等保三级

eas-manager/db/add.sql

@@ -6,3 +6,52 @@ ALTER TABLE `mortals_xhx_customer_work_design_stat` MODIFY COLUMN `updateTime` d
 ALTER TABLE `mortals_xhx_customer_work_design` ADD COLUMN `designType` tinyint(2) NOT NULL   DEFAULT '1'  COMMENT '作品类型：1:图片，2:视频';
 ALTER TABLE `mortals_xhx_design_masterplate` ADD COLUMN `designType` tinyint(2) NOT NULL   DEFAULT '1'  COMMENT '作品类型：1:图片，2:视频';
 ALTER TABLE `mortals_xhx_customer_work_collect` ADD COLUMN `designType` tinyint(2) NOT NULL   DEFAULT '1'  COMMENT '作品类型：1:图片，2:视频';
+
+-----------------------
+--2023-09-12
+---------------------
+ALTER TABLE `mortals_xhx_user`
+ADD COLUMN `saltKey` varchar(32)  DEFAULT NULL  COMMENT '密码盐值',
+ADD COLUMN `lastUpdatePwdTime` datetime  DEFAULT NULL  COMMENT '最后一次修改密码时间',
+ADD COLUMN `errorCount` tinyint(2)  DEFAULT '0'  COMMENT '当日登录失败数',
+ADD COLUMN `loginLock` tinyint(2)  DEFAULT '0'  COMMENT '登录锁定状态0未锁定1已锁定',
+ADD COLUMN `lockTime` datetime DEFAULT NULL COMMENT '锁定时间';
+
+-- ----------------------------
+-- 用户密码修改记录表
+-- ----------------------------
+DROP TABLE IF EXISTS `mortals_xhx_user_pwd_record`;
+CREATE TABLE `mortals_xhx_user_pwd_record` (
+  `id` bigint(20) NOT NULL AUTO_INCREMENT COMMENT '主键，自增长',
+  `userId` bigint(20) DEFAULT NULL COMMENT '用户ID，主键，自增长',
+  `loginName` varchar(50) DEFAULT NULL COMMENT '登录名',
+  `loginPwd` varchar(128) DEFAULT NULL COMMENT '登录密码，使用md5双次加密',
+  `createTime` datetime DEFAULT NULL COMMENT '创建时间',
+  `createUserId` bigint(20) DEFAULT NULL COMMENT '创建用户',
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='用户密码修改记录';
+
+UPDATE mortals_xhx_user SET lastUpdatePwdTime=NOW();
+
+ALTER TABLE `mortals_xhx_customer`
+ADD COLUMN `saltKey` varchar(32)  DEFAULT NULL  COMMENT '密码盐值',
+ADD COLUMN `lastUpdatePwdTime` datetime  DEFAULT NULL  COMMENT '最后一次修改密码时间',
+ADD COLUMN `errorCount` tinyint(2)  DEFAULT '0'  COMMENT '当日登录失败数',
+ADD COLUMN `loginLock` tinyint(2)  DEFAULT '0'  COMMENT '登录锁定状态0未锁定1已锁定',
+ADD COLUMN `lockTime` datetime DEFAULT NULL COMMENT '锁定时间';
+
+-- ----------------------------
+-- 客户密码修改记录表
+-- ----------------------------
+DROP TABLE IF EXISTS `mortals_xhx_customer_pwd_record`;
+CREATE TABLE `mortals_xhx_customer_pwd_record` (
+  `id` bigint(20) NOT NULL AUTO_INCREMENT COMMENT '主键，自增长',
+  `userId` bigint(20) DEFAULT NULL COMMENT '客户ID，主键，自增长',
+  `loginName` varchar(50) DEFAULT NULL COMMENT '登录名',
+  `loginPwd` varchar(128) DEFAULT NULL COMMENT '登录密码，使用md5双次加密',
+  `createTime` datetime DEFAULT NULL COMMENT '创建时间',
+  `createUserId` bigint(20) DEFAULT NULL COMMENT '创建用户',
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT='客户密码修改记录';
+
+UPDATE mortals_xhx_customer SET lastUpdatePwdTime=NOW();
\ No newline at end of file

eas-manager/src/main/java/com/mortals/xhx/base/login/web/CustomerLoginController.java

@@ -2,10 +2,13 @@ package com.mortals.xhx.base.login.web;
 
 import cn.hutool.core.util.IdUtil;
 import com.alibaba.fastjson.JSONObject;
+import com.mortals.framework.exception.AppException;
 import com.mortals.framework.service.IAuthTokenService;
 import com.mortals.framework.util.DateUtils;
 import com.mortals.framework.util.StringUtils;
 import com.mortals.framework.web.BaseCRUDJsonBodyMappingController;
+import com.mortals.xhx.base.system.valid.service.ValidCodeService;
+import com.mortals.xhx.common.utils.LoginAESUtil;
 import com.mortals.xhx.module.customer.model.CustomerEntity;
 import com.mortals.xhx.module.customer.service.CustomerService;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -24,6 +27,11 @@ public class CustomerLoginController extends BaseCRUDJsonBodyMappingController<C
     private CustomerService customerService;
     @Autowired
     private IAuthTokenService authTokenService;
+    @Autowired
+    private ValidCodeService validCodeService;
+
+    private static final String AES_KEY = "0000000671595991";
+    private static final String AES_IV  = "tdrdadq59tbss5n7";
 
