diff --git a/ccic-exam/.gitignore b/ccic-exam/.gitignore new file mode 100644 index 0000000..2ac6eab --- /dev/null +++ b/ccic-exam/.gitignore @@ -0,0 +1,10 @@ +#windows +.idea +target +ccic-exam.iml +*.log +#屏蔽配置文件 +src/test/java/demo/CodeGenerator.java +src/main/resources/dev.application.yml +#mac +.DS_Store diff --git a/ccic-exam/pom.xml b/ccic-exam/pom.xml new file mode 100644 index 0000000..db9f844 --- /dev/null +++ b/ccic-exam/pom.xml @@ -0,0 +1,190 @@ + + + 4.0.0 + + ccic-emam + 1.0-SNAPSHOT + + + com.ccic.safeliab + cloud-dependencies + 1.0 + + + + + + + org.yaml + snakeyaml + 2.3-ccic + + + + com.alibaba.cloud + spring-cloud-starter-alibaba-nacos-config + + + + com.alibaba.cloud + spring-cloud-starter-alibaba-nacos-discovery + + + + com.ccic.safeliab + cloud-starter + 1.0 + + + com.ccic.safeliab + ccic-entity + 1.0-SNAPSHOT + + + org.springframework.boot + spring-boot-starter + + + + org.springframework.boot + spring-boot-configuration-processor + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-tomcat + + + + + org.springframework.boot + spring-boot-starter-undertow + + + io.undertow + undertow-servlet + + + + + org.projectlombok + lombok + provided + + + + ch.qos.logback + logback-core + + + ch.qos.logback + logback-classic + + + + + + + + + + + org.apache.velocity + velocity-engine-core + + + + org.springframework.boot + spring-boot-starter-data-redis + + + + com.zaxxer + HikariCP + runtime + + + + mysql + mysql-connector-java + runtime + + + + com.alibaba + fastjson + + + + junit + junit + test + + + + com.kingbase8 + kingbase8 + 8.6.0 + + + + org.owasp.esapi + esapi + 2.2.0.0 + + + + org.jsoup + jsoup + 1.9.2 + + + + xml-apis + xml-apis + 1.4.01 + + + + com.bes.appserv-web + bes-lite-spring-boot-2.x-starter + 9.5.2.008 + + + + cn.hutool + hutool-all + 5.7.16 + + + + + org.apache.commons + commons-pool2 + + + + + + + + + org.springframework.boot + spring-boot-maven-plugin + + + + diff --git a/ccic-exam/src/main/java/com/ccic/safeliab/ExamApplication.java b/ccic-exam/src/main/java/com/ccic/safeliab/ExamApplication.java new file mode 100644 index 0000000..792656f --- /dev/null +++ b/ccic-exam/src/main/java/com/ccic/safeliab/ExamApplication.java @@ -0,0 +1,13 @@ +package com.ccic.safeliab; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication +public class ExamApplication { + + public static void main(String[] args) { + SpringApplication.run(ExamApplication.class, args); + } + +} diff --git a/ccic-exam/src/main/java/com/ccic/safeliab/dao/DemoMapper.java b/ccic-exam/src/main/java/com/ccic/safeliab/dao/DemoMapper.java new file mode 100644 index 0000000..e87c0fc --- /dev/null +++ b/ccic-exam/src/main/java/com/ccic/safeliab/dao/DemoMapper.java @@ -0,0 +1,9 @@ +package com.ccic.safeliab.dao; + +import com.baomidou.mybatisplus.core.mapper.BaseMapper; +import com.ccic.safeliab.entity.InsDemo; +import org.apache.ibatis.annotations.Mapper; + +@Mapper +public interface DemoMapper extends BaseMapper { +} \ No newline at end of file diff --git a/ccic-exam/src/main/java/com/ccic/safeliab/filter/RedisConfiguration.java b/ccic-exam/src/main/java/com/ccic/safeliab/filter/RedisConfiguration.java new file mode 100644 index 0000000..9e034f3 --- /dev/null +++ b/ccic-exam/src/main/java/com/ccic/safeliab/filter/RedisConfiguration.java @@ -0,0 +1,102 @@ +package com.ccic.safeliab.filter; + +import com.fasterxml.jackson.annotation.JsonAutoDetect; +import com.fasterxml.jackson.annotation.PropertyAccessor; +import com.fasterxml.jackson.databind.ObjectMapper; +import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator; +import io.lettuce.core.ReadFrom; +import org.springframework.boot.autoconfigure.data.redis.RedisProperties; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.context.annotation.Primary; +import org.springframework.data.redis.connection.RedisConnectionFactory; +import org.springframework.data.redis.connection.RedisSentinelConfiguration; +import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory; +import org.springframework.data.redis.connection.lettuce.LettucePoolingClientConfiguration; +import org.springframework.data.redis.core.RedisTemplate; +import org.springframework.data.redis.serializer.Jackson2JsonRedisSerializer; +import org.springframework.data.redis.serializer.StringRedisSerializer; + +import java.text.SimpleDateFormat; +import java.util.HashSet; + +/** + * @author 89524 + * @ClassName RedisConfiguration + * @description: TODO redis哨兵配置 + * @date 2023年09月18日 + * @version: 1.0 + */ +@Configuration +public class RedisConfiguration { + + /** + * 配置redis序列化json + * + * @param redisConnectionFactory + * @return + */ + @Bean + @Primary //若有相同类型的Bean时,优先使用此注解标注的Bean + public RedisTemplate redisTemplate(RedisConnectionFactory redisConnectionFactory) { + // 为了开发方便,一般直接使用 + RedisTemplate template = new RedisTemplate<>(); + template.setConnectionFactory(redisConnectionFactory); + + // 配置具体的序列化方式 + // JSON解析任意对象 + Jackson2JsonRedisSerializer jackson2JsonRedisSerializer = new Jackson2JsonRedisSerializer(Object.class); + ObjectMapper om = new ObjectMapper(); + // 指定要序列化的域,field,get和set,以及修饰符范围,ANY是都有包括private和public + om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY); + // 指定序列化输入的类型,类必须是非final修饰的,final修饰的类,比如String,Integer等会跑出异常 + om.activateDefaultTyping(LaissezFaireSubTypeValidator.instance, ObjectMapper.DefaultTyping.NON_FINAL); + // 设置日期格式 + om.setDateFormat(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss")); + jackson2JsonRedisSerializer.setObjectMapper(om); + // String的序列化 + StringRedisSerializer stringRedisSerializer = new StringRedisSerializer(); + + + //key采用String的序列化 + template.setKeySerializer(stringRedisSerializer); + //hash的key也采用String的序列化 + template.setHashKeySerializer(stringRedisSerializer); + //value的序列化方式采用jackson + template.setValueSerializer(jackson2JsonRedisSerializer); + //hash的value序列化方式采用jackson + template.setHashValueSerializer(jackson2JsonRedisSerializer); + //设置所有配置 + template.afterPropertiesSet(); + + return template; + } + + /** + * 配置读写分离 redis没有放开集群配置,没用,会报错! + * @param redisProperties + * @return + */ + /*@Bean + public RedisConnectionFactory lettuceConnectionFactory(RedisProperties redisProperties) { + // 配置哨兵节点以及主节点 + RedisSentinelConfiguration redisSentinelConfiguration = new RedisSentinelConfiguration( + redisProperties.getSentinel().getMaster(), new HashSet<>(redisProperties.getSentinel().getNodes()) + ); + + // 配置读写分离 + LettucePoolingClientConfiguration lettuceClientConfiguration = LettucePoolingClientConfiguration.builder() + // 读写分离,这里的ReadFrom是配置Redis的读取策略,是一个枚举,包括下面选择 + // MASTER 仅读取主节点 + // MASTER_PREFERRED 优先读取主节点,如果主节点不可用,则读取从节点 + // REPLICA_PREFERRED 优先读取从节点,如果从节点不可用,则读取主节点 + // REPLICA 仅读取从节点 + // NEAREST 从最近节点读取 + // ANY 从任意一个从节点读取 + .readFrom(ReadFrom.REPLICA_PREFERRED) + .build(); + + return new LettuceConnectionFactory(redisSentinelConfiguration, lettuceClientConfiguration); + }*/ + +} diff --git a/ccic-exam/src/main/java/com/ccic/safeliab/filter/RedisUtil.java b/ccic-exam/src/main/java/com/ccic/safeliab/filter/RedisUtil.java new file mode 100644 index 0000000..afbb26d --- /dev/null +++ b/ccic-exam/src/main/java/com/ccic/safeliab/filter/RedisUtil.java @@ -0,0 +1,588 @@ +package