diff --git a/pom.xml b/pom.xml
index 152f413f..cde7c6bd 100644
--- a/pom.xml
+++ b/pom.xml
@@ -30,7 +30,7 @@
3.5.2
2.13.0
2.3
- 2.0.34
+ 2.0.39
0.9.1
8.2.2
4.1.2
diff --git a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java
index c7e1f34e..da271c42 100644
--- a/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java
+++ b/ruoyi-common/ruoyi-common-core/src/main/java/com/ruoyi/common/core/constant/Constants.java
@@ -117,6 +117,11 @@ public class Constants
*/
public static final String RESOURCE_PREFIX = "/profile";
+ /**
+ * 自动识别json对象白名单配置(仅允许解析的包名,范围越小越安全)
+ */
+ public static final String[] JSON_WHITELIST_STR = { "org.springframework", "com.ruoyi" };
+
/**
* 定时任务白名单配置(仅允许访问的包名,如其他需要可以自行添加)
*/
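Review bot: `JSON_WHITELIST_STR` is a public `static final String[]`, which only fixes the reference; the elements remain writable, so any code in the process can widen the autoType whitelist at runtime and the constant is not really constant. Since the consumer needs a `String[]` for `JSONReader.autoTypeFilter`, either make the array `private` and hand out a defensive copy, or keep the canonical list as `public static final List<String> JSON_WHITELIST = List.of("org.springframework", "com.ruoyi");` and let the caller convert with `toArray(new String[0])`. The Javadoc itself says a narrower scope is safer, and `org.springframework` is a prefix that admits the whole framework; it would help to record in the comment which Spring types are presumably stored in Redis that require it, so the prefix can be narrowed later. The neighbouring 定时任务白名单 comment at the end of the hunk describes a similar whitelist whose declaration lies outside the hunk.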
diff --git a/ruoyi-common/ruoyi-common-redis/src/main/java/com/ruoyi/common/redis/configure/FastJson2JsonRedisSerializer.java b/ruoyi-common/ruoyi-common-redis/src/main/java/com/ruoyi/common/redis/configure/FastJson2JsonRedisSerializer.java
index 76fe2751..7450399b 100644
--- a/ruoyi-common/ruoyi-common-redis/src/main/java/com/ruoyi/common/redis/configure/FastJson2JsonRedisSerializer.java
+++ b/ruoyi-common/ruoyi-common-redis/src/main/java/com/ruoyi/common/redis/configure/FastJson2JsonRedisSerializer.java
@@ -6,6 +6,8 @@ import org.springframework.data.redis.serializer.SerializationException;
import com.alibaba.fastjson2.JSON;
import com.alibaba.fastjson2.JSONReader;
import com.alibaba.fastjson2.JSONWriter;
+import com.alibaba.fastjson2.filter.Filter;
+import com.ruoyi.common.core.constant.Constants;
/**
* Redis使用FastJson序列化
@@ -16,8 +18,9 @@ public class FastJson2JsonRedisSerializer implements RedisSerializer
{
public static final Charset DEFAULT_CHARSET = Charset.forName("UTF-8");
- private Class clazz;
+ static final Filter AUTO_TYPE_FILTER = JSONReader.autoTypeFilter(Constants.JSON_WHITELIST_STR);
+ private Class clazz;
public FastJson2JsonRedisSerializer(Class clazz)
{
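Review bot: `AUTO_TYPE_FILTER` is declared package-private and without Javadoc, although it is the single object that now decides which `@type` values `deserialize` will instantiate (the `parseObject` call in the later hunk of this file). Declare it `private static final Filter AUTO_TYPE_FILTER = JSONReader.autoTypeFilter(Constants.JSON_WHITELIST_STR);` unless another class in the package needs it, and add a comment stating that it replaces the global `JSONReader.Feature.SupportAutoType` and only accepts types under the package prefixes in `Constants.JSON_WHITELIST_STR`. The class body continues outside this hunk.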
@@ -44,6 +47,6 @@ public class FastJson2JsonRedisSerializer implements RedisSerializer
}
String str = new String(bytes, DEFAULT_CHARSET);
- return JSON.parseObject(str, clazz, JSONReader.Feature.SupportAutoType);
+ return JSON.parseObject(str, clazz, AUTO_TYPE_FILTER);
}
}
diff --git a/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/service/TokenService.java b/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/service/TokenService.java
index 139ee8b5..29717928 100644
--- a/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/service/TokenService.java
+++ b/ruoyi-common/ruoyi-common-security/src/main/java/com/ruoyi/common/security/service/TokenService.java
@@ -4,6 +4,8 @@ import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.servlet.http.HttpServletRequest;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import com.ruoyi.common.core.constant.CacheConstants;
@@ -25,6 +27,8 @@ import com.ruoyi.system.api.model.LoginUser;
@Component
public class TokenService
{
+ private static final Logger log = LoggerFactory.getLogger(TokenService.class);
+
@Autowired
private RedisService redisService;
@@ -106,6 +110,7 @@ public class TokenService
}
catch (Exception e)
{
+ log.error("获取用户信息异常'{}'", e.getMessage());
}
return user;
}
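Review bot: The new `log.error` call logs only `e.getMessage()` and drops the exception object, so the stack trace of whatever failed during the lookup is lost and the line degrades to an empty `''` when the message is null. Pass the throwable as the trailing argument so SLF4J attaches the trace: `log.error("获取用户信息异常'{}'", e.getMessage(), e);`. The enclosing `catch (Exception e)` and the method it belongs to start outside this hunk; the method still falls through to `return user;` after the catch, so only the log output changes.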