Merge pull request #17 from buession/development

Release 2.3.2

CHANGELOG.md

@@ -2,6 +2,49 @@
 ===========================
 
 
+## [2.3.2](https://github.com/buession/buession-security/releases/tag/v2.3.2) (2023-12-27)
+
+### 🔨依赖升级
+
+- [依赖库版本升级和安全漏洞修复](https://github.com/buession/buession-parent/releases/tag/v2.3.2)
+- [owasp antisamy](https://github.com/nahsra/antisamy) 版本升级至 1.7.4
+
+
+### ⭐ 新特性
+
+- **buession-security-captcha：** GeetestClient 增加 v3、v4 版本判断方法
+- **buession-security-shiro：** 增加判断是否具备所有权限 Tag HasAllPermissionsTag
+
+
+### 🔔 变化
+
+- **buession-security-shiro：** 依赖 javax.servlet.jsp-api 更换为 jakarta.servlet.jsp-api
+
+
+### 🐞 Bug 修复
+
+- **buession-security-pac4j：** 修复 webflux 模式下 PrincipalMethodArgumentResolver 继承了错误类的 BUG
+
+
+### 漏洞修复
+
+- [owasp antisamy](https://github.com/nahsra/antisamy) 修复 [CVE-2023-43643] 漏洞
+
+
+### ⏪ 优化
+
+- **buession-security-captcha：** 代码质量优化
+- **buession-security-pac4j：** 代码质量优化
+
+
+### 📔 文档
+
+- **buession-security-shiro：** 完善注释
+
+
+---
+
+
 ## [2.3.1](https://github.com/buession/buession-security/releases/tag/v2.3.1) (2023-11-17)
 
 ### 🔨依赖升级

buession-security-captcha/pom.xml

@@ -7,7 +7,7 @@
 		<groupId>com.buession.security</groupId>
 		<artifactId>buession-security-parent</artifactId>
 		<relativePath>../buession-security-parent</relativePath>
-		<version>2.3.1</version>
+		<version>2.3.2</version>
 	</parent>
 	<artifactId>buession-security-captcha</artifactId>
 	<url>https://security.buession.com/</url>

buession-security-captcha/src/main/java/com/buession/security/captcha/aliyun/AliYunCaptchaClient.java

@@ -224,21 +224,10 @@ public String getEndpoint() {
 	 * @return 检测结果
 	 */
 	private static boolean checkParam(final AliYunRequestData requestData) throws RequiredParameterCaptchaException {
-		if(Validate.hasText(requestData.getToken()) == false){
-			throw new RequiredParameterCaptchaException("Token");
-		}
-
-		if(Validate.hasText(requestData.getSig()) == false){
-			throw new RequiredParameterCaptchaException("Sig");
-		}
-
-		if(Validate.hasText(requestData.getSessionId()) == false){
-			throw new RequiredParameterCaptchaException("SessionId");
-		}
-
-		if(Validate.hasText(requestData.getScene()) == false){
-			throw new RequiredParameterCaptchaException("Scene");
-		}
+		Assert.isBlank(requestData.getToken(), ()->new RequiredParameterCaptchaException("Token"));
+		Assert.isBlank(requestData.getSig(), ()->new RequiredParameterCaptchaException("Sig"));
+		Assert.isBlank(requestData.getSessionId(), ()->new RequiredParameterCaptchaException("SessionId"));
+		Assert.isBlank(requestData.getScene(), ()->new RequiredParameterCaptchaException("Scene"));
 
 		return true;
 	}

buession-security-captcha/src/main/java/com/buession/security/captcha/core/RequiredParameterCaptchaException.java

@@ -19,7 +19,7 @@
  * +-------------------------------------------------------------------------------------------------------+
  * | License: http://www.apache.org/licenses/LICENSE-2.0.txt 										       |
  * | Author: Yong.Teng <[email protected]> 													       |
- * | Copyright @ 2013-2022 Buession.com Inc.														       |
+ * | Copyright @ 2013-2023 Buession.com Inc.														       |
  * +-------------------------------------------------------------------------------------------------------+
  */
 package com.buession.security.captcha.core;
@@ -34,27 +34,28 @@ public class RequiredParameterCaptchaException extends CaptchaException {
 
 	private final String parameter;
 