com.ccic.safeliab.filter; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.data.redis.core.RedisTemplate; +import org.springframework.stereotype.Component; +import org.springframework.util.CollectionUtils; + +import java.util.List; +import java.util.Map; +import java.util.Set; +import java.util.concurrent.TimeUnit; + +@Component +public final class RedisUtil { + + @Autowired + private RedisTemplate redisTemplate; + + // =============================common============================ + + /** + * 指定缓存失效时间 + * + * @param key 键 + * @param time 时间(秒) + */ + public boolean expire(String key, long time) { + try { + if (time > 0) { + redisTemplate.expire(key, time, TimeUnit.SECONDS); + } + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + /** + * 根据key 获取过期时间 + * + * @param key 键 不能为null + * @return 时间(秒) 返回0代表为永久有效 + */ + public long getExpire(String key) { + return redisTemplate.getExpire(key, TimeUnit.SECONDS); + } + + + /** + * 判断key是否存在 + * + * @param key 键 + * @return true 存在 false不存在 + */ + public boolean hasKey(String key) { + try { + return redisTemplate.hasKey(key); + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + + /** + * 删除缓存 + * + * @param key 可以传一个值 或多个 + */ + @SuppressWarnings("unchecked") + public void del(String... key) { + if (key != null && key.length > 0) { + if (key.length == 1) { + redisTemplate.delete(key[0]); + } else { + redisTemplate.delete(CollectionUtils.arrayToList(key)); + } + } + } + + + // ============================String============================= + + /** + * 普通缓存获取 + * + * @param key 键 + * @return 值 + */ + public Object get(String key) { + return key == null ? null : redisTemplate.opsForValue().get(key); + } + + /** + * 普通缓存放入 + * + * @param key 键 + * @param value 值 + * @return true成功 false失败 + */ + + public boolean set(String key, Object value) { + try { + redisTemplate.opsForValue().set(key, value); + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + + /** + * 普通缓存放入并设置时间 + * + * @param key 键 + * @param value 值 + * @param time 时间(秒) time要大于0 如果time小于等于0 将设置无限期 + * @return true成功 false 失败 + */ + + public boolean set(String key, Object value, long time) { + try { + if (time > 0) { + redisTemplate.opsForValue().set(key, value, time, TimeUnit.SECONDS); + } else { + set(key, value); + } + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + + /** + * 递增 + * + * @param key 键 + * @param delta 要增加几(大于0) + */ + public long incr(String key, long delta) { + if (delta < 0) { + throw new RuntimeException("递增因子必须大于0"); + } + return redisTemplate.opsForValue().increment(key, delta); + } + + + /** + * 递减 + * + * @param key 键 + * @param delta 要减少几(小于0) + */ + public long decr(String key, long delta) { + if (delta < 0) { + throw new RuntimeException("递减因子必须大于0"); + } + return redisTemplate.opsForValue().increment(key, -delta); + } + + + // ================================Map================================= + + /** + * HashGet + * + * @param key 键 不能为null + * @param item 项 不能为null + */ + public Object hget(String key, String item) { + return redisTemplate.opsForHash().get(key, item); + } + + /** + * 获取hashKey对应的所有键值 + * + * @param key 键 + * @return 对应的多个键值 + */ + public Map hmget(String key) { + return redisTemplate.opsForHash().entries(key); + } + + /** + * HashSet + * + * @param key 键 + * @param map 对应多个键值 + */ + public boolean hmset(String key, Map map) { + try { + redisTemplate.opsForHash().putAll(key, map); + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + + /** + * HashSet 并设置时间 + * + * @param key 键 + * @param map 对应多个键值 + * @param time 时间(秒) + * @return true成功 false失败 + */ + public boolean hmset(String key, Map map, long time) { + try { + redisTemplate.opsForHash().putAll(key, map); + if (time > 0) { + expire(key, time); + } + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + + /** + * 向一张hash表中放入数据,如果不存在将创建 + * + * @param key 键 + * @param item 项 + * @param value 值 + * @return true 成功 false失败 + */ + public boolean hset(String key, String item, Object value) { + try { + redisTemplate.opsForHash().put(key, item, value); + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + /** + * 向一张hash表中放入数据,如果不存在将创建 + * + * @param key 键 + * @param item 项 + * @param value 值 + * @param time 时间(秒) 注意:如果已存在的hash表有时间,这里将会替换原有的时间 + * @return true 成功 false失败 + */ + public boolean hset(String key, String item, Object value, long time) { + try { + redisTemplate.opsForHash().put(key, item, value); + if (time > 0) { + expire(key, time); + } + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + + /** + * 删除hash表中的值 + * + * @param key 键 不能为null + * @param item 项 可以使多个 不能为null + */ + public void hdel(String key, Object... item) { + redisTemplate.opsForHash().delete(key, item); + } + + + /** + * 判断hash表中是否有该项的值 + * + * @param key 键 不能为null + * @param item 项 不能为null + * @return true 存在 false不存在 + */ + public boolean hHasKey(String key, String item) { + return redisTemplate.opsForHash().hasKey(key, item); + } + + + /** + * hash递增 如果不存在,就会创建一个 并把新增后的值返回 + * + * @param key 键 + * @param item 项 + * @param by 要增加几(大于0) + */ + public double hincr(String key, String item, double by) { + return redisTemplate.opsForHash().increment(key, item, by); + } + + + /** + * hash递减 + * + * @param key 键 + * @param item 项 + * @param by 要减少记(小于0) + */ + public double hdecr(String key, String item, double by) { + return redisTemplate.opsForHash().increment(key, item, -by); + } + + + // ============================set============================= + + /** + * 根据key获取Set中的所有值 + * + * @param key 键 + */ + public Set sGet(String key) { + try { + return redisTemplate.opsForSet().members(key); + } catch (Exception e) { + e.printStackTrace(); + return null; + } + } + + + /** + * 根据value从一个set中查询,是否存在 + * + * @param key 键 + * @param value 值 + * @return true 存在 false不存在 + */ + public boolean sHasKey(String key, Object value) { + try { + return redisTemplate.opsForSet().isMember(key, value); + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + + /** + * 将数据放入set缓存 + * + * @param key 键 + * @param values 值 可以是多个 + * @return 成功个数 + */ + public long sSet(String key, Object... values) { + try { + return redisTemplate.opsForSet().add(key, values); + } catch (Exception e) { + e.printStackTrace(); + return 0; + } + } + + + /** + * 将set数据放入缓存 + * + * @param key 键 + * @param time 时间(秒) + * @param values 值 可以是多个 + * @return 成功个数 + */ + public long sSetAndTime(String key, long time, Object... values) { + try { + Long count = redisTemplate.opsForSet().add(key, values); + if (time > 0) + expire(key, time); + return count; + } catch (Exception e) { + e.printStackTrace(); + return 0; + } + } + + + /** + * 获取set缓存的长度 + * + * @param key 键 + */ + public long sGetSetSize(String key) { + try { + return redisTemplate.opsForSet().size(key); + } catch (Exception e) { + e.printStackTrace(); + return 0; + } + } + + + /** + * 移除值为value的 + * + * @param key 键 + * @param values 值 可以是多个 + * @return 移除的个数 + */ + + public long setRemove(String key, Object... values) { + try { + Long count = redisTemplate.opsForSet().remove(key, values); + return count; + } catch (Exception e) { + e.printStackTrace(); + return 0; + } + } + + // ===============================list================================= + + /** + * 