add sh

build.cmd

@@ -0,0 +1,27 @@
+@echo off
+SETLOCAL
+
+chcp 65001
+
+del /S *.log
+
+call mvn clean -DskipTests=true package
+
+cd chsm-web-manage
+echo ">>>>>>>>>>>begin build docker image ...<<<<<<<<<<<<<"
+docker build -t chsm-web-manager:latest .
+echo ">>>>>>>>>>>build docker image success<<<<<<<<<<<<<"
+
+cd ../chsm-web-server
+echo ">>>>>>>>>>>begin build docker image ...<<<<<<<<<<<<<"
+docker build -t chsm-web-server:latest .
+echo ">>>>>>>>>>>build docker image success<<<<<<<<<<<<<"
+
+cd ..
+echo ">>>>>>>>>>>begin build offline tar ...<<<<<<<<<<<<<"
+docker save -o chsm-web-manager.tar chsm-web-manager:latest
+docker save -o chsm-web-server.tar chsm-web-server:latest
+echo ">>>>>>>>>>>build docker offline tar success<<<<<<<<<<<<<"
+
+pause
+

build.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+call /app/maven/bin/mvn clean -DskipTests=true package
+
+cd chsm-web-manage
+echo ">>>>>>>>>>>begin build docker image ...<<<<<<<<<<<<<"
+docker build -t chsm-web-manager:latest .
+echo ">>>>>>>>>>>build docker image success<<<<<<<<<<<<<"
+
+cd ../chsm-web-server
+echo ">>>>>>>>>>>begin build docker image ...<<<<<<<<<<<<<"
+docker build -t chsm-web-server:latest .
+echo ">>>>>>>>>>>build docker image success<<<<<<<<<<<<<"
+
+cd ..
+echo ">>>>>>>>>>>begin build offline tar ...<<<<<<<<<<<<<"
+docker save -o chsm-web-manager.tar chsm-web-manager:latest
+docker save -o chsm-web-server.tar chsm-web-server:latest
+echo ">>>>>>>>>>>build docker offline tar success<<<<<<<<<<<<<"
+
+

chsm-common/src/main/java/com/sunyard/chsm/constant/ParamConfKeyConstant.java

@@ -13,6 +13,7 @@ public interface ParamConfKeyConstant {
     String IP_WHITELIST_SWITCH = "ipWhitelistSwitch";
 
     String TMK_INIT = "tmk_init";
+    String TMK_CHECK_VALUE = "tmk_check_value";
 
     String ENABLE_SOFT_DEVICE = "enable_soft_device";
 

chsm-common/src/main/java/com/sunyard/chsm/model/dto/TmkStatus.java

@@ -17,6 +17,9 @@ public class TmkStatus {
      * 主密钥是否初始化
      */
     private boolean tmkInit;
-
+    /**
+     * 主密钥校验值
+     */
+    private String checkValue;
 
 }

chsm-common/src/main/java/com/sunyard/chsm/sdf/adapter/SdfApiAdapterFactory.java

@@ -37,11 +37,16 @@ public class SdfApiAdapterFactory {
             // bc adaptor
             return BcSdfApiAdaptor.INSTANCE;
         }
-        switch (modelEnum) {
+        try {
-            case enc001:
+            switch (modelEnum) {
-                return Platform.isMac() ? getProxyRcpAdapter(ip, port) : new SunyardJnaSdfAdaptor(ip, port);
+                case enc001:
-            default:
+                    return Platform.isMac() ? getProxyRcpAdapter(ip, port) : new SunyardJnaSdfAdaptor(ip, port);
-                throw new UnsupportedOperationException("不支持的设备型号: " + model);
+                default:
+                    throw new UnsupportedOperationException("不支持的设备型号: " + model);
+            }
+        } catch (Throwable ex) {
+            log.warn("build SdfApiAdapter error", ex);
+            throw new IllegalArgumentException("build SdfApiAdapter error");
         }
     }
 

chsm-common/src/main/java/com/sunyard/chsm/service/TmkService.java

@@ -14,11 +14,19 @@ import com.sunyard.chsm.sdf.context.AlgId;
 import com.sunyard.chsm.sdf.model.DeviceInfo;
 import com.sunyard.chsm.sdf.model.EccCipher;
 import com.sunyard.chsm.sdf.model.EccPubKey;
+import com.sunyard.chsm.sdf.util.LangUtils;
 import com.sunyard.chsm.utils.CodecUtils;
+import com.sunyard.chsm.utils.gm.BCECUtils;
+import com.sunyard.chsm.utils.gm.BCSM2Utils;
+import com.sunyard.chsm.utils.gm.BCSM3Utils;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.tuple.Pair;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
 import org.springframework.util.StringUtils;
@@ -40,6 +48,7 @@ public class TmkService {
     private final SpDeviceMapper spDeviceMapper;
     private final ParamConfMapper paramConfMapper;
 
+    @Transactional
     public void initTmk() {
         boolean tmkInit = isTmkInit();
         Assert.isTrue(!tmkInit, "主密钥已经初始化");
@@ -59,6 +68,8 @@ public class TmkService {
         byte[] prk = sdfApi.symDecrypt(hs, hk, AlgId.SGD_SM4_ECB, new byte[0], encrk);
         Assert.isTrue(Arrays.equals(rk, prk), "密码机加解密异常");
 
+        byte[] hash = BCSM3Utils.hash(rk);
+
         sdfApi.destroyKey(hs, hk);
         sdfApi.closeSession(hs);
         sdfApi.closeDevice(hd);
@@ -72,7 +83,7 @@ public class TmkService {
             up.setTmkStatus(DeviceTmkStatus.finished.name());
             spDeviceMapper.updateById(up);
         }
-        updateTmkInit(true);
+        updateTmkInit(true, hash);
 
     }
 
@@ -82,6 +93,10 @@ public class TmkService {
         if (init) {
             status.setHasDevice(true);
             status.setTmkInit(true);
+            ParamConf paramConf = paramConfMapper.selectByKey(ParamConfKeyConstant.TMK_CHECK_VALUE);
+            if (paramConf != null) {
+                status.setCheckValue(paramConf.getValue());
+            }
             return status;
         }
         status.setTmkInit(false);
@@ -90,6 +105,89 @@ public class TmkService {
         return status;
     }
 
+    public String backup(String pubKey) {
+
+        boolean tmkInit = isTmkInit();
+        Assert.isTrue(tmkInit, "主密钥未初始化");
+        Device device = getOneByStatus(DeviceTmkStatus.finished);
+        Assert.notNull(device, "没有可以用于备份主密钥的设备");
+        byte[] xy;
+        try {
+            String pubBase6 = pubKey.replace("-----BEGIN ECDSA PUBLIC KEY-----", "").replace("-----END ECDSA PUBLIC KEY-----", "")
+                    .replace("\n", "");
+            byte[] pubBytes = CodecUtils.decodeBase64(pubBase6);
+            SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(pubBytes);
+            BCECPublicKey key = BCECUtils.createPublicKeyFromSubjectPublicKeyInfo(keyInfo);
+            xy = LangUtils.merge(key.getQ().getXCoord().getEncoded(), key.getQ().getYCoord().getEncoded());
+        } catch (Exception e) {
+            throw new IllegalArgumentException(e);
+        }
+
+        SdfApiAdapter sdfApi = SdfApiAdapterFactory.newInstance(device.getManufacturerModel(), device.getServiceIp(), device.getServicePort());
+
+        String hd = sdfApi.openDevice();
+        String hs = sdfApi.openSession(hd);
+        sdfApi.getPrivateKeyAccessRight(hs, device.getEncKeyIdx(), device.getAccessCredentials().getBytes());
+
+        EccCipher cipher = sdfApi.exchangeDigitEnvelopeBaseOnECC(hs, device.getEncKeyIdx(), EccPubKey.fromBytes(xy), EccCipher.fromHex(device.getEncTmk()));
+
+        try {
+            byte[] der = BCSM2Utils.encodeSM2CipherToDER(LangUtils.merge(new byte[]{0x04}, cipher.getC1C3C2Bytes()));
+            return CodecUtils.encodeBase64(der);
+        } catch (Exception e) {
+            throw new IllegalArgumentException(e);
+        }
+    }
+
+    public Pair<Long, String> getDevicePubKey() {
+        Device device = getOneByStatus(DeviceTmkStatus.available);
+        Assert.notNull(device, "没有可以用于导入主密钥的设备");
+        SdfApiAdapter sdfApi = SdfApiAdapterFactory.newInstance(device.getManufacturerModel(), device.getServiceIp(), device.getServicePort());
+        String hd = sdfApi.openDevice();
+        String hs = sdfApi.openSession(hd);
+        EccPubKey pubKey = sdfApi.exportEncPublicKeyECC(hs, device.getEncKeyIdx());
+
+        BCECPublicKey publicKey = BCECUtils.createPublicKey(pubKey.getPubKeyHex());
+        return Pair.of(device.getId(), CodecUtils.encodeBase64(publicKey.getEncoded()));
+    }
+
+    @Transactional
+    public void importTmk(Long deviceId, String encTmk) {
+        boolean tmkInit = isTmkInit();
+        Assert.isTrue(!tmkInit, "主密钥已经初始化");
+
+        Device device = getOneByStatus(DeviceTmkStatus.available);
+        Assert.notNull(device, "没有可以用于导入主密钥的设备");
+        SdfApiAdapter sdfApi = SdfApiAdapterFactory.newInstance(device.getManufacturerModel(), device.getServiceIp(), device.getServicePort());
+        String hd = sdfApi.openDevice();
+        String hs = sdfApi.openSession(hd);
+        byte[] rk = CodecUtils.decodeBase64(encTmk);
+        EccPubKey pubKey = sdfApi.exportEncPublicKeyECC(hs, device.getEncKeyIdx());
+        EccCipher cipher = sdfApi.externalEncryptECC(hs, pubKey, rk);
+        sdfApi.getPrivateKeyAccessRight(hs, device.getEncKeyIdx(), device.getAccessCredentials().getBytes());
+        String hk = sdfApi.importKeyWithISKECC(hs, device.getEncKeyIdx(), cipher);
+        byte[] encrk = sdfApi.symEncrypt(hs, hk, AlgId.SGD_SM4_ECB, new byte[0], rk);
+        byte[] prk = sdfApi.symDecrypt(hs, hk, AlgId.SGD_SM4_ECB, new byte[0], encrk);
+        Assert.isTrue(Arrays.equals(rk, prk), "密码机加解密异常");
+
+        byte[] hash = BCSM3Utils.hash(rk);
+
+        sdfApi.destroyKey(hs, hk);
+        sdfApi.closeSession(hs);
+        sdfApi.closeDevice(hd);
+
+        if (Objects.equals(device.getManufacturerModel(), BouncyCastleProvider.PROVIDER_NAME)) {
+            updateSoftDeviceEncTmk(cipher.getC1C3C2Bytes());
+        } else {
+            Device up = new Device();
+            up.setId(device.getId());
+            up.setEncTmk(cipher.getC1C3C2Hex());
+            up.setTmkStatus(DeviceTmkStatus.finished.name());
+            spDeviceMapper.updateById(up);
+        }
+        updateTmkInit(true, hash);
+    }
+
 
     public DeviceCheckRes checkDevice(Device check) {
 
@@ -209,6 +307,7 @@ public class TmkService {
         }
         if (isEnableSoftDevice()) {
             device = new Device();
+            device.setId(0L);
             device.setManufacturerModel(BouncyCastleProvider.PROVIDER_NAME);
             device.setEncKeyIdx(1);
             device.setServiceIp("127.0.0.1");
@@ -227,7 +326,7 @@ public class TmkService {
     private boolean enableSoftDevice;
     private byte[] softEncTmk;
 