-	public RequiredParameterCaptchaException(String parameter){
+	public RequiredParameterCaptchaException(String parameter) {
 		super("Parameter \"" + parameter + "\" cloud not be empty or null.");
 		this.parameter = parameter;
 	}
 
-	public RequiredParameterCaptchaException(String parameter, String message){
+	public RequiredParameterCaptchaException(String parameter, String message) {
 		super(message);
 		this.parameter = parameter;
 	}
 
-	public RequiredParameterCaptchaException(String parameter, Throwable cause){
+	public RequiredParameterCaptchaException(String parameter, Throwable cause) {
 		super("Parameter \"" + parameter + "\" cloud not be empty or null.", cause);
 		this.parameter = parameter;
 	}
 
-	public RequiredParameterCaptchaException(String parameter, String message, Throwable cause){
+	public RequiredParameterCaptchaException(String parameter, String message, Throwable cause) {
 		super(message, cause);
 		this.parameter = parameter;
 	}
 
-	public String getParameter(){
+	public String getParameter() {
 		return parameter;
 	}
+
 }

buession-security-captcha/src/main/java/com/buession/security/captcha/geetest/GeetestClient.java

@@ -19,7 +19,7 @@
  * +-------------------------------------------------------------------------------------------------------+
  * | License: http://www.apache.org/licenses/LICENSE-2.0.txt 										       |
  * | Author: Yong.Teng <[email protected]> 													       |
- * | Copyright @ 2013-2022 Buession.com Inc.														       |
+ * | Copyright @ 2013-2023 Buession.com Inc.														       |
  * +-------------------------------------------------------------------------------------------------------+
  */
 package com.buession.security.captcha.geetest;
@@ -37,8 +37,30 @@ public interface GeetestClient extends CaptchaClient {
 	void setHttpClient(HttpClient httpClient);
 
 	@Override
-	default Manufacturer getManufacturer(){
+	default Manufacturer getManufacturer() {
 		return Manufacturer.GEETEST;
 	}
 
+	/**
+	 * 返回是否为 V3 版本
+	 *
+	 * @return true / false
+	 *
+	 * @since 2.3.2
+	 */
+	default boolean isV3() {
+		return "v3".equalsIgnoreCase(getVersion());
+	}
+
+	/**
+	 * 返回是否为 V3 版本
+	 *
+	 * @return true / false
+	 *
+	 * @since 2.3.2
+	 */
+	default boolean isV4() {
+		return "v4".equalsIgnoreCase(getVersion());
+	}
+
 }

buession-security-captcha/src/main/java/com/buession/security/captcha/geetest/api/v3/GeetestV3Client.java

@@ -26,6 +26,7 @@
 
 import com.buession.core.builder.MapBuilder;
 import com.buession.core.id.SimpleIdGenerator;
+import com.buession.core.utils.Assert;
 import com.buession.core.validator.Validate;
 import com.buession.httpclient.HttpClient;
 import com.buession.httpclient.core.Response;
@@ -189,17 +190,9 @@ public String getVersion() {
 	 */
 	private static boolean checkParam(final GeetestV3RequestData requestData)
 			throws RequiredParameterCaptchaException {
-		if(Validate.hasText(requestData.getChallenge()) == false){
-			throw new RequiredParameterCaptchaException("challenge");
-		}
-
-		if(Validate.hasText(requestData.getValidate()) == false){
-			throw new RequiredParameterCaptchaException("validate");
-		}
-
-		if(Validate.hasText(requestData.getSeccode()) == false){
-			throw new RequiredParameterCaptchaException("seccode");
-		}
+		Assert.isBlank(requestData.getChallenge(), ()->new RequiredParameterCaptchaException("challenge"));
+		Assert.isBlank(requestData.getValidate(), ()->new RequiredParameterCaptchaException("validate"));
+		Assert.isBlank(requestData.getSeccode(), ()->new RequiredParameterCaptchaException("seccode"));
 
 		return true;
 	}

buession-security-captcha/src/main/java/com/buession/security/captcha/geetest/api/v4/GeetestV4Client.java

