远程登录二次校验，修复漏洞

远程登录二次校验，修复漏洞

OBE-BUSINESS/src/com/gx/obe/business/UserLogin.java

 package com.gx.obe.business;
 
+import java.util.Map;
+
 import com.gx.obe.components.core.Constants;
 import com.gx.obe.components.core.enumeration.CommonEnum;
 import com.gx.obe.components.core.enumeration.UserEnum;
@@ -7,6 +9,7 @@ import com.gx.obe.components.core.vo.AuthUserVo;
 import com.gx.obe.enttiytdo.BooleanResultDO;
 import com.gx.obe.enttiytdo.LoginUserDTO;
 import com.gx.obe.enttiytdo.PlatformResult;
+import com.gx.obe.http.json.JsonUtil;
 import com.gx.obe.http.util.ObjectUtil;
 import com.gx.obe.util.utils.MD5Utils;
 import com.gx.obe.util.utils.UuidUtils;
@@ -14,6 +17,7 @@ import com.gx.obe.web.entity.Result.ResultEntity;
 import com.gx.obe.web.entity.auth.AuthUser;
 import com.gx.obe.web.platform.service.PlatformUserService;
 import com.gx.obe.web.service.UserService;
+import com.gx.obe.web.utils.DESUtils;
 
 
 /** 
@@ -26,6 +30,8 @@ public class UserLogin {
 	
 	private PlatformUserService  platformUserService = new PlatformUserService();
 	
+	private boolean isRemote;
+	
 	public BooleanResultDO loginUser(String userName,String password) {
 		BooleanResultDO  result = null;
 		//验证本地用户信息（登录成功状态 用户信息）
@@ -37,9 +43,11 @@ public class UserLogin {
 		//登录成功
 		if(ResultEntity.SUCCESS == resultUser.getCode()) {
 			if(UserEnum.USER_SOURCE_REMOTE.equals(user.getSource())) {
+				isRemote=true;
 				//平台验证
 				result=  platformVerification(userName,password);
 				if(result.isStatus()) {
+					//if(result.)
 					Constants.USER = user;
 					Constants.TOKEN = resultUser.getData().getAtuokthen();
 				}
@@ -156,11 +164,33 @@ public class UserLogin {
 	 */
 	private BooleanResultDO platformVerification(String userName,String password){
 		PlatformResult<LoginUserDTO> platformResult = platformUserService.userNameLogin(userName, password);
-		if(null == platformResult) {
+		if(null == platformResult) { 
 			return new BooleanResultDO(false,"登录异常");	
 		}
 		if(Constants.PLATFOR_STATUS_OK.equals((String) platformResult.getHeader().getRet())) {
-			return new BooleanResultDO(true,"");
+			LoginUserDTO loginUserDTO = platformResult.getData();
+			if(isRemote){
+				String checkUserLogin = loginUserDTO.getCheckUserLogin();
+				String result = platformUserService.verify(checkUserLogin);
+				if(null == result) {
+					return new BooleanResultDO(false,"登录异常");	
+				}
+				try {
+					String decrypt = DESUtils.decrypt(result, "utf-8");
+					Map<String,String> resultMap = JsonUtil.strToMap(decrypt);
+					if(resultMap.get("ret").equals(Constants.PLATFOR_STATUS_OK)) {
+						return new BooleanResultDO(true,"");
+					}
+					return new BooleanResultDO(false,(String) platformResult.getHeader().getMsg()); 
+				} catch (Exception e) {
+					// TODO Auto-generated catch block
+					return new BooleanResultDO(false,"登录异常");
+				}             
+//				Map<String, Object> resultMap = JSONHelperTwo.toHashMap(decrypt);
+//				resultMap.get("ret");
+			}
+			return new BooleanResultDO(false,"登录异常");
+			
 		}else {
 			return new BooleanResultDO(false,(String) platformResult.getHeader().getMsg());	
 		}

OBE-BUSINESS/src/com/gx/obe/web/platform/service/PlatformUserService.java

@@ -5,6 +5,9 @@ import java.util.Map;
 
 import org.apache.log4j.Logger;
 