获取list缓存的内容 + * + * @param key 键 + * @param start 开始 + * @param end 结束 0 到 -1代表所有值 + */ + public List lGet(String key, long start, long end) { + try { + return redisTemplate.opsForList().range(key, start, end); + } catch (Exception e) { + e.printStackTrace(); + return null; + } + } + + + /** + * 获取list缓存的长度 + * + * @param key 键 + */ + public long lGetListSize(String key) { + try { + return redisTemplate.opsForList().size(key); + } catch (Exception e) { + e.printStackTrace(); + return 0; + } + } + + + /** + * 通过索引 获取list中的值 + * + * @param key 键 + * @param index 索引 index>=0时, 0 表头,1 第二个元素,依次类推;index<0时,-1,表尾,-2倒数第二个元素,依次类推 + */ + public Object lGetIndex(String key, long index) { + try { + return redisTemplate.opsForList().index(key, index); + } catch (Exception e) { + e.printStackTrace(); + return null; + } + } + + + /** + * 将list放入缓存 + * + * @param key 键 + * @param value 值 + */ + public boolean lSet(String key, Object value) { + try { + redisTemplate.opsForList().rightPush(key, value); + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + + /** + * 将list放入缓存 + * + * @param key 键 + * @param value 值 + * @param time 时间(秒) + */ + public boolean lSet(String key, Object value, long time) { + try { + redisTemplate.opsForList().rightPush(key, value); + if (time > 0) + expire(key, time); + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + + } + + + /** + * 将list放入缓存 + * + * @param key 键 + * @param value 值 + * @return + */ + public boolean lSet(String key, List value) { + try { + redisTemplate.opsForList().rightPushAll(key, value); + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + + } + + + /** + * 将list放入缓存 + * + * @param key 键 + * @param value 值 + * @param time 时间(秒) + * @return + */ + public boolean lSet(String key, List value, long time) { + try { + redisTemplate.opsForList().rightPushAll(key, value); + if (time > 0) + expire(key, time); + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + + /** + * 根据索引修改list中的某条数据 + * + * @param key 键 + * @param index 索引 + * @param value 值 + * @return + */ + + public boolean lUpdateIndex(String key, long index, Object value) { + try { + redisTemplate.opsForList().set(key, index, value); + return true; + } catch (Exception e) { + e.printStackTrace(); + return false; + } + } + + + /** + * 移除N个值为value + * + * @param key 键 + * @param count 移除多少个 + * @param value 值 + * @return 移除的个数 + */ + + public long lRemove(String key, long count, Object value) { + try { + Long remove = redisTemplate.opsForList().remove(key, count, value); + return remove; + } catch (Exception e) { + e.printStackTrace(); + return 0; + } + + } + +} diff --git a/ccic-exam/src/main/java/com/ccic/safeliab/filter/TokenAuthenticationFilter.java b/ccic-exam/src/main/java/com/ccic/safeliab/filter/TokenAuthenticationFilter.java new file mode 100644 index 0000000..4d590cb --- /dev/null +++ b/ccic-exam/src/main/java/com/ccic/safeliab/filter/TokenAuthenticationFilter.java @@ -0,0 +1,69 @@ +package com.ccic.safeliab.filter; + +import com.ccic.safeliab.util.JwtUtils; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; +import org.springframework.util.StringUtils; +import org.springframework.web.filter.OncePerRequestFilter; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; + +@Component +public class TokenAuthenticationFilter extends OncePerRequestFilter { + + @Autowired + private RedisUtil redisUtil; + + @Override + protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException { + //加入支持token的请求头 + /*HeaderMapRequestWrapper requestWrapper = new HeaderMapRequestWrapper(httpServletRequest); + requestWrapper.addHeader("Access-Control-Allow-Headers", "content-type,token");*/ + //System.out.println("经过了此过滤器"); + String uri = httpServletRequest.getRequestURI(); + if (uri.indexOf("login") > 0 || uri.indexOf("getWorkId") > 0 || uri.indexOf("userLogin") > 0 + || uri.indexOf("userWxLogin") > 0 || uri.indexOf("demo") > 0) { + filterChain.doFilter(httpServletRequest, httpServletResponse); + return; + } +// String token = httpServletRequest.getHeader("token"); +// if (token == null || token == "") { +// httpServletResponse.sendError(5000); +// return; +// } +// if (!JwtUtils.checkToken(token)) { +// httpServletResponse.sendError(5001); +// return; +// } +// filterChain.doFilter(httpServletRequest, httpServletResponse); + + String token = httpServletRequest.getHeader("token"); + if (token == null || token == "") { + httpServletResponse.sendError(5000); + return; + } + //判断token是否失效 + if (!JwtUtils.checkToken(token)) { + httpServletResponse.sendError(5001); + return; + } + + //判断token是否注销 + String organType = JwtUtils.getMemberIdByJwtToken(httpServletRequest, "organType"); + if (!StringUtils.isEmpty(organType) && "1".equals(organType)) { + String userId = JwtUtils.getMemberIdByJwtToken(httpServletRequest, "id"); + if (!redisUtil.hasKey(userId)) { + httpServletResponse.sendError(5001); + return; + } + } + + filterChain.doFilter(httpServletRequest, httpServletResponse); + + + } +} diff --git a/ccic-exam/src/main/java/com/ccic/safeliab/service/DemoService.java b/ccic-exam/src/main/java/com/ccic/safeliab/service/DemoService.java new file mode 100644 index 0000000..eceee47 --- /dev/null +++ b/ccic-exam/src/main/java/com/ccic/safeliab/service/DemoService.java @@ -0,0 +1,21 @@ +package com.ccic.safeliab.service; + +import com.baomidou.mybatisplus.extension.service.IService; +import com.ccic.safeliab.entity.*; +import com.ccic.safeliab.vo.InsDemoVO; + +import java.util.List; +import java.util.Map; + +/** + *

+ *

+ * + * @author testjava + * @since 2022-11-03 + */ +public interface DemoService extends IService { + +// List find(InsDemoVO insDemoVO); + +} diff --git a/ccic-exam/src/main/java/com/ccic/safeliab/service/DemoServiceImpl.java b/ccic-exam/src/main/java/com/ccic/safeliab/service/DemoServiceImpl.java new file mode 100644 index 0000000..1e208fb --- /dev/null +++ b/ccic-exam/src/main/java/com/ccic/safeliab/service/DemoServiceImpl.java @@ -0,0 +1,26 @@ +package com.ccic.safeliab.service; + +import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl; +import com.ccic.safeliab.dao.DemoMapper; +import com.ccic.safeliab.entity.*; +import com.ccic.safeliab.support.Condition; +import com.ccic.safeliab.vo.InsDemoVO; +import org.springframework.stereotype.Service; + +import java.util.List; + +/** + *

+ *

