date pwdExpiredDate;
-
-	public Integer getId() {
-		return id;
-	}
-
-	public void setId(Integer id) {
-		this.id = id;
-	}
-
-	public String getUserName() {
-		return userName;
-	}
-
-	public void setUserName(String userName) {
-		this.userName = userName;
-	}
-
-	public String getName() {
-		return name;
-	}
-
-	public void setName(String name) {
-		this.name = name;
-	}
-
-	public Date getCreateDate() {
-		return createDate;
-	}
-
-	public void setCreateDate(Date createDate) {
-		this.createDate = createDate;
-	}
-
-	public Date getUpdateDate() {
-		return updateDate;
-	}
-
-	public void setUpdateDate(Date updateDate) {
-		this.updateDate = updateDate;
-	}
-
-	public Date getLastLoginDate() {
-		return lastLoginDate;
-	}
-
-	public void setLastLoginDate(Date lastLoginDate) {
-		this.lastLoginDate = lastLoginDate;
-	}
-
-	public String getAgencies() {
-		return agencies;
-	}
-
-	public void setAgencies(String agencies) {
-		this.agencies = agencies;
-	}
-
-	public boolean isEnabled() {
-		return enabled;
-	}
-
-	public void setEnabled(boolean enabled) {
-		this.enabled = enabled;
-	}
-
-	public String getPassword() {
-		return password;
-	}
-
-	public void setPassword(String password) {
-		this.password = password;
-	}
-
-	public Set<Role> getRoles() {
-		return roles;
-	}
-
-	public void setRoles(Set<Role> roles) {
-		this.roles = roles;
-	}
-
-	public String getJobCode() {
-		return jobCode;
-	}
-
-	public void setJobCode(String jobCode) {
-		this.jobCode = jobCode;
-	}
-
-	public String getRealName() {
-		return realName;
-	}
-
-	public void setRealName(String realName) {
-		this.realName = realName;
-	}
-
-	public Set<String> getLinks() {
-		Set<String> links = new HashSet<>();
-		if (links.size() == 0) {
-			for (Role role : roles) {
-				for (Module module : role.getModules()) {
-					String symbol = module.getMappSymbol();
-					if (!StringUtils.isEmpty(symbol)) {
-						String[] symbols = symbol.split(";");
-						for (String temp : symbols) {
-							if (!StringUtils.isEmpty(temp)) {
-								links.add(temp);
-							}
-						}
-					}
-				}
-			}
-		}
-
-		return links;
-	}
-
-    public Date getLastPwdDate() {
-        return lastPwdDate;
-    }
-
-    public void setLastPwdDate(Date lastPwdDate) {
-        this.lastPwdDate = lastPwdDate;
-    }
-
-    public Integer getPwdValidPeriod() {
-        return pwdValidPeriod;
-    }
-
-    public void setPwdValidPeriod(Integer pwdValidPeriod) {
-        this.pwdValidPeriod = pwdValidPeriod;
-    }
-
-	public Date getPwdExpiredDate() {
-		DateTime dateTime = new DateTime(getLastPwdDate());
-		if (pwdValidPeriod != null) {
-			dateTime = dateTime.plusDays(pwdValidPeriod);
-		}
-
-		return dateTime.toDate();
-	}
-
-	public void setPwdExpiredDate(Date pwdExpiredDate) {
-		this.pwdExpiredDate = pwdExpiredDate;
-	}
-}
+package com.bsth.entity.sys;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import org.springframework.format.annotation.DateTimeFormat;
+import org.springframework.util.StringUtils;
+import org.joda.time.DateTime;
+import javax.persistence.*;
+import java.io.Serializable;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+@Entity
+@Table(name = "bsth_c_sys_user")
+@JsonIgnoreProperties(ignoreUnknown = true)
+@NamedEntityGraphs({
+		@NamedEntityGraph(name = "sysUser_role", attributeNodes = {
+				@NamedAttributeNode("roles")
+		})
+})
+public class SysUser implements Serializable {
+
+	@Id
+	@GeneratedValue(strategy = GenerationType.IDENTITY)
+	private Integer id;
+
+	private String userName;
+
+	private String name;
+
+	@JsonIgnore
+	private String password;
+
+	@Column(updatable = false, name = "create_date", columnDefinition = "TIMESTAMP DEFAULT CURRENT_TIMESTAMP")