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
 import com.gx.obe.WebserviceConstants;
 import com.gx.obe.components.core.Constants;
 import com.gx.obe.config.utils.PropertiesUtils;
@@ -48,4 +51,27 @@ public class PlatformUserService {
  			return null;
  		}
 	}
+
+
+	/**
+	 * 二次验证
+	 * @param checkUserLogin
+	 */
+	public String verify(String checkUserLogin) {
+		// TODO Auto-generated method stub
+		String method = PropertiesUtils.getWebserviceProperty("userHS.do?checkEncryptionInfo", "userHS.do?checkEncryptionInfo");
+		String stPlatformUrl = Constants.getPlatformUrl(method);
+		Map<String, Object> param = new HashMap<String, Object>();
+		param.put("checkUserLogin", checkUserLogin);
+		HttpResponse httpResponse = NetworkRequest.postHttpResponse(stPlatformUrl, param);
+			if(HttpStatus.HTTP_OK == httpResponse.getStatus()) {
+				String bodyJson = httpResponse.body();
+				JsonParser jsonParser=new JsonParser();
+				JsonObject bodyObject = jsonParser.parse(bodyJson).getAsJsonObject();
+				JsonObject dataObject = bodyObject.getAsJsonObject("data");
+				String data  = dataObject.get("data").getAsString();
+				return data;
+			}
+			return null;
+	}
 }