+ * + * @author testjava + * @since 2022-11-03 + */ +@Service +public class DemoServiceImpl extends ServiceImpl implements DemoService { + +// @Override +// public List find(InsDemoVO insDemoVO) { +// return baseMapper.selectList(Condition.getQueryWrapper(insDemoVO)); +// } +} diff --git a/ccic-exam/src/main/java/com/ccic/safeliab/support/Condition.java b/ccic-exam/src/main/java/com/ccic/safeliab/support/Condition.java new file mode 100644 index 0000000..67916ab --- /dev/null +++ b/ccic-exam/src/main/java/com/ccic/safeliab/support/Condition.java @@ -0,0 +1,13 @@ +package com.ccic.safeliab.support; + +import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper; + +public class Condition { + + public Condition() { + } + + public static QueryWrapper getQueryWrapper(T entity) { + return new QueryWrapper(entity); + } +} diff --git a/ccic-exam/src/main/java/com/ccic/safeliab/vo/InsDemoVO.java b/ccic-exam/src/main/java/com/ccic/safeliab/vo/InsDemoVO.java new file mode 100644 index 0000000..7c71607 --- /dev/null +++ b/ccic-exam/src/main/java/com/ccic/safeliab/vo/InsDemoVO.java @@ -0,0 +1,6 @@ +package com.ccic.safeliab.vo; + +import com.ccic.safeliab.entity.InsDemo; + +public class InsDemoVO extends InsDemo { +} diff --git a/ccic-exam/src/main/java/com/ccic/safeliab/web/DemoController.java b/ccic-exam/src/main/java/com/ccic/safeliab/web/DemoController.java new file mode 100644 index 0000000..a1b68c6 --- /dev/null +++ b/ccic-exam/src/main/java/com/ccic/safeliab/web/DemoController.java @@ -0,0 +1,31 @@ +package com.ccic.safeliab.web; + +import com.ccic.safeliab.service.DemoService; +import com.ccic.safeliab.support.Condition; +import com.ccic.safeliab.util.R; +import com.ccic.safeliab.vo.InsDemoVO; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RestController; + +@RestController +@RequestMapping("/demo") +public class DemoController { + + @Autowired + private DemoService service; + + @GetMapping("/test") + public R test() { + return R.ok().data("success."); + } + + @GetMapping("/list") + public R findList() { + InsDemoVO insDemoVO = new InsDemoVO(); + return R.ok().data(service.list(Condition.getQueryWrapper(insDemoVO))); + } + + +} diff --git a/ccic-exam/src/main/resources/ESAPI.properties b/ccic-exam/src/main/resources/ESAPI.properties new file mode 100644 index 0000000..2355db3 --- /dev/null +++ b/ccic-exam/src/main/resources/ESAPI.properties @@ -0,0 +1,539 @@ +# +# OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version +# +# This file is part of the Open Web Application Security Project (OWASP) +# Enterprise Security API (ESAPI) project. For details, please see +# https://owasp.org/www-project-enterprise-security-api/ +# +# Copyright (c) 2008,2009 - The OWASP Foundation +# +# DISCUSS: This may cause a major backwards compatibility issue, etc. but +# from a name space perspective, we probably should have prefaced +# all the property names with ESAPI or at least OWASP. Otherwise +# there could be problems is someone loads this properties file into +# the System properties. We could also put this file into the +# esapi.jar file (perhaps as a ResourceBundle) and then allow an external +# ESAPI properties be defined that would overwrite these defaults. +# That keeps the application's properties relatively simple as usually +# they will only want to override a few properties. If looks like we +# already support multiple override levels of this in the +# DefaultSecurityConfiguration class, but I'm suggesting placing the +# defaults in the esapi.jar itself. That way, if the jar is signed, +# we could detect if those properties had been tampered with. (The +# code to check the jar signatures is pretty simple... maybe 70-90 LOC, +# but off course there is an execution penalty (similar to the way +# that the separate sunjce.jar used to be when a class from it was +# first loaded). Thoughts? +############################################################################### +# +# WARNING: Operating system protection should be used to lock down the .esapi +# resources directory and all the files inside and all the directories all the +# way up to the root directory of the file system. Note that if you are using +# file-based implementations, that some files may need to be read-write as they +# get updated dynamically. +# +#=========================================================================== +# ESAPI Configuration +# +# If true, then print all the ESAPI properties set here when they are loaded. +# If false, they are not printed. Useful to reduce output when running JUnit tests. +# If you need to troubleshoot a properties related problem, turning this on may help. +# This is 'false' in the src/test/resources/.esapi version. It is 'true' by +# default for reasons of backward compatibility with earlier ESAPI versions. +ESAPI.printProperties=true + +# ESAPI is designed to be easily extensible. You can use the reference implementation +# or implement your own providers to take advantage of your enterprise's security +# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like: +# +# String ciphertext = +# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0 +# CipherText cipherText = +# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred +# +# Below you can specify the classname for the provider that you wish to use in your +# application. The only requirement is that it implement the appropriate ESAPI interface. +# This allows you to switch security implementations in the future without rewriting the +# entire application. +# +# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory +ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController +# FileBasedAuthenticator requires users.txt file in .esapi directory +ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator +ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder +ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor + +ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor +ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities +ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector +# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html +# Note that this is now considered deprecated! +#ESAPI.Logger=org.owasp.esapi.logging.log4j.Log4JLogFactory +ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory +# To use the new SLF4J logger in ESAPI (see GitHub issue #129), set +# ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory +# and do whatever other normal SLF4J configuration that you normally would do for your application. +ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer +ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator + +#=========================================================================== +# ESAPI Authenticator +# +Authenticator.AllowedLoginAttempts=3 +#Authenticator.MaxOldPasswordHashes=13 +Authenticator.UsernameParameterName=username +#Authenticator.PasswordParameterName=password +# RememberTokenDuration (in days) +Authenticator.RememberTokenDuration=14 +# Session Timeouts (in minutes) +Authenticator.IdleTimeoutDuration=20 +Authenticator.AbsoluteTimeoutDuration=120 + +#=========================================================================== +# ESAPI Encoder +# +# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. +# Failure to canonicalize input is a very common mistake when implementing validation schemes. +# Canonicalization is automatic when using the ESAPI Validator, but you can also use the +# following code to canonicalize data. +# +# ESAPI.Encoder().canonicalize( "%22hello world"" ); +# +# Multiple encoding is when a single encoding format is applied multiple times. Allowing +# multiple encoding is strongly discouraged. +Encoder.AllowMultipleEncoding=false + +# Mixed encoding is when multiple different encoding formats are applied, or when +# multiple formats are nested. Allowing multiple encoding is strongly discouraged. +Encoder.AllowMixedEncoding=false + +# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs +# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or +# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important. +Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec + + +#=========================================================================== +# ESAPI Encryption +# +# The ESAPI Encryptor provides basic cryptographic functions with a simplified API. +# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor +# There is not currently any support for key rotation, so be careful when changing your key and salt as it +# will invalidate all signed, encrypted, and hashed data. +# +# WARNING: Not all combinations of algorithms and key lengths are supported. +# If you choose to use a key length greater than 128, you MUST download the +# unlimited strength policy files and install in the lib directory of your JRE/JDK. +# See http://java.sun.com/javase/downloads/index.jsp for more information. +# +# ***** IMPORTANT: Do NOT forget to replace these with your own values! ***** +# To calculate these values, you can run: +# java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor +# +#Encryptor.MasterKey= +#Encryptor.MasterSalt= + +# Provides the default JCE provider that ESAPI will "prefer" for its symmetric +# encryption and hashing. (That is it will look to this provider first, but it +# will defer to other providers if the requested algorithm is not implemented +# by this provider.) If left unset, ESAPI will just use your Java VM's current +# preferred JCE provider, which is generally set in the file +# "$JAVA_HOME/jre/lib/security/java.security". +# +# The main intent of this is to allow ESAPI symmetric encryption to be +# used with a FIPS 140-2 compliant crypto-module. For details, see the section +# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in +# the ESAPI 2.0 Symmetric Encryption User Guide, at: +# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html +# However, this property also allows you to easily use an alternate JCE provider +# such as "Bouncy Castle" without having to make changes to "java.security". +# See Javadoc for SecurityProviderLoader for further details. If you wish to use +# a provider that is not known to SecurityProviderLoader, you may specify the +# fully-qualified class name of the JCE provider class that implements +# java.security.Provider. If the name contains a '.', this is interpreted as +# a fully-qualified class name that implements java.security.Provider. +# +# NOTE: Setting this property has the side-effect of changing it in your application +# as well, so if you are using JCE in your application directly rather than +# through ESAPI (you wouldn't do that, would you? ;-), it will change the +# preferred JCE provider there as well. +# +# Default: Keeps the JCE provider set to whatever JVM sets it to. +Encryptor.PreferredJCEProvider= + +# AES is the most widely used and strongest encryption algorithm. This +# should agree with your Encryptor.CipherTransformation property. +# Warning: This property does not control the default reference implementation for +# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped +# in the future. +# @deprecated +Encryptor.EncryptionAlgorithm=AES +# For ESAPI Java 2.0 - New encrypt / decrypt methods use this. +Encryptor.CipherTransformation=AES/CBC/PKCS5Padding + +# Applies to ESAPI 2.0 and later only! +# Comma-separated list of cipher modes that provide *BOTH* +# confidentiality *AND* message authenticity. (NIST refers to such cipher +# modes as "combined modes" so that's what we shall call them.) If any of these +# cipher modes are used then no MAC is calculated and stored +# in the CipherText upon encryption. Likewise, if one of these +# cipher modes is used with decryption, no attempt will be made +# to validate the MAC contained in the CipherText object regardless +# of whether it contains one or not. Since the expectation is that +# these cipher modes support support message authenticity already, +# injecting a MAC in the CipherText object would be at best redundant. +# +# Note that as of JDK 1.5, the SunJCE provider does not support *any* +# of these cipher modes. Of these listed, only GCM and CCM are currently +# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports +# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other +# padding modes. +Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC + +# Applies to ESAPI 2.0 and later only! +# Additional cipher modes allowed for ESAPI 2.0 encryption. These +# cipher modes are in _addition_ to those specified by the property +# 'Encryptor.cipher_modes.combined_modes'. +# Note: We will add support for streaming modes like CFB & OFB once +# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' +# (probably in ESAPI 2.1). +# DISCUSS: Better name? +Encryptor.cipher_modes.additional_allowed=CBC + +# Default key size to use for cipher specified by Encryptor.EncryptionAlgorithm. +# Note that this MUST be a valid key size for the algorithm being used +# (as specified by Encryptor.EncryptionAlgorithm). So for example, if AES is used, +# it must be 128, 192, or 256. If DESede is chosen, then it must be either 112 or 168. +# +# Note that 128-bits is almost always sufficient and for AES it appears to be more +# somewhat more resistant to related key attacks than is 256-bit AES.) +# +# Defaults to 128-bits if left blank. +# +# NOTE: If you use a key size > 128-bits, then you MUST have the JCE Unlimited +# Strength Jurisdiction Policy files installed!!! +# +Encryptor.EncryptionKeyLength=128 + +# This is the _minimum_ key size (in bits) that we allow with ANY symmetric +# cipher for doing encryption. (There is no minimum for decryption.) +# +# Generally, if you only use one algorithm, this should be set the same as +# the Encryptor.EncryptionKeyLength property. +Encryptor.MinEncryptionKeyLength=128 + +# Because 2.x uses CBC mode by default, it requires an initialization vector (IV). +# (All cipher modes except ECB require an IV.) There are two choices: we can either +# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While +# the IV does not need to be hidden from adversaries, it is important that the +# adversary not be allowed to choose it. Also, random IVs are generally much more +# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes +# such as CFB and OFB use a different IV for each encryption with a given key so +# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random +# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and +# uncomment the Encryptor.fixedIV. +# +# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.3 +# 'fixed' is deprecated as of 2.2 +# and will be removed in 2.3. +Encryptor.ChooseIVMethod=random + + +# If you choose to use a fixed IV, then you must place a fixed IV here that +# is known to all others who are sharing your secret key. The format should +# be a hex string that is the same length as the cipher block size for the +# cipher algorithm that you are using. The following is an *example* for AES +# from an AES test vector for AES-128/CBC as described in: +# NIST Special Publication 800-38A (2001 Edition) +# "Recommendation for Block Cipher Modes of Operation". +# (Note that the block size for AES is 16 bytes == 128 bits.) +# +# @Deprecated -- fixed IVs are deprecated as of the 