fix: socket 连接不用经过 csrf

This commit is contained in:
Captain.B 2021-03-11 11:47:20 +08:00
parent 061966ce36
commit 3392ae6cb3
3 changed files with 13 additions and 6 deletions


@ -44,6 +44,10 @@ public class ShiroUtils {
// filterChainDefinitionMap.put("/document/**", "anon"); // filterChainDefinitionMap.put("/document/**", "anon");
} }
public static void ignoreCsrfFilter(Map<String, String> filterChainDefinitionMap) {
filterChainDefinitionMap.put("/", "apikey, authc"); // 跳转到 / 不用校验 csrf
}
public static Cookie getSessionIdCookie(){ public static Cookie getSessionIdCookie(){
SimpleCookie sessionIdCookie = new SimpleCookie(); SimpleCookie sessionIdCookie = new SimpleCookie();
sessionIdCookie.setPath("/"); sessionIdCookie.setPath("/");
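Review bot: The moved ignoreCsrfFilter method carries no documentation of the ordering contract its callers must honor: Shiro's documented rule for filter-chain definitions is that they are matched in insertion order and the first match wins, so an entry put here only takes effect if the method runs before the catch-all `/**` definition, which the current ShiroConfig does but nothing enforces. I would add a Javadoc above the method, `/** Registers paths that skip the csrf filter. Must be called BEFORE the "/**" catch-all is put into the map: Shiro matches chain definitions in insertion order, first match wins. */`. It is also worth a one-line comment that the `/performance/report/*` exemption was deliberately not carried over because the socket case is handled elsewhere, so that nobody re-adds it here.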


@ -47,18 +47,15 @@ public class ShiroConfig implements EnvironmentAware {
shiroFilterFactoryBean.getFilters().put("apikey", new ApiKeyFilter()); shiroFilterFactoryBean.getFilters().put("apikey", new ApiKeyFilter());
shiroFilterFactoryBean.getFilters().put("csrf", new CsrfFilter()); shiroFilterFactoryBean.getFilters().put("csrf", new CsrfFilter());
Map<String, String> filterChainDefinitionMap = shiroFilterFactoryBean.getFilterChainDefinitionMap(); Map<String, String> filterChainDefinitionMap = shiroFilterFactoryBean.getFilterChainDefinitionMap();
ShiroUtils.loadBaseFilterChain(filterChainDefinitionMap); ShiroUtils.loadBaseFilterChain(filterChainDefinitionMap);
ignoreCsrfFilter(filterChainDefinitionMap); ShiroUtils.ignoreCsrfFilter(filterChainDefinitionMap);
filterChainDefinitionMap.put("/**", "apikey, csrf, authc"); filterChainDefinitionMap.put("/**", "apikey, csrf, authc");
return shiroFilterFactoryBean; return shiroFilterFactoryBean;
} }
private void ignoreCsrfFilter(Map<String, String> filterChainDefinitionMap) {
filterChainDefinitionMap.put("/", "apikey, authc"); // 跳转到 / 不用校验 csrf
filterChainDefinitionMap.put("/performance/report/*", "apikey, authc"); // socket 不用校验 csrf
}
@Bean(name = "shiroFilter") @Bean(name = "shiroFilter")
public FilterRegistrationBean<Filter> shiroFilter(ShiroFilterFactoryBean shiroFilterFactoryBean) throws Exception { public FilterRegistrationBean<Filter> shiroFilter(ShiroFilterFactoryBean shiroFilterFactoryBean) throws Exception {
FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>(); FilterRegistrationBean<Filter> registration = new FilterRegistrationBean<>();


@ -32,6 +32,12 @@ public class CsrfFilter extends AnonymousFilter {
if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) { if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) {
return true; return true;
} }
// websocket 不需要csrf
String websocketKey = httpServletRequest.getHeader("Sec-WebSocket-Key");
if (StringUtils.isNotBlank(websocketKey)) {
return true;
}
// 请求头取出的token value // 请求头取出的token value
String csrfToken = httpServletRequest.getHeader(TOKEN_NAME); String csrfToken = httpServletRequest.getHeader(TOKEN_NAME);
// 校验 token // 校验 token
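Review bot: The new `Sec-WebSocket-Key` check exempts a request from CSRF validation on every path solely because that header is present, whereas the path-scoped `/performance/report/*` exemption it replaces only covered the socket endpoint. Browsers do not let page scripts set `Sec-*` headers on fetch/XHR, but they do send that header, together with the session cookie and with no same-origin restriction, on every WebSocket handshake, so a cross-site page can still open an authenticated socket to this server unless the `Origin` is verified (cross-site WebSocket hijacking), and nothing in this hunk checks it. I would only honor the bypass for a genuine upgrade and after an origin check, e.g. `boolean wsUpgrade = "websocket".equalsIgnoreCase(httpServletRequest.getHeader("Upgrade"));` followed by `if (wsUpgrade && StringUtils.isNotBlank(websocketKey) && isTrustedOrigin(httpServletRequest.getHeader("Origin"))) return true;`, where the helper compares the header against the configured server origin (whether such a configured origin or allowlist already exists in this project is not visible here). The enclosing method starts and ends outside this hunk.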