-    public synchronized boolean isTmkInit() {
+    public synchronized boolean isTmkInitCached() {
         if (tmkInit) {
             return true;
         }
@@ -236,12 +335,17 @@ public class TmkService {
         return tmkInit;
     }
 
+    public boolean isTmkInit() {
+        ParamConf conf = paramConfMapper.selectByKey(ParamConfKeyConstant.TMK_INIT);
+        return conf != null && String.valueOf(true).equals(conf.getValue());
+    }
+
     public boolean isEnableSoftDevice() {
         ParamConf conf = paramConfMapper.selectByKey(ParamConfKeyConstant.ENABLE_SOFT_DEVICE);
         return conf != null && String.valueOf(true).equals(conf.getValue());
     }
 
-    private void updateTmkInit(boolean value) {
+    private void updateTmkInit(boolean value, byte[] hash) {
         ParamConf conf = paramConfMapper.selectByKey(ParamConfKeyConstant.TMK_INIT);
         if (conf == null) {
             conf = new ParamConf();
@@ -253,6 +357,18 @@ public class TmkService {
             conf.setValue(String.valueOf(value));
             paramConfMapper.updateById(conf);
         }
+
+        ParamConf check = paramConfMapper.selectByKey(ParamConfKeyConstant.TMK_CHECK_VALUE);
+        if (check == null) {
+            check = new ParamConf();
+            check.setValue(CodecUtils.encodeHex(hash));
+            check.setKey(ParamConfKeyConstant.TMK_CHECK_VALUE);
+            check.setCreatTime(LocalDateTime.now());
+            paramConfMapper.insert(check);
+        } else {
+            check.setValue(CodecUtils.encodeHex(hash));
+            paramConfMapper.updateById(check);
+        }
     }
 
     public synchronized byte[] getSoftDeviceEncTmk() {

chsm-common/src/main/java/com/sunyard/chsm/utils/gm/BCECUtils.java

@@ -61,7 +61,7 @@ import java.util.Arrays;
 /**
  * 这个工具类的方法，也适用于其他基于BC库的ECC算法
  */
-public class BCECUtils {
+public class BCECUtils extends GMBaseUtil {
     private static final String ALGO_NAME_EC = "EC";
     private static final String PEM_STRING_PUBLIC = "PUBLIC KEY";
     private static final String PEM_STRING_ECPRIVATEKEY = "EC PRIVATE KEY";

chsm-web-manage/Dockerfile

@@ -0,0 +1,8 @@
+FROM dragonwell8
+
+WORKDIR /app
+COPY target/chsm-web-manager.jar /app/app.jar
+ENV JVM_OPTS=""
+ENV ARGS_OPTS=""
+EXPOSE 9880
+ENTRYPOINT ["sh","-c","java $JVM_OPTS -jar app.jar $ARGS_OPTS"]

chsm-web-manage/build.cmd

@@ -0,0 +1,18 @@
+@echo off
+SETLOCAL
+
+chcp 65001
+
+del /S *.log
+
+call mvn clean -DskipTests=true package -f ../pom.xml
+
+echo ">>>>>>>>>>>begin build docker image ...<<<<<<<<<<<<<"
+docker build -t chsm-web-manager:latest .
+echo ">>>>>>>>>>>build docker image success<<<<<<<<<<<<<"
+
+docker save -o chsm-web-manager.tar chsm-web-manager:latest
+echo ">>>>>>>>>>>build docker offline tar success<<<<<<<<<<<<<"
+
+pause
+

chsm-web-manage/pom.xml

@@ -118,16 +118,7 @@
     </dependencies>
 
     <build>
-        <resources>
+        <finalName>chsm-web-manager</finalName>
-            <resource>
-                <directory>src/main/resources</directory>
-                <includes>
-                    <include>**/**</include>
-                </includes>
-                <filtering>false</filtering>
-            </resource>
-        </resources>
-
         <plugins>
             <plugin>
                 <groupId>org.springframework.boot</groupId>

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/AppCertController.java

@@ -7,8 +7,10 @@ import com.sunyard.chsm.model.dto.CertDTO;
 import com.sunyard.chsm.service.AppCertService;
 import com.sunyard.ssp.common.annotation.AuditControllerLog;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -31,6 +33,11 @@ public class AppCertController {
     @Resource
     private AppCertService appCertService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 分页查询应用证书列表
      *

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/ApplicationController.java

@@ -10,8 +10,10 @@ import com.sunyard.chsm.service.ApplicationService;
 import com.sunyard.ssp.common.annotation.AuditControllerLog;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.util.Assert;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -35,6 +37,11 @@ public class ApplicationController {
     @Resource
     private ApplicationService applicationService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 分页查询应用列表
      *

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/CaController.java

@@ -7,8 +7,10 @@ import com.sunyard.chsm.model.dto.CertDTO;
 import com.sunyard.chsm.service.CaCertService;
 import com.sunyard.ssp.common.annotation.AuditControllerLog;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -32,6 +34,11 @@ public class CaController {
     @Resource
     private CaCertService caCertService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 分页查询CA列表
      *

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/CryptoServiceController.java

@@ -10,8 +10,10 @@ import com.sunyard.chsm.service.CryptoServiceService;
 import com.sunyard.ssp.common.annotation.AuditControllerLog;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.util.Assert;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -38,6 +40,11 @@ public class CryptoServiceController {
     @Resource
     private CryptoServiceService cryptoServiceService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 查询密码服务接口分组列表
      *

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/DeviceController.java

@@ -9,8 +9,10 @@ import com.sunyard.chsm.model.R;
 import com.sunyard.chsm.service.DeviceService;
 import com.sunyard.ssp.common.annotation.AuditControllerLog;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -37,6 +39,11 @@ public class DeviceController {
     @Resource
     private DeviceService deviceService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 分页查询密码设备列表
      *

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/DeviceGroupController.java

@@ -6,8 +6,10 @@ import com.sunyard.chsm.dto.DeviceGroupDTO;
 import com.sunyard.chsm.model.R;
 import com.sunyard.chsm.service.DeviceGroupService;
 import com.sunyard.ssp.common.annotation.AuditControllerLog;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -30,6 +32,11 @@ public class DeviceGroupController {
     @Resource
     private DeviceGroupService deviceGroupService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 分页查询设备组列表
      *

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/IpWhitelistController.java

@@ -6,7 +6,9 @@ import com.sunyard.chsm.dto.IpWhitelistDTO;
 import com.sunyard.chsm.model.R;
 import com.sunyard.chsm.service.IpWhitelistService;
 import com.sunyard.ssp.common.annotation.AuditControllerLog;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -30,6 +32,11 @@ public class IpWhitelistController {
     @Resource
     private IpWhitelistService iIpWhitelistService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 分页查询设备组列表
      *

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/KeyInfoAsymController.java

@@ -10,7 +10,9 @@ import org.springframework.core.io.ByteArrayResource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -32,6 +34,11 @@ public class KeyInfoAsymController {
     @Resource
     private KeyInfoService keyInfoService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
 
     /**
      * 分页查询非对称密钥列表

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/KeyInfoController.java

@@ -8,7 +8,9 @@ import com.sunyard.chsm.model.dto.KeyInfoDTO;
 import com.sunyard.chsm.service.KeyInfoService;
 import com.sunyard.ssp.common.annotation.AuditControllerLog;
 import com.sunyard.ssp.common.exception.SspwebException;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -35,6 +37,11 @@ public class KeyInfoController {
     @Resource
     private KeyInfoService keyInfoService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 获取密钥状态选项
      */

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/KeyInfoSymController.java

@@ -12,7 +12,9 @@ import org.springframework.core.io.Resource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -33,6 +35,11 @@ public class KeyInfoSymController {
     @Autowired
     private KeyInfoService keyInfoService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
 
     /**
      * 分页查询对称密钥列表

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/KeyTemplateController.java

@@ -6,8 +6,10 @@ import com.sunyard.chsm.dto.KeyTemplateDTO;
 import com.sunyard.chsm.model.R;
 import com.sunyard.chsm.service.KeyTemplateService;
 import com.sunyard.ssp.common.annotation.AuditControllerLog;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.PutMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -30,6 +32,11 @@ public class KeyTemplateController {
     @Resource
     private KeyTemplateService keyTemplateService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 分页查询密钥模版
      *

chsm-web-manage/src/main/java/com/sunyard/chsm/controller/TmkController.java

@@ -3,13 +3,21 @@ package com.sunyard.chsm.controller;
 import com.sunyard.chsm.model.R;
 import com.sunyard.chsm.model.dto.TmkStatus;
 import com.sunyard.chsm.service.TmkService;
+import lombok.Data;
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.tuple.Pair;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
 import javax.annotation.Resource;
+import javax.validation.Valid;
+import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
 
 /**
  * 主密钥管理
@@ -25,6 +33,11 @@ public class TmkController {
     @Resource
     private TmkService tmkService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 查询主密钥生成状态
      *
@@ -45,5 +58,63 @@ public class TmkController {
         return R.ok();
     }
 
+    /**
+     * 备份主密钥
+     */
+    @PostMapping("/backup")
+    public R<String> backup(@Valid @RequestBody TmkBackupReq req) {
+        String en = tmkService.backup(req.pubKey);
+        return R.data(en);
+    }
+
+    /**
+     * 获取设备公钥
+     */
+    @GetMapping("/devicePubKey")
+    public R<DevicePubKey> getDevicePubKey() {
+        Pair<Long, String> pair = tmkService.getDevicePubKey();
+        DevicePubKey res = new DevicePubKey();
+        res.deviceId = pair.getLeft();
+        res.pubKey = pair.getRight();
+        return R.data(res);
+    }
+
+    /**
+     * 导入主密钥
+     */
+    @PostMapping("/import")
+    public R<Void> importTmk(@Valid @RequestBody TmkImportReq req) {
+        tmkService.importTmk(req.deviceId, req.encTmk);
+        return R.ok();
+    }
+
+    @Data
+    public static class DevicePubKey {
+        private Long deviceId;
+        private String pubKey;
+    }
+
+    @Data
+    public static class TmkBackupReq {
+        /**
+         * ukey公钥
+         */
+        @NotEmpty(message = "公钥不能为空")
+        private String pubKey;
+    }
+
+    @Data
+    public static class TmkImportReq {
+        /**
+         * 设备id
+         */
+        @NotNull(message = "设备id不能为空")
+        private Long deviceId;
+        /**
+         * 加密主密钥
+         */
+        @NotEmpty(message = "加密主密钥不能为空")
+        private String encTmk;
+    }
 
 }

chsm-web-manage/src/main/java/com/sunyard/chsm/service/impl/IpWhitelistServiceImpl.java