2.2 release and support +# will be removed in the next release (tentatively, 2.3). +# If you MUST use this, at least replace this IV with one +# that your legacy application was using. +Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f + +# Whether or not CipherText should use a message authentication code (MAC) with it. +# This prevents an adversary from altering the IV as well as allowing a more +# fool-proof way of determining the decryption failed because of an incorrect +# key being supplied. This refers to the "separate" MAC calculated and stored +# in CipherText, not part of any MAC that is calculated as a result of a +# "combined mode" cipher mode. +# +# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also +# set this property to false. That is because ESAPI takes the master key and +# derives 2 keys from it--a key for the MAC and a key for encryption--and +# because ESAPI is not itself FIPS 140-2 verified such intermediary aterations +# to keys from FIPS approved sources would have the effect of making your FIPS +# approved key generation and thus your FIPS approved JCE provider unapproved! +# More details in +# documentation/esapi4java-core-2.0-readme-crypto-changes.html +# documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html +# You have been warned. +Encryptor.CipherText.useMAC=true + +# Whether or not the PlainText object may be overwritten and then marked +# eligible for garbage collection. If not set, this is still treated as 'true'. +Encryptor.PlainText.overwrite=true + +# Do not use DES except in a legacy situations. 56-bit is way too small key size. +#Encryptor.EncryptionKeyLength=56 +#Encryptor.MinEncryptionKeyLength=56 +#Encryptor.EncryptionAlgorithm=DES + +# TripleDES is considered strong enough for most purposes. +# Note: There is also a 112-bit version of DESede. Using the 168-bit version +# requires downloading the special jurisdiction policy from Sun. +#Encryptor.EncryptionKeyLength=168 +#Encryptor.MinEncryptionKeyLength=112 +#Encryptor.EncryptionAlgorithm=DESede + +Encryptor.HashAlgorithm=SHA-512 +Encryptor.HashIterations=1024 +Encryptor.DigitalSignatureAlgorithm=SHA1withDSA +Encryptor.DigitalSignatureKeyLength=1024 +Encryptor.RandomAlgorithm=SHA1PRNG +Encryptor.CharacterEncoding=UTF-8 + +# This is the Pseudo Random Function (PRF) that ESAPI's Key Derivation Function +# (KDF) normally uses. Note this is *only* the PRF used for ESAPI's KDF and +# *not* what is used for ESAPI's MAC. (Currently, HmacSHA1 is always used for +# the MAC, mostly to keep the overall size at a minimum.) +# +# Currently supported choices for JDK 1.5 and 1.6 are: +# HmacSHA1 (160 bits), HmacSHA256 (256 bits), HmacSHA384 (384 bits), and +# HmacSHA512 (512 bits). +# Note that HmacMD5 is *not* supported for the PRF used by the KDF even though +# the JDKs support it. See the ESAPI 2.0 Symmetric Encryption User Guide +# further details. +Encryptor.KDF.PRF=HmacSHA256 +#=========================================================================== +# ESAPI HttpUtilties +# +# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods +# protect against malicious data from attackers, such as unprintable characters, escaped characters, +# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies, +# headers, and CSRF tokens. +# +# Default file upload location (remember to escape backslashes with \) +HttpUtilities.UploadDir=C:\ESAPI\testUpload +HttpUtilities.UploadTempDir=C:\temp +# Force flags on cookies, if you use HttpUtilities to set cookies +HttpUtilities.ForceHttpOnlySession=false +HttpUtilities.ForceSecureSession=false +HttpUtilities.ForceHttpOnlyCookies=true +HttpUtilities.ForceSecureCookies=true +# Maximum size of HTTP header key--the validator regex may have additional values. +HttpUtilities.MaxHeaderNameSize=256 +# Maximum size of HTTP header value--the validator regex may have additional values. +HttpUtilities.MaxHeaderValueSize=4096 +# Maximum size of JSESSIONID for the application--the validator regex may have additional values. +HttpUtilities.HTTPJSESSIONIDLENGTH=50 +# Maximum length of a URL (see https://stackoverflow.com/questions/417142/what-is-the-maximum-length-of-a-url-in-different-browsers) +HttpUtilities.URILENGTH=2000 +# Maximum length of a redirect +HttpUtilities.maxRedirectLength=512 +# Maximum length for an http scheme +HttpUtilities.HTTPSCHEMELENGTH=10 +# Maximum length for an http host +HttpUtilities.HTTPHOSTLENGTH=100 +# Maximum length for an http path +HttpUtilities.HTTPPATHLENGTH=150 +#Maximum length for a context path +HttpUtilities.contextPathLength=150 +#Maximum length for an httpServletPath +HttpUtilities.HTTPSERVLETPATHLENGTH=100 +#Maximum length for an http query parameter name +HttpUtilities.httpQueryParamNameLength=100 +#Maximum length for an http query parameter -- old default was 2000, but that's the max length for a URL... +HttpUtilities.httpQueryParamValueLength=500 +# File upload configuration +HttpUtilities.ApprovedUploadExtensions=.pdf,.doc,.docx,.ppt,.pptx,.xls,.xlsx,.rtf,.txt,.jpg,.png +HttpUtilities.MaxUploadFileBytes=500000000 +# Using UTF-8 throughout your stack is highly recommended. That includes your database driver, +# container, and any other technologies you may be using. Failure to do this may expose you +# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization. +HttpUtilities.ResponseContentType=text/html; charset=UTF-8 +# This is the name of the cookie used to represent the HTTP session +# Typically this will be the default "JSESSIONID" +HttpUtilities.HttpSessionIdName=JSESSIONID +#Sets whether or not we will overwrite http status codes to 200. +HttpUtilities.OverwriteStatusCodes=true +#Sets the application's base character encoding. This is forked from the Java Encryptor property. +HttpUtilities.CharacterEncoding=UTF-8 + +#=========================================================================== +# ESAPI Executor +# CHECKME - This should be made OS independent. Don't use unsafe defaults. +# # Examples only -- do NOT blindly copy! +# For Windows: +# Executor.WorkingDirectory=C:\Windows\Temp +# Executor.ApprovedExecutables=C:\Windows\System32\cmd.exe,C:\Windows\System32\runas.exe +# For *nux, MacOS: +# Executor.WorkingDirectory=/tmp +# Executor.ApprovedExecutables=/bin/bash +Executor.WorkingDirectory= +Executor.ApprovedExecutables= + + +#=========================================================================== +# ESAPI Logging +# Set the application name if these logs are combined with other applications +Logger.ApplicationName=ExampleApplication +# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true +Logger.LogEncodingRequired=false +# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. +Logger.LogApplicationName=true +# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. +Logger.LogServerIP=true +# Determines whether ESAPI should log the user info. +Logger.UserInfo=true +# Determines whether ESAPI should log the session id and client IP. +Logger.ClientInfo=true + +#=========================================================================== +# ESAPI Intrusion Detection +# +# Each event has a base to which .count, .interval, and .action are added +# The IntrusionException will fire if we