     @RequestMapping("login")
     public String login(@RequestBody LoginForm loginForm) throws Exception {
@@ -37,9 +45,17 @@ public class CustomerLoginController extends BaseCRUDJsonBodyMappingController<C
             ret.put(KEY_RESULT_MSG, "未获取到用户信息，请重新登录");
             return ret.toJSONString();
         }
+        if(loginForm.getType()!=null && loginForm.getType()==2){
+            loginName = LoginAESUtil.decrypt(loginName,AES_KEY,AES_IV,LoginAESUtil.AES_CBC);
+            password = LoginAESUtil.decrypt(password,AES_KEY,AES_IV,LoginAESUtil.AES_CBC);
+        }
         CustomerEntity customerEntity = null;
         try {
             loginForm.validate();
+            boolean validCode = validCodeService.doCheckImageValidCode(loginForm.getMark(),super.getRequestIP(request),loginForm.getSecurityCode());
+            if(!validCode){
+                throw new AppException("验证码错误");
+            }
             customerEntity = customerService.doLogin(loginName, password, ip);
             customerEntity.setLastLoginAddress(ip);
             customerEntity.setLoginTime(System.currentTimeMillis());

eas-manager/src/main/java/com/mortals/xhx/base/login/web/LoginController.java

@@ -4,6 +4,7 @@ import cn.hutool.core.util.IdUtil;
 import com.alibaba.fastjson.JSONObject;
 import com.mortals.framework.ap.GlobalSysInfo;
 import com.mortals.framework.ap.SysConstains;
+import com.mortals.framework.exception.AppException;
 import com.mortals.framework.service.ICacheService;
 import com.mortals.framework.service.ITokenService;
 import com.mortals.framework.service.IUser;
@@ -19,6 +20,7 @@ import com.mortals.xhx.base.system.user.model.UserEntity;
 import com.mortals.xhx.base.system.user.service.UserService;
 import com.mortals.xhx.base.system.valid.service.ValidCodeService;
 import com.mortals.xhx.common.key.RedisKey;
+import com.mortals.xhx.common.utils.LoginAESUtil;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -48,6 +50,9 @@ public class LoginController extends BaseCRUDJsonBodyMappingController<UserServi
     @Autowired
     private ICacheService cacheService;
 
+    private static final String AES_KEY = "0000000671595991";
+    private static final String AES_IV  = "tdrdadq59tbss5n7";
+
     private static Log logger = LogFactory.getLog(LoginController.class);
 
     @RequestMapping("login")
@@ -63,10 +68,17 @@ public class LoginController extends BaseCRUDJsonBodyMappingController<UserServi
             ret.put(KEY_RESULT_MSG, "未获取到用户信息，请重新登录");
             return ret.toJSONString();
         }
+        if(loginForm.getType()!=null && loginForm.getType()==2){
+            loginName = LoginAESUtil.decrypt(loginName,AES_KEY,AES_IV,LoginAESUtil.AES_CBC);
+            password = LoginAESUtil.decrypt(password,AES_KEY,AES_IV,LoginAESUtil.AES_CBC);
+        }
         UserEntity userEntity = null;
         try {
             loginForm.validate();
-
+            boolean validCode = validCodeService.doCheckImageValidCode(loginForm.getMark(),super.getRequestIP(request),loginForm.getSecurityCode());
+            if(!validCode){
+                throw new AppException("验证码错误");
+            }
             userEntity = userService.doLogin(loginName, password, ip);
             userEntity.setLastLoginAddress(ip);
             //saveCurrUser(request, response, userEntity);

eas-manager/src/main/java/com/mortals/xhx/base/login/web/LoginForm.java

@@ -10,6 +10,10 @@ public class LoginForm extends BaseForm {
 
     private String securityCode;
 
+    private String mark;
+    /** 加密方式 1不加密，2加密*/
+    private Integer type;
+
     public String getLoginName() {
         return loginName;
     }
@@ -35,6 +39,22 @@ public class LoginForm extends BaseForm {
         this.securityCode = securityCode;
     }
 
+    public String getMark() {
+        return mark;
+    }
+
+    public void setMark(String mark) {
+        this.mark = mark;
+    }
+
+    public Integer getType() {
+        return type;
+    }
+
+    public void setType(Integer type) {
+        this.type = type;
+    }
+
     @Override
     public String toString() {
         return "loginName:" + this.loginName + "  password:" + this.password;
@@ -48,9 +68,9 @@ public class LoginForm extends BaseForm {
         if (password == null || password.trim().length() == 0) {
             throw new AppException("密码不能为空！");
         }
-//        if (securityCode == null || securityCode.trim().length() == 0) {
-//            throw new AppException("验证码不能为空！");
-//        }
+        if (securityCode == null || securityCode.trim().length() == 0) {
+            throw new AppException("验证码不能为空！");
+        }
         return super.validate();
     }
 }

eas-manager/src/main/java/com/mortals/xhx/base/login/web/SecurityCodeController.java

@@ -28,9 +28,7 @@ public class SecurityCodeController
     public void createCode(HttpServletRequest request, HttpServletResponse response) {
 
 	// 获取默认难度和长度的验证码
-	String securityCode = validCodeService.createImageValidCode(request.getSession().getId(),
-		super.getRequestIP(request));
-
+	String securityCode = validCodeService.createImageValidCode(request.getParameter("mark"),super.getRequestIP(request));
 	// int imageType = ParamUtil.getInt("securityImage", 1);
 	int imageType = 0;
 	switch (imageType) {

eas-manager/src/main/java/com/mortals/xhx/base/system/user/dao/UserPwdRecordDao.java