@@ -4,13 +4,13 @@ import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
 import com.baomidou.mybatisplus.core.metadata.IPage;
 import com.baomidou.mybatisplus.core.toolkit.IdWorker;
 import com.baomidou.mybatisplus.extension.plugins.pagination.Page;
-import com.sunyard.chsm.config.IpFilter;
 import com.sunyard.chsm.dto.IpWhitelistDTO;
 import com.sunyard.chsm.enums.EnableStatus;
 import com.sunyard.chsm.mapper.IpWhitelisttMapper;
 import com.sunyard.chsm.model.entity.IpWhitelist;
 import com.sunyard.chsm.service.IpWhitelistService;
 import com.sunyard.chsm.utils.IpUtils;
+import com.sunyard.config.IpFilter;
 import com.sunyard.ssp.utils.SecurityUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;

chsm-web-manage/src/main/java/com/sunyard/config/IpFilter.java

@@ -1,4 +1,4 @@
-package com.sunyard.chsm.config;
+package com.sunyard.config;
 
 
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
@@ -53,7 +53,7 @@ public class IpFilter extends OncePerRequestFilter implements ApplicationRunner
             syncWhiteIps();
         }
         String ip = IpUtils.getIpAddress(request);
-        if (!enableWhiteIp || CollectionUtils.isEmpty(whiteIps) || whiteIps.contains(ip)) {
+        if (!enableWhiteIp || whiteIps.contains(ip)) {
             chain.doFilter(request, response);
             return;
         }

chsm-web-manage/src/main/java/com/sunyard/config/security/jwt/JWTAuthenticationFilter.java

@@ -22,12 +22,10 @@ import org.springframework.security.web.authentication.www.BasicAuthenticationFi
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
-import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 
@@ -77,11 +75,6 @@ public class JWTAuthenticationFilter extends BasicAuthenticationFilter   {
             header = request.getParameter(SecurityConstant.HEADER);
         }
 
-        if(StrUtil.isBlank(header) && request.getCookies()!=null){
-            Cookie cookie = Arrays.stream(request.getCookies()).filter(tmpCookie -> SecurityConstant.HEADER.equals(tmpCookie.getName())).findAny().orElse(null);
-            header = cookie == null?null: cookie.getValue();
-        }
-
         Boolean notValid = StrUtil.isBlank(header) || (!tokenRedis && !header.startsWith(SecurityConstant.TOKEN_SPLIT));
         if (notValid) {
             chain.doFilter(request, response);

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/common/CaptchaController.java

@@ -10,6 +10,8 @@ import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.redis.core.StringRedisTemplate;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -33,6 +35,11 @@ public class CaptchaController {
     @Autowired
     private StringRedisTemplate redisTemplate;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     @RequestMapping(value = "/init",method = RequestMethod.GET)
     @ApiOperation(value = "初始化验证码")
     public Result<Object> initCaptcha() {

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/monitor/log/controller/AuditLogController.java

@@ -17,6 +17,8 @@ import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -46,6 +48,11 @@ public class AuditLogController {
     @Autowired
     private SecurityUtil securityUtil;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     @RequestMapping(value = "/getById",method = RequestMethod.GET)
     @ResponseBody
     @ApiOperation(value = "通过id获取")

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/monitor/log/controller/LogDownloadController.java

@@ -7,7 +7,9 @@ import org.springframework.core.io.Resource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.WebDataBinder;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -21,6 +23,11 @@ public class LogDownloadController {
     @Autowired
     private LogDownloadService logService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     @GetMapping("/download/logs")
     public ResponseEntity<Resource> downloadLogs(
             @RequestParam("startDate") String startDateStr,

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/monitor/log/controller/LogSignController.java

@@ -29,6 +29,8 @@ import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -58,6 +60,11 @@ public class LogSignController {
     @Autowired
     private IAuditLogService auditLogService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     @RequestMapping(value = "/getByCondition", method = RequestMethod.GET)
     @ApiOperation(value = "日志签名分页条件查询")
     public Result<org.springframework.data.domain.Page<LogSign>> getByCondition(@ModelAttribute LogSign logSign,

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/monitor/log/controller/SysLogController.java

@@ -12,6 +12,8 @@ import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -35,6 +37,11 @@ public class SysLogController {
     @Autowired
     private ISysLogService iSysLogService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
 
 
     @RequestMapping(value = "/queryList",method = RequestMethod.GET)

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/monitor/transaction/controller/TransactionController.java

@@ -10,6 +10,8 @@ import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -25,6 +27,11 @@ public class TransactionController {
     @Autowired
     private TransactionService transactionService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     @RequestMapping(value = "/getTransactionData", method = RequestMethod.POST)
     @ResponseBody
     @ApiOperation(value = "获得交易监控的数据")

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/sdk/SdkApiServiceImpl.java

@@ -11,11 +11,10 @@ import com.sunyard.ssp.constv.KeyType;
 import com.sunyard.ssp.constv.PublicKeyType;
 import com.sunyard.ssp.constv.SplitMode;
 import com.sunyard.ssp.proto.sdk.Sdk;
+import com.sunyard.ssp.utils.RandomUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
-import java.util.Random;
-
 /**
  * @author:tsz
  * @date:2020/5/21
@@ -258,7 +257,7 @@ public class SdkApiServiceImpl implements SdkApiService {
     @Override
     public byte[] PKCS1Sign(Alg alg, byte[] data) {
         byte[] sign = new byte[64];
-        (new Random()).nextBytes( sign );
+        (RandomUtils.getRandom()).nextBytes( sign );
         return sign;
 //        SSPApi api = null;
 //        try {

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/sysconf/cipherunit/controller/ScCipherMachineController.java