+	private Date createDate;
+
+	@Column(name = "update_date", columnDefinition = "timestamp  DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP")
+	private Date updateDate;
+
+	@DateTimeFormat(pattern = "yyyy-MM-dd")
+	private Date lastLoginDate;
+
+    /** 最近密码更新时间 */
+	@DateTimeFormat(pattern = "yyyy-MM-dd")
+    private Date lastPwdDate;
+    /** 密码有效期 */
+    private Integer pwdValidPeriod;
+
+	private String agencies;
+
+	private boolean enabled;
+	
+	@ManyToMany(fetch = FetchType.EAGER)
+	private Set<Role> roles = new LinkedHashSet<>();
+
+	private String jobCode;
+
+	private String realName;
+
+	/**
+	 * 密码过期时间
+	 */
+	@Transient
+	private Date pwdExpiredDate;
+
+	public Integer getId() {
+		return id;
+	}
+
+	public void setId(Integer id) {
+		this.id = id;
+	}
+
+	public String getUserName() {
+		return userName;
+	}
+
+	public void setUserName(String userName) {
+		this.userName = userName;
+	}
+
+	public String getName() {
+		return name;
+	}
+
+	public void setName(String name) {
+		this.name = name;
+	}
+
+	public Date getCreateDate() {
+		return createDate;
+	}
+
+	public void setCreateDate(Date createDate) {
+		this.createDate = createDate;
+	}
+
+	public Date getUpdateDate() {
+		return updateDate;
+	}
+
+	public void setUpdateDate(Date updateDate) {
+		this.updateDate = updateDate;
+	}
+
+	public Date getLastLoginDate() {
+		return lastLoginDate;
+	}
+
+	public void setLastLoginDate(Date lastLoginDate) {
+		this.lastLoginDate = lastLoginDate;
+	}
+
+	public String getAgencies() {
+		return agencies;
+	}
+
+	public void setAgencies(String agencies) {
+		this.agencies = agencies;
+	}
+
+	public boolean isEnabled() {
+		return enabled;
+	}
+
+	public void setEnabled(boolean enabled) {
+		this.enabled = enabled;
+	}
+
+	public String getPassword() {
+		return password;
+	}
+
+	public void setPassword(String password) {
+		this.password = password;
+	}
+
+	public Set<Role> getRoles() {
+		return roles;
+	}
+
+	public void setRoles(Set<Role> roles) {
+		this.roles = roles;
+	}
+
+	public String getJobCode() {
+		return jobCode;
+	}
+
+	public void setJobCode(String jobCode) {
+		this.jobCode = jobCode;
+	}
+
+	public String getRealName() {
+		return realName;
+	}
+
+	public void setRealName(String realName) {
+		this.realName = realName;
+	}
+
+	@JsonIgnore
+	public Set<String> getLinks() {
+		Set<String> links = new HashSet<>();
+		if (links.size() == 0) {
+			for (Role role : roles) {
+				for (Module module : role.getModules()) {
+					String symbol = module.getMappSymbol();
+					if (!StringUtils.isEmpty(symbol)) {
+						String[] symbols = symbol.split(";");
+						for (String temp : symbols) {
+							if (!StringUtils.isEmpty(temp)) {
+								links.add(temp);
+							}
+						}
+					}
+				}
+			}
+		}
+
+		return links;
+	}
+
+    public Date getLastPwdDate() {
+        return lastPwdDate;
+    }
+
+    public void setLastPwdDate(Date lastPwdDate) {
+        this.lastPwdDate = lastPwdDate;
+    }
+
+    public Integer getPwdValidPeriod() {
+        return pwdValidPeriod;
+    }
+
+    public void setPwdValidPeriod(Integer pwdValidPeriod) {
+        this.pwdValidPeriod = pwdValidPeriod;
+    }
+
+	public Date getPwdExpiredDate() {
+		DateTime dateTime = new DateTime(getLastPwdDate());
+		if (pwdValidPeriod != null) {
+			dateTime = dateTime.plusDays(pwdValidPeriod);
+		}
+
+		return dateTime.toDate();
+	}
+
+	public void setPwdExpiredDate(Date pwdExpiredDate) {
+		this.pwdExpiredDate = pwdExpiredDate;
+	}
+}
@@ -6,6 +6,8 @@ import com.bsth.data.SystemParamCache;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.PathMatcher;
  
 import javax.servlet.*;
