From 9515ebbc39e2466262387d25c55f84c412e15e2e Mon Sep 17 00:00:00 2001
From: Saturneric <eric.bktu@gmail.com>
Date: Mon, 16 Mar 2020 15:25:34 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=8C=E5=96=84=E8=AE=A4=E8=AF=81=E7=AE=A1?=
 =?UTF-8?q?=E7=90=86=E5=AD=90=E7=B3=BB=E7=BB=9F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../auth/JSONRandomCodeGenerator.java          |  2 +-
 .../auth/TimestampExpiredChecker.java          | 18 ++++++++++++++++++
 .../component/datamanager/JSONParameter.java   |  8 +++++++-
 .../respond/UserLoginCheckerJSONRespond.java   |  9 +++++----
 .../permission/ASEAccessDeniedHandler.java     | 10 ++--------
 .../ASEAuthenticationEntryPoint.java           |  4 ++--
 .../ASEAuthenticationFailureHandler.java       |  7 ++++---
 ...SEUsernamePasswordAuthenticationFilter.java | 12 ++++++++++++
 8 files changed, 51 insertions(+), 19 deletions(-)
 create mode 100644 src/main/java/com/codesdream/ase/component/auth/TimestampExpiredChecker.java

diff --git a/src/main/java/com/codesdream/ase/component/auth/JSONRandomCodeGenerator.java b/src/main/java/com/codesdream/ase/component/auth/JSONRandomCodeGenerator.java
index 954850b..fe2ce6c 100644
--- a/src/main/java/com/codesdream/ase/component/auth/JSONRandomCodeGenerator.java
+++ b/src/main/java/com/codesdream/ase/component/auth/JSONRandomCodeGenerator.java
@@ -14,6 +14,6 @@ public class JSONRandomCodeGenerator {
 
     public String generateRandomCode(String username, Date date, String clientCode){
         return encoder.encode(String.format("RandomCode [%s][%s][%s]",
-                username, date.toString(), clientCode));
+                username, Long.toString(date.getTime()), clientCode));
     }
 }
diff --git a/src/main/java/com/codesdream/ase/component/auth/TimestampExpiredChecker.java b/src/main/java/com/codesdream/ase/component/auth/TimestampExpiredChecker.java
new file mode 100644
index 0000000..080bd20
--- /dev/null
+++ b/src/main/java/com/codesdream/ase/component/auth/TimestampExpiredChecker.java
@@ -0,0 +1,18 @@
+package com.codesdream.ase.component.auth;
+
+import org.springframework.stereotype.Component;
+
+import java.util.Date;
+
+// 验证时间戳是否有效
+@Component
+public class TimestampExpiredChecker {
+
+    public boolean checkTimestampBeforeMaxTime(String timestamp, int seconds){
+        Date timestampDate = new Date(Long.parseLong(timestamp));
+        long currentTime = System.currentTimeMillis();
+        Date maxDate = new Date(currentTime + seconds * 1000);
+        return timestampDate.before(maxDate);
+    }
+
+}
diff --git a/src/main/java/com/codesdream/ase/component/datamanager/JSONParameter.java b/src/main/java/com/codesdream/ase/component/datamanager/JSONParameter.java
index 103c5a0..3fd6706 100644
--- a/src/main/java/com/codesdream/ase/component/datamanager/JSONParameter.java
+++ b/src/main/java/com/codesdream/ase/component/datamanager/JSONParameter.java
@@ -86,7 +86,13 @@ public class JSONParameter {
 
     // 获得标准的JSON响应字符串返回(403状态)
     public String getJSONStandardRespond403(){
-        JSONBaseRespondObject respondObject = new JSONBaseRespondObject(403, "forbidden");
+        JSONBaseRespondObject respondObject = new JSONBaseRespondObject(403, "Forbidden");
+        return getJSONString(respondObject);
+    }
+
+    // 获得标准的JSON响应字符串返回(401状态)
+    public String getJSONStandardRespond401(){
+        JSONBaseRespondObject respondObject = new JSONBaseRespondObject(401, "Unauthorized");
         return getJSONString(respondObject);
     }
 
diff --git a/src/main/java/com/codesdream/ase/component/json/respond/UserLoginCheckerJSONRespond.java b/src/main/java/com/codesdream/ase/component/json/respond/UserLoginCheckerJSONRespond.java
index 79ccfe9..208851a 100644
--- a/src/main/java/com/codesdream/ase/component/json/respond/UserLoginCheckerJSONRespond.java
+++ b/src/main/java/com/codesdream/ase/component/json/respond/UserLoginCheckerJSONRespond.java
@@ -1,14 +1,15 @@
 package com.codesdream.ase.component.json.respond;
 
+import com.sun.org.apache.xpath.internal.operations.Bool;
 import lombok.Data;
 import lombok.EqualsAndHashCode;
 
 @Data
 public class UserLoginCheckerJSONRespond {
-    boolean userExist = false;
-    boolean loginStatus = false;
-    boolean userBanned = false;
+    Boolean userExist = null;
+    Boolean userBanned = null;
+    Boolean loginStatus = null;
     String respondInformation = "";
-    String token = "";
+    String token = null;
 
