登入生成token的小bug issues/I1XOVS

5 years ago · b92bec3eed
parent 72f32e47a0
commit b92bec3eed
2 changed files with 7 additions and 2 deletions
--- a/jeecg-boot/jeecg-boot-base-common/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
+++ b/jeecg-boot/jeecg-boot-base-common/src/main/java/org/jeecg/config/shiro/ShiroRealm.java
@ -1,5 +1,6 @@
 package org.jeecg.config.shiro;

+import cn.hutool.crypto.SecureUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.shiro.authc.AuthenticationException;
 import org.apache.shiro.authc.AuthenticationInfo;
@ -118,6 +119,8 @@ public class ShiroRealm extends AuthorizingRealm {
        //如果redis缓存用户信息为空，则通过接口获取用户信息,避免超过两个小时操作中token过期
        if(loginUser==null){
            loginUser = commonAPI.getUserByName(username);
+            //密码二次加密，因为存于redis会泄露
+            loginUser.setPassword(SecureUtil.md5(loginUser.getPassword()));
        }
        if (loginUser == null) {
            throw new AuthenticationException("用户不存在!");
--- a/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/LoginController.java
+++ b/jeecg-boot/jeecg-boot-module-system/src/main/java/org/jeecg/modules/system/controller/LoginController.java
@ -81,7 +81,8 @@ public class LoginController {
        String lowerCaseCaptcha = captcha.toLowerCase();
 		String realKey = MD5Util.MD5Encode(lowerCaseCaptcha+sysLoginModel.getCheckKey(), "utf-8");
 		Object checkCode = redisUtil.get(realKey);
-		if(checkCode==null || !checkCode.equals(lowerCaseCaptcha)) {
+		//当进入登录页时，有一定几率出现验证码错误 #1714
+		if(checkCode==null || !checkCode.toString().equals(lowerCaseCaptcha)) {
 			result.error500("验证码错误");
 			return result;
 		}
@ -355,7 +356,7 @@ public class LoginController {
 		String syspassword = sysUser.getPassword();
 		String username = sysUser.getUsername();
 		// 生成token
-		String token = JwtUtil.sign(username, syspassword);
+		String token = JwtUtil.sign(username, SecureUtil.md5(syspassword));
        // 设置token缓存有效时间
 		redisUtil.set(CommonConstant.PREFIX_USER_TOKEN + token, token);
 		redisUtil.expire(CommonConstant.PREFIX_USER_TOKEN + token, JwtUtil.EXPIRE_TIME*2 / 1000);
@ -363,6 +364,7 @@ public class LoginController {
 		//update-begin-author:taoyan date:20200812 for:登录缓存用户信息
 		LoginUser vo = new LoginUser();
 		BeanUtils.copyProperties(sysUser,vo);
+		//密码二次加密，因为存于redis会泄露
 		vo.setPassword(SecureUtil.md5(sysUser.getPassword()));
 		redisUtil.set(CacheConstant.SYS_USERS_CACHE_JWT +":" +token, vo);
 		redisUtil.expire(CacheConstant.SYS_USERS_CACHE_JWT +":" +token, JwtUtil.EXPIRE_TIME*2 / 1000);