zjrs
/
yctb-SpringBoot


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108
							
<%@ page language="java" pageEncoding="UTF-8" contentType="text/html; charset=UTF-8"%>
<%@ page import="cn.sinobest.framework.util.ConfUtil,
				 cn.sinobest.framework.util.Util,
				 cn.sinobest.framework.comm.iface.IOperator,
				 cn.sinobest.sysmngr.service.security.ISecurityService,
				 cn.sinobest.sysmngr.service.security.SecurityDes,
				 cn.sinobest.sysmngr.service.security.MySessionAttributeListener,
				 java.util.Random,
				 java.util.HashMap,
				 java.util.regex.Matcher,
				 java.util.regex.Pattern,
				 org.slf4j.Logger,
				 org.slf4j.LoggerFactory
"%>
<%!
    public String validateParamSaftyByregEx(String strParam){
       String regEx="^fwJsonpCallback[0-9]$";
       // 编译正则表达式
        Pattern pattern = Pattern.compile(regEx);
        // 忽略大小写的写法
        // Pattern pat = Pattern.compile(regEx, Pattern.CASE_INSENSITIVE);
        Matcher matcher = pattern.matcher(strParam);
        // 查找字符串中是否有匹配正则表达式的字符/字符串
        boolean rs = matcher.find();
        if(rs){
        	return strParam;
        }else{
        	return "";
        }
    }
%>
<%
		//P3P头部，确保能在跨域的情况下，能在IE下设置cookie
		response.setHeader("P3P","CP=\"CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR\""); 
		response.setHeader("Pragma", "No-cache");
		response.setHeader("Cache-Control", "no-cache");
		response.setDateHeader("Expires", 0);
		response.setContentType("application/json;charset=UTF-8"); 
		response.setHeader("Content-Type", "text/javascript");//周治云测试，在操作系统win10+IE11下，没有这段代码，返回异常。
		
		Logger LOGGER = LoggerFactory.getLogger(this.getClass());
		//确保session不为NULL
		session=request.getSession(true);
		String sessionid=session.getId();
		
		String loginId = request.getParameter("LOGINID") == null? "":request.getParameter("LOGINID");
		String password = request.getParameter("UID") == null? "":request.getParameter("UID");
		String sid = request.getParameter("SID") == null? "":request.getParameter("SID");
		String old_callback = request.getParameter("callback")== null? "":request.getParameter("callback");
        //校验callback是否合法，防止XSS
		String callback=validateParamSaftyByregEx(old_callback);
		
		
		
		String mykey = (String)session.getAttribute("REPORT_DES_KEY");
        if(!"".equals(sid)){
        	HashMap reportKeys  = MySessionAttributeListener.getReportKeys();
        	mykey=(String)reportKeys.get(sid);
        }
        String resultstr="";
        //如果之前已经登陆成功，则直接返回成功信息
        if(null != session.getAttribute("OPERID") && !"".equals(session.getAttribute("OPERID"))){
           resultstr=callback+"({FHZ:'1',LOGINSTATE:'OK',OPERNAME:'"+session.getAttribute("OPERNAME")+"',MSG:'用户已登陆,系统不再做登陆操作',SID:'"+sessionid+"'})";
           //out.print(callback + "({FHZ:'1',LOGINSTATE:'OK',OPERNAME:'"+session.getAttribute("OPERNAME")+"',MSG:'用户已登陆,系统不再做登陆操作'})");
        }
        //如果之前并没有登陆，这是第一次请求登陆，session中并且没有密钥key，那么产生key，并把key发送到客户端
        else if (Util.isEmpty(mykey)) {
        	String des = String.valueOf(System.currentTimeMillis());
        	Random r = new Random();
        	des = String.valueOf(r.nextInt(1000000)+1) + des;
            session.setAttribute("REPORT_DES_KEY", des + "hnisi");//密钥
            resultstr=callback + "({FHZ:'-1',LOGINSTATE:'CONFIRMERROR',ERRORID:'"+des+"',MSG:'拒绝登陆',SID:'"+sessionid+"'})";
            //out.print(callback + "({FHZ:'-1',LOGINSTATE:'CONFIRMERROR',ERRORID:'"+des+"',MSG:'拒绝登陆'})");//ERRORID就是密钥
        }
        //如果这是是第一次登陆，并且key已经发送到客户端，那么校验用户密码；如果用户密码为空，则重新发送key
        else if("".equals(password)||"".equals(loginId)){
        	String des = mykey.substring(0,mykey.lastIndexOf("hnisi"));
        	resultstr=callback + "({FHZ:'-1',LOGINSTATE:'CONFIRMERROR',ERRORID:'"+des+"',MSG:'用户或密码为空',SID:'"+sessionid+"'})";
          //out.print(callback + "({FHZ:'-1',LOGINSTATE:'CONFIRMERROR',ERRORID:'"+des+"',MSG:'用户或密码为空'})");//ERRORID就是密钥
        }
        //如果这是第一次登陆，并且key已经发送到客户端，校验用户密码也通过，那么则进行登陆操作
        else{
	        SecurityDes de = new SecurityDes();
	        password = de.des(mykey, de.HexTostring(password), false);
	        LOGGER.debug(sessionid +"----------------------"+"LOGINID: " + loginId);
			         
			/////////////////////////////////////////////////////
			ISecurityService securitySBService = (ISecurityService)Util.getBean("securitySBService");
			IOperator Operator = securitySBService.login(loginId, password);
			if(Operator.getCheckResult()){
				session.setAttribute("OPERNAME", Operator.getOperName());
				session.setAttribute("OPERID",   Operator.getOperID());
				session.setAttribute("OPERATOR", Operator);
				session.setAttribute("LOGINTYPE", "loginsb");
				session.removeAttribute("REPORT_DES_KEY");
				resultstr=callback + "({FHZ:'1',LOGINSTATE:'OK',OPERNAME:'"+Operator.getOperName()+"',MSG:'登陆成功'})";
			  //out.print(callback + "({FHZ:'1',LOGINSTATE:'OK',OPERNAME:'"+Operator.getOperName()+"',MSG:'登陆成功'})");
			}else{
			      resultstr=callback + "({FHZ:'-1',LOGINSTATE:'ERROR',MSG:'"+Operator.getCheckMsg()+"',SID:'"+sessionid+"'})";
				//out.print(callback + "({FHZ:'-1',LOGINSTATE:'ERROR',MSG:'"+Operator.getCheckMsg()+"'})");
				session.invalidate();
			}
        }
      //System.out.println(resultstr);
       
%>
<%=resultstr%>