@@ -1,230 +1,230 @@
-package com.sunyard.ssp.modules.sysconf.cipherunit.controller;
+//package com.sunyard.ssp.modules.sysconf.cipherunit.controller;
-
+//
-import com.sun.jna.Pointer;
+//import com.sun.jna.Pointer;
-import com.sun.jna.ptr.PointerByReference;
+//import com.sun.jna.ptr.PointerByReference;
-import com.sunyard.chsm.model.entity.ParamConf;
+//import com.sunyard.chsm.model.entity.ParamConf;
-import com.sunyard.ssp.common.Result;
+//import com.sunyard.ssp.common.Result;
-import com.sunyard.ssp.common.annotation.AuditControllerLog;
+//import com.sunyard.ssp.common.annotation.AuditControllerLog;
-import com.sunyard.ssp.common.exception.SspwebException;
+//import com.sunyard.ssp.common.exception.SspwebException;
-import com.sunyard.ssp.modules.jna.CipherJna;
+//import com.sunyard.ssp.modules.jna.CipherJna;
-import com.sunyard.ssp.modules.sysconf.cipherunit.entity.ScCipherMachine;
+//import com.sunyard.ssp.modules.sysconf.cipherunit.entity.ScCipherMachine;
-import com.sunyard.ssp.modules.sysconf.cipherunit.entity.ScCipherMachineVo;
+//import com.sunyard.ssp.modules.sysconf.cipherunit.entity.ScCipherMachineVo;
-import com.sunyard.ssp.modules.sysconf.cipherunit.enums.RetEnum;
+//import com.sunyard.ssp.modules.sysconf.cipherunit.enums.RetEnum;
-import com.sunyard.ssp.modules.sysconf.cipherunit.service.ScCipherMachineService;
+//import com.sunyard.ssp.modules.sysconf.cipherunit.service.ScCipherMachineService;
-import com.sunyard.ssp.modules.sysconf.cipherunit.utils.IniFileUpdater;
+//import com.sunyard.ssp.modules.sysconf.cipherunit.utils.IniFileUpdater;
-import com.sunyard.ssp.modules.sysconf.paramconf.service.IParamConfService;
+//import com.sunyard.ssp.modules.sysconf.paramconf.service.IParamConfService;
-import com.sunyard.ssp.utils.ResultUtil;
+//import com.sunyard.ssp.utils.ResultUtil;
-import io.swagger.annotations.Api;
+//import io.swagger.annotations.Api;
-import io.swagger.annotations.ApiOperation;
+//import io.swagger.annotations.ApiOperation;
-import lombok.extern.slf4j.Slf4j;
+//import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.codec.binary.Hex;
+//import org.apache.commons.codec.binary.Hex;
-import org.springframework.beans.factory.annotation.Autowired;
+//import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.stereotype.Controller;
+//import org.springframework.stereotype.Controller;
-import org.springframework.web.bind.annotation.PathVariable;
+//import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestBody;
+//import org.springframework.web.bind.annotation.RequestBody;
-import org.springframework.web.bind.annotation.RequestMapping;
+//import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;
+//import org.springframework.web.bind.annotation.RequestMethod;
-import org.springframework.web.bind.annotation.ResponseBody;
+//import org.springframework.web.bind.annotation.ResponseBody;
-
+//
-
+//
-/**
+///**
- * 密码部件管理控制层
+// * 密码部件管理控制层
- *
+// *
- * @author admin
+// * @author admin
- */
+// */
-@Controller
+//@Controller
-@Slf4j
+//@Slf4j
-@Api(description = "关键密码部件管理接口", tags = "关键密码部件管理")
+//@Api(description = "关键密码部件管理接口", tags = "关键密码部件管理")
-@RequestMapping("/cipherMachine")
+//@RequestMapping("/cipherMachine")
-public class ScCipherMachineController {
+//public class ScCipherMachineController {
-    @Autowired
+//    @Autowired
-    private ScCipherMachineService scCipherMachineService;
+//    private ScCipherMachineService scCipherMachineService;
-
+//
-    @Autowired
+//    @Autowired
-    private IParamConfService iParamConfService;
+//    private IParamConfService iParamConfService;
-
+//
-//    @ControllerLog("获取关键密码部件部件")
+////    @ControllerLog("获取关键密码部件部件")
-    @RequestMapping(value = "/query", method = RequestMethod.GET)
+//    @RequestMapping(value = "/query", method = RequestMethod.GET)
-    @ResponseBody
+//    @ResponseBody
-    @ApiOperation(value = "获取关键密码部件部件")
+//    @ApiOperation(value = "获取关键密码部件部件")
-    public Result<ScCipherMachineVo> queryCipherMachine() {
+//    public Result<ScCipherMachineVo> queryCipherMachine() {
-        log.info("get请求 /cipherMachine/query接口");
+//        log.info("get请求 /cipherMachine/query接口");
-        ScCipherMachineVo scCipherMachineVo = scCipherMachineService.queryCipherMachine();
+//        ScCipherMachineVo scCipherMachineVo = scCipherMachineService.queryCipherMachine();
-        log.info("获取密码部件功能响应结果：{}", scCipherMachineVo);
+//        log.info("获取密码部件功能响应结果：{}", scCipherMachineVo);
-        return new ResultUtil<ScCipherMachineVo>().setData(scCipherMachineVo);
+//        return new ResultUtil<ScCipherMachineVo>().setData(scCipherMachineVo);
-    }
+//    }
-
+//
-//    @ControllerLog("添加关键密码部件配置")
+////    @ControllerLog("添加关键密码部件配置")
-    @RequestMapping(value = "/add", method = RequestMethod.POST)
+//    @RequestMapping(value = "/add", method = RequestMethod.POST)
-    @AuditControllerLog(description = "添加关键密码部件配置",operateType = "增加")
+//    @AuditControllerLog(description = "添加关键密码部件配置",operateType = "增加")
-    @ResponseBody
+//    @ResponseBody
-    @ApiOperation(value = "添加关键密码部件配置")
+//    @ApiOperation(value = "添加关键密码部件配置")
-    public Result<Object> addCipherMachine(@RequestBody ScCipherMachine scCipherMachine) {
+//    public Result<Object> addCipherMachine(@RequestBody ScCipherMachine scCipherMachine) {
-        try {
+//        try {
-            ScCipherMachine scCipherMachineVo = scCipherMachineService.addCipherMachine(scCipherMachine);
+//            ScCipherMachine scCipherMachineVo = scCipherMachineService.addCipherMachine(scCipherMachine);
-            IniFileUpdater.updateIniFile(scCipherMachine.getIp(),(String) scCipherMachine.getPort());
+//            IniFileUpdater.updateIniFile(scCipherMachine.getIp(),(String) scCipherMachine.getPort());
-            return new ResultUtil<>().setData(scCipherMachineVo);
+//            return new ResultUtil<>().setData(scCipherMachineVo);
-        } catch (SspwebException e) {
+//        } catch (SspwebException e) {
-            return new ResultUtil<Object>().setErrorMsg(e.getMsg());
+//            return new ResultUtil<Object>().setErrorMsg(e.getMsg());
-        }
+//        }
-    }
+//    }
-//    @ControllerLog("检测")
+////    @ControllerLog("检测")
-    @RequestMapping(value = "/detection", method = RequestMethod.POST)
+//    @RequestMapping(value = "/detection", method = RequestMethod.POST)
-    @ResponseBody
+//    @ResponseBody
-    @ApiOperation(value = "检测")
+//    @ApiOperation(value = "检测")
-    public Result<Object> detection() {
+//    public Result<Object> detection() {
-        int size = 16;
+//        int size = 16;
-        PointerByReference phDeviceHandle = new PointerByReference();
+//        PointerByReference phDeviceHandle = new PointerByReference();
-        PointerByReference phSessionHandle = new PointerByReference();
+//        PointerByReference phSessionHandle = new PointerByReference();
-        int code = RetEnum.SUCCESS.getCode();
+//        int code = RetEnum.SUCCESS.getCode();
-        try {
+//        try {
-
+//
-            // 打开设备
-            int ret = CipherJna.INSTANCE.SDF_OpenDevice(phDeviceHandle);
-            if (ret != code) {
-                return new ResultUtil<Object>().setErrorMsg(ret, "打开设备失败，密码模块初始化失败");
-            }
-            Pointer hDeviceHandle = phDeviceHandle.getValue();
-            // 打开会话
-            ret = CipherJna.INSTANCE.SDF_OpenSession(hDeviceHandle, phSessionHandle);
-            if (ret != code) {
-                return new ResultUtil<Object>().setErrorMsg(ret, "打开会话失败，密码模块初始化失败");
-            }
-            byte[] nakedSign = new byte[size];
-            // 生成随机数
-            ret = CipherJna.INSTANCE.SDF_GenerateRandom(phSessionHandle.getValue(), 16, nakedSign);
-            if (ret != code) {
-                return new ResultUtil<Object>().setErrorMsg(ret, "生成随机数失败，密码模块初始化失败");
-            }
-            // 返回结果
-            String result = Hex.encodeHexString(nakedSign);
-            log.info("检测功能响应结果：{}", result);
-            return new ResultUtil<>().setData(result);
-        } catch (SspwebException e) {
-            return new ResultUtil<Object>().setErrorMsg(e.getMsg());
-        } catch (Throwable e) {
-            log.error("检测异常：" + e);
-            return new ResultUtil<Object>().setErrorMsg("密码模块初始化失败");
-        } finally {
-            // 关闭会话
-            if (phSessionHandle.getValue() != null) {
-                int ret = CipherJna.INSTANCE.SDF_CloseSession(phSessionHandle.getValue());
-                if (ret != code) {
-                    log.error("关闭会话失败：{}", ret);
-                }
-            }
-            // 关闭设备
-            if (phDeviceHandle.getValue() != null) {
-                int ret = CipherJna.INSTANCE.SDF_CloseDevice(phDeviceHandle.getValue());
-                if (ret != code) {
-                    log.error("关闭设备失败：{}", ret);
-                }
-            }
-        }
-    }
-
-//    @ControllerLog("密码模块初始化")
-    @RequestMapping(value = "/init", method = RequestMethod.POST)
-    @ResponseBody
-    @ApiOperation(value = "密码模块初始化")
-    public Result<Object> init() {
-        int size = 16;
-        PointerByReference phDeviceHandle = new PointerByReference();
-        PointerByReference phSessionHandle = new PointerByReference();
-        int code = RetEnum.SUCCESS.getCode();
-        try {
-
 //            // 打开设备
 //            int ret = CipherJna.INSTANCE.SDF_OpenDevice(phDeviceHandle);
 //            if (ret != code) {
-//                return new ResultUtil<Object>().setErrorMsg(ret, "打开设备失败");
+//                return new ResultUtil<Object>().setErrorMsg(ret, "打开设备失败，密码模块初始化失败");
 //            }
 //            Pointer hDeviceHandle = phDeviceHandle.getValue();
 //            // 打开会话
 //            ret = CipherJna.INSTANCE.SDF_OpenSession(hDeviceHandle, phSessionHandle);
 //            if (ret != code) {
-//                return new ResultUtil<Object>().setErrorMsg(ret, "打开会话失败");
+//                return new ResultUtil<Object>().setErrorMsg(ret, "打开会话失败，密码模块初始化失败");
 //            }
 //            byte[] nakedSign = new byte[size];
 //            // 生成随机数
 //            ret = CipherJna.INSTANCE.SDF_GenerateRandom(phSessionHandle.getValue(), 16, nakedSign);
 //            if (ret != code) {
-//                return new ResultUtil<Object>().setErrorMsg(ret, "生成随机数失败");
+//                return new ResultUtil<Object>().setErrorMsg(ret, "生成随机数失败，密码模块初始化失败");
 //            }
 //            // 返回结果
-//            String result = Util.bytes2HexString(nakedSign);
+//            String result = Hex.encodeHexString(nakedSign);
 //            log.info("检测功能响应结果：{}", result);
-            ParamConf paramConf = iParamConfService.selectByKey("initStatus");
+//            return new ResultUtil<>().setData(result);
-            if (paramConf != null) {
+//        } catch (SspwebException e) {
-                paramConf.setValue("1");
+//            return new ResultUtil<Object>().setErrorMsg(e.getMsg());
-                iParamConfService.updateById(paramConf);
+//        } catch (Throwable e) {
-            }
+//            log.error("检测异常：" + e);
-            return new ResultUtil<>().setSuccessMsg("初始化成功");
+//            return new ResultUtil<Object>().setErrorMsg("密码模块初始化失败");
-        } catch (SspwebException e) {
+//        } finally {
-            return new ResultUtil<Object>().setErrorMsg(e.getMsg());
+//            // 关闭会话
-        } catch (Throwable e) {
+//            if (phSessionHandle.getValue() != null) {
-            log.error("检测异常：" + e);
+//                int ret = CipherJna.INSTANCE.SDF_CloseSession(phSessionHandle.getValue());
-            return new ResultUtil<Object>().setErrorMsg("检测失败");
+//                if (ret != code) {
-        } finally {
+//                    log.error("关闭会话失败：{}", ret);
-            // 关闭会话
+//                }
-            if (phSessionHandle.getValue() != null) {
+//            }
-                int ret = CipherJna.INSTANCE.SDF_CloseSession(phSessionHandle.getValue());
+//            // 关闭设备
-                if (ret != code) {
+//            if (phDeviceHandle.getValue() != null) {
-                    log.error("关闭会话失败：{}", ret);
+//                int ret = CipherJna.INSTANCE.SDF_CloseDevice(phDeviceHandle.getValue());
-                }
+//                if (ret != code) {
-            }
+//                    log.error("关闭设备失败：{}", ret);
-            // 关闭设备
+//                }
-            if (phDeviceHandle.getValue() != null) {
+//            }
-                int ret = CipherJna.INSTANCE.SDF_CloseDevice(phDeviceHandle.getValue());
+//        }
-                if (ret != code) {
+//    }
-                    log.error("关闭设备失败：{}", ret);
+//
-                }
+////    @ControllerLog("密码模块初始化")
-            }
+//    @RequestMapping(value = "/init", method = RequestMethod.POST)
-        }
+//    @ResponseBody
-    }
+//    @ApiOperation(value = "密码模块初始化")
-
+//    public Result<Object> init() {
-//    @ControllerLog("密码模块初始化状态获取")
+//        int size = 16;
-    @RequestMapping(value = "/init/status", method = RequestMethod.GET)
+//        PointerByReference phDeviceHandle = new PointerByReference();
-    @ResponseBody
+//        PointerByReference phSessionHandle = new PointerByReference();
-    @ApiOperation(value = "密码模块初始化状态获取")
+//        int code = RetEnum.SUCCESS.getCode();
-    public Result<Object> initStatus() {
+//        try {
-        ParamConf paramConf = iParamConfService.selectByKey("initStatus");
+//
-        if (paramConf != null) {
+////            // 打开设备
-            return new ResultUtil<>().setData(paramConf.getValue());
+////            int ret = CipherJna.INSTANCE.SDF_OpenDevice(phDeviceHandle);
-        } else {
+////            if (ret != code) {
-            return new ResultUtil<>().setErrorMsg("获取初始化状态失败");
+////                return new ResultUtil<Object>().setErrorMsg(ret, "打开设备失败");
-        }
+////            }
-    }
+////            Pointer hDeviceHandle = phDeviceHandle.getValue();
-
+////            // 打开会话
-
+////            ret = CipherJna.INSTANCE.SDF_OpenSession(hDeviceHandle, phSessionHandle);
-//    @ControllerLog("编辑关键密码部件配置")
+////            if (ret != code) {
-    @RequestMapping(value = "/edit", method = RequestMethod.PUT)
+////                return new ResultUtil<Object>().setErrorMsg(ret, "打开会话失败");
-    @AuditControllerLog(description = "编辑关键密码部件配置",operateType = "修改")
+////            }
-    @ResponseBody
+////            byte[] nakedSign = new byte[size];
-    @ApiOperation(value = "编辑关键密码部件配置")
+////            // 生成随机数
-    public Result<Object> editCipherMachine(@RequestBody ScCipherMachine scCipherMachine) {
+////            ret = CipherJna.INSTANCE.SDF_GenerateRandom(phSessionHandle.getValue(), 16, nakedSign);
-        try {
+////            if (ret != code) {
-            log.info("put请求 /cipherMachine/edit 请求参数：{}", scCipherMachine);
+////                return new ResultUtil<Object>().setErrorMsg(ret, "生成随机数失败");
-            ScCipherMachine scCipherMachineVo = scCipherMachineService.editCipherMachine(scCipherMachine);
+////            }
-            log.info("编辑关键密码部件功能响应结果：{}", scCipherMachineVo);
+////            // 返回结果
-            IniFileUpdater.updateIniFile(scCipherMachine.getIp(),(String) scCipherMachine.getPort());
+////            String result = Util.bytes2HexString(nakedSign);
-            return new ResultUtil<>().setData(scCipherMachineVo);
+////            log.info("检测功能响应结果：{}", result);
-        } catch (SspwebException e) {
+//            ParamConf paramConf = iParamConfService.selectByKey("initStatus");
-            return new ResultUtil<Object>().setErrorMsg(e.getMsg());
+//            if (paramConf != null) {
-        }
+//                paramConf.setValue("1");
-    }
+//                iParamConfService.updateById(paramConf);
-//    @ControllerLog("删除关键密码部件配置")
+//            }
-    @RequestMapping(value = "/delete/{id}", method = RequestMethod.DELETE)
+//            return new ResultUtil<>().setSuccessMsg("初始化成功");
-    @AuditControllerLog(description = "删除关键密码部件配置",operateType = "删除")
+//        } catch (SspwebException e) {
-    @ResponseBody
+//            return new ResultUtil<Object>().setErrorMsg(e.getMsg());
-    @ApiOperation(value = "删除关键密码部件配置")
+//        } catch (Throwable e) {
-    public Result<Object> deleteCipherMachine(@PathVariable("id") Long id) {
+//            log.error("检测异常：" + e);
-        try {
+//            return new ResultUtil<Object>().setErrorMsg("检测失败");
-            log.info("delete请求 /cipherMachine/delete 请求参数：{}", id);
+//        } finally {
-            scCipherMachineService.deleteCipherMachine(id);
+//            // 关闭会话
-            return new ResultUtil<>().setData(null);
+//            if (phSessionHandle.getValue() != null) {
-        } catch (SspwebException e) {
+//                int ret = CipherJna.INSTANCE.SDF_CloseSession(phSessionHandle.getValue());
-            return new ResultUtil<Object>().setErrorMsg(e.getMsg());
+//                if (ret != code) {
-        }
+//                    log.error("关闭会话失败：{}", ret);
-    }
+//                }
-}
+//            }
+//            // 关闭设备
+//            if (phDeviceHandle.getValue() != null) {
+//                int ret = CipherJna.INSTANCE.SDF_CloseDevice(phDeviceHandle.getValue());
+//                if (ret != code) {
+//                    log.error("关闭设备失败：{}", ret);
+//                }
+//            }
+//        }
+//    }
+//
+////    @ControllerLog("密码模块初始化状态获取")
+//    @RequestMapping(value = "/init/status", method = RequestMethod.GET)
+//    @ResponseBody
+//    @ApiOperation(value = "密码模块初始化状态获取")
+//    public Result<Object> initStatus() {
+//        ParamConf paramConf = iParamConfService.selectByKey("initStatus");
+//        if (paramConf != null) {
+//            return new ResultUtil<>().setData(paramConf.getValue());
+//        } else {
+//            return new ResultUtil<>().setErrorMsg("获取初始化状态失败");
+//        }
+//    }
+//
+//
+////    @ControllerLog("编辑关键密码部件配置")
+//    @RequestMapping(value = "/edit", method = RequestMethod.PUT)
+//    @AuditControllerLog(description = "编辑关键密码部件配置",operateType = "修改")
+//    @ResponseBody
+//    @ApiOperation(value = "编辑关键密码部件配置")
+//    public Result<Object> editCipherMachine(@RequestBody ScCipherMachine scCipherMachine) {
+//        try {
+//            log.info("put请求 /cipherMachine/edit 请求参数：{}", scCipherMachine);
+//            ScCipherMachine scCipherMachineVo = scCipherMachineService.editCipherMachine(scCipherMachine);
+//            log.info("编辑关键密码部件功能响应结果：{}", scCipherMachineVo);
+//            IniFileUpdater.updateIniFile(scCipherMachine.getIp(),(String) scCipherMachine.getPort());
+//            return new ResultUtil<>().setData(scCipherMachineVo);
+//        } catch (SspwebException e) {
+//            return new ResultUtil<Object>().setErrorMsg(e.getMsg());
+//        }
+//    }
+////    @ControllerLog("删除关键密码部件配置")
+//    @RequestMapping(value = "/delete/{id}", method = RequestMethod.DELETE)
+//    @AuditControllerLog(description = "删除关键密码部件配置",operateType = "删除")
+//    @ResponseBody
+//    @ApiOperation(value = "删除关键密码部件配置")
+//    public Result<Object> deleteCipherMachine(@PathVariable("id") Long id) {
+//        try {
+//            log.info("delete请求 /cipherMachine/delete 请求参数：{}", id);
+//            scCipherMachineService.deleteCipherMachine(id);
+//            return new ResultUtil<>().setData(null);
+//        } catch (SspwebException e) {
+//            return new ResultUtil<Object>().setErrorMsg(e.getMsg());
+//        }
+//    }
+//}