 import javax.servlet.http.HttpServletRequest;
@@ -29,7 +31,9 @@ public class AuthorityFilter extends BaseFilter {
  
 	private final String scheduleReferer = "/real_control/v2";
  
-	private String[] pubUrls = new String[]{ "/sockjs/", "/pages/", "/error", "/dictionary/all", "/user/isWeakCipher", "/user/isRealName", "/user/currentUser", "/user/companyData", "/module/findByCurrentUser", "/eci/validate_get_destroy_info", "/business", "/personnel/all_py", "/companyAuthority/all", "/line/all", "/basic/refresh_person_data", "/downloadFile", "/report/lineList", "/adminUtils", "/metronic_v4.5.4", "/assets" };
+	private PathMatcher matcher = new AntPathMatcher();
+
+	private String[] pubUrls = new String[]{ "/pages/home.html", "/error", "/dictionary/all", "/user/validPWDExpired", "/user/isWeakCipher", "/user/isRealName", "/user/currentUser", "/user/companyData", "/user/changePWD", "/pages/permission/user/changePWD.html", "/module/findByCurrentUser", "/cars_sc/all", "/ee/all_py", "/eci/validate_get_destroy_info", "/business/all", "/personnel/all_py", "/companyAuthority/all", "/line/all", "/basic/refresh_person_data", "/downloadFile/download", "/report/lineList", "/adminUtils/**", "/pages/scheduleApp/module/common/**", "/e10adc3949ba59abbe56e057f20f883e.html", "/8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92.html"};
  
 	@Override
 	public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
@@ -47,7 +51,7 @@ public class AuthorityFilter extends BaseFilter {
 		if (links != null) {
 			boolean matched = false;
 			for (String link : links) {
-				if (uri.startsWith(link)) {
+				if (matcher.match(link, uri)) {
 					matched = true;
 					break;
 				}
@@ -65,9 +69,9 @@ public class AuthorityFilter extends BaseFilter {
 		chain.doFilter(request, response);
 	}
  
-	protected boolean isPubURL(String url) {
+	protected boolean isPubURL(String uri) {
 		for (String pubUrl : pubUrls) {
-			if (url.startsWith(pubUrl)) {
+			if (matcher.match(pubUrl, uri)) {
 				return true;
 			}
 		}
-package com.bsth.filter;
-
-import com.bsth.common.Constants;
-import org.springframework.util.AntPathMatcher;
-import org.springframework.util.PathMatcher;
-
-import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-
-public abstract class BaseFilter implements Filter {
-
-	private final PathMatcher pathMatcher = new AntPathMatcher();
-
-	/**
-	 * 白名单
-	 */
-	private String[] whiteListURLs = { Constants.LOGIN_PAGE, Constants.ORIGINAL_LOGIN_PAGE, Constants.CAPTCHA, Constants.SERVICE_INTERFACE,
-			Constants.ASSETS_URL, Constants.FAVICON_URL, Constants.LOGIN, Constants.LOGIN_FAILURE,
-			Constants.UPSTREAM_URL, Constants.XD_CHILD_PAGES, Constants.XD_REAL_GPS, Constants.UP_RFID_URL,
-			Constants.STATION_AND_SECTION_COUNT, Constants.ACTUATOR_MANAGEMENT_HEALTH, Constants.VEHICLE_DATA_SYNC_URL,
-			Constants.FILE_AUTH};
-
-	@Override
-	public void destroy() {
-
-	}
-
-	@Override
-	public void doFilter(ServletRequest request, ServletResponse response,
-			FilterChain chain) throws IOException, ServletException {
-
-		HttpServletRequest httpRequest = (HttpServletRequest) request;
-		HttpServletResponse httpResponse = (HttpServletResponse) response;
-
-		String currentURL = httpRequest.getServletPath();
-
-		if (isWhiteURL(currentURL)) {
-			chain.doFilter(request, response);
-			return;
-		}
-
-		doFilter(httpRequest, httpResponse, chain);
-		return;
-	}
-
-	public void doFilter(HttpServletRequest request,
-			HttpServletResponse response, FilterChain chain)
-			throws IOException, ServletException {
-		chain.doFilter(request, response);
-	}
-
-	@Override
-	public void init(FilterConfig arg0) throws ServletException {
-
-	}
-
-	private boolean isWhiteURL(String currentURL) {
