diff --git "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
index 4a4dcd8..3ea55bd 100644
--- "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
+++ "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
@@ -1101,7 +1101,7 @@
- 24、Log地址格式兼容,支持非"/"结尾路径配置;
- 25、底层系统日志级别规范调整,清理遗留代码;
- 26、建表SQL优化,支持同步创建制定编码的库和表;
-- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密;
+- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密,同时Cookie启用HttpOnly;
### TODO LIST
diff --git "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
index 4a4dcd8..3ea55bd 100644
--- "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
+++ "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
@@ -1101,7 +1101,7 @@
- 24、Log地址格式兼容,支持非"/"结尾路径配置;
- 25、底层系统日志级别规范调整,清理遗留代码;
- 26、建表SQL优化,支持同步创建制定编码的库和表;
-- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密;
+- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密,同时Cookie启用HttpOnly;
### TODO LIST
diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
index da7f699..1d6facf 100644
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
@@ -17,7 +17,8 @@
* @author xuxueli 2015-12-12 18:09:04
*/
public class PermissionInterceptor extends HandlerInterceptorAdapter {
-
+
+ public static final String LOGIN_IDENTITY_KEY = "XXL_JOB_LOGIN_IDENTITY";
public static final String LOGIN_IDENTITY_TOKEN;
static {
@@ -30,7 +31,9 @@
LOGIN_IDENTITY_TOKEN = tokenTmp;
}
-
+
+
+ public static boolean login(HttpServletResponse response, String username, String password, boolean ifRemember){ // login token
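Review bot: The new public constant `LOGIN_IDENTITY_KEY` in the `@@ -17` hunk has no Javadoc, and as a `public static final` on the interceptor it reads as part of the class API. I'd add `/** Name of the cookie that carries the login identity token. */` above it; the hunk does not show where the key is read or written, so that wording is inferred from the name and from the CookieUtil changes in the same commit and should be confirmed against the actual writer. The `login` method whose signature closes the `@@ -30` hunk continues outside the hunk.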
@@ -56,6 +59,8 @@
return true;
}
+
+ @Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
diff --git "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md" "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
index 4a4dcd8..3ea55bd 100644
--- "a/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
+++ "b/doc/XXL-JOB\345\256\230\346\226\271\346\226\207\346\241\243.md"
@@ -1101,7 +1101,7 @@
- 24、Log地址格式兼容,支持非"/"结尾路径配置;
- 25、底层系统日志级别规范调整,清理遗留代码;
- 26、建表SQL优化,支持同步创建制定编码的库和表;
-- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密;
+- 27、系统安全性优化,登陆Token写Cookie时进行MD5加密,同时Cookie启用HttpOnly;
### TODO LIST
diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
index da7f699..1d6facf 100644
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/interceptor/PermissionInterceptor.java
@@ -17,7 +17,8 @@
* @author xuxueli 2015-12-12 18:09:04
*/
public class PermissionInterceptor extends HandlerInterceptorAdapter {
-
+
+ public static final String LOGIN_IDENTITY_KEY = "XXL_JOB_LOGIN_IDENTITY";
public static final String LOGIN_IDENTITY_TOKEN;
static {
@@ -30,7 +31,9 @@
LOGIN_IDENTITY_TOKEN = tokenTmp;
}
-
+
+
+ public static boolean login(HttpServletResponse response, String username, String password, boolean ifRemember){ // login token
@@ -56,6 +59,8 @@
return true;
}
+
+ @Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
diff --git a/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java b/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
index 28baa21..31f30ee 100644
--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/core/util/CookieUtil.java
@@ -6,9 +6,11 @@
/**
* Cookie.Util
+ *
* @author xuxueli 2015-12-12 18:01:06
*/
public class CookieUtil {
+ // 默认缓存时间,单位/秒, 2H
private static final int COOKIE_MAX_AGE = 60 * 60 * 2;
// 保存路径,根路径
@@ -16,43 +18,39 @@
/**
* 保存
+ *
* @param response
* @param key
* @param value
* @param ifRemember
*/
public static void set(HttpServletResponse response, String key, String value, boolean ifRemember) {
-
- int age = COOKIE_MAX_AGE;
- if (ifRemember) {
- age = COOKIE_MAX_AGE;
- } else {
- age = -1;
- }
-
- Cookie cookie = new Cookie(key, value);
- cookie.setMaxAge(age); // Cookie过期时间,单位/秒
- cookie.setPath(COOKIE_PATH); // Cookie适用的路径
- response.addCookie(cookie);
+ int age = ifRemember?COOKIE_MAX_AGE:-1;
+ set(response, key, value, null, COOKIE_PATH, age, true);
}
/**
* 保存
+ *
* @param response
* @param key
* @param value
* @param maxAge
*/
- private static void set(HttpServletResponse response,
- String key, String value, int maxAge, String path) {
+ private static void set(HttpServletResponse response, String key, String value, String domain, String path, int maxAge, boolean isHttpOnly) {
Cookie cookie = new Cookie(key, value);
- cookie.setMaxAge(maxAge); // Cookie过期时间,单位/秒
- cookie.setPath(path); // Cookie适用的路径
+ if (domain != null) {
+ cookie.setDomain(domain);
+ }
+ cookie.setPath(path);
+ cookie.setMaxAge(maxAge);
+ cookie.setHttpOnly(isHttpOnly);
response.addCookie(cookie);
}
/**
* 查询value
+ *
* @param request
* @param key
* @return
@@ -67,6 +65,7 @@
/**
* 查询Cookie
+ *
* @param request
* @param key
*/
@@ -84,6 +83,7 @@
/**
* 删除Cookie
+ *
* @param request
* @param response
* @param key
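Review bot: The rewritten private `set` overload in the `@@ -16` hunk enables `HttpOnly` but never calls `setSecure`, so a cookie written through the public `set(response, key, value, ifRemember)` is still transmitted on plaintext HTTP; HttpOnly only blocks script access, it does nothing against interception on the wire. I'd extend the overload with a `boolean isSecure` parameter and add `cookie.setSecure(isSecure);` next to `cookie.setHttpOnly(isHttpOnly);`, with the public overload taking the flag from configuration, since it has no `HttpServletRequest` in scope to call `isSecure()` on. `Cookie.setHttpOnly` is a Servlet 3.0 API, which nothing in the hunk lets me confirm the project targets. The `ifRemember` line also deserves a why-comment because the two values have different lifetimes: `// remember: persist for COOKIE_MAX_AGE seconds; otherwise browser-session cookie (-1)`.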
@@ -91,7 +91,7 @@
public static void remove(HttpServletRequest request, HttpServletResponse response, String key) {
Cookie cookie = get(request, key);
if (cookie != null) {
- set(response, key, "", 0, COOKIE_PATH);
+ set(response, key, "", null, COOKIE_PATH, 0, true);
}
}