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/sysconf/cipherunit/controller/StatusController.java

@@ -9,6 +9,8 @@ import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -22,6 +24,11 @@ public class StatusController {
     @Autowired
     IParamConfService iParamConfService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
 //    @ControllerLog("获取全局密码模块状态")
     @RequestMapping(value = "/query", method = RequestMethod.GET)
     @ResponseBody

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/sysconf/dict/controller/ScDictController.java

@@ -20,6 +20,8 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.dao.DuplicateKeyException;
 import org.springframework.stereotype.Controller;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -50,6 +52,11 @@ public class ScDictController {
     @Autowired
     IScDictDataService iScDictDataService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     @RequestMapping(value = "/search", method = RequestMethod.GET)
     @ResponseBody
     @ApiOperation("根据字典关键字查询")

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/sysconf/dict/controller/ScDictDataController.java

@@ -18,6 +18,8 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.dao.DuplicateKeyException;
 import org.springframework.stereotype.Controller;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -51,6 +53,11 @@ public class ScDictDataController {
     @Autowired
     IScDictService iScDictService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     @RequestMapping(value = "/getById",method = RequestMethod.GET)
     @ResponseBody
     @ApiOperation("根据Id获取字典数据")

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/sysconf/paramconf/controller/ParamConfController.java

@@ -12,6 +12,8 @@ import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -39,7 +41,10 @@ public class ParamConfController {
     @Autowired
     IParamConfService iParamConfService;
 
-
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
 
 
     @RequestMapping(value = "/getAll",method = RequestMethod.GET)

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/sysconf/paramconf/serviceimpl/ParamConfServiceImpl.java

@@ -2,10 +2,10 @@ package com.sunyard.ssp.modules.sysconf.paramconf.serviceimpl;
 
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
-import com.sunyard.chsm.config.IpFilter;
 import com.sunyard.chsm.mapper.ParamConfMapper;
 import com.sunyard.chsm.model.entity.ParamConf;
 import com.sunyard.chsm.service.IpWhitelistService;
+import com.sunyard.config.IpFilter;
 import com.sunyard.ssp.modules.sysconf.paramconf.service.IParamConfService;
 import com.sunyard.ssp.modules.user.entity.ScPermission;
 import com.sunyard.ssp.modules.user.service.IScPermissionService;
@@ -18,17 +18,9 @@ import org.springframework.transaction.annotation.Transactional;
 import org.springframework.transaction.interceptor.TransactionAspectSupport;
 
 import java.time.LocalDateTime;
-import java.util.HashMap;
+import java.util.*;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
-import java.util.Set;
 
-import static com.sunyard.chsm.constant.ParamConfKeyConstant.APPROVAL_TRUE;
+import static com.sunyard.chsm.constant.ParamConfKeyConstant.*;
-import static com.sunyard.chsm.constant.ParamConfKeyConstant.AUTHORITY_APPROVAL_PARAM_ITEM;
-import static com.sunyard.chsm.constant.ParamConfKeyConstant.ENCRYPTION_MACHINE_APPROVAL;
-import static com.sunyard.chsm.constant.ParamConfKeyConstant.IP_WHITELIST_ITEM;
-import static com.sunyard.chsm.constant.ParamConfKeyConstant.IP_WHITELIST_SWITCH;
 import static com.sunyard.ssp.common.constant.CommonConstant.STATUS_DISABLE;
 import static com.sunyard.ssp.common.constant.CommonConstant.STATUS_NORMAL;
 

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/controller/ScDepartmentController.java

@@ -81,6 +81,7 @@ public class ScDepartmentController {
     @InitBinder(value = ValidatorConstant.DEPARTMENT_BASE_NAME)
     public void initBainder(DataBinder binder){
         binder.replaceValidators(departmentValidator);
+        binder.setDisallowedFields("qwer");
     }
 
     @RequestMapping(value = "/getByParentId/{parentId}",method = RequestMethod.GET)

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/controller/ScDepartmentHeaderController.java

@@ -12,6 +12,8 @@ import com.sunyard.ssp.utils.ResultUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -38,6 +40,11 @@ public class ScDepartmentHeaderController {
     @Autowired
     IScDepartmentHeaderService iScDepartmentHeaderService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     @RequestMapping(value = "/getById",method = RequestMethod.GET)
     @ResponseBody
     public Result<ScDepartmentHeader> get(@RequestParam String id){

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/controller/ScPermissionController.java

@@ -99,6 +99,7 @@ public class ScPermissionController {
     @InitBinder(ValidatorConstant.PERMISSION_BASE_NAME)
     public void initBainder(DataBinder binder){
         binder.addValidators(permissionValidator);
+        binder.setDisallowedFields("qwer");
     }
 
     @RequestMapping(value = "/getById",method = RequestMethod.GET)

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/controller/ScPositionController.java

@@ -63,6 +63,7 @@ public class ScPositionController {
     @InitBinder(ValidatorConstant.POSTION_BASE_NAME)
     public void initBainder(DataBinder binder){
         binder.replaceValidators(positionValidator);
+        binder.setDisallowedFields("qwer");
     }
 
     @RequestMapping(value = "/getById",method = RequestMethod.GET)

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/controller/ScRoleController.java

@@ -70,6 +70,7 @@ public class ScRoleController {
     @InitBinder(ValidatorConstant.ROLE_BASE_NAME)
     public void initBainder(DataBinder binder){
         binder.replaceValidators(roleValidator);
+        binder.setDisallowedFields("qwer");
     }
 
     @RequestMapping(value = "/getAllList",method = RequestMethod.GET)

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/controller/ScRoleDepartmentController.java

@@ -12,6 +12,8 @@ import com.sunyard.ssp.utils.ResultUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -38,6 +40,11 @@ public class ScRoleDepartmentController {
     @Autowired
     IScRoleDepartmentService iScRoleDepartmentService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     @RequestMapping(value = "/getById",method = RequestMethod.GET)
     @ResponseBody
     public Result<ScRoleDepartment> get(@RequestParam String id){

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/controller/ScRolePermissionController.java

@@ -12,6 +12,8 @@ import com.sunyard.ssp.utils.ResultUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -37,7 +39,10 @@ public class ScRolePermissionController {
 
     @Autowired
     IScRolePermissionService iScRolePermissionService;
-
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
     @RequestMapping(value = "/getById",method = RequestMethod.GET)
     @ResponseBody
     public Result<ScRolePermission> get(@RequestParam String id){

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/controller/ScUShieldController.java