@@ -25,7 +25,7 @@
 package com.buession.security.captcha.geetest.api.v4;
 
 import com.buession.core.builder.MapBuilder;
-import com.buession.core.validator.Validate;
+import com.buession.core.utils.Assert;
 import com.buession.httpclient.HttpClient;
 import com.buession.httpclient.core.EncodedFormRequestBody;
 import com.buession.httpclient.core.Response;
@@ -62,7 +62,7 @@ public final class GeetestV4Client extends AbstractGeetestClient {
 	 * @param secretKey
 	 * 		私钥
 	 */
-	public GeetestV4Client(final String appId, final String secretKey){
+	public GeetestV4Client(final String appId, final String secretKey) {
 		super(appId, secretKey);
 	}
 
@@ -76,12 +76,12 @@ public GeetestV4Client(final String appId, final String secretKey){
 	 * @param httpClient
 	 *        {@link HttpClient}
 	 */
-	public GeetestV4Client(final String appId, final String secretKey, final HttpClient httpClient){
+	public GeetestV4Client(final String appId, final String secretKey, final HttpClient httpClient) {
 		super(appId, secretKey, httpClient);
 	}
 
 	@Override
-	public InitResponse initialize(RequestData requestData){
+	public InitResponse initialize(RequestData requestData) {
 		if(logger.isDebugEnabled()){
 			logger.debug("验证初始化");
 		}
@@ -90,7 +90,7 @@ public InitResponse initialize(RequestData requestData){
 	}
 
 	@Override
-	public Status validate(RequestData requestData) throws CaptchaException{
+	public Status validate(RequestData requestData) throws CaptchaException {
 		if(logger.isDebugEnabled()){
 			logger.debug("二次验证, 请求参数：{}.", requestData);
 		}
@@ -134,7 +134,7 @@ public Status validate(RequestData requestData) throws CaptchaException{
 	}
 
 	@Override
-	public String getVersion(){
+	public String getVersion() {
 		return "v4";
 	}
 
@@ -147,22 +147,11 @@ public String getVersion(){
 	 * @return 检测结果
 	 */
 	private static boolean checkParam(final GeetestV4RequestData requestData)
-			throws RequiredParameterCaptchaException{
-		if(Validate.hasText(requestData.getLotNumber()) == false){
-			throw new RequiredParameterCaptchaException("lot_number");
-		}
-
-		if(Validate.hasText(requestData.getCaptchaOutput()) == false){
-			throw new RequiredParameterCaptchaException("captcha_output");
-		}
-
-		if(Validate.hasText(requestData.getPassToken()) == false){
-			throw new RequiredParameterCaptchaException("pass_token");
-		}
-
-		if(Validate.hasText(requestData.getGenTime()) == false){
-			throw new RequiredParameterCaptchaException("gen_time");
-		}
+			throws RequiredParameterCaptchaException {
+		Assert.isBlank(requestData.getLotNumber(), ()->new RequiredParameterCaptchaException("lot_number"));
+		Assert.isBlank(requestData.getCaptchaOutput(), ()->new RequiredParameterCaptchaException("captcha_output"));
+		Assert.isBlank(requestData.getPassToken(), ()->new RequiredParameterCaptchaException("pass_token"));
+		Assert.isBlank(requestData.getGenTime(), ()->new RequiredParameterCaptchaException("gen_time"));
 
 		return true;
 	}

buession-security-captcha/src/main/java/com/buession/security/captcha/tencent/TencentCaptchaClient.java

@@ -25,7 +25,6 @@
 package com.buession.security.captcha.tencent;
 
 import com.buession.core.utils.Assert;
-import com.buession.core.validator.Validate;
 import com.buession.httpclient.HttpClient;
 import com.buession.httpclient.core.Response;
 import com.buession.lang.Status;
@@ -71,7 +70,7 @@ public class TencentCaptchaClient extends AbstractCaptchaClient {
 	 * @param secretKey
 	 * 		原始的 SecretKey
 	 */
-	public TencentCaptchaClient(final String secretId, final String secretKey){
+	public TencentCaptchaClient(final String secretId, final String secretKey) {
 		Assert.isBlank(secretId, "Secret Id cloud not be empty or null");
 		Assert.isBlank(secretKey, "Secret Key cloud not be empty or null");
 		this.secretId = secretId;
@@ -88,13 +87,13 @@ public TencentCaptchaClient(final String secretId, final String secretKey){
 	 * @param httpClient
 	 *        {@link HttpClient} 实例
 	 */
-	public TencentCaptchaClient(final String secretId, final String secretKey, final HttpClient httpClient){
+	public TencentCaptchaClient(final String secretId, final String secretKey, final HttpClient httpClient) {
 		this(secretId, secretKey);
 		setHttpClient(httpClient);
 	}
 