OBE-BUSINESS/src/com/gx/obe/web/utils/DESUtils.java

+package com.gx.obe.web.utils;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.DESKeySpec;
+import java.security.SecureRandom;
+
+/**
+ * DES加密工具
+ */
+public class DESUtils {
+    private final static String DES = "DES";
+	public final static String key = "HLJ$@&!^%$ZJK";
+	/**
+	 * 加密
+	 * 
+	 * @param src 数据源
+	 * @param key 密钥，长度必须是8的倍数
+	 * @return 返回加密后的数据
+	 * @throws Exception
+	 */
+	public static byte[] encrypt(byte[] src, byte[] key)
+			throws RuntimeException {
+		// DES算法要求有一个可信任的随机数源
+		try {
+			SecureRandom sr = new SecureRandom();
+			// 从原始密匙数据创建DESKeySpec对象
+			DESKeySpec dks = new DESKeySpec(key);
+			// 创建一个密匙工厂，然后用它把DESKeySpec转换成
+			// 一个SecretKey对象
+			SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(DES);
+			SecretKey securekey = keyFactory.generateSecret(dks);
+			// Cipher对象实际完成加密操作
+			Cipher cipher = Cipher.getInstance(DES);
+			// 用密匙初始化Cipher对象
+			cipher.init(Cipher.ENCRYPT_MODE, securekey, sr);
+			// 现在，获取数据并加密
+			// 正式执行加密操作
+			return cipher.doFinal(src);
+		} catch (Exception e) {
+			throw new RuntimeException(e);
+		}
+	}
+
+	/**
+	 * 解密
+	 * 
+	 * @param src
+	 *            数据源
+	 * @param key
+	 *            密钥，长度必须是8的倍数
+	 * @return 返回解密后的原始数据
+	 * @throws Exception
+	 */
+	public static byte[] decrypt(byte[] src, byte[] key)
+			throws RuntimeException {
+		try {
+			// DES算法要求有一个可信任的随机数源
+			SecureRandom sr = new SecureRandom();
+			// 从原始密匙数据创建一个DESKeySpec对象
+			DESKeySpec dks = new DESKeySpec(key);
+			// 创建一个密匙工厂，然后用它把DESKeySpec对象转换成
+			// 一个SecretKey对象
+			SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(DES);
+			SecretKey securekey = keyFactory.generateSecret(dks);
+			// Cipher对象实际完成解密操作
+			Cipher cipher = Cipher.getInstance(DES);
+			// 用密匙初始化Cipher对象
+			cipher.init(Cipher.DECRYPT_MODE, securekey, sr);
+			// 现在，获取数据并解密
+			// 正式执行解密操作
+			return cipher.doFinal(src);
+		} catch (Exception e) {
+			throw new RuntimeException(e);
+		}
+	}
+
+	/**
+	 * 数据解密
+	 * 
+	 * @param data
+	 * @return
+	 * @throws Exception
+	 */
+	public final static String decrypt(String data, String enc)
+			throws Exception {
+		return new String(decrypt(hex2byte(data.getBytes(enc)), key.getBytes(enc)),enc);
+	}
+	
+	/**
+	 * 数据解密
+	 * 
+	 * @param data
+	 * @return
+	 * @throws Exception
+	 */
+	public final static String decrypt(String data)
+			throws Exception {
+		return new String(decrypt(hex2byte(data.getBytes()), key.getBytes()));
+	}
+
+	/**
+	 * 数据加密
+	 * 
+	 * @param data
+	 * @return
+	 * @throws Exception
+	 */
+	public final static String encrypt(String data) {
+		if (data != null)
+			try {
+				return byte2hex(encrypt(data.getBytes(), key.getBytes()));
+			} catch (Exception e) {
+				throw new RuntimeException(e);
+			}
+		return null;
+	}
+	/**
+	 * 数据加密
+	 * 
+	 * @param data
+	 * @param enc
+	 *            密钥
+	 * @return
+	 * @throws Exception
+	 */
+	public final static String encrypt(String data, String enc) {
+		if (data != null)
+			try {
+				return byte2hex(encrypt(data.getBytes(enc), key.getBytes(enc)));
+			} catch (Exception e) {
+				throw new RuntimeException(e);
+			}
+		return null;
+	}
+	/**
+	 * 二行制转字符串
+	 * 
+	 * @param b
+	 * @return
+	 */
+	private static String byte2hex(byte[] b) {
+		StringBuilder hs = new StringBuilder();
+		String stmp;
+		for (int n = 0; b != null && n < b.length; n++) {
+			stmp = Integer.toHexString(b[n] & 0XFF);
+			if (stmp.length() == 1)
+				hs.append('0');
+			hs.append(stmp);
+		}
+		return hs.toString().toUpperCase();
+	}
+
+	private static byte[] hex2byte(byte[] b) {
+		if ((b.length % 2) != 0)
+			throw new IllegalArgumentException();
+		byte[] b2 = new byte[b.length / 2];
+		for (int n = 0; n < b.length; n += 2) {
+			String item = new String(b, n, 2);
+			b2[n / 2] = (byte) Integer.parseInt(item, 16);
+		}
+		return b2;
+	}
+   
+	public static void main(String[] args) throws Exception {
+		String content = "";
+		System.out.println("加密前：" + content);
+		// 加密
+		String encryptResult = encrypt(content);
+		System.out.println("加密后：" + encryptResult);
+		// 解密
+		String decryptResult = decrypt(encryptResult);
+		System.out.println("解密后：" + decryptResult);
+	}
+
+}

OBE-COMPONENTS-CORE/src/com/gx/obe/enttiytdo/LoginUserDTO.java

@@ -4,6 +4,10 @@ public class LoginUserDTO {
 
 	String orgName;
 	String userName;
+	String accessToken;
+	String checkUserLogin;
+	String data;
+	
 	public String getOrgName() {
 		return orgName;
 	}
@@ -16,5 +20,25 @@ public class LoginUserDTO {
 	public void setUserName(String userName) {
 		this.userName = userName;
 	}
+	public String getAccessToken() {
+		return accessToken;
+	}
+	public void setAccessToken(String accessToken) {
+		this.accessToken = accessToken;
+	}
+	public String getCheckUserLogin() {
+		return checkUserLogin;
+	}
+	public void setCheckUserLogin(String checkUserLogin) {
+		this.checkUserLogin = checkUserLogin;
+	}
+	public String getData() {
+		return data;
+	}
+	public void setData(String data) {
+		this.data = data;
+	}
+	
+	
 	
 }