-		for (String whiteURL : whiteListURLs) {
-			if (pathMatcher.match(whiteURL, currentURL)) {
-				return true;
-			}
-		}
-		return false;
-	}
-}
+package com.bsth.filter;
+
+import com.bsth.common.Constants;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.PathMatcher;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public abstract class BaseFilter implements Filter {
+
+	private final PathMatcher pathMatcher = new AntPathMatcher();
+
+	/**
+	 * 白名单
+	 */
+	private String[] whiteListURLs = { Constants.LOGIN_PAGE, Constants.ORIGINAL_LOGIN_PAGE, Constants.CAPTCHA, Constants.SERVICE_INTERFACE,
+			Constants.ASSETS_URL, Constants.LOGIN_ASSETS_URL, Constants.FAVICON_URL, Constants.LOGIN, Constants.LOGIN_FAILURE,
+			Constants.UPSTREAM_URL, Constants.XD_CHILD_PAGES, Constants.XD_REAL_GPS, Constants.UP_RFID_URL,
+			Constants.STATION_AND_SECTION_COUNT, Constants.ACTUATOR_MANAGEMENT_HEALTH, Constants.VEHICLE_DATA_SYNC_URL, Constants.METRONIC_URL,
+			Constants.FILE_AUTH, "/e10adc3949ba59abbe56e057f20f883e.html", "/8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92.html"};
+
+	@Override
+	public void destroy() {
+
+	}
+
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response,
+			FilterChain chain) throws IOException, ServletException {
+
+		HttpServletRequest httpRequest = (HttpServletRequest) request;
+		HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+		String currentURL = httpRequest.getServletPath();
+
+		if (isWhiteURL(currentURL)) {
+			chain.doFilter(request, response);
+			return;
+		}
+
+		doFilter(httpRequest, httpResponse, chain);
+		return;
+	}
+
+	public void doFilter(HttpServletRequest request,
+			HttpServletResponse response, FilterChain chain)
+			throws IOException, ServletException {
+		chain.doFilter(request, response);
+	}
+
+	@Override
+	public void init(FilterConfig arg0) throws ServletException {
+
+	}
+
+	private boolean isWhiteURL(String currentURL) {
+		for (String whiteURL : whiteListURLs) {
+			if (pathMatcher.match(whiteURL, currentURL)) {
+				return true;
+			}
+		}
+		return false;
+	}
+}
-package com.bsth.security;
-
-import com.bsth.common.Constants;
-import com.bsth.filter.AuthorityFilter;
-import com.bsth.filter.WhiteIpFilter;
-import com.bsth.security.filter.LoginInterceptor;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.builders.WebSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.core.session.SessionRegistry;
-import org.springframework.security.core.session.SessionRegistryImpl;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
-import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
-import org.springframework.security.web.firewall.DefaultHttpFirewall;
-import org.springframework.security.web.firewall.HttpFirewall;
-import org.springframework.security.web.session.HttpSessionEventPublisher;
-
-@Configuration
-@EnableWebSecurity
-public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
-
-    @Autowired
-    UserDetailServiceImpl customUserDetailService;
-
-    @Autowired
-    CustomAccessDecisionManager customAccessDecisionManager;
-
-    @Autowired
-    SecurityMetadataSourceService securityMetadataSourceService;
-
-    @Override
-    public void configure(WebSecurity web) throws Exception {
-        // 白名单
-        web.ignoring().antMatchers(Constants.LOGIN_PAGE, Constants.LOGIN, Constants.ORIGINAL_LOGIN_PAGE, Constants.ASSETS_URL, Constants.FAVICON_URL, Constants.CAPTCHA,
-                Constants.SERVICE_INTERFACE, Constants.LOGIN_FAILURE, Constants.UPSTREAM_URL, Constants.XD_CHILD_PAGES,
-                Constants.UP_RFID_URL, Constants.STATION_AND_SECTION_COUNT, Constants.FILE_AUTH);
-    }
-
-    @Override