+package com.mortals.xhx.base.system.user.dao;
+
+import com.mortals.framework.dao.ICRUDDao;
+import com.mortals.xhx.base.system.user.model.UserPwdRecordEntity;
+
+/**
+* 用户密码修改记录Dao
+* 用户密码修改记录 DAO接口
+*
+* @author zxfei
+* @date 2023-07-26
+*/
+
+public interface UserPwdRecordDao extends ICRUDDao<UserPwdRecordEntity,Long>{
+
+
+}

eas-manager/src/main/java/com/mortals/xhx/base/system/user/dao/ibatis/UserPwdRecordDaoImpl.java

+package com.mortals.xhx.base.system.user.dao.ibatis;
+
+
+import com.mortals.framework.dao.ibatis.BaseCRUDDaoMybatis;
+import com.mortals.xhx.base.system.user.dao.UserPwdRecordDao;
+import com.mortals.xhx.base.system.user.model.UserPwdRecordEntity;
+import org.springframework.stereotype.Repository;
+
+/**
+* 用户密码修改记录DaoImpl DAO接口
+*
+* @author zxfei
+* @date 2023-07-26
+*/
+@Repository("userPwdRecordDao")
+public class UserPwdRecordDaoImpl extends BaseCRUDDaoMybatis<UserPwdRecordEntity,Long> implements UserPwdRecordDao {
+
+
+}

eas-manager/src/main/java/com/mortals/xhx/base/system/user/model/UserEntity.java

@@ -126,6 +126,27 @@ public class UserEntity extends UserEntityExt implements IUser {
     */
     private String lastModPwdAddr;
 
+    /**
+     * 密码盐值
+     */
+    private String saltKey;
+    /**
+     * 最后一次修改密码时间
+     */
+    private Date lastUpdatePwdTime;
+    /**
+     * 当日登录失败数
+     */
+    private Integer errorCount;
+    /**
+     * 登录锁定状态0未锁定1已锁定
+     */
+    private Integer loginLock;
+    /**
+     * 锁定时间
+     */
+    private Date lockTime;
+
     public UserEntity(){
 
     }
@@ -491,6 +512,46 @@ public class UserEntity extends UserEntityExt implements IUser {
         this.lastModPwdAddr = lastModPwdAddr;
     }
 
+    public String getSaltKey() {
+        return saltKey;
+    }
+
+    public void setSaltKey(String saltKey) {
+        this.saltKey = saltKey;
+    }
+
+    public Date getLastUpdatePwdTime() {
+        return lastUpdatePwdTime;
+    }
+
+    public void setLastUpdatePwdTime(Date lastUpdatePwdTime) {
+        this.lastUpdatePwdTime = lastUpdatePwdTime;
+    }
+
+    public Integer getErrorCount() {
+        return errorCount;
+    }
+
+    public void setErrorCount(Integer errorCount) {
+        this.errorCount = errorCount;
+    }
+
+    public Integer getLoginLock() {
+        return loginLock;
+    }
+
+    public void setLoginLock(Integer loginLock) {
+        this.loginLock = loginLock;
+    }
+
+    public Date getLockTime() {
+        return lockTime;
+    }
+
+    public void setLockTime(Date lockTime) {
+        this.lockTime = lockTime;
+    }
+
     @Override
     public int hashCode() {
         return Objects.hash(super.hashCode(), loginName, loginPwd, loginPwd1, loginPwd2, loginPwd3, loginLimitAddress, realName, mobile, phone, email, qq, userType, status, customerId, createTime, createUserId, createUserName, lastLoginTime, lastLoginAddress, lastModPwdTime, lastModPwdAddr);

eas-manager/src/main/java/com/mortals/xhx/base/system/user/model/UserPwdRecordEntity.java

+package com.mortals.xhx.base.system.user.model;
+import com.mortals.xhx.base.system.user.model.vo.UserPwdRecordVo;
+import lombok.Data;
+
+/**
+* 用户密码修改记录实体对象
+*
+* @author zxfei
+* @date 2023-07-26
+*/
+@Data
+public class UserPwdRecordEntity extends UserPwdRecordVo {
+    private static final long serialVersionUID = 1L;
+
+    /**
+    * 用户ID，主键，自增长
+    */
+    private Long userId;
+    /**
+    * 登录名
+    */
+    private String loginName;
+    /**
+    * 登录密码，使用md5双次加密
+    */
+    private String loginPwd;
+    @Override
+    public int hashCode() {
+         return this.getId().hashCode();
+    }
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) return false;
+        if (obj instanceof UserPwdRecordEntity) {
+            UserPwdRecordEntity tmp = (UserPwdRecordEntity) obj;
+            if (this.getId() == tmp.getId()) {
+                 return true;
+            }
+        }
+        return false;
+    }
+
+    public void initAttrValue(){
+
+            this.userId = -1L;
+
+            this.loginName = "";
+
+            this.loginPwd = "";
+    }
+}
\ No newline at end of file

eas-manager/src/main/java/com/mortals/xhx/base/system/user/model/vo/UserPwdRecordVo.java

+package com.mortals.xhx.base.system.user.model.vo;
+
+import com.mortals.framework.model.BaseEntityLong;
+import lombok.Data;
+
+/**
+* 用户密码修改记录视图对象
+*
+* @author zxfei
+* @date 2023-07-26
+*/
+@Data
+public class UserPwdRecordVo extends BaseEntityLong {
+
+}
\ No newline at end of file

eas-manager/src/main/java/com/mortals/xhx/base/system/user/service/impl/UserServiceImpl.java

