Skilled in Java, Spring Boot, Spring Cloud, microservices, middleware, big data and related areas. Please follow my WeChat official account: 「陶陶技术笔记」
Official Account | Personal Blog | OSChina | CSDN | GitChat |
---|---|---|---|---|
陶陶技术笔记 | ZLT's Blog | My OSCHINA | My CSDN | My GitChat |
An enterprise-grade multi-tenant microservice system architecture based on Spring Boot 2.x, Spring Cloud and Spring Cloud Alibaba, with a separated front end and back end. It takes a component-based approach to achieve high cohesion and low coupling; the code is concise and richly commented, easy to pick up, and suitable both for learning and for use in enterprises. It implements a truly stateless unified authentication and authorization solution based on RBAC, JWT and OAuth2, designed for the internet and suitable for both B2B and B2C users, supports CI/CD deployment to multiple environments, and provides application management to make third-party system integration easy; it also brings together various microservice governance and monitoring features. Modules include: enterprise-grade authentication system, development platform, application monitoring, slow SQL monitoring, unified logging, single sign-on, Redis distributed cache, configuration center, distributed task scheduling, API documentation, code generation, and more.
Home Page: http://zlt2000.cn
License: Apache License 2.0
Database table names are usually of the form t_xxx or t_xxx_yyy. The replace function replaces tablePrefix with "", but if there is a table named t_event_message, the generated Java file ends up as EvenMessage, which is obviously not what we want. Consider this improvement instead: tableName = tableName.substring(tablePrefix.length(), tableName.length());
Why do the online docs require payment to read?
/**
 * Adds an array of entries to the cache with an expiry time in one go, so the
 * connection is not opened repeatedly and overhead is saved
 *
 * @param keys   array of redis keys
 * @param values array of values
 * @param time   expiry time (in seconds)
 */
public void setExpire(final String[] keys, final Object[] values, final long time) {
    for (int i = 0; i < keys.length; i++) {
        redisTemplate.opsForValue().set(keys[i], values[i], time, TimeUnit.SECONDS);
    }
}
In the code above, how does it avoid opening multiple connections and save overhead?
Recently, our team has identified a security vulnerability in the latest version of the project. This vulnerability allows attackers to potentially upload arbitrary files to the server through malicious requests, thereby gaining control over server permissions.
The logic of the vulnerability is present in the following file: com/central/file/controller/FileController.java#upload.
Developers did not check the filename of the uploaded file when using com/central/file/service/impl/FastdfsService.java#uploadFile() to upload the file.
As a result, attackers could exploit this by submitting a malicious filename, such as ../../../pwned.txt, to achieve arbitrary file upload, which poses a threat to server security.
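The mitigation the report implies is to validate the client-supplied filename before it reaches the storage backend. The following is an added example written for this page, not the project's FileController or FastdfsService code; the allow-list of extensions, the class name and the upload root path are hypothetical, and it assumes Java 11 or newer.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Added example (not the project's FileController): validate a client-supplied filename before storage. */
public final class UploadFilenamePolicy {
    // Hypothetical allow-list; tighten or extend it to what the service really needs to accept.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("jpg", "jpeg", "png", "gif", "pdf", "txt");
    // Letters, digits, dot, dash, underscore only; no separators, no leading dot, at most 128 characters.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$");

    /** Returns the filename if it is acceptable, otherwise throws; callers should log the rejection. */
    public static String validate(String clientFilename) {
        if (clientFilename == null || clientFilename.isBlank()) {
            throw new IllegalArgumentException("filename missing");
        }
        // Reject rather than strip: a separator or ".." in an upload name is a signal worth alerting on.
        if (!SAFE_NAME.matcher(clientFilename).matches() || clientFilename.contains("..")) {
            throw new IllegalArgumentException("unsafe filename: " + clientFilename);
        }
        int dot = clientFilename.lastIndexOf('.');
        String ext = dot < 0 ? "" : clientFilename.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("extension not allowed: " + clientFilename);
        }
        return clientFilename;
    }

    /** Defence in depth for local storage backends: the resolved path must stay inside the upload root. */
    public static Path resolveInside(Path uploadRoot, String validatedName) {
        Path root = uploadRoot.toAbsolutePath().normalize();
        Path target = root.resolve(validatedName).normalize();
        if (!target.startsWith(root)) {
            throw new SecurityException("path escapes upload root: " + validatedName);
        }
        return target;
    }

    public static void main(String[] args) {
        System.out.println("accepted: " + validate("report.pdf"));
        // Hypothetical upload root used only for the demonstration.
        System.out.println("stored at: " + resolveInside(Paths.get("/srv/uploads"), "report.pdf"));
        // The traversal name from the report above, plus other shapes the policy refuses.
        for (String bad : new String[]{"../../../pwned.txt", "page.jsp", "a b.txt", ".htaccess", "x\u0000.png"}) {
            try { validate(bad); } catch (RuntimeException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```

Even with this check in place, the server should generate its own storage name (for example a random id plus the validated extension) and never reuse the client value as the on-disk path.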
Hi,
I am a bit concerned while using the project's code for my own microservice because I noticed that the state parameter in the redirect URL is missing.
RFC 6749 strongly recommends the presence of the state param because the absence of the state param can essentially enable an attacker to perform a Cross Site Request Forgery (CSRF) attack [1].
The following code snippet is what I am talking about; it is from the getAccessToken method in the ApiController rest controller class, where parameters of the redirect URL such as code, grant_type, redirect_uri and scope are constructed.
// zlt-demo/sso-demo/web-sso/src/main/java/com/sso/demo/controller/ApiController.java
param.add("code", code);
param.add("grant_type", "authorization_code");
param.add("redirect_uri", redirectUri);
param.add("scope", "app");
I want to know your view on this security concern and how it can affect the security of my application against a CSRF attack, as mentioned in the RFC 6749 document.
Thanks in advance.
References:
[1] RFC 6749, The OAuth 2.0 Authorization Framework: Cross-Site Request Forgery
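What the state parameter adds to the code flow above, as an added example written for this page (not the project's ApiController): the client issues a random state per browser session, sends it with the authorization request, and refuses to exchange the returned code unless the callback carries the same state. The class name, endpoint URLs and session ids are hypothetical; session storage is a plain map standing in for the HTTP session. Assumes Java 11 or newer.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example (not the project's ApiController): bind the authorization code flow to the session with state. */
public final class OAuthStateGuard {
    private static final SecureRandom RNG = new SecureRandom();
    // session id -> pending state; in a real service this lives in the HTTP session or a server-side store
    private final Map<String, String> pendingStates = new ConcurrentHashMap<>();

    /** Step 1: create a fresh, unguessable state and remember it for this browser session. */
    public String issueState(String sessionId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pendingStates.put(sessionId, state);
        return state;
    }

    /** Step 2: the authorization request carries the state alongside client_id, redirect_uri and scope. */
    public String buildAuthorizeUrl(String authorizeEndpoint, String clientId, String redirectUri, String state) {
        return authorizeEndpoint + "?response_type=code&client_id=" + clientId
                + "&redirect_uri=" + URLEncoder.encode(redirectUri, StandardCharsets.UTF_8)
                + "&scope=app&state=" + state;
    }

    /** Step 3: on the callback, consume the stored state once and compare in constant time;
     *  only if this returns true may the returned code be exchanged for a token. */
    public boolean consumeAndVerify(String sessionId, String returnedState) {
        String expected = pendingStates.remove(sessionId);
        if (expected == null || returnedState == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                returnedState.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        OAuthStateGuard guard = new OAuthStateGuard();
        String state = guard.issueState("sess-1");
        System.out.println(guard.buildAuthorizeUrl("https://auth.example/oauth/authorize", "webApp", "https://sso.example/callback", state));
        System.out.println("genuine callback accepted: " + guard.consumeAndVerify("sess-1", state));
        System.out.println("replayed state accepted:   " + guard.consumeAndVerify("sess-1", state));
        System.out.println("forged callback accepted:  " + guard.consumeAndVerify("sess-2", "not-the-issued-value"));
    }
}
```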
The in and instanceof expressions in JS
a in obj;
a instanceof C;
can be negated by grouping them and applying the ! operator, i.e.
!(a in obj);
!(a instanceof C);
Applying the ! operator incorrectly (on the LHS operand) leads to bugs:
!a in obj; // will evaluate to false, unless obj has a "true" or "false" key
!a instanceof C; // will evaluate to false, unless C overrides instanceof with a @@hasInstance method
For more information, please see these MDN docs and the no-unsafe-negation recommended ESLint rule.
I have found a potentially problematic instance of the above bugs in your codebase:
RocketMQ environment:
version 4.7 (all)
broker conf:
#brokerIP1=localhost
namesrvAddr=localhost:9876
autoCreateTopicEnable= true
autoCreateSubscriptionGroup=true
Running
http://localhost:11002/success
throws the exception: No route info of this topic TransactionTopic
After all kinds of attempts failed, I finally checked the dependencies.
After changing the RocketMQ dependency in the pom to org.springframework.cloud, it runs normally.
<!--<dependency>-->
<!--<groupId>com.alibaba.cloud</groupId>-->
<!--<artifactId>spring-cloud-starter-stream-rocketmq</artifactId>-->
<!--</dependency>-->
<!-- <dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-stream-rocketmq</artifactId>
<version>0.9.0.RELEASE</version>
</dependency>
-->
Thanks zlt2000
Are there packaging and start/stop scripts?
JDK 9+ removed the Base64 encoder and decoder under the misc package.
Affected:
com.central.common.utils.RsaUtils
com.sso.demo.controller.ApiController
The following approach could be used for compatibility:
Base64.Encoder encoder = Base64.getEncoder();
String encode = encoder.encodeToString(text2.getBytes());
Base64.Decoder decoder = Base64.getDecoder();
byte[] decode = decoder.decode(encodeValue2);
After logging in to mp.zlt2000.cn as the admin user and looking at LocalStorage, two entries can be seen:
1. login_user
It contains the admin user's encrypted password as well as a lot of information about the logged-in user
{
  "id": 1,
  "createTime": 1510909019000,
  "updateTime": 1548229920000,
  "username": "admin",
  "password": "$2a$10$TJkwVdlpbHKnV45.nBxbgeFHmQRmyWlshg94lFu2rKxVtT2OMniDO",
  "nickname": "管理员",
  "headImgUrl": "http://file.zlt2000.cn/group1/M00/00/00/rBJttFztYwyABaTaAAaskHJyvCo696.jpg",
  "mobile": "18888888888",
  "sex": 1,
  "enabled": true,
  "type": "APP",
  "openId": "123",
  "roles": [
    {
      "id": 1,
      "createTime": 1510909019000,
      "updateTime": 1537321150000,
      "code": "ADMIN",
      "name": "管理员",
      "userId": null
    }
  ],
  "roleId": null,
  "oldPassword": null,
  "newPassword": null,
  "permissions": [
    "user-btn-add",
    "user-list",
    "user-roles",
    "user-btn-export",
    "user-btn-import"
  ],
  "userId": "123",
  "accountNonExpired": true,
  "accountNonLocked": true,
  "credentialsNonExpired": true,
  "del": false
}
2. token
It contains the OAuth2 access token and refresh token
{
  "access_token": "f80ecd30-fd5f-4597-8416-66092672e78d",
  "token_type": "bearer",
  "refresh_token": "bab98952-0359-4ec7-9930-2ca3613e3bb8",
  "expires_in": 3334,
  "scope": "app"
}
Questions:
1. Storing such important information, especially the encrypted password and the tokens, in LocalStorage: how is this protected if an XSS attack occurs? How is the security of the site guaranteed?
2. Also, mp.zlt2000.cn uses a cookie as well. Is session management still done by associating the cookie with a session on the gateway? If so, what is the OAuth2 access token handed to the front end used for? Does the access token need to be given to the browser at all?
The packaging command is: mvn clean package -Dmaven.test.skip=true
The error is as follows:
[ERROR] Failed to execute goal on project zlt-db-spring-boot-starter: Could not resolve dependencies for project com.zlt:zlt-db-spring-boot-starter:jar:5.0.0: The following artifacts could not be resolved: com.sun:tools:jar:1.8, com.sun:jconsole:jar:1.8: Could not find artifact com.sun:tools:jar:1.8 at specified path /Users/cmlanche/.m2/repository/com/alibaba/druid/1.2.6/lib/openjdk-1.8-tools.jar -> [Help 1]
Couldn't find the multi-tenant module.
Problem description: under Applications there are "app" and pc. In the token list I select app, choose the corresponding token and click delete; the list on the page loses one row and a success message is shown.
But after refreshing, the data has not actually been deleted. Looking in redis,
client_id_to_access:* shows that the corresponding token is still in the list.
Tracing the code, in CustomRedisTokenStore's removeAccessToken:
conn.get(accessKey);
conn.get(authKey);
List results = conn.closePipeline();
byte[] access = (byte[]) results.get(0);
byte[] auth = (byte[]) results.get(1);
In fact both accessKey and authKey can be found in redis, but results.get(0) almost always returns null (only occasionally does it return a value).
If null is returned,
then:
conn.lRem(unameKey, 1, access);
conn.lRem(clientId, 1, access);
conn.del(serialize(ACCESS + key));
these lines are not executed, so the list entries in lRem are not removed.
Refreshing again shows what is in the figure above: duplicates, and entries whose username and other information do not exist. The root cause is that results.get(0) and results.get(1) have no value, so lRem is not executed.
Evidence:
2. When openPipeline, closePipeline etc. are commented out and the synchronous approach is used instead, as follows:
byte[] access = conn.get(accessKey);
byte[] auth = conn.get(authKey);
then 3.5, 3.6 and 3.7 all work without problems.
3. We tried redis cluster 4.0.11 and 5.0.3 with the same result, so a dependency on the version can probably be ruled out.
The above tests may not be complete, but I hope someone can help take a look and clear this up.
I see that Alibaba's TransmittableThreadLocal is used, but I couldn't find where the decoration is done. Is it done via a Java agent?
Add the appassembler-maven-plugin packaging plugin
In zlt-log, the @Component annotation on the WebTraceFilter class does not take effect, so the OncePerRequestFilter logic is not executed on microservice calls. After commenting out @Component and registering this class in spring.factories, logging in the called microservice shows the traceId.
-- The above is my personal view; if I have misunderstood something, please correct me, thanks