diff --git a/jeecg-boot/jeecg-boot-base-common/src/main/java/org/jeecg/config/shiro/ShiroRealm.java b/jeecg-boot/jeecg-boot-base-common/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
index 44982267..0c80f268 100644
--- a/jeecg-boot/jeecg-boot-base-common/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
+++ b/jeecg-boot/jeecg-boot-base-common/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
@@ -1,5 +1,6 @@
 package org.jeecg.config.shiro;
 
+import cn.hutool.crypto.SecureUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
@@ -118,6 +119,8 @@ public class ShiroRealm extends AuthorizingRealm {
 //如果redis缓存用户信息为空,则通过接口获取用户信息,避免超过两个小时操作中token过期
 if(loginUser==null){
 loginUser = commonAPI.getUserByName(username);
+//密码二次加密,因为存于redis会泄露
+loginUser.setPassword(SecureUtil.md5(loginUser.getPassword()));
 }
 if (loginUser == null) {
 throw new AuthenticationException("用户不存在!");
diff --git a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/LoginController.java b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/LoginController.java
index fa34b8dc..c3639cea 100644
--- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/LoginController.java
+++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/LoginController.java
@@ -81,7 +81,8 @@ public class LoginController {
 String lowerCaseCaptcha = captcha.toLowerCase();
 String realKey = MD5Util.MD5Encode(lowerCaseCaptcha+sysLoginModel.getCheckKey(), "utf-8");
 Object checkCode = redisUtil.get(realKey);
-if(checkCode==null || !checkCode.equals(lowerCaseCaptcha)) {
+//当进入登录页时,有一定几率出现验证码错误 #1714
+if(checkCode==null || !checkCode.toString().equals(lowerCaseCaptcha)) {
 result.error500("验证码错误");
 return result;
 }
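Review bot: The new `loginUser.setPassword(SecureUtil.md5(loginUser.getPassword()))` in ShiroRealm dereferences the result of `commonAPI.getUserByName(username)` before the `if (loginUser == null)` check two lines below it, so an unknown username now fails with a NullPointerException instead of the intended `AuthenticationException("用户不存在!")`. Guard the re-hash so the existing null check stays reachable: `if (loginUser != null) { loginUser.setPassword(SecureUtil.md5(loginUser.getPassword())); }`. Whether `getUserByName` actually returns null for a missing user is not visible here, but the check the commit keeps says callers expect it. The added comment would also read better in English, e.g. `// re-hash: the cached copy in redis must not expose the stored password hash`. The enclosing method starts and ends outside the hunk.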
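Review bot: The added comment `//当进入登录页时,有一定几率出现验证码错误 #1714` in the LoginController captcha check records the symptom but not why `toString()` fixes it, which is what the next reader of this line needs; the cached value's type is not visible here, so state only what is known, e.g. `// the cached captcha may not come back as a String; compare its string form (see #1714)`. The unchanged `captcha.toLowerCase()` on the line above runs under the JVM default locale, and because that lowercased user input also feeds the cache key via `MD5Util.MD5Encode(...)`, `toLowerCase(Locale.ROOT)` would keep both the key and the comparison stable across server locales. The enclosing method starts and ends outside the hunk.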
@@ -355,7 +356,7 @@ public class LoginController {
 String syspassword = sysUser.getPassword();
 String username = sysUser.getUsername();
 // 生成token
-String token = JwtUtil.sign(username, syspassword);
+String token = JwtUtil.sign(username, SecureUtil.md5(syspassword));
 // 设置token缓存有效时间
 redisUtil.set(CommonConstant.PREFIX_USER_TOKEN + token, token);
 redisUtil.expire(CommonConstant.PREFIX_USER_TOKEN + token, JwtUtil.EXPIRE_TIME*2 / 1000);
@@ -363,6 +364,7 @@ public class LoginController {
 //update-begin-author:taoyan date:20200812 for:登录缓存用户信息
 LoginUser vo = new LoginUser();
 BeanUtils.copyProperties(sysUser,vo);
+//密码二次加密,因为存于redis会泄露
 vo.setPassword(SecureUtil.md5(sysUser.getPassword()));
 redisUtil.set(CacheConstant.SYS_USERS_CACHE_JWT +":" +token, vo);
 redisUtil.expire(CacheConstant.SYS_USERS_CACHE_JWT +":" +token, JwtUtil.EXPIRE_TIME*2 / 1000);
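Review bot: `SecureUtil.md5(syspassword)` is now the value handed to `JwtUtil.sign`, and the next hunk shows the very same `SecureUtil.md5(sysUser.getPassword())` being written into the redis user cache, so if `JwtUtil.sign` uses its second argument as the signing secret (its body is not visible here), anyone who can read the cache can also mint valid tokens for that user — the "second encryption" hides the stored hash but does not separate the cached value from the signing key. An unkeyed MD5 is also deterministic, so a reader who already has the stored hash can recompute it. Consider deriving the signing key from a server-side secret instead, e.g. an HMAC over `syspassword` under a configured key via `javax.crypto.Mac`, and not writing that derived value into the cache at all, or caching the user record without a password field if the realm does not need it. The enclosing method starts and ends outside the hunk.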