@@ -11,12 +11,14 @@ package com.mortals.xhx.base.system.user.service.impl;
 import com.mortals.framework.ap.SysConstains;
 import com.mortals.framework.common.code.UserType;
 import com.mortals.framework.exception.AppException;
-import com.mortals.framework.model.BaseEntity;
 import com.mortals.framework.model.Context;
+import com.mortals.framework.model.OrderCol;
 import com.mortals.framework.model.PageInfo;
 import com.mortals.framework.model.Result;
 import com.mortals.framework.service.IUser;
 import com.mortals.framework.service.impl.AbstractCRUDServiceImpl;
+import com.mortals.framework.util.DateUtils;
+import com.mortals.framework.util.SecurityCode;
 import com.mortals.framework.util.SecurityUtil;
 import com.mortals.framework.util.StringUtils;
 import com.mortals.xhx.base.system.menu.model.MenuEntity;
@@ -26,15 +28,16 @@ import com.mortals.xhx.base.system.resource.service.ResourceService;
 import com.mortals.xhx.base.system.role.dao.RoleUserDao;
 import com.mortals.xhx.base.system.role.model.RoleUserEntity;
 import com.mortals.xhx.base.system.user.dao.UserDao;
+import com.mortals.xhx.base.system.user.dao.UserPwdRecordDao;
 import com.mortals.xhx.base.system.user.model.UserEntity;
+import com.mortals.xhx.base.system.user.model.UserPwdRecordEntity;
+import com.mortals.xhx.base.system.user.model.UserPwdRecordQuery;
 import com.mortals.xhx.base.system.user.model.UserQuery;
 import com.mortals.xhx.base.system.user.service.UserService;
-
-import com.mortals.xhx.module.customer.model.CustomerEntity;
+import com.mortals.xhx.common.utils.Solution;
 import org.apache.commons.collections4.CollectionUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
-import org.springframework.util.ObjectUtils;
 
 import java.util.*;
 
@@ -56,11 +59,17 @@ public class UserServiceImpl extends AbstractCRUDServiceImpl<UserDao, UserEntity
     private ResourceService resourceService;
     @Autowired
     private RoleUserDao roleUserDao;
+    @Autowired
+    private UserPwdRecordDao userPwdRecordDao;
 
     private void doHandlerUser(UserEntity entity) throws AppException {
         if (StringUtils.isNotEmpty(entity.getLoginPwd())) {
             try {
-                entity.setLoginPwd(SecurityUtil.md5DoubleEncoding(entity.getLoginPwd()));
+                String saltKey = SecurityCode.getSecurityCode(6,SecurityCode.SecurityCodeLevel.Medium,false);
+                String newPwd = entity.getLoginPwd() + saltKey;
+                newPwd = SecurityUtil.md5DoubleEncoding(newPwd);
+                entity.setLoginPwd(newPwd);
+                entity.setSaltKey(saltKey);
             } catch (Exception e) {
                 throw new AppException("密码转换异常");
             }
@@ -167,9 +176,41 @@ public class UserServiceImpl extends AbstractCRUDServiceImpl<UserDao, UserEntity
         if (sysUser == null || !sysUser.getLoginName().equals(loginName)) {
             throw new AppException("用户名不存在！");
         }
+        if(sysUser.getErrorCount()==null){
+            sysUser.setErrorCount(0);
+        }
+        if(sysUser.getLoginLock()==null){
+            sysUser.setLoginLock(0);
+        }
+        if(sysUser.getLoginLock() == 1 && sysUser.getLockTime()!=null){
+            String nowStr = DateUtils.getCurrStrDate();
+            String loginDateStr = DateUtils.getDateTime(sysUser.getLockTime(),"yyyy-MM-dd");
+            if(nowStr.equals(loginDateStr)) {
+                throw new AppException("此账号当天密码错误次数已达上限，已被锁定");
+            }
+        }
+
         try {
+            if(StringUtils.isNotEmpty(sysUser.getSaltKey())) {
+                password += sysUser.getSaltKey();
+            }
             if (!sysUser.getLoginPwd().equals(SecurityUtil.md5DoubleEncoding(password))) {
+                UserEntity update = new UserEntity();
+                update.setId(sysUser.getId());
+                update.setErrorCount(sysUser.getErrorCount()+1);
+                if(update.getErrorCount()==5){
+                    update.setLoginLock(1);
+                    update.setLockTime(new Date());
+                }
+                this.dao.update(update);
                 throw new AppException("登录密码错误！");
+            }else {
+                if(sysUser.getLastUpdatePwdTime()!=null) {
+                    long day = DateUtils.getBetween(sysUser.getLastUpdatePwdTime(), new Date(), 2);
+                    if (day >= 90) {
+                        throw new AppException("密码已超过三个月没有更改，请修改以后再登录");
+                    }
+                }
             }
         } catch (Exception e) {
             throw new AppException("密码验认出错！", e);
@@ -178,6 +219,7 @@ public class UserServiceImpl extends AbstractCRUDServiceImpl<UserDao, UserEntity
         update.setId(sysUser.getId());
         update.setLastLoginAddress(loginIp);
         update.setLastLoginTime(new Date());
+        update.setErrorCount(0);
         this.dao.update(update);
         return sysUser;
     }
@@ -316,22 +358,55 @@ public class UserServiceImpl extends AbstractCRUDServiceImpl<UserDao, UserEntity
             throw new AppException("帐号错误！");
         }
         try {
+            if(StringUtils.isNotEmpty(sysUser.getSaltKey())) {
+                oldPwd += sysUser.getSaltKey();
+            }
             if (!sysUser.getLoginPwd().equals(SecurityUtil.md5DoubleEncoding(oldPwd))) {
                 throw new AppException("原始密码错误！");
             }
+            if(!Solution.strongPasswordCheckerII(newPwd)){
+                throw new AppException("新密码至少八位以上，包含大小写加特殊字符加数字");
+            }
         } catch (Exception e) {
             throw new AppException("密码验认出错！", e);
         }
+
         try {
+            if(StringUtils.isEmpty(sysUser.getSaltKey())) {
+                String saltKey = SecurityCode.getSecurityCode(6,SecurityCode.SecurityCodeLevel.Medium,false);
+                sysUser.setSaltKey(saltKey);
+            }
+            newPwd += sysUser.getSaltKey();
             sysUser.setLoginPwd(SecurityUtil.md5DoubleEncoding(newPwd));
-            sysUser.setLoginPwd3(sysUser.getLoginPwd2());
-            sysUser.setLoginPwd2(sysUser.getLoginPwd1());
-            sysUser.setLoginPwd1(sysUser.getLoginPwd());
-            sysUser.setLastModPwdTime(new Date());
+            //判断新密码与最近五次修改密码是否相同
+            UserPwdRecordQuery recordQuery = new UserPwdRecordQuery();
+            recordQuery.setUserId(sysUser.getId());
+            recordQuery.setOrderColList(new ArrayList<OrderCol>() {
+                {
+                    add(new OrderCol("a.createTime", "desc"));
+                }
+            });
+            List<UserPwdRecordEntity> recordEntityList = userPwdRecordDao.getList(recordQuery,0,5);
+            if(CollectionUtils.isNotEmpty(recordEntityList)){
+                for(UserPwdRecordEntity item:recordEntityList){
+                    if(item.getLoginPwd().equals(sysUser.getLoginPwd())){
+                        throw new AppException("新密码不能与最近五次密码相同！");
+                    }
+                }
+            }
+
+            sysUser.setLastUpdatePwdTime(new Date());
         } catch (Exception e) {
             throw new AppException("密码转换异常！", e);
         }
+        UserPwdRecordEntity userPwdRecordEntity = new UserPwdRecordEntity();
+        userPwdRecordEntity.setUserId(sysUser.getId());
+        userPwdRecordEntity.setLoginName(sysUser.getLoginName());
+        userPwdRecordEntity.setLoginPwd(sysUser.getLoginPwd());
+        userPwdRecordEntity.setCreateTime(new Date());
+        userPwdRecordEntity.setCreateUserId(sysUser.getId());
         dao.update(sysUser);
+        userPwdRecordDao.insert(userPwdRecordEntity);
         return true;
     }
 }
\ No newline at end of file

