ting.yin 3 жил өмнө
parent
commit
2bba64ae7b

+ 36 - 5
stmms-biz/src/main/java/cn/com/qmth/stmms/biz/user/model/User.java

@@ -1,15 +1,23 @@
 package cn.com.qmth.stmms.biz.user.model;
 
+import java.io.Serializable;
+import java.util.Calendar;
+import java.util.Date;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.EnumType;
+import javax.persistence.Enumerated;
+import javax.persistence.GeneratedValue;
+import javax.persistence.Id;
+import javax.persistence.Table;
+import javax.persistence.Transient;
+
 import cn.com.qmth.stmms.common.annotation.ExcelField;
 import cn.com.qmth.stmms.common.enums.Role;
 import cn.com.qmth.stmms.common.enums.UserSource;
 import cn.com.qmth.stmms.common.utils.AccessControlUtils;
 
-import javax.persistence.*;
-
-import java.io.Serializable;
-import java.util.Date;
-
 @Entity
 @Table(name = "b_user")
 public class User implements Serializable {
@@ -107,6 +115,12 @@ public class User implements Serializable {
     @Column(name = "access_token_refresh_time", nullable = true)
     private Date accessTokenRefreshTime;
 
+    @Column(name = "scan_token", length = 64, nullable = true)
+    private String scanToken;
+
+    @Column(name = "scan_token_invalid_time", nullable = true)
+    private Date scanTokenInvalidTime;
+
     @ExcelField(title = "角色", align = 2, sort = 30)
     @Transient
     private String roleName;
@@ -239,4 +253,21 @@ public class User implements Serializable {
     public void setRoleName(String roleName) {
         this.roleName = roleName;
     }
+
+    public String getScanToken() {
+        return scanToken;
+    }
+
+    public Date getScanTokenInvalidTime() {
+        return scanTokenInvalidTime;
+    }
+
+    public void refreshScanToken() {
+        this.scanToken = AccessControlUtils.randomString();
+        Calendar rightNow = Calendar.getInstance();
+        rightNow.setTime(new Date());
+        rightNow.add(Calendar.DAY_OF_YEAR, +2);
+        this.scanTokenInvalidTime = rightNow.getTime();
+    }
+
 }
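Review bot: `refreshScanToken` stores the new bearer token in plaintext in `scan_token` and its unpredictability rests entirely on `AccessControlUtils.randomString()`, whose implementation is not part of this commit; if that helper is backed by `java.util.Random` or `Math.random` rather than `SecureRandom`, the token is guessable, so the requirement should be stated on the method: `/** Issues a fresh scan-client bearer token valid for two days; randomString() must be SecureRandom-backed. */`. The two-day lifetime is a bare magic number on the `Calendar.add` line; hoisting it to `private static final int SCAN_TOKEN_TTL_DAYS = 2;` makes it reviewable next to `DEFAULT_EXPIRE_SECONDS` in AccessControlUtils. Nothing in the entity can revoke the token short of issuing a new one; a `clearScanToken()` that nulls both fields would give logout and account-disable a hook. The class body between the two hunks is outside this section.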

+ 0 - 1
stmms-common/src/main/java/cn/com/qmth/stmms/common/utils/AccessControlUtils.java

@@ -34,5 +34,4 @@ public class AccessControlUtils {
     public static boolean expired(Date refreshTime) {
         return expired(refreshTime, DEFAULT_EXPIRE_SECONDS);
     }
-
 }

+ 5 - 5
stmms-web/src/main/java/cn/com/qmth/stmms/api/controller/LoginController.java

@@ -67,23 +67,23 @@ public class LoginController extends BaseApiController {
         return obj;
     }
 
-    @RequestMapping(value = "/admin/login", method = RequestMethod.GET)
+    @RequestMapping(value = "/admin/login", method = RequestMethod.POST)
     @ResponseBody
     public JSONObject adminLogin(HttpServletRequest request, @RequestParam String loginName,
             @RequestParam String password) {
         User user = userService.findByLoginName(loginName);
-        if (user == null || !password.equals(EncryptUtils.md5(user.getPassword()))) {
+        if (user == null || !user.getPassword().equals(EncryptUtils.md5(password))) {
             throw ApiException.AUTHORIZATION_UNEXIST;
         }
         if (!user.isEnable()) {
             throw ApiException.USER_DISABLED;
         }
-        if (!Role.SCHOOL_ADMIN.equals(user.getRole())) {
+        if (!Role.SCHOOL_ADMIN.equals(user.getRole()) || !Role.SCAN_ADMIN.equals(user.getRole())) {
             throw ApiException.USER_ROLE_INVALID;
         }
         user.setLastLoginTime(new Date());
         user.setLastLoginIp(RequestIPUtil.getIpAddress(request));
-        user.refreshAccessToken();
+        user.refreshScanToken();
         user = userService.save(user);
         JSONObject obj = new JSONObject();
         obj.accumulate("id", user.getId());
@@ -92,7 +92,7 @@ public class LoginController extends BaseApiController {
         obj.accumulate("schoolId", user.getSchoolId());
         School shcool = schoolService.findById(user.getSchoolId());
         obj.accumulate("schoolName", shcool.getName());
-        obj.accumulate("token", user.getAccessToken());
+        obj.accumulate("token", user.getScanToken());
         return obj;
     }
 }
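Review bot: The role check on the new side is always true, because a single `user.getRole()` cannot equal both enum values, so `!A || !B` rejects every caller including the two roles it is meant to admit and the endpoint is unusable; the condition should be `if (!Role.SCHOOL_ADMIN.equals(user.getRole()) && !Role.SCAN_ADMIN.equals(user.getRole())) {`. The corrected password line `user.getPassword().equals(EncryptUtils.md5(password))` also shows, judging by the helper's name, that stored credentials are a bare unsalted MD5 of the password; that scheme predates this commit but is worth a follow-up to a salted, slow hash (bcrypt/argon2) since this endpoint is now reachable without a signature. The `user == null` short-circuit skips the hash for unknown names, which gives a small timing difference usable for account enumeration; hashing before the null check removes it cheaply.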

+ 14 - 13
stmms-web/src/main/java/cn/com/qmth/stmms/api/interceptor/ApiInterceptor.java

@@ -1,5 +1,15 @@
 package cn.com.qmth.stmms.api.interceptor;
 
+import java.util.Date;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
+
 import cn.com.qmth.stmms.api.exception.ApiException;
 import cn.com.qmth.stmms.biz.school.model.School;
 import cn.com.qmth.stmms.biz.school.service.SchoolService;
@@ -13,16 +23,8 @@ import cn.com.qmth.stmms.common.enums.Role;
 import cn.com.qmth.stmms.common.session.service.SessionService;
 import cn.com.qmth.stmms.common.signature.SignatureInfo;
 import cn.com.qmth.stmms.common.signature.SignatureType;
-import cn.com.qmth.stmms.common.utils.AccessControlUtils;
 import cn.com.qmth.stmms.common.utils.EncryptUtils;
 import cn.com.qmth.stmms.common.utils.RequestUtils;
-import org.apache.commons.lang.StringUtils;
-import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.method.HandlerMethod;
-import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;
-
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 
 /**
  * API接口访问拦截器
@@ -44,8 +46,7 @@ public class ApiInterceptor extends HandlerInterceptorAdapter {
     private SessionService sessionService;
 
     @Override
-    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
-            throws Exception {
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
         HandlerMethod method = (HandlerMethod) handler;
         try {
             return validate(request, response, method.getMethodAnnotation(RoleRequire.class));
@@ -78,14 +79,14 @@ public class ApiInterceptor extends HandlerInterceptorAdapter {
                     return buildApiUser(request, response, school);
                 } else if (info.getType() == SignatureType.TOKEN) {
                     User user = userService.findByLoginName(info.getInvoker());
-                    if (user == null || user.getAccessTokenRefreshTime() == null || AccessControlUtils
-                            .expired(user.getAccessTokenRefreshTime()) || !info.validate(user.getAccessToken())) {
+                    if (user == null || user.getScanTokenInvalidTime() == null
+                            || new Date().after(user.getScanTokenInvalidTime()) || !info.validate(user.getScanToken())) {
                         throw ApiException.SIGNATURE_INVALID;
                     }
                     if (!user.isEnable()) {
                         throw ApiException.USER_DISABLED;
                     }
-                    if (matchRole(authConfig, user.getRole())) {
+                    if (!matchRole(authConfig, user.getRole())) {
                         throw ApiException.USER_ROLE_INVALID;
                     }
                     return buildApiUser(request, response, user);
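Review bot: The TOKEN branch now validates only `scanToken`, so any client that still authenticates through the other login path in this controller (the method ending at the `return obj;` above `adminLogin`, which is outside this section) and presents the `accessToken` it was issued will now fail with `SIGNATURE_INVALID`; if that flow is still live, the interceptor needs to accept either credential, or the other login must be migrated too. Whether `info.validate(...)` compares the token in constant time cannot be seen here; if it does a plain `equals`, `MessageDigest.isEqual` on the byte arrays is the cheap fix. The wall-clock expiry check `new Date().after(user.getScanTokenInvalidTime())` duplicates knowledge that lives in `User.refreshScanToken`; a `user.isScanTokenValid()` helper on the entity would keep issuance and expiry together. The fix from `matchRole` to `!matchRole` is correct and was an authorization bypass before this commit.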

+ 1 - 0
stmms-web/src/main/webapp/WEB-INF/spring-mvc.xml

@@ -73,6 +73,7 @@
         </mvc:interceptor>
         <mvc:interceptor>
             <mvc:mapping path="/api/**"/>
+             <mvc:exclude-mapping path="/api/admin/login"/>
             <bean id="apiInterceptor" class="cn.com.qmth.stmms.api.interceptor.ApiInterceptor"/>
         </mvc:interceptor>
     </mvc:interceptors>