漏洞名称:暴力破解漏洞
处理方案：redis 设置对应的缓存有效期为 60 秒，
然后每次登录的时候查询登录失败次数
超过5次不查询数据库,直接返回报错
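@Configuration
@EnableCaching
public class RedisConfig implements Serializable {

    /** TTL for caches that have no entry in {@link #getRedisCacheConfigurationMap()}: one hour. */
    private static final int DEFAULT_TTL_SECONDS = 60 * 60;

    /**
     * TTL of the failed-login counter cache: 60 seconds. This is the brute-force counting
     * window; presumably each {@code @CachePut} re-applies it, so the window slides with the
     * last failure (confirm against the Spring Data Redis version in use).
     */
    private static final int LOGIN_FAIL_TTL_SECONDS = 60;

    /** Cache name referenced by {@code @Cacheable}/{@code @CachePut} on the login-failure counter. */
    private static final String LOGIN_FAIL_CACHE = "loginFailNum";

    /**
     * Builds the cache manager: a non-locking writer, the one-hour default policy, and the
     * per-cache overrides from {@link #getRedisCacheConfigurationMap()}.
     *
     * @param redisConnectionFactory connection factory supplied by Spring
     * @return the configured cache manager
     */
    @Bean
    public RedisCacheManager cacheManager(RedisConnectionFactory redisConnectionFactory) {
        RedisCacheWriter writer = RedisCacheWriter.nonLockingRedisCacheWriter(redisConnectionFactory);
        return new RedisCacheManager(
                writer,
                getRedisCacheConfigurationWithTtl(DEFAULT_TTL_SECONDS), // fallback for every cache not listed below
                getRedisCacheConfigurationMap()                          // per-cache TTL overrides
        );
    }

    /**
     * Per-cache configurations; only the login-failure counter is overridden, with its short TTL.
     *
     * @return map from cache name to its configuration
     */
    private Map<String, RedisCacheConfiguration> getRedisCacheConfigurationMap() {
        Map<String, RedisCacheConfiguration> configByCache = new HashMap<>();
        configByCache.put(LOGIN_FAIL_CACHE, getRedisCacheConfigurationWithTtl(LOGIN_FAIL_TTL_SECONDS));
        return configByCache;
    }

    /**
     * Builds a cache configuration whose values are JSON-serialized with Jackson and expire
     * after {@code seconds}.
     *
     * @param seconds entry time-to-live; a primitive so a missing value cannot unbox into a NullPointerException
     * @return the configuration
     */
    private RedisCacheConfiguration getRedisCacheConfigurationWithTtl(int seconds) {
        ObjectMapper om = new ObjectMapper();
        om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
        // NOTE(review): default typing writes class names into the cached JSON and lets Jackson
        // instantiate them on read. The API is deprecated since Jackson 2.10 because, when the
        // stored data is not fully trusted, it is a deserialization gadget vector. The
        // loginFailNum cache holds only Integer and needs no polymorphic typing at all; for any
        // other cache, prefer activateDefaultTyping(...) with an allow-listing
        // PolymorphicTypeValidator, or a serializer typed to the concrete value class.
        om.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);

        Jackson2JsonRedisSerializer<Object> valueSerializer = new Jackson2JsonRedisSerializer<>(Object.class);
        valueSerializer.setObjectMapper(om);

        return RedisCacheConfiguration.defaultCacheConfig()
                .serializeValuesWith(RedisSerializationContext.SerializationPair.fromSerializer(valueSerializer))
                .entryTtl(Duration.ofSeconds(seconds));
    }
}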
//登录的时候查询登录失败次数
/**
 * Returns the number of failed logins recorded for {@code mobilePhone}.
 * <p>
 * The body is only the cache-miss fallback: with {@code @Cacheable}, a hit on the
 * {@code loginFailNum} cache short-circuits the call and yields the stored counter, so the
 * literal zero below is the "nothing recorded yet" value that gets cached on the first lookup.
 *
 * @param mobilePhone login identifier the counter is keyed on
 * @return the cached failure count, or 0 when none has been recorded
 */
@Override
@Cacheable(value = "loginFailNum",key = "'loginFail_' + #mobilePhone")
public Integer getLoginFail(String mobilePhone) {
    final Integer noFailuresYet = Integer.valueOf(0);
    return noFailuresYet;
}
// 失败次数加一
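/**
 * Records one more failed login for {@code mobilePhone}.
 * <p>
 * The returned value is what {@code @CachePut} stores under {@code loginFail_<mobilePhone>} in
 * the {@code loginFailNum} cache, so the method's only job is to compute the new counter. It
 * does not read the cache itself: the caller passes the count it last observed, which means two
 * concurrent callers can observe the same count and both store the same successor
 * (under-counting). An atomic increment on the store would close that gap.
 *
 * @param mobilePhone  login identifier the counter is keyed on
 * @param loginFailNum count observed by the caller; {@code null} is treated as 0 so a missing
 *                     counter starts at 1 instead of throwing NullPointerException
 * @return the incremented count, which is also written to the cache
 */
@Override
@CachePut(value = "loginFailNum",key = "'loginFail_' + #mobilePhone")
public Integer setLoginFail(String mobilePhone,Integer loginFailNum) {
    int observed = loginFailNum == null ? 0 : loginFailNum;
    return observed + 1;
}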
/**
 * Password login for administrators, guarded by a per-phone-number failed-attempt counter.
 * <p>
 * Order matters: the counter is consulted before the credential lookup, so a locked number
 * never reaches the database. The counter lives in the {@code loginFailNum} cache (see
 * {@code RedisConfig}) and is only incremented after a failed lookup.
 *
 * @param mobilePhone login identifier; the failure counter is keyed on this value alone
 * @param password    credential forwarded unchanged to {@code xxxDao.loginAdmin}
 * @return the logged-in administrator (the page omits how it is built — see the note at the end)
 * @throws BusinessException with {@code ResultCode.FAIL} when the counter is missing or at/over 5
 */
@RequestMapping(value = "/login", method = RequestMethod.POST)
@JSON(type = Admin.class)
public AdminVo login(
@RequestParam
@NotBlank(message = "手机不能为空") String mobilePhone,
@RequestParam
@NotBlank(message = "密码不能为空") String password ) {
// tokenService.deleteUser(mobilePhone);
// Counter read from the cache; getLoginFail returns 0 on a miss, so null here means the lookup
// produced nothing usable and is treated as "locked" (fails closed).
Integer value = tokenService.getLoginFail(mobilePhone);
// Five or more failures: reject without touching the database. The prose above says
// "more than 5"; the code rejects at exactly 5.
if (value == null || value >= 5) {
throw new BusinessException(ResultCode.FAIL);
}
List<Admin> list= xxxDao.loginAdmin(mobilePhone, password);
if (null == list|| list.isEmpty()) {
// NOTE(review): read-then-write — the value read above is what gets incremented, so concurrent
// attempts for the same number can each store the same count and under-count (more than 5
// database lookups are possible in a burst). An atomic Redis increment would close that gap.
// NOTE(review): presumably each write re-applies the 60 s TTL from RedisConfig, making the
// lockout a sliding window; because the key is the phone number alone, repeated failures
// against a known number also lock its real owner out for 60 s at a time — confirm whether a
// per-source limit exists elsewhere.
tokenService.setLoginFail(mobilePhone,value);
// login failed
} else {
// login succeeded — the counter is not reset here, so earlier failures keep counting until the TTL expires
}
// NOTE(review): the page shows no return statement on either path; the result construction is elided.
}