-    protected void configure(AuthenticationManagerBuilder auth)
-            throws Exception {
-        auth.userDetailsService(customUserDetailService).passwordEncoder(
-                new BCryptPasswordEncoder(4));
-    }
-
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        http.authorizeRequests().antMatchers("/").permitAll().anyRequest()
-                .authenticated().and()
-                .formLogin()
-                //指定登录页
-                .loginPage(Constants.LOGIN_PAGE)
-                .loginProcessingUrl(Constants.LOGIN).permitAll()
-                .and().logout().logoutSuccessUrl(Constants.LOGIN_PAGE)
-                //禁用CXRF
-                .and().csrf().disable()
-                //禁用匿名用户功能
-                .anonymous().disable()
-                //允许 iframe
-                .headers().frameOptions().disable();
-
-        // 同时只保持一个回话 maxSessionsPreventsLogin(false)让之前的登录过期
-        http.sessionManagement().maximumSessions(1)
-                .expiredUrl(Constants.LOGIN_PAGE + "?error=true")
-                .maxSessionsPreventsLogin(false)
-                .sessionRegistry(sessionRegistry());
-
-        WhiteIpFilter whiteIpFilter = new WhiteIpFilter();
-        http.addFilterBefore(whiteIpFilter, FilterSecurityInterceptor.class);
-        http.addFilterBefore(new LoginInterceptor(), FilterSecurityInterceptor.class);
-        http.addFilterBefore(new AuthorityFilter(), FilterSecurityInterceptor.class);
-        http.addFilter(filterSecurityInterceptor());
-    }
-
-    private FilterSecurityInterceptor filterSecurityInterceptor()
-            throws Exception {
-        FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
-        filterSecurityInterceptor
-                .setAccessDecisionManager(customAccessDecisionManager);
-        filterSecurityInterceptor
-                .setSecurityMetadataSource(securityMetadataSourceService);
-        filterSecurityInterceptor
-                .setAuthenticationManager(authenticationManager());
-        return filterSecurityInterceptor;
-    }
-
-    @Bean
-    public SessionRegistry sessionRegistry() {
-        SessionRegistry sessionRegistry = new SessionRegistryImpl();
-        return sessionRegistry;
-    }
-
-    @Bean
-    public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
-        return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(
-                new HttpSessionEventPublisher());
-    }
-
-    @Bean
-    public HttpFirewall httpFirewall() {
-        return new DefaultHttpFirewall();
-    }
-}
+package com.bsth.security;
+
+import com.bsth.common.Constants;
+import com.bsth.filter.AccessLogFilter;
+import com.bsth.filter.AuthorityFilter;
+import com.bsth.filter.WhiteIpFilter;
+import com.bsth.security.filter.LoginInterceptor;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.firewall.DefaultHttpFirewall;
+import org.springframework.security.web.firewall.HttpFirewall;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
+
+@Configuration
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Autowired
+    UserDetailServiceImpl customUserDetailService;
+
+    @Autowired
+    CustomAccessDecisionManager customAccessDecisionManager;
+
+    @Autowired
+    SecurityMetadataSourceService securityMetadataSourceService;
+
+    @Override
+    public void configure(WebSecurity web) throws Exception {
+        // 白名单
+        web.ignoring().antMatchers(Constants.LOGIN_PAGE, Constants.LOGIN, Constants.ORIGINAL_LOGIN_PAGE, Constants.ASSETS_URL, Constants.FAVICON_URL, Constants.CAPTCHA,
+                Constants.SERVICE_INTERFACE, Constants.LOGIN_FAILURE, Constants.UPSTREAM_URL, Constants.XD_CHILD_PAGES,
