API 调用签名校验时，限定参与签名的参数列表，更安全

2025-10-21 19:17:25 +08:00 · 2024-04-27 04:52:15 +08:00
parent 2db7ab6f4b
commit c8a5b922a2
1 changed files with 6 additions and 3 deletions
--- a/sa-token-plugin/sa-token-sso/src/main/java/cn/dev33/satoken/sso/SaSsoProcessor.java
+++ b/sa-token-plugin/sa-token-sso/src/main/java/cn/dev33/satoken/sso/SaSsoProcessor.java
@@ -140,7 +140,8 @@ public class SaSsoProcessor {
 		String sloCallback = req.getParam(paramName.ssoLogoutCall);

 		// 2、校验签名
-		ssoTemplate.getSignTemplate().checkRequest(req);
+		ssoTemplate.getSignTemplate().checkRequest(req,
+				paramName.client, paramName.ticket, paramName.ssoLogoutCall);

 		// 3、校验ticket，获取 loginId
 		Object loginId = ssoTemplate.checkTicket(ticket, client);
@@ -210,7 +211,7 @@ public class SaSsoProcessor {
 		String loginId = req.getParam(paramName.loginId);
 		
 		// step.1 校验签名 
-		ssoTemplate.getSignTemplate().checkRequest(req);
+		ssoTemplate.getSignTemplate().checkRequest(req, paramName.loginId);
 		
 		// step.2 单点注销 
 		ssoTemplate.ssoLogout(loginId);
@@ -390,8 +391,10 @@ public class SaSsoProcessor {
 		// 获取参数 
 		String loginId = req.getParamNotNull(paramName.loginId);
 		
+		// 校验参数签名
+		ssoTemplate.getSignTemplate().checkRequest(req, paramName.loginId);
+
 		// 注销当前应用端会话
-		ssoTemplate.getSignTemplate().checkRequest(req);
 		stpLogic.logout(loginId);
 		
 		// 响应