Java redis 暴力破解漏洞 简单限制用户登录

漏洞名称：暴力破解漏洞
处理方案：在 redis 中为登录失败次数设置 60 秒的缓存有效期，
每次登录时先查询该手机号的登录失败次数，
超过 5 次则不再查询数据库，直接返回报错。

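@Configuration
@EnableCaching
public class RedisConfig implements Serializable {

    /**
     * Name of the cache that holds the per-phone login-failure counters. Must stay equal to the
     * {@code value} used by the service's {@code @Cacheable}/{@code @CachePut} annotations.
     */
    public static final String LOGIN_FAIL_CACHE = "loginFailNum";

    /** TTL applied to every cache that has no override in {@link #getRedisCacheConfigurationMap()}. */
    private static final long DEFAULT_TTL_SECONDS = 60L * 60;

    /** TTL of one login-failure counter: the 60-second lock-out window. */
    private static final long LOGIN_FAIL_TTL_SECONDS = 60L;

    /**
     * Builds the cache manager from a non-locking writer, the default TTL policy and the
     * per-cache overrides.
     *
     * @param redisConnectionFactory connection factory the cache writer operates on
     * @return the configured {@link RedisCacheManager}
     */
    @Bean
    public RedisCacheManager cacheManager(RedisConnectionFactory redisConnectionFactory) {
        return new RedisCacheManager(
                RedisCacheWriter.nonLockingRedisCacheWriter(redisConnectionFactory),
                this.getRedisCacheConfigurationWithTtl(DEFAULT_TTL_SECONDS), // policy for caches not listed below
                this.getRedisCacheConfigurationMap() // per-cache policies
        );
    }

    /**
     * Per-cache configuration overrides.
     *
     * @return cache name to configuration; currently only the login-failure counter cache,
     *         which expires after {@link #LOGIN_FAIL_TTL_SECONDS}
     */
    private Map<String, RedisCacheConfiguration> getRedisCacheConfigurationMap() {
        Map<String, RedisCacheConfiguration> perCacheConfig = new HashMap<>();
        perCacheConfig.put(LOGIN_FAIL_CACHE, this.getRedisCacheConfigurationWithTtl(LOGIN_FAIL_TTL_SECONDS));
        return perCacheConfig;
    }

    /**
     * Cache configuration that stores values as JSON and expires every entry after {@code seconds}.
     *
     * @param seconds entry time-to-live in seconds
     * @return the default cache configuration with the JSON value serializer and the given TTL
     */
    private RedisCacheConfiguration getRedisCacheConfigurationWithTtl(long seconds) {
        return RedisCacheConfiguration.defaultCacheConfig()
                .serializeValuesWith(
                        RedisSerializationContext.SerializationPair.fromSerializer(jsonValueSerializer()))
                .entryTtl(Duration.ofSeconds(seconds));
    }

    /**
     * JSON value serializer shared by all cache configurations built here.
     *
     * @return a {@link Jackson2JsonRedisSerializer} whose mapper reads/writes all fields regardless of
     *         visibility and embeds type information for non-final value types
     */
    private Jackson2JsonRedisSerializer<Object> jsonValueSerializer() {
        ObjectMapper om = new ObjectMapper();
        om.setVisibility(PropertyAccessor.ALL, JsonAutoDetect.Visibility.ANY);
        // SECURITY NOTE: default typing makes the reader honour a class name embedded in the stored
        // JSON, so anyone able to write to this Redis instance chooses which type gets instantiated on
        // read (the well-known Jackson polymorphic-deserialization issue). enableDefaultTyping is also
        // deprecated since Jackson 2.10 in favour of activateDefaultTyping(PolymorphicTypeValidator, ...).
        // Kept as-is because other caches using the default policy may depend on it; when the Jackson
        // version allows, switch to activateDefaultTyping with a validator that allow-lists the value
        // types actually cached (the login counter is a plain Integer and needs no type info at all).
        om.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        Jackson2JsonRedisSerializer<Object> serializer = new Jackson2JsonRedisSerializer<>(Object.class);
        serializer.setObjectMapper(om);
        return serializer;
    }
}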

	//登录的时候查询登录失败次数
 	@Override
    @Cacheable(value = "loginFailNum",key = "'loginFail_' + #mobilePhone")
    public Integer getLoginFail(String mobilePhone) {
        // The cache proxy serves an existing Redis entry for this phone before this body runs; the
        // body is reached only on a miss and seeds the counter at zero, which @Cacheable then stores
        // under the same key for the cache's TTL.
        final Integer noFailuresRecorded = 0;
        return noFailuresRecorded;
    }
	// 失败次数加一
    @Override
    @CachePut(value = "loginFailNum",key = "'loginFail_' + #mobilePhone")
    public Integer setLoginFail(String mobilePhone, Integer loginFailNum) {
        // @CachePut always executes the body and writes the result to Redis under the phone's key.
        // NOTE(review): getLoginFail + setLoginFail is a read-modify-write split across two calls, not
        // an atomic INCR — concurrent failed attempts for one phone can overwrite each other's
        // increment; each write also appears to restart the entry TTL (confirm against the cache writer).
        int incremented = loginFailNum + 1; // a null loginFailNum unboxes to NullPointerException
        return incremented;
    }
/**
 * Admin login guarded by a per-phone failure counter that is read from the "loginFailNum" cache
 * before the database is consulted.
 *
 * <p>Risk notes: the counter is keyed by phone number alone, so anyone who knows a phone number can
 * lock that account for the cache TTL window; the counter is read here and written back in
 * setLoginFail without atomicity, so parallel attempts can lose increments; and nothing visible
 * resets the counter on success. The method is declared to return {@code AdminVo} but the visible
 * body has no return statement — the listing appears to be an excerpt.
 *
 * @param mobilePhone the account's phone number; must not be blank
 * @param password    the submitted password; must not be blank
 * @return the logged-in admin (not produced by the visible body)
 * @throws BusinessException with {@code ResultCode.FAIL} when the cached failure count is null or at least 5
 */
@RequestMapping(value = "/login", method = RequestMethod.POST)
    @JSON(type = Admin.class)
    public AdminVo login(
            @RequestParam
            @NotBlank(message = "手机不能为空") String mobilePhone,
            @RequestParam
            @NotBlank(message = "密码不能为空") String password ) {
//        tokenService.deleteUser(mobilePhone);
        // Cached failure count for this phone; with the service impl shown above a cache miss yields 0.
        Integer value = tokenService.getLoginFail(mobilePhone);
        // Lock-out: at 5 recorded failures the database is not queried at all. A null count is treated as
        // locked as well — getLoginFail above never returns null, so that branch looks purely defensive.
        if (value == null || value >= 5) {
            throw new BusinessException(ResultCode.FAIL);
        }
        // NOTE(review): the raw password is handed to the DAO — confirm it is verified against a stored hash.
        List<Admin> list= xxxDao.loginAdmin(mobilePhone, password);
        if (null == list|| list.isEmpty()) {
            // Failed attempt: setLoginFail stores value + 1. NOTE(review): the read above and this write are
            // not atomic, so concurrent attempts can exceed the 5-attempt budget.
            tokenService.setLoginFail(mobilePhone,value);
            // login failed
        } else {
            // login succeeded
            // NOTE(review): the counter is not cleared here; it lingers until the cache TTL expires.
        }
    }