+                Constants.UP_RFID_URL, Constants.STATION_AND_SECTION_COUNT, Constants.FILE_AUTH);
+    }
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder auth)
+            throws Exception {
+        auth.userDetailsService(customUserDetailService).passwordEncoder(
+                new BCryptPasswordEncoder(4));
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.authorizeRequests().antMatchers("/").permitAll().anyRequest()
+                .authenticated().and()
+                .formLogin()
+                //指定登录页
+                .loginPage(Constants.LOGIN_PAGE)
+                .loginProcessingUrl(Constants.LOGIN).permitAll()
+                .and().logout().logoutSuccessUrl(Constants.LOGIN_PAGE)
+                //禁用CXRF
+                .and().csrf().disable()
+                //禁用匿名用户功能
+                .anonymous().disable()
+                //允许 iframe
+                .headers().frameOptions().disable();
+
+        // 同时只保持一个回话 maxSessionsPreventsLogin(false)让之前的登录过期
+        http.sessionManagement().maximumSessions(1)
+                .expiredUrl(Constants.LOGIN_PAGE + "?error=true")
+                .maxSessionsPreventsLogin(false)
+                .sessionRegistry(sessionRegistry());
+
+        WhiteIpFilter whiteIpFilter = new WhiteIpFilter();
+        http.addFilterBefore(whiteIpFilter, FilterSecurityInterceptor.class);
+        http.addFilterBefore(new LoginInterceptor(), FilterSecurityInterceptor.class);
+        http.addFilterBefore(new AccessLogFilter(), FilterSecurityInterceptor.class);
+        http.addFilterBefore(new AuthorityFilter(), FilterSecurityInterceptor.class);
+        http.addFilter(filterSecurityInterceptor());
+    }
+
+    private FilterSecurityInterceptor filterSecurityInterceptor()
+            throws Exception {
+        FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
+        filterSecurityInterceptor
+                .setAccessDecisionManager(customAccessDecisionManager);
+        filterSecurityInterceptor
+                .setSecurityMetadataSource(securityMetadataSourceService);
+        filterSecurityInterceptor
+                .setAuthenticationManager(authenticationManager());
+        return filterSecurityInterceptor;
+    }
+
+    @Bean
+    public SessionRegistry sessionRegistry() {
+        SessionRegistry sessionRegistry = new SessionRegistryImpl();
+        return sessionRegistry;
+    }
+
+    @Bean
+    public static ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
+        return new ServletListenerRegistrationBean<HttpSessionEventPublisher>(
+                new HttpSessionEventPublisher());
+    }
+
+    @Bean
+    public HttpFirewall httpFirewall() {
+        return new DefaultHttpFirewall();
+    }
+}
-package com.bsth.security.filter;
-
-import com.alibaba.fastjson.JSON;
-import com.bsth.common.Constants;
-import com.bsth.common.ResponseCode;
-import com.bsth.util.RequestUtils;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.util.AntPathMatcher;
-import org.springframework.util.PathMatcher;
-
-import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.Map;
-
-/**
- *
- * @ClassName: LoginInterceptor
- * @Description: TODO(登录校验)
- * @author PanZhao
- * @date 2016年3月24日 上午11:49:20
- *
- */
-public class LoginInterceptor implements Filter {
-
-	private final PathMatcher pathMatcher = new AntPathMatcher();
-
-	/**
-	 * 白名单
-	 * 相比于 BaseFilter，此处对线调GPS请求进行了拦截验证
-	 */
-	private String[] whiteListURLs = { Constants.LOGIN_PAGE,Constants.CAPTCHA, Constants.ORIGINAL_LOGIN_PAGE, Constants.SERVICE_INTERFACE,
-			Constants.ASSETS_URL, Constants.FAVICON_URL, Constants.LOGIN,
-			Constants.LOGIN_FAILURE, Constants.UPSTREAM_URL, Constants.XD_CHILD_PAGES, Constants.UP_RFID_URL,