 	@Override
-	public Status validate(RequestData requestData) throws CaptchaException{
+	public Status validate(RequestData requestData) throws CaptchaException {
 		if(logger.isDebugEnabled()){
 			logger.debug("二次验证, 请求参数：{}.", requestData);
 		}
@@ -135,12 +134,12 @@ public Status validate(RequestData requestData) throws CaptchaException{
 	}
 
 	@Override
-	public Manufacturer getManufacturer(){
+	public Manufacturer getManufacturer() {
 		return Manufacturer.TENCENT;
 	}
 
 	@Override
-	public String getVersion(){
+	public String getVersion() {
 		return "2019-07-22";
 	}
 
@@ -153,14 +152,9 @@ public String getVersion(){
 	 * @return 检测结果
 	 */
 	private static boolean checkParam(final TencentRequestData requestData)
-			throws RequiredParameterCaptchaException{
-		if(Validate.hasText(requestData.getTicket()) == false){
-			throw new RequiredParameterCaptchaException("Ticket");
-		}
-
-		if(Validate.hasText(requestData.getRandstr()) == false){
-			throw new RequiredParameterCaptchaException("Randstr");
-		}
+			throws RequiredParameterCaptchaException {
+		Assert.isBlank(requestData.getTicket(), ()->new RequiredParameterCaptchaException("Ticket"));
+		Assert.isBlank(requestData.getRandstr(), ()->new RequiredParameterCaptchaException("Randstr"));
 
 		return true;
 	}

buession-security-captcha/src/main/java/com/buession/security/captcha/validator/reactive/ReactiveGeetestCaptchaValidator.java

@@ -19,7 +19,7 @@
  * +-------------------------------------------------------------------------------------------------------+
  * | License: http://www.apache.org/licenses/LICENSE-2.0.txt 										       |
  * | Author: Yong.Teng <[email protected]> 													       |
- * | Copyright @ 2013-2022 Buession.com Inc.														       |
+ * | Copyright @ 2013-2023 Buession.com Inc.														       |
  * +-------------------------------------------------------------------------------------------------------+
  */
 package com.buession.security.captcha.validator.reactive;
@@ -57,15 +57,15 @@ public class ReactiveGeetestCaptchaValidator extends GeetestCaptchaValidator imp
 	 *        {@link GeetestParameter} 实例
 	 */
 	public ReactiveGeetestCaptchaValidator(final GeetestCaptchaClient geetestCaptchaClient,
-										   final GeetestParameter parameter){
+										   final GeetestParameter parameter) {
 		super(geetestCaptchaClient, parameter);
 	}
 
 	@Override
-	public Status validate(final ServerHttpRequest request) throws CaptchaException{
+	public Status validate(final ServerHttpRequest request) throws CaptchaException {
 		MultiValueMap<String, String> parameters = request.getQueryParams();
 
-		if("v3".equals(captchaClient.getVersion())){
+		if(captchaClient.isV3()){
 			final GeetestV3Parameter geetestV3Parameter = (GeetestV3Parameter) parameter;
 			final GeetestV3RequestData requestData = new GeetestV3RequestData();
 
@@ -84,7 +84,7 @@ public Status validate(final ServerHttpRequest request) throws CaptchaException{
 			}
 
 			return validate(requestData);
-		}else if("v4".equals(captchaClient.getVersion())){
+		}else if(captchaClient.isV4()){
 			final GeetestV4Parameter geetestV4Parameter = (GeetestV4Parameter) parameter;
 			final GeetestV4RequestData requestData = new GeetestV4RequestData();