
二轮整改问题修改

xusl 1 năm trước cách đây
mục cha
commit
cd45493ec0

+ 20 - 2
backend/src/main/java/com/jiayue/ssi/aspectj/AgainVerifyAspect.java

@@ -3,6 +3,7 @@ package com.jiayue.ssi.aspectj;
 import cn.hutool.crypto.SmUtil;
 import com.jiayue.ssi.annotation.AgainVerify;
 import com.jiayue.ssi.constant.SecretKeyConstants;
+import com.jiayue.ssi.entity.SysUser;
 import com.jiayue.ssi.util.ResponseVO;
 import com.jiayue.ssi.util.SM2CryptUtils;
 import com.jiayue.ssi.util.SecurityContextUtil;
@@ -12,6 +13,7 @@ import org.aspectj.lang.annotation.Around;
 import org.aspectj.lang.annotation.Aspect;
 import org.aspectj.lang.annotation.Pointcut;
 import org.springframework.core.annotation.Order;
+import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.request.RequestAttributes;
 import org.springframework.web.context.request.RequestContextHolder;
@@ -49,10 +51,26 @@ public class AgainVerifyAspect {
         try {
             decryptPassword= SmUtil.sm3(againPwd).toUpperCase();
         } catch (Exception e) {
-            log.error("鉴别操作加密密码失败",e);
+//            log.error("鉴别操作加密密码失败",e);
             return ResponseVO.fail("鉴别失败,不能操作");
         }
-        if (!decryptPassword.equals(SM2CryptUtils.decrypt(SecurityContextUtil.getSysUser().getPassword(), SecretKeyConstants.SERVER_PRIVATE_KEY))) {
+
+        // 先检测存储密码的完整性
+        String dbpwd = "";
+        SysUser sysUser = SecurityContextUtil.getSysUser();
+        try {
+            dbpwd = SM2CryptUtils.decrypt(sysUser.getPassword(), SecretKeyConstants.SERVER_PRIVATE_KEY);
+        }
+        catch (Exception e1){
+            log.error("账号:"+sysUser.getUsername()+",数据库密码被破坏!");
+            return ResponseVO.fail("鉴别失败,不能操作");
+        }
+        if (!dbpwd.equals(sysUser.getCheckPassword())){
+            log.error("账号:"+sysUser.getUsername()+",数据库密码完整性校验失败!");
+            return ResponseVO.fail("鉴别失败,不能操作");
+        }
+
+        if (!decryptPassword.equals(dbpwd)) {
 //            log.error("鉴别失败,不能操作");
             return ResponseVO.fail("鉴别失败,不能操作");
         }
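Review bot: The integrity check at `if (!dbpwd.equals(sysUser.getCheckPassword()))` compares the decrypted digest against a column that, per the SysUserController change in this same commit, holds the very same SM3 digest in the clear, so the check carries no secret: anyone who can rewrite `password` in `sys_user` can rewrite `check_password` to match, and the unsalted digest the SM2 layer was meant to protect is now readable directly. If the goal is tamper detection, store an SM3-based MAC of the digest keyed with a server-side secret rather than the digest itself, and compare digests in constant time, e.g. `MessageDigest.isEqual(decryptPassword.getBytes(StandardCharsets.UTF_8), dbpwd.getBytes(StandardCharsets.UTF_8))`. The new `catch (Exception e1)` drops the cause and the earlier `log.error("鉴别操作加密密码失败",e)` is now commented out, so a corrupted record leaves no diagnosable trace; keep the throwable in the log call, `log.error("账号:" + sysUser.getUsername() + ",数据库密码被破坏!", e1);`. The added `BadCredentialsException` import does not appear to be used by anything in this hunk. The enclosing method starts before this hunk and continues after it.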

+ 1 - 1
backend/src/main/java/com/jiayue/ssi/aspectj/OperateLogAspect.java

@@ -227,7 +227,7 @@ public class OperateLogAspect {
                 // 手机号
                 value = DesensitizedUtil.mobilePhone(value);
             }
-            else if ("againPwd".equals(name) || "oldPassword".equals(name) || "newPassword".equals(name) || "confirmPassword".equals(name)){
+            else if ("againPwd".equals(name) || "oldPassword".equals(name) || "newPassword".equals(name) || "confirmPassword".equals(name)|| "bakPassword".equals(name)|| "checkPassword".equals(name)){
                 // 密码
                 value = DesensitizedUtil.password(value);
             }
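Review bot: The sensitive-parameter list at `else if ("againPwd".equals(name) || ... || "checkPassword".equals(name))` has grown to six chained comparisons and is easy to miss the next time a password-bearing field is added; a class-level constant reads better and keeps the policy in one place, e.g. `private static final Set<String> PASSWORD_PARAMS = new HashSet<>(Arrays.asList("againPwd", "oldPassword", "newPassword", "confirmPassword", "bakPassword", "checkPassword"));` with the branch reduced to `else if (PASSWORD_PARAMS.contains(name))`. Note that this masks only parameters matched by exact name; whether nested objects carrying these fields are also masked is not visible in this hunk. The enclosing method starts before this hunk and continues after it.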

+ 17 - 1
backend/src/main/java/com/jiayue/ssi/config/MyAuthenticationProvider.java

@@ -2,6 +2,7 @@ package com.jiayue.ssi.config;
 
 import cn.hutool.crypto.SmUtil;
 import com.jiayue.ssi.constant.SecretKeyConstants;
+import com.jiayue.ssi.entity.SysUser;
 import com.jiayue.ssi.util.SM2CryptUtils;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -42,7 +43,22 @@ public class MyAuthenticationProvider extends DaoAuthenticationProvider {
 //                this.logger.debug("Authentication failed: password does not match stored value");
 //                throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
 //            }
-                if (!decryptPassword.equals(SM2CryptUtils.decrypt(userDetails.getPassword(), SecretKeyConstants.SERVER_PRIVATE_KEY))) {
+                // 先检测存储密码的完整性
+                SysUser user = (SysUser) userDetails;
+                String dbpwd = "";
+                try {
+                    dbpwd = SM2CryptUtils.decrypt(user.getPassword(), SecretKeyConstants.SERVER_PRIVATE_KEY);
+                }
+                catch (Exception e1){
+                    this.logger.error("账号:"+user.getUsername()+",数据库密码被破坏!");
+                    throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
+                }
+                if (!dbpwd.equals(user.getCheckPassword())){
+                    this.logger.error("账号:"+user.getUsername()+",数据库密码完整性校验失败!");
+                    throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
+                }
+
+                if (!decryptPassword.equals(dbpwd)) {
                     this.logger.debug("Authentication failed: password does not match stored value");
                     throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
                 }
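Review bot: The `catch (Exception e1)` around `SM2CryptUtils.decrypt(...)` discards the cause, so a corrupted or mis-keyed stored credential is logged only as a one-line message; pass it through, `this.logger.error("账号:" + user.getUsername() + ",数据库密码被破坏!", e1);`. The cast `(SysUser) userDetails` is unchecked: if the configured UserDetailsService ever returns another UserDetails implementation the login fails with a ClassCastException rather than the BadCredentialsException the client is meant to see, so guard with `if (!(userDetails instanceof SysUser)) throw new BadCredentialsException(...)` before the cast. Both `equals` comparisons on digests are not constant-time; `MessageDigest.isEqual` on the UTF-8 bytes is the usual substitute. As in AgainVerifyAspect, `user.getCheckPassword()` holds the plain SM3 digest written by the controller, so this check detects accidental corruption of one column but not deliberate tampering by anyone with write access to the table. The enclosing method starts before this hunk and continues after it.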

+ 3 - 1
backend/src/main/java/com/jiayue/ssi/controller/SysUserController.java

@@ -443,7 +443,7 @@ public class SysUserController {
         // 再对密码sm2
         String sm2password = SM2CryptUtils.encrypt(sm3password,SecretKeyConstants.SERVER_PUBLIC_KEY);
 
-        boolean bo = sysUserService.resetPassword(Integer.parseInt(id), sm2password);
+        boolean bo = sysUserService.resetPassword(Integer.parseInt(id), sm2password,sm3password,sm2password);
         if (!bo) {
             return ResponseVO.fail("密码生成失败!");
         }
@@ -580,6 +580,8 @@ public class SysUserController {
             // 再次sm2加密
             String sm2password = SM2CryptUtils.encrypt(sm3newpwd,SecretKeyConstants.SERVER_PUBLIC_KEY);
             sysUser.setPassword(sm2password);
+            sysUser.setCheckPassword(sm3newpwd);
+            sysUser.setBakPassword(sm2password);
             sysUser.setLastUpdatePwdTime(new Date());
             boolean bo = sysUserService.updateById(sysUser);
             if (!bo) {
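Review bot: `sysUser.setCheckPassword(sm3newpwd)` (and `resetPassword(..., sm3password, ...)` in the first hunk) persists the raw, unsalted SM3 digest of the password next to its SM2 ciphertext, so anyone who can read `sys_user` gets an offline-crackable digest and the encryption of the `password` column no longer protects anything. If an integrity cross-check is required, store something that needs a server-held secret to forge, such as an SM3 MAC of the digest keyed with a server-side key, not the digest itself. `setBakPassword(sm2password)` writes the identical ciphertext, which as far as this hunk shows guards only against corruption of the `password` cell, not against loss of `SERVER_PRIVATE_KEY`; the accompanying comment should say so. Both enclosing methods start outside their hunks.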

+ 12 - 0
backend/src/main/java/com/jiayue/ssi/entity/SysUser.java

@@ -89,6 +89,16 @@ public class SysUser extends BaseEntity implements UserDetails {
     @JsonFormat(pattern = "yyyy-MM-dd",timezone="GMT+8")
     private Date expDate;
 
+    /**
+     * 检测密码
+     */
+    private String checkPassword;
+
+    /**
+     * 备份密码,用于保护性恢复
+     */
+    private String bakPassword;
+
     @Override
     public boolean isEnabled() {
         return true;
@@ -122,4 +132,6 @@ public class SysUser extends BaseEntity implements UserDetails {
     public String getPassword() {
         return password;
     }
+
+
 }
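Review bot: The new `checkPassword` and `bakPassword` fields carry no `@JsonIgnore`, and this class is already Jackson-annotated (`@JsonFormat` on `expDate`), so if a SysUser instance is ever serialized into a response the password digest and ciphertext go out with it; add `@JsonIgnore` above each field (it needs `com.fasterxml.jackson.annotation.JsonIgnore`, whose import block is outside this hunk) unless a DTO is confirmed to stand between the entity and every API. The field comments should also state what is actually stored, e.g. `/** SM3 digest of the password kept in the clear; compared against the decrypted password column as an integrity cross-check. */` and `/** Copy of the SM2-encrypted password, written alongside it on reset and change. */`. The second hunk only adds two trailing blank lines before the closing brace, which can be dropped. The class header starts before the first hunk.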

+ 2 - 2
backend/src/main/java/com/jiayue/ssi/mapper/SysUserMapper.java

@@ -29,8 +29,8 @@ public interface SysUserMapper extends BaseMapper<SysUser> {
      * @param password 新密码
      * @return 结果
      */
-    @Update("update sys_user t set t.password=#{password},t.last_update_pwd_time=null where t.id=#{id}")
-    public int resetPassword(Long id, String password);
+    @Update("update sys_user t set t.password=#{password},t.check_password=#{checkPassword},t.bak_password=#{bakPassword},t.last_update_pwd_time=null where t.id=#{id}")
+    public int resetPassword(Long id, String password,String checkPassword,String bakPassword);
     /**
      * 修改审核标识
      *

+ 1 - 1
backend/src/main/java/com/jiayue/ssi/service/SysUserService.java

@@ -61,7 +61,7 @@ public interface SysUserService extends IService<SysUser> {
      * @param initPassword  初始密码
      * @return
      */
-    boolean resetPassword(Integer id,String initPassword);
+    boolean resetPassword(Integer id,String initPassword,String checkPassword,String bakPassword);
     /**
      * 解锁用户
      * @param id
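Review bot: The Javadoc above `resetPassword` still documents only `id` and `initPassword` while the signature now takes two more arguments; add `@param checkPassword the SM3 digest written to sys_user.check_password` and `@param bakPassword the encrypted password copy written to sys_user.bak_password` so callers know the expected encoding of each value rather than inferring it from SysUserController. The interface declaration itself starts before this hunk.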

+ 2 - 2
backend/src/main/java/com/jiayue/ssi/service/impl/SysUserServiceImpl.java

@@ -142,8 +142,8 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserMapper, SysUser> impl
      */
     @Override
     @Transactional(propagation= Propagation.REQUIRED, rollbackFor = Exception.class)
-    public boolean resetPassword(Integer id,String initPassword) {
-        int count = sysUserMapper.resetPassword(Long.parseLong(id+""),initPassword);
+    public boolean resetPassword(Integer id,String initPassword,String checkPassword,String bakPassword) {
+        int count = sysUserMapper.resetPassword(Long.parseLong(id+""),initPassword,checkPassword,bakPassword);
         if (count > 0) {
             return true;
         }

+ 15 - 15
backend/src/test/java/com/jiayue/ssi/service/BcSm2Util.java

@@ -80,7 +80,7 @@ public class BcSm2Util {
 //        System.out.println(signold);
 
         // SM3加密密码
-        String sm3password = SmUtil.sm3("Jy147258").toUpperCase();
+        String sm3password = SmUtil.sm3("asbcde").toUpperCase();
          //再对密码sm2
 
         String keystore = SM2CryptUtils.encrypt(sm3password,SecretKeyConstants.SERVER_PUBLIC_KEY);
@@ -98,19 +98,19 @@ public class BcSm2Util {
 //        String mailPassWord = SM2CryptUtils.encrypt("jiayue123456",SecretKeyConstants.SERVER_PUBLIC_KEY);
 //        System.out.println("mailPassWord:"+mailPassWord);
 
-        String mailPassWord1 = SM2CryptUtils.encrypt("系统管理员(内置)",SecretKeyConstants.SERVER_PUBLIC_KEY);
-        System.out.println("mailPassWord1:"+mailPassWord1);
-        String mailPassWord2 = SM2CryptUtils.encrypt("审计管理员(内置)",SecretKeyConstants.SERVER_PUBLIC_KEY);
-        System.out.println("mailPassWord2:"+mailPassWord2);
-        String mailPassWord3 = SM2CryptUtils.encrypt("审核管理员(内置)",SecretKeyConstants.SERVER_PUBLIC_KEY);
-        System.out.println("mailPassWord3:"+mailPassWord3);
-        String mailPassWord4 = SM2CryptUtils.encrypt("业务审计员",SecretKeyConstants.SERVER_PUBLIC_KEY);
-        System.out.println("mailPassWord4:"+mailPassWord4);
-        String mailPassWord5 = SM2CryptUtils.encrypt("业务管理员",SecretKeyConstants.SERVER_PUBLIC_KEY);
-        System.out.println("mailPassWord5:"+mailPassWord5);
-        String mailPassWord6 = SM2CryptUtils.encrypt("业务操作员",SecretKeyConstants.SERVER_PUBLIC_KEY);
-        System.out.println("mailPassWord6:"+mailPassWord6);
-        String mailPassWord7 = SM2CryptUtils.encrypt("业务配置员",SecretKeyConstants.SERVER_PUBLIC_KEY);
-        System.out.println("mailPassWord7:"+mailPassWord7);
+//        String mailPassWord1 = SM2CryptUtils.encrypt("系统管理员(内置)",SecretKeyConstants.SERVER_PUBLIC_KEY);
+//        System.out.println("mailPassWord1:"+mailPassWord1);
+//        String mailPassWord2 = SM2CryptUtils.encrypt("审计管理员(内置)",SecretKeyConstants.SERVER_PUBLIC_KEY);
+//        System.out.println("mailPassWord2:"+mailPassWord2);
+//        String mailPassWord3 = SM2CryptUtils.encrypt("审核管理员(内置)",SecretKeyConstants.SERVER_PUBLIC_KEY);
+//        System.out.println("mailPassWord3:"+mailPassWord3);
+//        String mailPassWord4 = SM2CryptUtils.encrypt("业务审计员",SecretKeyConstants.SERVER_PUBLIC_KEY);
+//        System.out.println("mailPassWord4:"+mailPassWord4);
+//        String mailPassWord5 = SM2CryptUtils.encrypt("业务管理员",SecretKeyConstants.SERVER_PUBLIC_KEY);
+//        System.out.println("mailPassWord5:"+mailPassWord5);
+//        String mailPassWord6 = SM2CryptUtils.encrypt("业务操作员",SecretKeyConstants.SERVER_PUBLIC_KEY);
+//        System.out.println("mailPassWord6:"+mailPassWord6);
+//        String mailPassWord7 = SM2CryptUtils.encrypt("业务配置员",SecretKeyConstants.SERVER_PUBLIC_KEY);
+//        System.out.println("mailPassWord7:"+mailPassWord7);
     }
 }
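Review bot: Replacing `"Jy147258"` with `"asbcde"` does not remove the old value from git history, and the commented-out `SM2CryptUtils.encrypt("jiayue123456", ...)` line just above this hunk still leaves a literal credential in the file; if either string was ever used as a live initial or mail password it should be rotated, and a test utility should read such values from an environment variable or a fixture rather than source. The seven `mailPassWordN` lines were commented out rather than deleted, which keeps dead code around; remove them outright, since the history already preserves them.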