receive "count" events within "interval" seconds +# The IntrusionDetector is configurable to take the following actions: log, logout, and disable +# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable +# +# Custom Events +# Names must start with "event." as the base +# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here +# You can also disable intrusion detection completely by changing +# the following parameter to true +# +IntrusionDetector.Disable=false +# +IntrusionDetector.event.test.count=2 +IntrusionDetector.event.test.interval=10 +IntrusionDetector.event.test.actions=disable,log + +# Exception Events +# All EnterpriseSecurityExceptions are registered automatically +# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException +# Use the fully qualified classname of the exception as the base + +# any intrusion is an attack +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1 +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1 +IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout + +# for test purposes +# CHECKME: Shouldn't there be something in the property name itself that designates +# that these are for testing??? +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10 +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5 +IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout + +# rapid validation errors indicate scans or attacks in progress +# org.owasp.esapi.errors.ValidationException.count=10 +# org.owasp.esapi.errors.ValidationException.interval=10 +# org.owasp.esapi.errors.ValidationException.actions=log,logout + +# sessions jumping between hosts indicates session hijacking +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2 +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10 +IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout + + +#=========================================================================== +# ESAPI Validation +# +# The ESAPI Validator works on regular expressions with defined names. You can define names +# either here, or you may define application specific patterns in a separate file defined below. +# This allows enterprises to specify both organizational standards as well as application specific +# validation rules. +# +# Use 'p{L}' (without the quotes) within the character class to match +# any Unicode LETTER. You can also use a range, like: u00C0-u017F +# You can also use any of the regex flags as documented at +# https://docs.oracle.com/javase/tutorial/essential/regex/pattern.html, e.g. (?u) +# +Validator.ConfigurationFile=validation.properties + +# Validators used by ESAPI +Validator.AccountName=^[a-zA-Z0-9]{3,20}$ +Validator.SystemCommand=^[a-zA-Z\-\/]{1,64}$ +Validator.RoleName=^[a-z]{1,20}$ + +#the word TEST below should be changed to your application +#name - only relative URL's are supported +Validator.Redirect=^\/test.*$ + +# Global HTTP Validation Rules +# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9/+=] +Validator.HTTPScheme=^(http|https)$ +Validator.HTTPServerName=^[a-zA-Z0-9_.\-]*$ +Validator.HTTPCookieName=^[a-zA-Z0-9\-_]{1,32}$ +Validator.HTTPCookieValue=^[a-zA-Z0-9\-\/+=_ ]*$ +# Note that headerName and Value length is also configured in the HTTPUtilities section +Validator.HTTPHeaderName=^[a-zA-Z0-9\-_]{1,256}$ +Validator.HTTPHeaderValue=^[a-zA-Z0-9()\-=\*\.\?;,+\/:&_ ]*$ +Validator.HTTPServletPath=^[a-zA-Z0-9.\-\/_]*$ +Validator.HTTPPath=^[a-zA-Z0-9.\-_]*$ +Validator.HTTPURL=^.*$ +Validator.HTTPJSESSIONID=^[A-Z0-9]{10,32}$ + + +# Contributed by Fraenku@gmx.ch +# Github Issue 126 https://github.com/ESAPI/esapi-java-legacy/issues/126 +Validator.HTTPParameterName=^[a-zA-Z0-9_\-]{1,32}$ +Validator.HTTPParameterValue=^[-\p{L}\p{N}./+=_ !$*?@]{0,1000}$ +Validator.HTTPContextPath=^/[a-zA-Z0-9.\-_]*$ +Validator.HTTPQueryString=^([a-zA-Z0-9_\-]{1,32}=[\p{L}\p{N}.\-/+=_ !$*?@%]*&?)*$ +Validator.HTTPURI=^/([a-zA-Z0-9.\-_]*/?)*$ + + +# Validation of file related input +Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\[\]()_+\-=,.~'` ]{1,255}$ +Validator.DirectoryName=^[a-zA-Z0-9:/\\!@#$%^&{}\[\]()_+\-=,.~'` ]{1,255}$ + +# Validation of dates. Controls whether or not 'lenient' dates are accepted. +# See DataFormat.setLenient(boolean flag) for further details. +Validator.AcceptLenientDates=false + +# ~~~~~ Important Note ~~~~~ +# This is a workaround to make sure that a commit to address GitHub issue #509 +# doesn't accidentally break someone's production code. So essentially what we +# are doing is to reverting back to the previous possibly buggy (by +# documentation intent at least), but, by now, expected legacy behavior. +# Prior to the code changes for issue #509, if invalid / malicious HTML input was +# observed, AntiSamy would simply attempt to sanitize (cleanse) it and it would +# only be logged. However, the code change made ESAPI comply with its +# documentation, which stated that a ValidationException should be thrown in +# such cases. Unfortunately, changing this behavior--especially when no one is +# 100% certain that the documentation was correct--could break existing code +# using ESAPI so after a lot of debate, issue #521 was created to restore the +# previous behavior, but still allow the documented behavior. (We did this +# because it wasn't really causing an security issues since AntiSamy would clean +# it up anyway and we value backward compatibility as long as it doesn't clearly +# present security vulnerabilities.) +# More defaults about this are written up under GitHub issue #521 and +# the pull request it references. Future major releases of ESAPI (e.g., ESAPI 3.x) +# will not support this previous behavior, but it will remain for ESAPI 2.x. +# Set this to 'throw' if you want the originally intended behavior of throwing +# that was fixed via issue #509. Set to 'clean' if you want want the HTML input +# sanitized instead. +# +# Possible values: +# clean -- Use the legacy behavior where unsafe HTML input is logged and the +# sanitized (i.e., clean) input as determined by AntiSamy and your +# AntiSamy rules is returned. This is the default behavior if this +# new property is not found. +# throw -- The new, presumably correct and originally intended behavior where +# a ValidationException is thrown when unsafe HTML input is +# encountered. +# +#Validator.HtmlValidationAction=clean +Validator.HtmlValidationAction=throw + +# With the fix for #310 to enable loading antisamy-esapi.xml from the classpath +# also an enhancement was made to be able to use a different filename for the configuration. +# You don't have to configure the filename here, but in that case the code will keep looking for antisamy-esapi.xml. +# This is the default behaviour of ESAPI. +# +#Validator.HtmlValidationConfigurationFile=antisamy-esapi.xml diff --git a/ccic-exam/src/main/resources/META-INF/MANIFEST.MF b/ccic-exam/src/main/resources/META-INF/MANIFEST.MF new file mode 100644 index 0000000..396d3a8 --- /dev/null +++ b/ccic-exam/src/main/resources/META-INF/MANIFEST.MF @@ -0,0 +1,40 @@ +Manifest-Version: 1.0 +Class-Path: tomcat-embed-core-9.0.46.jar undertow-servlet-2.1.7.Final. + jar spring-webmvc-5.2.15.RELEASE.jar spring-boot-starter-data-redis-2 + .3.12.RELEASE.jar