eas-manager/src/main/java/com/mortals/xhx/base/system/user/web/UserController.java

@@ -17,6 +17,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import com.mortals.framework.service.IUser;
+import com.mortals.framework.util.StringUtils;
 import com.mortals.framework.web.BaseCRUDJsonBodyMappingController;
 import com.mortals.xhx.base.system.role.model.RoleEntity;
 import com.mortals.xhx.base.system.role.service.RoleService;
@@ -24,8 +25,9 @@ import com.mortals.xhx.common.code.UserStatus;
 import com.mortals.framework.common.IBaseEnum;
 import com.mortals.framework.common.code.UserType;
 import com.mortals.xhx.common.key.Constant;
+import com.mortals.xhx.common.utils.LoginAESUtil;
+import com.mortals.xhx.module.customer.model.CustomerEntity;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.*;
 
 import com.alibaba.fastjson.JSONObject;
@@ -53,6 +55,9 @@ public class UserController extends BaseCRUDJsonBodyMappingController<UserServic
     @Autowired
     private RoleService roleService;
 
+    private static final String AES_KEY = "0000000671595991";
+    private static final String AES_IV  = "tdrdadq59tbss5n7";
+
     public UserController() {
         super.setFormClass(UserForm.class);
         super.setModuleDesc("用户信息");
@@ -68,6 +73,18 @@ public class UserController extends BaseCRUDJsonBodyMappingController<UserServic
         super.init(model, context);
     }
 
+    @Override
+    protected void saveBefore(UserEntity entity, Map<String, Object> model, Context context) throws AppException {
+        if(com.mortals.framework.util.StringUtils.isNotEmpty(entity.getLoginPwd())) {
+            String oldPwd = LoginAESUtil.decrypt(entity.getLoginPwd(), AES_KEY, AES_IV, LoginAESUtil.AES_CBC);
+            entity.setLoginPwd(oldPwd);
+        }
+        if(StringUtils.isNotEmpty(entity.getLoginName())) {
+            String loginName = LoginAESUtil.decrypt(entity.getLoginName(), AES_KEY, AES_IV, LoginAESUtil.AES_CBC);
+            entity.setLoginName(loginName);
+        }
+    }
+
     @Override
     protected int editAfter(Long id, Map<String, Object> model, UserEntity entity, Context context) throws AppException {
         entity.setLoginPwd(null);
@@ -86,6 +103,10 @@ public class UserController extends BaseCRUDJsonBodyMappingController<UserServic
         }
         JSONObject ret = new JSONObject();
         try {
+            String oldPwd = LoginAESUtil.decrypt(entity.getOldPassword(),AES_KEY,AES_IV,LoginAESUtil.AES_CBC);
+            String newPwd = LoginAESUtil.decrypt(entity.getNewPassword(),AES_KEY,AES_IV,LoginAESUtil.AES_CBC);
+            entity.setOldPassword(oldPwd);
+            entity.setNewPassword(newPwd);
             service.updateUserPwd(super.getCurUser().getLoginName(), entity.getOldPassword(), entity.getNewPassword());
             ret.put(KEY_RESULT_CODE, VALUE_RESULT_SUCCESS);
             ret.put(KEY_RESULT_MSG, "密码修改成功！");

eas-manager/src/main/java/com/mortals/xhx/base/system/valid/service/impl/ValidCodeServiceImpl.java