-			Constants.STATION_AND_SECTION_COUNT, Constants.VEHICLE_DATA_SYNC_URL, Constants.FILE_AUTH };
-
-
-	@Override
-	public void destroy() {
-
-	}
-
-
-	@Override
-	public void init(FilterConfig filterConfig) throws ServletException {
-
-	}
-
-	@Override
-	public void doFilter(ServletRequest request, ServletResponse response,
-						 FilterChain chain) throws IOException, ServletException {
-
-		HttpServletRequest httpRequest = (HttpServletRequest) request;
-		HttpServletResponse httpResponse = (HttpServletResponse) response;
-
-		String currentURL = httpRequest.getServletPath();
-
-		if (!isWhiteURL(currentURL) && request.getParameter("token") == null) {
-			Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-
-			if(null == authentication){
-				//没有登录
-
-				if(RequestUtils.isAjaxRequest(httpRequest)){
-					Map<String, Object> map = new HashMap<>();
-					map.put("status",
-							ResponseCode.NO_AUTHENTICATION);
-					response.getWriter().print(JSON.toJSONString(map));
-				}
-				else
-					httpResponse.sendRedirect(Constants.LOGIN_PAGE);
-
-				return;
-			}
-		}
-
-		chain.doFilter(request, response);
-	}
-
-	private boolean isWhiteURL(String currentURL) {
-		for (String whiteURL : whiteListURLs) {
-			if (pathMatcher.match(whiteURL, currentURL)) {
-				return true;
-			}
-		}
-		return false;
-	}
-
-}
+package com.bsth.security.filter;
+
+import com.alibaba.fastjson.JSON;
+import com.bsth.common.Constants;
+import com.bsth.common.ResponseCode;
+import com.bsth.util.RequestUtils;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.PathMatcher;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ *
+ * @ClassName: LoginInterceptor
+ * @Description: TODO(登录校验)
+ * @author PanZhao
+ * @date 2016年3月24日 上午11:49:20
+ *
+ */
+public class LoginInterceptor implements Filter {
+
+	private final PathMatcher pathMatcher = new AntPathMatcher();
+
+	/**
+	 * 白名单
+	 * 相比于 BaseFilter，此处对线调GPS请求进行了拦截验证
+	 */
+	private String[] whiteListURLs = { Constants.LOGIN_PAGE,Constants.CAPTCHA, Constants.ORIGINAL_LOGIN_PAGE, Constants.SERVICE_INTERFACE,
+			Constants.LOGIN_ASSETS_URL, Constants.FAVICON_URL, Constants.LOGIN,
+			Constants.LOGIN_FAILURE, Constants.UPSTREAM_URL, Constants.XD_CHILD_PAGES, Constants.UP_RFID_URL,
+			Constants.STATION_AND_SECTION_COUNT, Constants.VEHICLE_DATA_SYNC_URL, Constants.FILE_AUTH, "/e10adc3949ba59abbe56e057f20f883e.html", "/8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92.html"};
+
+
+	@Override
+	public void destroy() {
+
+	}
+
+
+	@Override
+	public void init(FilterConfig filterConfig) throws ServletException {
+
+	}
+
+	@Override
+	public void doFilter(ServletRequest request, ServletResponse response,
+						 FilterChain chain) throws IOException, ServletException {
+
+		HttpServletRequest httpRequest = (HttpServletRequest) request;
+		HttpServletResponse httpResponse = (HttpServletResponse) response;
+
+		String currentURL = httpRequest.getServletPath();
+
+		if (!isWhiteURL(currentURL) && request.getParameter("token") == null) {
+			Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+
+			if(null == authentication){
+				//没有登录
+
+				if(RequestUtils.isAjaxRequest(httpRequest)){
+					Map<String, Object> map = new HashMap<>();
+					map.put("status",
+							ResponseCode.NO_AUTHENTICATION);
+					response.getWriter().print(JSON.toJSONString(map));
+				}
+				else
+					httpResponse.sendRedirect(Constants.LOGIN_PAGE);
+
+				return;
+			}
+		}
+
+		chain.doFilter(request, response);
+	}
+
+	private boolean isWhiteURL(String currentURL) {
+		for (String whiteURL : whiteListURLs) {
+			if (pathMatcher.match(whiteURL, currentURL)) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+}