jakarta.annotation-api-1.3.5.jar netty-common-4.1.6 + 5.Final.jar undertow-websockets-jsr-2.1.7.Final.jar jackson-annotatio + ns-2.11.4.jar log4j-to-slf4j-2.13.3.jar spring-boot-starter-logging-2 + .3.12.RELEASE.jar jackson-core-2.11.4.jar netty-codec-4.1.65.Final.ja + r spring-data-keyvalue-2.3.9.RELEASE.jar spring-boot-autoconfigure-2. + 3.12.RELEASE.jar spring-boot-starter-jdbc-2.3.12.RELEASE.jar mybatis- + spring-boot-autoconfigure-1.1.1.jar spring-web-5.2.15.RELEASE.jar jbo + ss-logging-3.4.2.Final.jar spring-core-5.2.15.RELEASE.jar spring-bean + s-5.2.15.RELEASE.jar xnio-api-3.8.0.Final.jar reactive-streams-1.0.3. + jar javax.servlet-api-4.0.1.jar spring-data-commons-2.3.9.RELEASE.jar + logback-core-1.2.3.jar jackson-databind-2.11.4.jar mybatis-spring-1. + 3.0.jar jakarta.servlet-api-4.0.4.jar spring-boot-2.3.12.RELEASE.jar + xnio-nio-3.8.0.Final.jar spring-context-support-5.2.15.RELEASE.jar un + dertow-core-2.1.7.Final.jar tomcat-embed-websocket-9.0.46.jar reactor + -core-3.3.17.RELEASE.jar spring-boot-starter-2.3.12.RELEASE.jar mysql + -connector-java-8.0.25.jar spring-jdbc-5.2.15.RELEASE.jar netty-resol + ver-4.1.65.Final.jar spring-boot-starter-json-2.3.12.RELEASE.jar spri + ng-boot-starter-tomcat-2.3.12.RELEASE.jar spring-boot-starter-underto + w-2.3.12.RELEASE.jar spring-oxm-5.2.15.RELEASE.jar spring-boot-config + uration-processor-2.3.12.RELEASE.jar mybatis-3.4.0.jar spring-boot-st + arter-web-2.3.12.RELEASE.jar jakarta.el-3.0.3.jar spring-data-redis-2 + .3.9.RELEASE.jar spring-aop-5.2.15.RELEASE.jar netty-buffer-4.1.65.Fi + nal.jar jboss-annotations-api_1.3_spec-2.0.1.Final.jar slf4j-api-1.7. + 30.jar jul-to-slf4j-1.7.30.jar spring-context-5.2.15.RELEASE.jar myba + tis-spring-boot-starter-1.1.1.jar fastjson-1.2.7.sec06.jar jboss-serv + let-api_4.0_spec-2.0.0.Final.jar netty-transport-4.1.65.Final.jar jbo + ss-threads-3.1.0.Final.jar spring-expression-5.2.15.RELEASE.jar Hikar + iCP-3.4.5.jar jackson-module-parameter-names-2.11.4.jar spring-tx-5.2 + .15.RELEASE.jar wildfly-client-config-1.0.1.Final.jar jackson-datatyp + e-jdk8-2.11.4.jar logback-classic-1.2.3.jar jackson-datatype-jsr310-2 + .11.4.jar jsqlparser-0.9.5.jar spring-jcl-5.2.15.RELEASE.jar cloud-st + arter-1.0.jar jboss-websocket-api_1.1_spec-2.0.0.Final.jar log4j-api- + 2.13.3.jar pagehelper-4.1.6.jar netty-handler-4.1.65.Final.jar lettuc + e-core-5.3.7.RELEASE.jar snakeyaml-1.26.jar wildfly-common-1.5.2.Fina + l.jar +Main-Class: com.ccic.safeliab.ServerApplication + diff --git a/ccic-exam/src/main/resources/application.yml.txt b/ccic-exam/src/main/resources/application.yml.txt new file mode 100644 index 0000000..b3ab4e3 --- /dev/null +++ b/ccic-exam/src/main/resources/application.yml.txt @@ -0,0 +1,41 @@ +server: + port: 8086 + +spring: + application: + name: ccic-service + datasource: + driver-class-name: com.kingbase8.Driver + url: jdbc:kingbase8://kingbase01.safeliab.tsccic:54321/safeliabdb_dev?useUnicode=true&characterEncoding=UTF-8&zeroDateTimeBehavior=convertToNull + username: safeliabbusi_dev + password: RJRDD7nbpF_Zgt5b + #password: 111111 + #driver-class-name: com.kingbase8.Driver + #url: jdbc:kingbase8://120.46.153.78:54321/ccic?useUnicode=true&characterEncoding=UTF-8&zeroDateTimeBehavior=convertToNull + #username: system + #password: system + #返回json的全局时间格式 + jackson: + date-format: yyyy-MM-dd HH:mm:ss + time-zone: GMT+8 + #环境设置:dev、test、prod + profiles: + active: dev + +mybatis-plus: + mapperLocations: classpath:mappers/*.xml + type-aliases-package: com.cs.ccic.entity + configuration: + log-impl: org.apache.ibatis.logging.stdout.StdOutImpl + +logging: + level: + org.springframework.boot.autoconfigure: error + +ccic: + api: http://ccic.dev-api.jeean.cn + business: http://ccic.dev-business.jeean.cn + #exportPdf: http://10.3.0.34:8083 + exportPdf: http://120.46.153.78:8083 + #business: http://localhost:8086 + #api: http://localhost:8079 diff --git a/ccic-exam/src/main/resources/bootstrap.yml b/ccic-exam/src/main/resources/bootstrap.yml new file mode 100644 index 0000000..58af5e6 --- /dev/null +++ b/ccic-exam/src/main/resources/bootstrap.yml @@ -0,0 +1,58 @@ + +spring: + redis: + database: 1 + #password: zCJaN_xPL0jCei1y + password: MftT7ucfA5Zg_LdP + # redis哨兵配置 + sentinel: + # 主节点名称 + master: safeliabrescls + nodes: + - 10.3.88.7:16379 + - 10.3.88.8:16379 + - 10.3.88.9:16379 + #- 10.3.3.5:16379 + #- 10.3.3.6:16379 + #- 10.3.3.7:16379 + # 使用lettuce配置 + lettuce: + pool: + # 连接池最大连接数(使用负值表示没有限制) + max-active: 200 + # 连接池中的最大空闲连接 + max-idle: 20 + # 连接池中的最小空闲连接 + min-idle: 5 + # 连接池最大阻塞等待时间(使用负值表示没有限制) + max-wait: -1ms + application: + name: exam-server + profiles: + active: dev + + cloud: + nacos: + #生产环境 + server-addr: 172.16.10.156:8848 + username: nacos + password: nacos + # password: ENC(uA9HhACj5oG53b3AhbLpkQ==) + #上面3项存在,就不需要在spring.cloud.nacos.discovery中再写 + #上面3项存在,就不需要在spring.cloud.nacos.config中再写 + + # 注册 + discovery: + group: ${spring.profiles.active} + #生产环境 + namespace: safeliab-uat + # 配置 + config: + server-addr: 172.16.10.156:8848 + username: nacos + password: nacos + group: ${spring.profiles.active} + file-extension: yaml + #生产环境 + namespace: safeliab-uat + diff --git a/ccic-exam/src/main/resources/mappers/DemoMapper.xml b/ccic-exam/src/main/resources/mappers/DemoMapper.xml new file mode 100644 index 0000000..3bb5ccc --- /dev/null +++ b/ccic-exam/src/main/resources/mappers/DemoMapper.xml @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/ccic-exam/src/main/resources/validation.properties b/ccic-exam/src/main/resources/validation.properties new file mode 100644 index 0000000..9dbb262 --- /dev/null +++ b/ccic-exam/src/main/resources/validation.properties @@ -0,0 +1,28 @@ +# The ESAPI validator does many security checks on input, such as canonicalization +# and whitelist validation. Note that all of these validation rules are applied *after* +# canonicalization. Double-encoded characters (even with different encodings involved, +# are never allowed. +# +# To use: +# +# First set up a pattern below. You can choose any name you want, prefixed by the word +# "Validation." For example: +# Validation.Email=^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[a-zA-Z]{2,4}$ +# +# Then you can validate in your code against the pattern like this: +# ESAPI.validator().isValidInput("User Email", input, "Email", maxLength, allowNull); +# Where maxLength and allowNull are set for you needs, respectively. +# +# But note, when you use boolean variants of validation functions, you lose critical +# canonicalization. It is preferable to use the "get" methods (which throw exceptions) and +# and use the returned user input which is in canonical form. Consider the following: +# +# try { +# someObject.setEmail(ESAPI.validator().getValidInput("User Email", input, "Email", maxLength, allowNull)); +# +Validator.SafeString=^[.\p{Alnum}\p{Space}]{0,1024}$ +Validator.Email=^[A-Za-z0-9._%'-]+@[A-Za-z0-9.-]+\.[a-zA-Z]{2,4}$ +Validator.IPAddress=^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ +Validator.URL=^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\:\'\/\\\+=&;%\$#_]*)?$ +Validator.CreditCard=^(\d{4}[- ]?){3}\d{4}$ +Validator.SSN=^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$