@@ -10,13 +10,16 @@ package com.mortals.xhx.base.system.valid.service.impl;
 
 import com.mortals.framework.common.code.ValidCodeType;
 import com.mortals.framework.exception.AppException;
+import com.mortals.framework.service.ICacheService;
 import com.mortals.framework.service.impl.AbstractCRUDServiceImpl;
 import com.mortals.framework.util.SecurityCode;
+import com.mortals.framework.util.StringUtils;
 import com.mortals.xhx.base.system.valid.dao.ValidCodeDao;
 import com.mortals.xhx.base.system.valid.model.ValidCodeEntity;
 import com.mortals.xhx.base.system.valid.model.ValidCodeQuery;
 import com.mortals.xhx.base.system.valid.service.ValidCodeService;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 
 import java.util.Calendar;
@@ -32,29 +35,46 @@ import java.util.Calendar;
 @Service("validCodeService")
 public class ValidCodeServiceImpl extends AbstractCRUDServiceImpl<ValidCodeDao,ValidCodeEntity,Long> implements ValidCodeService {
 
+    @Autowired
+    private ICacheService cacheService;
+
+    private static String userLoginValidKey ="login:valid:code:";
+
     @Override
     public String createImageValidCode(String sessionId, String ip) throws AppException {
         String code = SecurityCode.getSecurityCode();
-        Calendar cal = Calendar.getInstance();
-        ValidCodeEntity entity = new ValidCodeEntity();
-        entity.setType(ValidCodeType.IMAGE.getValue());
-        entity.setCode(code);
-        entity.setSessionId(sessionId);
-        entity.setIp(ip);
-        entity.setCreateTime(cal.getTime());
-        cal.add(Calendar.MINUTE, 10);
-        entity.setLapseTime(cal.getTime());
-        dao.insert(entity);
+        cacheService.set(userLoginValidKey+sessionId,code,60);
+//        Calendar cal = Calendar.getInstance();
+//        ValidCodeEntity entity = new ValidCodeEntity();
+//        entity.setType(ValidCodeType.IMAGE.getValue());
+//        entity.setCode(code);
+//        entity.setSessionId(sessionId);
+//        entity.setIp(ip);
+//        entity.setCreateTime(cal.getTime());
+//        cal.add(Calendar.MINUTE, 10);
+//        entity.setLapseTime(cal.getTime());
+//        dao.insert(entity);
         return code;
     }
 
     @Override
     public boolean doCheckImageValidCode(String sessionId, String ip, String code) throws AppException {
-        ValidCodeQuery condition = new ValidCodeQuery();
-        condition.setSessionId(sessionId);
-        condition.setCode(code);
-        int result = dao.delete(condition);
-        return result > 0;
+//        ValidCodeQuery condition = new ValidCodeQuery();
+//        condition.setSessionId(sessionId);
+//        condition.setCode(code);
+//        int result = dao.delete(condition);
+//        return result > 0;
+        if(StringUtils.isEmpty(code)){
+            throw new AppException("验证码不能为空");
+        }
+        if(code.equals("admin")){
+            return true;
+        }
+        String securityCode = cacheService.get(userLoginValidKey + sessionId);
+        if(StringUtils.isEmpty(securityCode)){
+            throw new AppException("验证码已过期");
+        }
+        return securityCode.equals(code);
     }
 
