
改为undertow启动,修复appscan漏洞

xusl 1 år sedan
förälder
incheckning
dba1677e21

+ 11 - 11
backend/pom.xml

@@ -55,13 +55,17 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
             <version>${spring-boot.version}</version>
-<!--            <exclusions>-->
-<!--                &lt;!&ndash;排除tomcat依赖&ndash;&gt;-->
-<!--                <exclusion>-->
-<!--                    <artifactId>spring-boot-starter-tomcat</artifactId>-->
-<!--                    <groupId>org.springframework.boot</groupId>-->
-<!--                </exclusion>-->
-<!--            </exclusions>-->
+            <exclusions>
+                <!--排除tomcat依赖-->
+                <exclusion>
+                    <artifactId>spring-boot-starter-tomcat</artifactId>
+                    <groupId>org.springframework.boot</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-undertow</artifactId>
         </dependency>
         <!--mysql 驱动-->
         <dependency>
@@ -132,10 +136,6 @@
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-undertow</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
             <scope>test</scope>
         </dependency>
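Review bot: The new `spring-boot-starter-undertow` dependency added in the first hunk carries no `<version>`, while the `spring-boot-starter-web` entry directly above it pins `${spring-boot.version}` explicitly; unless this module inherits the Spring Boot parent or imports its BOM in `dependencyManagement` (not visible here), the artifact will not resolve. Either add `<version>${spring-boot.version}</version>` for consistency with the sibling starter, or confirm the BOM import. The Tomcat exclusion only covers `spring-boot-starter-web`; any other starter that pulls `spring-boot-starter-tomcat` transitively would leave both servlet containers on the classpath, which is worth a check with `mvn dependency:tree` before relying on Undertow being the one that starts.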

+ 1 - 49
backend/src/main/java/com/jiayue/ssi/SsiApplication.java

@@ -1,17 +1,10 @@
 package com.jiayue.ssi;
 
 import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties;
-//import org.apache.catalina.Context;
-//import org.apache.catalina.connector.Connector;
-//import org.apache.tomcat.util.descriptor.web.SecurityCollection;
-//import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
 import org.mybatis.spring.annotation.MapperScan;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-//import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
-//import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
-//import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
-//import org.springframework.context.annotation.Bean;
+
 
 /**
  * TODO
@@ -26,45 +19,4 @@ public class SsiApplication {
     public static void main(String[] args) {
         SpringApplication.run(SsiApplication.class, args);
     }
-
-//    @Bean
-//    public ConfigurableServletWebServerFactory webServerFactory() {
-//        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
-//        factory.addConnectorCustomizers(new TomcatConnectorCustomizer() {
-//            @Override
-//            public void customize(Connector connector) {
-//                connector.setProperty("relaxedQueryChars", "|{}[]");//允许的特殊字符
-//            }
-//        });
-//        return factory;
-//    }
-
-//    @Bean
-//    public TomcatServletWebServerFactory servletContainer() {
-//        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory() {
-//            @Override
-//            protected void postProcessContext(Context context) {
-//                SecurityConstraint constraint = new SecurityConstraint();
-//                constraint.setUserConstraint("CONFIDENTIAL");
-//                SecurityCollection collection = new SecurityCollection();
-//                collection.addPattern("/*");
-//                constraint.addCollection(collection);
-//                context.addConstraint(constraint);
-//            }
-//        };
-//        tomcat.addAdditionalTomcatConnectors(httpConnector());
-//        return tomcat;
-//    }
-//
-//    @Bean
-//    public Connector httpConnector() {
-//        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
-//        connector.setScheme("http");
-//        //Connector监听的http的端口号
-//        connector.setPort(8887);
-//        connector.setSecure(false);
-//        //监听到http的端口号后转向到的https的端口号
-//        connector.setRedirectPort(8888);
-//        return connector;
-//    }
 }

+ 0 - 39
backend/src/main/java/com/jiayue/ssi/config/TomcatCustomizer.java

@@ -1,39 +0,0 @@
-package com.jiayue.ssi.config;
-
-import org.apache.tomcat.util.descriptor.web.SecurityCollection;
-import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
-import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
-import org.springframework.boot.web.servlet.server.ConfigurableServletWebServerFactory;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-/**
-*
-*
-* @author xsl
-* @since 2023/07/11
-*/
-@Configuration
-public class TomcatCustomizer{
-    @Bean
-    public ConfigurableServletWebServerFactory configurableServletWebServerFactory() {
-        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
-        factory.addContextCustomizers(context -> {
-            SecurityConstraint securityConstraint = new SecurityConstraint();
-            securityConstraint.setUserConstraint("CONFIDENTIAL");
-            SecurityCollection collection = new SecurityCollection();
-            collection.addPattern("/*");
-            collection.addMethod("HEAD");
-            collection.addMethod("PUT");
-            collection.addMethod("DELETE");
-            collection.addMethod("OPTIONS");
-            collection.addMethod("TRACE");
-            collection.addMethod("COPY");
-            collection.addMethod("SEARCH");
-            collection.addMethod("PROPFIND");
-            securityConstraint.addCollection(collection);
-            context.addConstraint(securityConstraint);
-        });
-        return factory;
-    }
-}

+ 2 - 2
backend/src/main/java/com/jiayue/ssi/config/WebSecurityConfig.java

@@ -96,8 +96,8 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
         httpSecurity.addFilterBefore(new VerifyCodeFilter(), LogoutFilter.class);
         httpSecurity.addFilterBefore(new MailCodeFilter(), LogoutFilter.class);
         httpSecurity.addFilterBefore(new JwtAuthenticationTokenFilter(userServiceImpl, jwtTokenUtil, sysUserService,bfhhs), LogoutFilter.class);
-        httpSecurity.headers().frameOptions().disable();
-        httpSecurity.headers().httpStrictTransportSecurity().includeSubDomains(true).preload(true).maxAgeInSeconds(31536000);
+//        httpSecurity.headers().frameOptions().disable();
+//        httpSecurity.headers().httpStrictTransportSecurity().includeSubDomains(true).preload(true).maxAgeInSeconds(31536000);
         httpSecurity
                 // 由于使用的是JWT,我们这里不需要csrf
                 .csrf().disable()
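Review bot: With `frameOptions().disable()` now commented out, Spring Security's header writer will emit its default `X-Frame-Options: DENY`, while `InterfaceLimitFilter` in this same commit sets that header to `SAMEORIGIN`; the response now has two competing sources for one header and which value the client sees presumably depends on filter order. Pick one place, e.g. `httpSecurity.headers().frameOptions().sameOrigin();` here and drop the `setHeader` call in the filter. Commenting out the HSTS line falls back to Spring Security's default HSTS policy rather than removing the header, which looks intentional but deserves a sentence in the commit message, and the two dead lines should be deleted rather than left commented out. The deleted `TomcatCustomizer` was the only code restricting HEAD/PUT/DELETE/OPTIONS/TRACE/COPY/SEARCH/PROPFIND, and nothing here re-establishes that under Undertow; if the restriction is still wanted, something like `.antMatchers(HttpMethod.TRACE, "/**").denyAll()` in the `authorizeRequests()` chain is the equivalent. The enclosing `configure` method starts and ends outside the hunk.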

+ 3 - 0
backend/src/main/java/com/jiayue/ssi/entity/SysLogininfor.java

@@ -1,5 +1,7 @@
 package com.jiayue.ssi.entity;
 
+import com.baomidou.mybatisplus.annotation.IdType;
+import com.baomidou.mybatisplus.annotation.TableId;
 import com.fasterxml.jackson.annotation.JsonFormat;
 
 import java.util.Date;
@@ -14,6 +16,7 @@ public class SysLogininfor extends BaseEntity
     private static final long serialVersionUID = 1L;
 
     /** ID */
+    @TableId(type = IdType.AUTO)
     private Long infoId;
 
     /** 用户账号 */
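Review bot: The `@TableId(type = IdType.AUTO)` additions here and in `SysOperLog` are unrelated to the commit's stated purpose (switching to Undertow and AppScan fixes) and change how MyBatis-Plus assigns the primary key on insert, from the framework default to database auto-increment; that is a behavioural change for the two audit-log tables and belongs in its own commit or at least in the message. A one-line comment such as `// DB-generated key; the audit-log tables use AUTO_INCREMENT` above the annotation would also save the next reader from guessing why these two entities differ from the rest.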

+ 3 - 0
backend/src/main/java/com/jiayue/ssi/entity/SysOperLog.java

@@ -1,6 +1,8 @@
 package com.jiayue.ssi.entity;
 
+import com.baomidou.mybatisplus.annotation.IdType;
 import com.baomidou.mybatisplus.annotation.TableField;
+import com.baomidou.mybatisplus.annotation.TableId;
 import com.fasterxml.jackson.annotation.JsonFormat;
 
 import java.util.Date;
@@ -14,6 +16,7 @@ public class SysOperLog extends BaseEntity {
     private static final long serialVersionUID = 1L;
 
     /** 日志主键 */
+    @TableId(type = IdType.AUTO)
     private Long operId;
 
     /** 操作模块 */

+ 3 - 0
backend/src/main/java/com/jiayue/ssi/filter/InterfaceLimitFilter.java

@@ -39,6 +39,9 @@ public class InterfaceLimitFilter extends OncePerRequestFilter {
         response.setHeader("X-Content-Type-Options","nosniff");
         response.setHeader("X-XSS-Protection","1; mode=block");
         response.setHeader("X-Frame-Options","SAMEORIGIN");
+        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, max-age=0");
+        response.setHeader("Cache-Control", "no-cache='set-cookie'");
+        response.setHeader("Pragma", "no-cache");
 
         checkIp(request,response,filterChain);
     }
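Review bot: The second `setHeader("Cache-Control", ...)` call replaces the value set by the line before it, so `no-store, must-revalidate, max-age=0` never reaches the client and the response goes out with `Cache-Control: no-cache='set-cookie'`, whose single-quoted field name is not valid Cache-Control syntax and will at best be read as a bare `no-cache`. Drop the second call, or collapse the three lines into `response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, max-age=0");` plus `response.setHeader("Expires", "0");` next to the existing `Pragma` for HTTP/1.0 caches. Since this is a `OncePerRequestFilter`, the directive presumably applies to every response it sees, including any static resources; if that is not intended, scope it to API paths. The enclosing method starts outside the hunk.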

+ 3 - 5
backend/src/main/resources/application.yml

@@ -5,11 +5,9 @@ server:
     key-store-type: PKCS12
     key-store-password: ENC(6daOBtvpihAkIU2Kh8iRK3KqYgI4E0/s)
     enabled-protocols: "TLSv1.2"
-    ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384"
-  tomcat:
-    max-connections: 50
-    max-threads: 30
-    accept-count: 5
+    ciphers: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+    #ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-RSA-CHACHA20-POLY1305,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-GCM-SHA384"
+
 
 logging:
   config: classpath:logback-ssi.xml
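Review bot: `ciphers` is cut down to the single suite `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, so any client that does not offer exactly that suite fails the TLS handshake; moving to JSSE-style names is what Undertow expects, but a short list is safer, e.g. adding `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` (and `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` on JDKs that support it). The old OpenSSL-style list kept as a comment should be deleted rather than retained, since those names cannot be used with a JSSE engine and will mislead the next editor; the ECDSA suites it contained are also gone, which is fine only if the keystore holds an RSA certificate. The removed `tomcat:` block (`max-connections`/`max-threads`/`accept-count`) has no Undertow counterpart in this diff; if those limits were deliberate, set the equivalent `server.undertow.threads.worker`/`io` (or `worker-threads`/`io-threads` on older Boot 2.x) options. The `server:` block starts outside the hunk.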