@@ -38,6 +38,8 @@ import org.springframework.http.ResponseEntity;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.Assert;
 import org.springframework.util.FileCopyUtils;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -89,6 +91,11 @@ public class ScUShieldController {
     @Autowired
     private IAuditLogService auditLogService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     @RequestMapping(value = "/ulogin", method = RequestMethod.POST)
     @ResponseBody
     @ApiOperation(value = "U盾登录接口")
@@ -153,12 +160,12 @@ public class ScUShieldController {
             }
 
             //查询账户绑定U盾公钥
-            ScUser user = userService.getById(userId);
+            ScUser user = userService.getById(sysUser.getId());
             if (uname == null) {
                 uname = user.getUsername();
             }
             //查询用户角色id集合
-            List<ScRole> roles = iScUserRoleService.findByUserId(userId);
+            List<ScRole> roles = iScUserRoleService.findByUserId(sysUser.getId());
             List<Long> roldIds = new ArrayList<>();
             if (null != roles && roles.size() > 0) {
                 roldIds = roles.stream().map(ScRole::getId).collect(Collectors.toList());
@@ -273,7 +280,7 @@ public class ScUShieldController {
         }
 
         //查询用户角色id集合
-        List<ScRole> roles = iScUserRoleService.findByUserId(userId);
+        List<ScRole> roles = iScUserRoleService.findByUserId(user.getId());
 
         List<Long> roldIds = new ArrayList<>();
         if (null != roles && roles.size() > 0) {
@@ -329,7 +336,7 @@ public class ScUShieldController {
             }
 
             //查询用户角色id集合
-            List<ScRole> roles = iScUserRoleService.findByUserId(userId);
+            List<ScRole> roles = iScUserRoleService.findByUserId(user.getId());
 
             List<Long> roldIds = new ArrayList<>();
             if (null != roles && roles.size() > 0) {

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/controller/ScUserController.java

@@ -58,6 +58,7 @@ import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -104,12 +105,22 @@ public class ScUserController {
 
     @Autowired
     IScRoleService roleService;
-
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
 
     @RequestMapping(value = "/info",method = RequestMethod.GET)
     public Result<ScUser> getUserInfo(){
-
         ScUser u = securityUtil.getCurrUser();
+        if (CollectionUtils.isNotEmpty(u.getRoles())) {
+            long count = u.getRoles().stream().map(ScRole::getId)
+                    .filter(it -> Objects.equals(it, 1L))
+                    .count();
+            if (count >= 1) {
+                u.setId(1L);
+            }
+        }
         return new ResultUtil<ScUser>().setData(u);
     }
 

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/controller/ScUserRoleController.java

@@ -12,6 +12,8 @@ import com.sunyard.ssp.utils.ResultUtil;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.ModelAttribute;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -37,6 +39,10 @@ public class ScUserRoleController {
 
     @Autowired
     IScUserRoleService iScUserRoleService;
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
 
     @RequestMapping(value = "/getById",method = RequestMethod.GET)
     @ResponseBody

chsm-web-manage/src/main/java/com/sunyard/ssp/modules/user/serviceimpl/ScUserServiceImpl.java

@@ -62,7 +62,7 @@ public class ScUserServiceImpl extends ServiceImpl<ScUserMapper, ScUser> impleme
         List<ScUser> list=baseMapper.findByUsername(username);
         if(list!=null&&list.size()>0){
             ScUser user = list.get(0);
-            if (username.contains("admin")) {
+            if (username.contains("rootadmin")) {
                 user.setId(1L);
             }
             if(CommonConstant.DEFAULT_USER_ROOT_ID.equals(user.getId())){

chsm-web-manage/src/main/java/com/sunyard/ssp/utils/CreateVerifyCode.java

@@ -5,7 +5,7 @@ import java.awt.*;
 import java.awt.image.BufferedImage;
 import java.io.IOException;
 import java.io.OutputStream;
-import java.util.Random;
+import java.security.SecureRandom;
 
 /**
  * 随机字符验证码生成工具类
@@ -38,7 +38,7 @@ public class CreateVerifyCode {
      */
     private BufferedImage buffImg = null;
 
-    Random random = new Random();
+    SecureRandom random = RandomUtils.getRandom();
 
     public CreateVerifyCode() {
         creatImage();
@@ -194,7 +194,7 @@ public class CreateVerifyCode {
         int len = str1.length() - 1;
         double r;
         for (int i = 0; i < n; i++) {
-            r = (Math.random()) * len;
+            r = (random.nextDouble()) * len;
             str2 = str2 + str1.charAt((int) r);
         }
         return str2;
@@ -224,7 +224,7 @@ public class CreateVerifyCode {
      * 产生随机字体
      */
     private Font getFont(int size) {
-        Random random = new Random();
+        SecureRandom random = RandomUtils.getRandom();
         Font[] font = new Font[5];
         font[0] = new Font("Ravie", Font.PLAIN, size);
         font[1] = new Font("Antique Olive Compact", Font.PLAIN, size);
@@ -305,7 +305,7 @@ public class CreateVerifyCode {
      */
     public String getRandomNum() {
 
-        Random random = new Random();
+        SecureRandom random = RandomUtils.getRandom();
         int num = random.nextInt(999999);
         //不足六位前面补0
         String str = String.format("%06d", num);

chsm-web-manage/src/main/java/com/sunyard/ssp/utils/FileUtil.java

@@ -1,187 +0,0 @@
-package com.sunyard.ssp.utils;
-
-import cn.hutool.core.date.DateUtil;
-import lombok.extern.slf4j.Slf4j;
-import org.apache.commons.codec.digest.DigestUtils;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.stereotype.Component;
-import org.springframework.web.multipart.MultipartFile;
-
-import javax.servlet.http.HttpServletResponse;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-
-/**
- * @author:tsz
- * @date:2020/3/6
- * @description:
- */
-@Component
-@Slf4j
-public class FileUtil {
-
-    @Value("${file.path}")
-    private String filePath;
-
-    /**
-     * 文件路径上传完整路径
-     *
-     * @param file
-     * @return
-     */
-    public String localUpload(MultipartFile file) {
-
-        String key = CommonUtil.renamePic(file.getOriginalFilename());
-        String day = DateUtil.format(DateUtil.date(), "yyyyMMdd");
-        String path = filePath + "/" + day;
-        File dir = new File(path);
-        if (!dir.exists()) {
-            dir.mkdirs();
-        }
-        File f = new File(path + "/" + key);
-        if (f.exists()) {
-            throw new RuntimeException("文件名已存在");
-        }
-        try {
-            file.transferTo(f);
-            return path + "/" + key;
-        } catch (IOException e) {
-            log.error(e.toString());
-            throw new RuntimeException("上传文件出错");
-        }
-    }
-
-    /**
-     * 文件路径上传只返回文件名
-     *
-     * @param file
-     * @return
-     */
-    public String upload(MultipartFile file) throws IOException {
-        try {
-            //String key = Md5Util.md5HashCode(file.getInputStream()) +"_"+ file.getOriginalFilename();
-            String key = file.getOriginalFilename();
-            String s = Md5Util.little16MD5a(DigestUtils.md5Hex(file.getInputStream()));
-            String path = filePath + "/" + s;
-            File dir = new File(path);
-            if (!dir.exists()) {
-                dir.mkdirs();
-            }
-            File f = new File(path + "/" + key);
-            //如果文件已经存在直接返回文件名证明快速上传了
-            if (f.exists()) {
-                return s + "/" +key;
-            }
-            file.transferTo(f);
-            key = s + "/"+ key;
-            return key;
-        } catch (IOException e) {
-            e.printStackTrace();
-            log.error(e.toString());
-            throw new RuntimeException("上传文件出错");
-        }
-    }
-
-    /**
-     * 读取文件
-     *
-     * @param url
-     * @param response
-     */
-    public void view(String url, HttpServletResponse response) {
-
-        File file = new File(url);
-        FileInputStream i = null;
-        OutputStream o = null;
-
-        try {
-            i = new FileInputStream(file);
-            o = response.getOutputStream();
-
-            byte[] buf = new byte[1024];
-            int bytesRead;
-
-            while ((bytesRead = i.read(buf)) > 0) {
-                o.write(buf, 0, bytesRead);
-                o.flush();
-            }
-
-            i.close();
-            o.close();
-        } catch (IOException e) {
-            log.error(e.toString());
-            throw new RuntimeException("读取文件出错");
-        }
-    }
-
-    /**
-     * 重命名
-     *
-     * @param url
-     * @param toKey
-     * @return
-     */
-    public String renameFile(String url, String toKey) {
-
-        String result = copyFile(url, toKey);
-        deleteFile(url);
-        return result;
-    }
-
-    /**
-     * 复制文件
-     *
-     * @param url
-     * @param toKey
-     */
-    public String copyFile(String url, String toKey) {
-
-        File file = new File(url);
-        FileInputStream i = null;
-        FileOutputStream o = null;
-
-        try {
-            i = new FileInputStream(file);
-            o = new FileOutputStream(new File(file.getParentFile() + "/" + toKey));
-
-            byte[] buf = new byte[1024];
-            int bytesRead;
-
-            while ((bytesRead = i.read(buf)) > 0) {
-                o.write(buf, 0, bytesRead);
-            }
-
-            i.close();
-            o.close();
-            return file.getParentFile() + "/" + toKey;
-        } catch (IOException e) {
-            log.error(e.toString());
-            throw new RuntimeException("复制文件出错");
-        }
-    }
-
-    /**
-     * 删除文件
-     *
-     * @param url
-     */
-    public void deleteFile(String url) {
-
-        File file = new File(url);
-        file.delete();
-    }
-
-    /**
-     * 删除文件
-     *
-     * @param url
-     */
-    public void deleteFileName(String url) {
-
-        File file = new File(filePath + "/" + url);
-        file.delete();
-    }
-}

chsm-web-manage/src/main/java/com/sunyard/ssp/utils/RandomUtils.java

@@ -0,0 +1,23 @@
+package com.sunyard.ssp.utils;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+/**
+ * @author liulu
+ * @since 2025/1/14
+ */
+public abstract class RandomUtils {
+
+
+
+    public static SecureRandom getRandom() {
+        try {
+            return SecureRandom.getInstance("SHA1PRNG");
+        } catch (NoSuchAlgorithmException e) {
+            throw new IllegalArgumentException(e);
+        }
+    }
+
+
+}

chsm-web-manage/src/main/java/com/sunyard/ssp/utils/regexp/model/OptionalRegexNode.java

@@ -1,12 +1,12 @@
 package com.sunyard.ssp.utils.regexp.model;
 
+import com.sunyard.ssp.utils.RandomUtils;
 import com.sunyard.ssp.utils.regexp.exception.RegexpIllegalException;
 import com.sunyard.ssp.utils.regexp.exception.TypeNotMatchException;
 import com.sunyard.ssp.utils.regexp.exception.UninitializedException;
 
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Random;
 
 public class OptionalRegexNode extends BaseRegexNode {
 
@@ -50,6 +50,6 @@ public class OptionalRegexNode extends BaseRegexNode {
     @Override
     protected String random(String expression, List<String> expressionFragments)
             throws UninitializedException, RegexpIllegalException {
-        return children.get(new Random().nextInt(children.size())).random();
+        return children.get(RandomUtils.getRandom().nextInt(children.size())).random();
     }
 }

chsm-web-manage/src/main/java/com/sunyard/ssp/utils/regexp/model/RepeatRegexNode.java

