Home Explore Help
Sign In
iot
/
hsweb-framework
4
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

fix #107 csrf

zhouhao 6 years ago
parent
b72a2275ed
commit
40929e9b0d
2 changed files with 7 additions and 1 deletions
Split View Show Diff Stats
  1. 2 0
      hsweb-authorization/hsweb-authorization-oauth2/hsweb-authorization-oauth2-core/src/main/java/org/hswebframework/web/oauth2/core/ErrorType.java
  2. 5 1
      hsweb-system/hsweb-system-oauth2-client/hsweb-system-oauth2-client-web/src/main/java/org/hswebframework/web/authorization/oauth2/controller/OAuth2ClientController.java

+ 2 - 0
hsweb-authorization/hsweb-authorization-oauth2/hsweb-authorization-oauth2-core/src/main/java/org/hswebframework/web/oauth2/core/ErrorType.java
View File 

@@ -57,6 +57,8 @@ public enum ErrorType {
 
 
     USER_NOT_EXIST(4041),//客户端不存在
 
 
+    STATE_ERROR(4042), //stat错误
 
+
 
     ACCESS_DENIED(503), //访问被拒绝
 
 
     OTHER(5001), //其他错误 ;

+ 5 - 1
hsweb-system/hsweb-system-oauth2-client/hsweb-system-oauth2-client-web/src/main/java/org/hswebframework/web/authorization/oauth2/controller/OAuth2ClientController.java
View File 

@@ -20,12 +20,14 @@ package org.hswebframework.web.authorization.oauth2.controller;
 
 
 import io.swagger.annotations.Api;
 
 import io.swagger.annotations.ApiOperation;
 
+import org.hswebframework.web.BusinessException;
 
 import org.hswebframework.web.WebUtil;
 
 import org.hswebframework.web.authorization.oauth2.client.OAuth2RequestService;
 
 import org.hswebframework.web.authorization.oauth2.client.listener.OAuth2CodeAuthBeforeEvent;
 
 import org.hswebframework.web.controller.message.ResponseMessage;
 
 import org.hswebframework.web.entity.oauth2.client.OAuth2ServerConfigEntity;
 
 import org.hswebframework.web.id.IDGenerator;
 
+import org.hswebframework.web.oauth2.core.ErrorType;
 
 import org.hswebframework.web.oauth2.core.OAuth2Constants;
 
 import org.hswebframework.web.service.oauth2.client.OAuth2ServerConfigService;
 
 import org.springframework.beans.factory.annotation.Autowired;
 
@@ -104,7 +106,9 @@ public class OAuth2ClientController {
 
                                  HttpSession session) throws UnsupportedEncodingException {
 
         try {
 
             String cachedState = (String) session.getAttribute(STATE_SESSION_KEY);
 
-            //  if (!state.equals(cachedState)) throw new BusinessException("state error");
 
+            if (!state.equals(cachedState)) {
 
+                throw new BusinessException(ErrorType.STATE_ERROR.name());
 
+            }
 
             oAuth2RequestService.doEvent(serverId, new OAuth2CodeAuthBeforeEvent(code, state, request::getParameter));
 
             return new RedirectView(URLDecoder.decode(redirect, "UTF-8"));
 
         } finally {