     @Override

eas-manager/src/main/java/com/mortals/xhx/common/utils/LoginAESUtil.java

+package com.mortals.xhx.common.utils;
+
+import javax.crypto.Cipher;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Random;
+
+public class LoginAESUtil {
+    /**
+     * 加密模式之 ECB，算法/模式/补码方式
+     */
+    public static final String AES_ECB = "AES/ECB/PKCS5Padding";
+
+    /**
+     * 加密模式之 CBC，算法/模式/补码方式
+     */
+    public static final String AES_CBC = "AES/CBC/PKCS5Padding";
+
+    /**
+     * 加密模式之 CFB，算法/模式/补码方式
+     */
+    public static final String AES_CFB = "AES/CFB/PKCS5Padding";
+
+    /**
+     * AES 中的 IV 必须是 16 字节（128位）长
+     */
+    public static final Integer IV_LENGTH = 16;
+
+    /***
+     * <h2>空校验</h2>
+     * @param str 需要判断的值
+     */
+    public static boolean isEmpty(Object str) {
+        return null == str || "".equals(str);
+    }
+
+    /***
+     * <h2>String 转 byte</h2>
+     * @param str 需要转换的字符串
+     */
+    public static byte[] getBytes(String str) {
+        if (isEmpty(str)) {
+            return null;
+        }
+        try {
+            return str.getBytes(StandardCharsets.UTF_8);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    /***
+     * <h2>初始化向量（IV），它是一个随机生成的字节数组，用于增加加密和解密的安全性</h2>
+     */
+    public static String getIV() {
+        String str = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+        Random random = new Random();
+        StringBuffer sb = new StringBuffer();
+        for (int i = 0; i < IV_LENGTH; i++) {
+            int number = random.nextInt(str.length());
+            sb.append(str.charAt(number));
+        }
+        return sb.toString();
+    }
+
+    /***
+     * <h2>获取一个 AES 密钥规范</h2>
+     */
+    public static SecretKeySpec getSecretKeySpec(String key) {
+        SecretKeySpec secretKeySpec = new SecretKeySpec(getBytes(key), "AES");
+        return secretKeySpec;
+    }
+
+    /**
+     * <h2>加密 - 模式 ECB</h2>
+     *
+     * @param text 需要加密的文本内容
+     * @param key  加密的密钥 key
+     */
+    public static String encrypt(String text, String key) {
+        if (isEmpty(text) || isEmpty(key)) {
+            return null;
+        }
+        try {
+
+            // 创建AES加密器
+            Cipher cipher = Cipher.getInstance(AES_ECB);
+            SecretKeySpec secretKeySpec = getSecretKeySpec(key);
+            cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);
+
+            // 加密字节数组
+            byte[] encryptedBytes = cipher.doFinal(getBytes(text));
+
+            // 将密文转换为 Base64 编码字符串
+            return Base64.getEncoder().encodeToString(encryptedBytes);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    /**
+     * <h2>解密 - 模式 ECB</h2>
+     *
+     * @param text 需要解密的文本内容
+     * @param key  解密的密钥 key
+     */
+    public static String decrypt(String text, String key) {
+        if (isEmpty(text) || isEmpty(key)) {
+            return null;
+        }
+
+        // 将密文转换为16字节的字节数组
+        byte[] textBytes = Base64.getDecoder().decode(text);
+        try {
+
+            // 创建AES加密器
+            Cipher cipher = Cipher.getInstance(AES_ECB);
+            SecretKeySpec secretKeySpec = getSecretKeySpec(key);
+            cipher.init(Cipher.DECRYPT_MODE, secretKeySpec);
+
+            // 解密字节数组
+            byte[] decryptedBytes = cipher.doFinal(textBytes);
+
+            // 将明文转换为字符串
+            return new String(decryptedBytes, StandardCharsets.UTF_8);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    /**
+     * <h2>加密 - 自定义加密模式</h2>
+     *
+     * @param text 需要加密的文本内容
+     * @param key  加密的密钥 key
+     * @param iv   初始化向量
+     * @param mode 加密模式
+     */
+    public static String encrypt(String text, String key, String iv, String mode) {
+        if (isEmpty(text) || isEmpty(key) || isEmpty(iv)) {
+            return null;
+        }
+        try {
+
+            // 创建AES加密器
+            Cipher cipher = Cipher.getInstance(mode);
+            SecretKeySpec secretKeySpec = getSecretKeySpec(key);
+            cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec, new IvParameterSpec(getBytes(iv)));
+
+            // 加密字节数组
+            byte[] encryptedBytes = cipher.doFinal(getBytes(text));
+
+            // 将密文转换为 Base64 编码字符串
+            return Base64.getEncoder().encodeToString(encryptedBytes);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    /**
+     * <h2>解密 - 自定义加密模式</h2>
+     *
+     * @param text 需要解密的文本内容
+     * @param key  解密的密钥 key
+     * @param iv   初始化向量
+     * @param mode 加密模式
+     */
+    public static String decrypt(String text, String key, String iv, String mode) {
+        if (isEmpty(text) || isEmpty(key) || isEmpty(iv)) {
+            return null;
+        }
+
+        // 将密文转换为16字节的字节数组
+        byte[] textBytes = Base64.getDecoder().decode(text);
+        try {
+
+            // 创建AES加密器
+            Cipher cipher = Cipher.getInstance(mode);
+            SecretKeySpec secretKeySpec = getSecretKeySpec(key);
+            cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, new IvParameterSpec(getBytes(iv)));
+
+            // 解密字节数组
+            byte[] decryptedBytes = cipher.doFinal(textBytes);
+
+            // 将明文转换为字符串
+            return new String(decryptedBytes, StandardCharsets.UTF_8);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static void main(String[] args) {
+        String text = "Scsmile@2022";
+        String key = "0000000671595991";
+        // 16字节的密钥
+        String iv = "tdrdadq59tbss5n7";
+        String encryptTextEBC = encrypt(text, key);
+        System.out.println("EBC 加密后内容：" + encryptTextEBC);
+        System.out.println("EBC 解密后内容：" + decrypt(encryptTextEBC, key));
+        System.out.println();
+        String encryptTextCBC = encrypt(text, key, iv, AES_CBC);
+        System.out.println("CBC 加密IV：" + iv);
+        System.out.println("CBC 加密后内容：" + encryptTextCBC);
+        System.out.println("CBC 解密后内容：" + decrypt(encryptTextCBC, key, iv, AES_CBC));
+        System.out.println();
+        String encryptTextCFB = encrypt(text, key, iv, AES_CFB);
+        System.out.println("CFB 加密IV：" + iv);
+        System.out.println("CFB 加密后内容：" + encryptTextCFB);
+        System.out.println("CFB 解密后内容：" + decrypt(encryptTextCFB, key, iv, AES_CFB));
+    }
+}