 }
diff --git a/src/main/java/com/codesdream/ase/component/permission/ASEAccessDeniedHandler.java b/src/main/java/com/codesdream/ase/component/permission/ASEAccessDeniedHandler.java
index 2043f27..67955f5 100644
--- a/src/main/java/com/codesdream/ase/component/permission/ASEAccessDeniedHandler.java
+++ b/src/main/java/com/codesdream/ase/component/permission/ASEAccessDeniedHandler.java
@@ -26,15 +26,9 @@ public class ASEAccessDeniedHandler implements AccessDeniedHandler {
             throws IOException, ServletException {
         log.info("ASEAccessDeniedHandler Found!");
 
-        response.setCharacterEncoding("utf-8");
-        response.setContentType("text/javascript;charset=utf-8");
-        UserLoginCheckerJSONRespond checkerRespond = new UserLoginCheckerJSONRespond();
-        checkerRespond.setLoginStatus(true);
-        checkerRespond.setUserExist(true);
-        checkerRespond.setRespondInformation("Authenticated user has no access to this resource");
+        // 对无权限操作返回403
+        response.getWriter().print(jsonParameter.getJSONStandardRespond403());
 
-        // 对匿名用户返回
-        response.getWriter().print(jsonParameter.getJSONString(checkerRespond));
 
     }
 }
diff --git a/src/main/java/com/codesdream/ase/component/permission/ASEAuthenticationEntryPoint.java b/src/main/java/com/codesdream/ase/component/permission/ASEAuthenticationEntryPoint.java
index 3e62a3f..b367794 100644
--- a/src/main/java/com/codesdream/ase/component/permission/ASEAuthenticationEntryPoint.java
+++ b/src/main/java/com/codesdream/ase/component/permission/ASEAuthenticationEntryPoint.java
@@ -24,8 +24,8 @@ public class ASEAuthenticationEntryPoint implements AuthenticationEntryPoint {
     @Override
     public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
             throws IOException, ServletException {
-        // 对匿名用户返回403
-        response.getWriter().print(jsonParameter.getJSONStandardRespond403());
+        // 对匿名用户返回401
+        response.getWriter().print(jsonParameter.getJSONStandardRespond401());
 
     }
 }
diff --git a/src/main/java/com/codesdream/ase/component/permission/ASEAuthenticationFailureHandler.java b/src/main/java/com/codesdream/ase/component/permission/ASEAuthenticationFailureHandler.java
index 1680ec3..393d591 100644
--- a/src/main/java/com/codesdream/ase/component/permission/ASEAuthenticationFailureHandler.java
+++ b/src/main/java/com/codesdream/ase/component/permission/ASEAuthenticationFailureHandler.java
@@ -23,13 +23,14 @@ public class ASEAuthenticationFailureHandler extends SimpleUrlAuthenticationFail
 
     @Override
     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
-            throws IOException, ServletException
+            throws IOException
     {
         log.info("ASEAuthenticationFailureHandler Login Fail!");
         UserLoginCheckerJSONRespond respond = new UserLoginCheckerJSONRespond();
-        respond.setUserExist(false);
+
+        respond.setUserExist(null);
+        respond.setUserBanned(null);
         respond.setLoginStatus(false);
-        respond.setUserBanned(true);
         respond.setRespondInformation("Authentication Failed");
 
         // 填充response对象
diff --git a/src/main/java/com/codesdream/ase/component/permission/ASEUsernamePasswordAuthenticationFilter.java b/src/main/java/com/codesdream/ase/component/permission/ASEUsernamePasswordAuthenticationFilter.java
index 2be84dd..7c78ae6 100644
--- a/src/main/java/com/codesdream/ase/component/permission/ASEUsernamePasswordAuthenticationFilter.java
+++ b/src/main/java/com/codesdream/ase/component/permission/ASEUsernamePasswordAuthenticationFilter.java
@@ -2,6 +2,7 @@ package com.codesdream.ase.component.permission;
 
 import com.codesdream.ase.component.auth.AJAXRequestChecker;
 import com.codesdream.ase.component.auth.JSONTokenUsernamePasswordAuthenticationToken;
+import com.codesdream.ase.component.auth.TimestampExpiredChecker;
 import com.codesdream.ase.component.datamanager.JSONParameter;
 import com.codesdream.ase.component.json.request.UserLoginChecker;
 import lombok.extern.slf4j.Slf4j;
@@ -12,6 +13,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.web.bind.annotation.RequestMapping;
 
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
@@ -28,10 +30,20 @@ public class ASEUsernamePasswordAuthenticationFilter extends UsernamePasswordAut
     @Resource
     private AJAXRequestChecker ajaxRequestChecker;
 
+    @Resource
+    private TimestampExpiredChecker timestampExpiredChecker;
+
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
             throws AuthenticationException {
 
+        String timestamp =  request.getHeader("timestamp");
+
+        // 检查时间戳是否合理(60秒内)
+        if(!timestampExpiredChecker.checkTimestampBeforeMaxTime(timestamp, 60)){
+            throw new AuthenticationServiceException("Timestamp Expired.");
+        }
+
         // 判断是否为AJAX请求格式的数据
         if(!ajaxRequestChecker.checkAjaxPOSTRequest(request)) {
             throw new AuthenticationServiceException("Authentication method not supported: NOT Ajax Method.");