@@ -1,12 +1,12 @@
 package com.sunyard.ssp.utils.regexp.model;
 
+import com.sunyard.ssp.utils.RandomUtils;
 import com.sunyard.ssp.utils.regexp.exception.RegexpIllegalException;
 import com.sunyard.ssp.utils.regexp.exception.TypeNotMatchException;
 import com.sunyard.ssp.utils.regexp.exception.UninitializedException;
 
 import java.util.Collections;
 import java.util.List;
-import java.util.Random;
 
 public class RepeatRegexNode extends BaseRegexNode {
 
@@ -63,7 +63,7 @@ public class RepeatRegexNode extends BaseRegexNode {
     @Override
     protected String random(String expression, List<String> expressionFragments)
             throws RegexpIllegalException, UninitializedException {
-        int repeat = new Random().nextInt(maxRepeat - minRepeat + 1) + minRepeat;
+        int repeat = RandomUtils.getRandom().nextInt(maxRepeat - minRepeat + 1) + minRepeat;
         StringBuilder value = new StringBuilder();
         while (repeat-- > 0) {
             value.append(regexNode.random());

chsm-web-manage/src/main/java/com/sunyard/ssp/utils/regexp/model/SingleRegexNode.java

@@ -1,12 +1,12 @@
 package com.sunyard.ssp.utils.regexp.model;
 
+import com.sunyard.ssp.utils.RandomUtils;
 import com.sunyard.ssp.utils.regexp.exception.RegexpIllegalException;
 import com.sunyard.ssp.utils.regexp.exception.TypeNotMatchException;
 import com.sunyard.ssp.utils.regexp.exception.UninitializedException;
 
 import java.util.ArrayList;
 import java.util.List;
-import java.util.Random;
 
 public class SingleRegexNode extends BaseRegexNode {
 
@@ -114,7 +114,7 @@ public class SingleRegexNode extends BaseRegexNode {
         for (Interval interval : intervals) {
             count += interval.end + 1 - interval.start;
         }
-        int randomValue = new Random().nextInt(count);
+        int randomValue = RandomUtils.getRandom().nextInt(count);
         for (Interval interval : intervals) {
             if (randomValue < interval.end + 1 - interval.start) {
                 return (char) (interval.start + randomValue);

chsm-web-manage/src/main/resources/application.yml

@@ -1,5 +1,5 @@
 server:
-  port: 89
+  port: 9880
   tomcat:
     uri-encoding: UTF-8
     threads:

chsm-web-server/Dockerfile

@@ -0,0 +1,8 @@
+FROM dragonwell8
+
+WORKDIR /app
+COPY target/chsm-web-server.jar /app/app.jar
+ENV JVM_OPTS=""
+ENV ARGS_OPTS=""
+EXPOSE 9890
+ENTRYPOINT ["sh","-c","java $JVM_OPTS -jar app.jar $ARGS_OPTS"]

chsm-web-server/build.cmd

@@ -0,0 +1,18 @@
+@echo off
+SETLOCAL
+
+chcp 65001
+
+del /S *.log
+
+call mvn clean -DskipTests=true package -f ../pom.xml
+
+echo ">>>>>>>>>>>begin build docker image ...<<<<<<<<<<<<<"
+docker build -t chsm-web-server:latest .
+echo ">>>>>>>>>>>build docker image success<<<<<<<<<<<<<"
+
+docker save -o chsm-web-server.tar chsm-web-server:latest
+echo ">>>>>>>>>>>build docker offline tar success<<<<<<<<<<<<<"
+
+pause
+

chsm-web-server/pom.xml

@@ -44,6 +44,7 @@
     </dependencies>
 
     <build>
+        <finalName>chsm-web-server</finalName>
         <plugins>
             <plugin>
                 <groupId>org.springframework.boot</groupId>

chsm-web-server/src/main/java/com/sunyard/chsm/auth/AppTokenFilter.java

@@ -1,15 +1,22 @@
 package com.sunyard.chsm.auth;
 
 
+import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
+import com.sunyard.chsm.enums.EnableStatus;
+import com.sunyard.chsm.mapper.IpWhitelisttMapper;
 import com.sunyard.chsm.model.R;
+import com.sunyard.chsm.model.entity.IpWhitelist;
 import com.sunyard.chsm.service.AppLoginService;
+import com.sunyard.chsm.utils.IpUtils;
 import com.sunyard.chsm.utils.JsonUtils;
 import io.jsonwebtoken.ExpiredJwtException;
 import io.jsonwebtoken.JwtException;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.InitializingBean;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Component;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.ObjectUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
@@ -18,9 +25,11 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.Arrays;
+import java.util.*;
-import java.util.Collection;
+import java.util.concurrent.ConcurrentHashMap;
-import java.util.Enumeration;
+import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
+import java.util.stream.Collectors;
 
 import static com.sunyard.chsm.constant.SecurityConstant.ATTRIBUTE_APP_USER;
 
@@ -32,7 +41,9 @@ import static com.sunyard.chsm.constant.SecurityConstant.ATTRIBUTE_APP_USER;
 @Slf4j
 @Component
 @RequiredArgsConstructor
-public class AppTokenFilter extends OncePerRequestFilter {
+public class AppTokenFilter extends OncePerRequestFilter implements InitializingBean {
+
+    public static Map<Long, List<String>> WHITE_IP_MAP = new ConcurrentHashMap<>();
 
     public static final Collection<String> WHITE_URL = Arrays.asList(
             "/appUser/getAppToken",
@@ -40,6 +51,7 @@ public class AppTokenFilter extends OncePerRequestFilter {
     );
 
     private final AppLoginService appLoginService;
+    private final IpWhitelisttMapper ipWhitelisttMapper;
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
@@ -58,6 +70,16 @@ public class AppTokenFilter extends OncePerRequestFilter {
 
         try {
             AppUser user = appLoginService.verifyToken(tokenValue);
+            List<String> ips = WHITE_IP_MAP.getOrDefault(user.getAppId(), Collections.emptyList());
+            String ip = IpUtils.getIpAddress(request);
+            if (!CollectionUtils.isEmpty(ips) && !ips.contains(ip)) {
+                logger.warn("forbidden for ip: " + ip);
+                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+                response.setContentType(MediaType.TEXT_PLAIN_VALUE);
+                response.getWriter().println("this ip is forbidden");
+                response.getWriter().flush();
+                return;
+            }
             request.setAttribute(ATTRIBUTE_APP_USER, user);
             filterChain.doFilter(request, response);
         } catch (ExpiredJwtException ex) {
@@ -110,4 +132,21 @@ public class AppTokenFilter extends OncePerRequestFilter {
         return null;
     }
 
+    @Override
+    public void afterPropertiesSet() throws ServletException {
+        super.afterPropertiesSet();
+
+        Executors.newSingleThreadScheduledExecutor()
+                .scheduleWithFixedDelay(() -> {
+
+                    List<IpWhitelist> list = ipWhitelisttMapper.selectList(
+                            new LambdaQueryWrapper<IpWhitelist>()
+                                    .eq(IpWhitelist::getScope, "app")
+                                    .eq(IpWhitelist::getStatus, EnableStatus.ENABLED.getCode())
+                    );
+                    WHITE_IP_MAP = list.stream().collect(Collectors.groupingBy(IpWhitelist::getAppId, Collectors.mapping(IpWhitelist::getIp, Collectors.toList())));
+                }, 1L, 5L, TimeUnit.MINUTES);
+
+    }
+
 }

chsm-web-server/src/main/java/com/sunyard/chsm/controller/AppLoginController.java

@@ -4,6 +4,8 @@ import com.sunyard.chsm.model.R;
 import com.sunyard.chsm.param.AppTokenReq;
 import com.sunyard.chsm.param.AppTokenResp;
 import com.sunyard.chsm.service.AppLoginService;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -26,6 +28,10 @@ public class AppLoginController {
     @Resource
     private AppLoginService appLoginService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
 
     /**
      * 获取应用Token接口

chsm-web-server/src/main/java/com/sunyard/chsm/controller/AsymKeyController.java

@@ -3,9 +3,27 @@ package com.sunyard.chsm.controller;
 import com.sunyard.chsm.auth.AuthCode;
 import com.sunyard.chsm.constant.AuthCodeConst;
 import com.sunyard.chsm.model.R;
-import com.sunyard.chsm.param.*;
+import com.sunyard.chsm.param.AsymDecryptReq;
+import com.sunyard.chsm.param.AsymDecryptResp;
+import com.sunyard.chsm.param.AsymEncryptReq;
+import com.sunyard.chsm.param.AsymEncryptResp;
+import com.sunyard.chsm.param.AsymEnvelopeSealReq;
+import com.sunyard.chsm.param.AsymEnvelopeSealResp;
+import com.sunyard.chsm.param.AsymEnvelopeUnsealReq;
+import com.sunyard.chsm.param.AsymEnvelopeUnsealResp;
+import com.sunyard.chsm.param.AsymSignP7Req;
+import com.sunyard.chsm.param.AsymSignP7Resp;
+import com.sunyard.chsm.param.AsymSignRawReq;
+import com.sunyard.chsm.param.AsymSignRawResp;
+import com.sunyard.chsm.param.AsymVerifyP7Req;
+import com.sunyard.chsm.param.AsymVerifyRawReq;
+import com.sunyard.chsm.param.ExportPubKeyReq;
+import com.sunyard.chsm.param.ExportPubKeyResp;
+import com.sunyard.chsm.param.VerifyResp;
 import com.sunyard.chsm.service.AsymKeyService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -26,6 +44,11 @@ public class AsymKeyController {
     @Autowired
     private AsymKeyService asymKeyService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 导出非对称公钥
      *

chsm-web-server/src/main/java/com/sunyard/chsm/controller/CertController.java

@@ -3,11 +3,23 @@ package com.sunyard.chsm.controller;
 
 import com.sunyard.chsm.model.R;
 import com.sunyard.chsm.model.dto.CertDTO;
-import com.sunyard.chsm.param.*;
+import com.sunyard.chsm.param.CertExinfoResp;
+import com.sunyard.chsm.param.CertInfoResp;
+import com.sunyard.chsm.param.ExportCertReq;
+import com.sunyard.chsm.param.ExportCertResp;
+import com.sunyard.chsm.param.ImportCertReq;
 import com.sunyard.chsm.service.AppCertService;
 import com.sunyard.chsm.service.CertService;
 import org.springframework.beans.BeanUtils;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.InitBinder;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.annotation.Resource;
 import javax.validation.Valid;
@@ -27,6 +39,11 @@ public class CertController {
     @Resource
     private CertService certService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 导出证书
      *

chsm-web-server/src/main/java/com/sunyard/chsm/controller/HashController.java

@@ -14,6 +14,8 @@ import com.sunyard.chsm.sdf.context.AlgId;
 import com.sunyard.chsm.sdf.model.EccPubKey;
 import com.sunyard.chsm.utils.CodecUtils;
 import org.springframework.util.Assert;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RestController;
@@ -40,6 +42,11 @@ public class HashController {
     @Resource
     private DeviceManager deviceManager;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 计算Hash
      *
@@ -118,7 +125,7 @@ public class HashController {
         SdfApiAdapter sdf = context.getSdfApiAdapter();
         sdf.hashUpdate(context.getSessionHandle(), bytes);
         HashResp resp = new HashResp();
-        resp.setHandle(req.getHandle());
+//        resp.setHandle(req.getHandle());
         return R.data(resp);
     }
 
@@ -139,7 +146,7 @@ public class HashController {
         byte[] hash = sdf.hashFinish(context.getSessionHandle());
         sdf.closeSession(context.getSessionHandle());
         HashResp resp = new HashResp();
-        resp.setHandle(req.getHandle());
+//        resp.setHandle(req.getHandle());
         resp.setHash(CodecUtils.encodeBase64(hash));
         return R.data(resp);
     }

chsm-web-server/src/main/java/com/sunyard/chsm/controller/KeyManageController.java

@@ -11,6 +11,8 @@ import com.sunyard.chsm.param.KeyManageReq;
 import com.sunyard.chsm.param.KeyUpdateReq;
 import com.sunyard.chsm.service.KeyManageService;
 import org.springframework.util.Assert;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -32,6 +34,11 @@ public class KeyManageController {
     @Resource
     private KeyManageService keyManageService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 查询密钥列表
      *

chsm-web-server/src/main/java/com/sunyard/chsm/controller/RandomController.java

@@ -7,6 +7,8 @@ import com.sunyard.chsm.param.GenRandomReq;
 import com.sunyard.chsm.param.GenRandomResp;
 import com.sunyard.chsm.sdf.SdfApiService;
 import com.sunyard.chsm.utils.CodecUtils;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RestController;
@@ -25,6 +27,11 @@ public class RandomController {
     @Resource
     private SdfApiService sdfApiService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 获取随机数
      *

chsm-web-server/src/main/java/com/sunyard/chsm/controller/SymKeyController.java

@@ -16,6 +16,8 @@ import com.sunyard.chsm.param.SymMacResp;
 import com.sunyard.chsm.param.VerifyResp;
 import com.sunyard.chsm.service.SymKeyService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.WebDataBinder;
+import org.springframework.web.bind.annotation.InitBinder;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -36,6 +38,11 @@ public class SymKeyController {
     @Autowired
     private SymKeyService symKeyService;
 
+    @InitBinder
+    public void initBinder(WebDataBinder binder) {
+        binder.setDisallowedFields("qwer");
+    }
+
     /**
      * 对称加密
      *

chsm-web-server/src/main/java/com/sunyard/chsm/pool/DeviceManager.java

@@ -77,6 +77,12 @@ public class DeviceManager implements InitializingBean {
         if (atomicInteger.get() > Integer.MAX_VALUE - 10000) {
             atomicInteger.set(1);
         }
+        if (CollectionUtils.isEmpty(serviceDeviceMap)) {
+            log.warn("系统内没有可以设备..service Device is empty");
+            TMKContext soft = getSoftContext();
+            Assert.notNull(soft, "应用: " + user.getName() + "没有可用的密码设备");
+            return soft;
+        }
         List<DeviceContext> contexts = serviceDeviceMap.entrySet().stream()
                 .filter(it -> serviceIds.contains(it.getKey()))
                 .map(Map.Entry::getValue)

chsm-web-server/src/main/java/com/sunyard/chsm/service/AppLoginService.java

@@ -1,15 +1,19 @@
 package com.sunyard.chsm.service;
 
+import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
 import com.sunyard.chsm.auth.AppUser;
 import com.sunyard.chsm.constant.SecurityConstant;
 import com.sunyard.chsm.enums.EnableStatus;
 import com.sunyard.chsm.mapper.AppServiceMapper;
 import com.sunyard.chsm.mapper.ApplicationMapper;
+import com.sunyard.chsm.mapper.IpWhitelisttMapper;
 import com.sunyard.chsm.model.entity.AppService;
 import com.sunyard.chsm.model.entity.Application;
+import com.sunyard.chsm.model.entity.IpWhitelist;
 import com.sunyard.chsm.param.AppTokenReq;
 import com.sunyard.chsm.param.AppTokenResp;
 import com.sunyard.chsm.utils.CodecUtils;
+import com.sunyard.chsm.utils.IpUtils;
 import com.sunyard.chsm.utils.gm.BCSM3Utils;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Header;
@@ -19,8 +23,10 @@ import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
 
 import javax.annotation.Resource;
+import javax.servlet.http.HttpServletRequest;
 import java.util.*;
 import java.util.stream.Collectors;
 
@@ -41,6 +47,10 @@ public class AppLoginService {
     private ApplicationMapper applicationMapper;
     @Resource
     private AppServiceMapper appServiceMapper;
+    @Resource
+    private HttpServletRequest request;
+    @Resource
+    private IpWhitelisttMapper ipWhitelisttMapper;
 
     public AppTokenResp getAppToken(AppTokenReq req) {
         Long random = req.getTimestamp();
@@ -49,6 +59,19 @@ public class AppLoginService {
         String appKey = req.getAppKey();
         Application application = applicationMapper.selectByAppKey(appKey);
         Assert.isTrue(EnableStatus.ENABLED.getCode().equals(application.getStatus()), "此应用已停用");
+        List<IpWhitelist> list = ipWhitelisttMapper.selectList(
+                new LambdaQueryWrapper<IpWhitelist>().eq(IpWhitelist::getAppId, application.getId())
+        );
+        if (!CollectionUtils.isEmpty(list)) {
+            String ip = IpUtils.getIpAddress(request);
+            IpWhitelist whitelist = list.stream()
+                    .filter(it -> EnableStatus.ENABLED.getCode().equals(it.getStatus()))
+                    .filter(it -> Objects.equals(ip, it.getIp()))
+                    .findFirst()
+                    .orElse(null);
+            Assert.notNull(whitelist, "IP:" + ip + "禁止访问!");
+        }
+
         String data = appKey + random + application.getAppSecret();
         byte[] hmac = BCSM3Utils.hmac(application.getAppSecret().getBytes(), data.getBytes());
         String serverHmac = CodecUtils.encodeBase64(hmac);

chsm-web-server/src/main/resources/application.yml

@@ -1,5 +1,5 @@
 server:
-  port: 8900
+  port: 9890
   tomcat:
     uri-encoding: UTF-8
     threads:

chsm-web-server/src/test/java/api/BaseTest.java

@@ -30,7 +30,7 @@ public abstract class BaseTest {
     protected static final String asymKeyTemplate = "asym-sm2-001";
     protected static final String ak = "216205d408130d83d13c5072305b8b65";
     protected static final String sk = "ae64515d1d5adec2cc6ae8726d0c1bbc";
-    protected static final String server = "http://172.16.18.46:8900";
+    protected static final String server = "http://172.16.18.42:9890";
     protected static final RestTemplate restTemplate;
     protected static final String token;
 
@@ -49,7 +49,12 @@ public abstract class BaseTest {
             R<AppTokenResp> r = JsonUtils.objectMapper()
                     .readValue(response.getBody(), new TypeReference<R<AppTokenResp>>() {
                     });
+            if (!r.isSuccess()) {
+                log.warn(r.getMessage());
+                throw new IllegalArgumentException(r.getMessage());
+            }
             token = r.getResult().getToken();
+            log.info("get token: {}", token);
             restTemplate = new RestTemplateBuilder()
                     .rootUri(server)
                     .defaultHeader("Authorization", "Bearer " + token)

doc/ssp_dm.sql

@@ -180,7 +180,7 @@ CREATE TABLE "SC_PERMISSION"(
 
 
 -- 初始化数据
-INSERT INTO SC_PARAM_CONF (ITEM, KEY, VALUE, TYPE, STATUS, MEMO) VALUES (0, 'ipWhitelistSwitch', 'true', 'OBJECT', 0, null);
+INSERT INTO SC_PARAM_CONF (ITEM, KEY, VALUE, TYPE, STATUS, MEMO) VALUES (0, 'ipWhitelistSwitch', 'false', 'OBJECT', 0, null);
 INSERT INTO SC_PARAM_CONF (ITEM, KEY, VALUE, TYPE, STATUS, MEMO) VALUES (1, 'communicateTimeOut', '30', 'OBJECT', 0, null);
 INSERT INTO SC_PARAM_CONF (ITEM, KEY, VALUE, TYPE, STATUS, MEMO) VALUES (1, 'heartDetectTime', '5', 'OBJECT', 0, null);
 INSERT INTO SC_PARAM_CONF (ITEM, KEY, VALUE, TYPE, STATUS, MEMO) VALUES (1, 'ftpUploadPath', '/app/upload', 'OBJECT', 0, null);
@@ -216,7 +216,7 @@ INSERT INTO SC_DICT (ID, TYPE, TITLE, SCOPE, SORT_ORDER, DESCRIPTION) VALUES (42
 INSERT INTO SC_DICT (ID, TYPE, TITLE, SCOPE, SORT_ORDER, DESCRIPTION) VALUES (76, 'Publickey_format', '公钥格式', 1, 0, null);
 INSERT INTO SC_DICT (ID, TYPE, TITLE, SCOPE, SORT_ORDER, DESCRIPTION) VALUES (81, 'version', '系统版本号', 1, 0, '');
 
-SET IDENTITY_INSERT SC_DICT_DATA ON
+SET IDENTITY_INSERT SC_DICT_DATA ON;
 INSERT INTO SC_DICT_DATA (ID, DICT_ID, TITLE, VALUE, SORT_ORDER, STATUS, DESCRIPTION) VALUES (25, 76, 'DER', 'DER', 1, 0, null);
 INSERT INTO SC_DICT_DATA (ID, DICT_ID, TITLE, VALUE, SORT_ORDER, STATUS, DESCRIPTION) VALUES (26, 76, 'BASE64', 'BASE64', 2, 0, null);
 INSERT INTO SC_DICT_DATA (ID, DICT_ID, TITLE, VALUE, SORT_ORDER, STATUS, DESCRIPTION) VALUES (27, 38, '30秒', '30000', 1, 0, null);
@@ -289,13 +289,14 @@ INSERT INTO SC_ROLE (ID, NAME, DEFAULT_ROLE, DESCRIPTION, DATA_TYPE) VALUES (33,
 
 INSERT INTO SC_USER_ROLE (ROLE_ID, USER_ID) VALUES (1, 1);
 
-
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (182, 33);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (185, 33);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (188, 33);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (189, 33);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (194, 33);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (195, 33);
+INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (20, 25);
+INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (216, 25);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (212, 25);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (213, 25);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (214, 25);
@@ -303,6 +304,8 @@ INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (215, 25);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (209, 25);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (210, 25);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (211, 25);
+INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (20, 32);
+INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (24, 32);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (207, 32);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (208, 32);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (205, 32);
@@ -317,27 +320,6 @@ INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (20, 1);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (216, 1);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (24, 1);
 INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (5, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (32, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (207, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (208, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (205, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (206, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (202, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (203, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (204, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (212, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (213, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (214, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (215, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (209, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (210, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (211, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (182, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (185, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (194, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (195, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (188, 1);
-INSERT INTO SC_ROLE_PERMISSION (PERMISSION_ID, ROLE_ID) VALUES (189, 1);