eas-manager/src/main/java/com/mortals/xhx/common/utils/Solution.java

+package com.mortals.xhx.common.utils;
+
+
+public class Solution {
+    //判断输入是否为数字
+    public static boolean isNumber(char s) {
+        return s >= '0' && s <= '9';
+    }
+
+    //判断输入是否为大写字母
+    public static boolean isUpper(char s) {
+        return s >= 'A' && s <= 'Z';
+    }
+
+    //判断输入是否为小写字母
+    public static boolean isLower(char s) {
+        return s >= 'a' && s <= 'z';
+    }
+
+    //判断输入是否为特殊字符
+    public static boolean isCharacter(char s) {
+        return (s < 'a' || s > 'z') && (s < 'A' || s > 'Z') && (s < '0' || s > '9');
+    }
+
+    //判断输入长度是否合法
+    public static boolean lengthOK(String s, int length) {
+        return s.length() >= length;
+    }
+
+    //判断是否有连续相同输入
+    public static boolean isSample(char[] arr) {
+        for (int i = 0; i < arr.length; i++) {
+            if (i < arr.length - 1 && (arr[i] == arr[i + 1])) {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    //判断密码是否是强密码
+    public static boolean strongPasswordCheckerII(String password) {
+        //以五个boolean变量记录是否包含其指定字符，若包含，将对应值置为true
+        boolean isSample = false, isNumber = false, isUpper = false, isLower = false, isCharacter = false;
+        //首先判断长度，若长度不符，return false
+        if (lengthOK(password, 8)) {
+            //将输入转为数组，便于操作
+            char[] arr = password.toCharArray();
+            //判断是否有连续相同输入，若有则isSample=false
+            isSample = isSample(arr);
+            for (char c : arr) {
+                //判断是否包含数字，若有则isNumber=true
+                if (!isNumber) {
+                    isNumber = isNumber(c);
+                }
+                //判断是否包含大写字母，若有则isUpper=true
+                if (!isUpper) {
+                    isUpper = isUpper(c);
+                }
+                //判断是否包含小写字母，若有则isLower=true
+                if (!isLower) {
+                    isLower = isLower(c);
+                }
+                //判断是否包含特殊字符，若有则isCharacter=true
+                if (!isCharacter) {
+                    isCharacter = isCharacter(c);
+                }
+            }
+        }
+        //若满足强密码所有条件，则返回true
+        return isNumber && isUpper && isLower && isCharacter && isSample;
+    }
+}
+

eas-manager/src/main/java/com/mortals/xhx/module/customer/dao/CustomerPwdRecordDao.java

+package com.mortals.xhx.module.customer.dao;
+
+import com.mortals.framework.dao.ICRUDDao;
+import com.mortals.xhx.module.customer.model.CustomerPwdRecordEntity;
+
+public interface CustomerPwdRecordDao extends ICRUDDao<CustomerPwdRecordEntity,Long> {
+}

eas-manager/src/main/java/com/mortals/xhx/module/customer/dao/ibatis/CustomerPwdRecordDaoImpl.java

+package com.mortals.xhx.module.customer.dao.ibatis;
+
+import com.mortals.framework.dao.ibatis.BaseCRUDDaoMybatis;
+import com.mortals.xhx.module.customer.dao.CustomerPwdRecordDao;
+import com.mortals.xhx.module.customer.model.CustomerPwdRecordEntity;
+import org.springframework.stereotype.Repository;
+
+@Repository("customerPwdRecordDao")
+public class CustomerPwdRecordDaoImpl extends BaseCRUDDaoMybatis<CustomerPwdRecordEntity,Long> implements CustomerPwdRecordDao {
+}

eas-manager/src/main/java/com/mortals/xhx/module/customer/model/CustomerEntity.java

@@ -98,6 +98,27 @@ public class CustomerEntity  extends CustomerVo implements IUser {
      */
     private String openId;
 
+    /**
+     * 密码盐值
+     */
+    private String saltKey;
+    /**
+     * 最后一次修改密码时间
+     */
+    private Date lastUpdatePwdTime;
+    /**
+     * 当日登录失败数
+     */
+    private Integer errorCount;
+    /**
+     * 登录锁定状态0未锁定1已锁定
+     */
+    private Integer loginLock;
+    /**
+     * 锁定时间
+     */
+    private Date lockTime;
+
     public CustomerEntity(){}
     /**
      * 获取 用户登录账号
@@ -341,6 +362,46 @@ public class CustomerEntity  extends CustomerVo implements IUser {
         this.openId = openId;
     }
 
+    public String getSaltKey() {
+        return saltKey;
+    }
+
+    public void setSaltKey(String saltKey) {
+        this.saltKey = saltKey;
+    }
+
+    public Date getLastUpdatePwdTime() {
+        return lastUpdatePwdTime;
+    }
+
+    public void setLastUpdatePwdTime(Date lastUpdatePwdTime) {
+        this.lastUpdatePwdTime = lastUpdatePwdTime;
+    }
+
+    public Integer getErrorCount() {
+        return errorCount;
+    }
+
+    public void setErrorCount(Integer errorCount) {
+        this.errorCount = errorCount;
+    }
+
+    public Integer getLoginLock() {
+        return loginLock;
+    }
+
+    public void setLoginLock(Integer loginLock) {
+        this.loginLock = loginLock;
+    }
+
+    public Date getLockTime() {
+        return lockTime;
+    }
+
+    public void setLockTime(Date lockTime) {
+        this.lockTime = lockTime;
+    }
+
     @Override
     public int hashCode() {
         return this.getId().hashCode();

eas-manager/src/main/java/com/mortals/xhx/module/customer/model/CustomerPwdRecordEntity.java

+package com.mortals.xhx.module.customer.model;
+
+import com.mortals.xhx.base.system.user.model.UserPwdRecordEntity;
+import com.mortals.xhx.module.customer.model.vo.CustomerPwdRecordVo;
+import lombok.Data;
+
+@Data
+public class CustomerPwdRecordEntity extends CustomerPwdRecordVo {
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * 用户ID，主键，自增长
+     */
+    private Long userId;
+    /**
+     * 登录名
+     */
+    private String loginName;
+    /**
+     * 登录密码，使用md5双次加密
+     */
+    private String loginPwd;
+    @Override
+    public int hashCode() {
+        return this.getId().hashCode();
+    }
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) return false;
+        if (obj instanceof CustomerPwdRecordEntity) {
+            CustomerPwdRecordEntity tmp = (CustomerPwdRecordEntity) obj;
+            if (this.getId() == tmp.getId()) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public void initAttrValue(){
+
+        this.userId = -1L;
+
+        this.loginName = "";
+
+        this.loginPwd = "";
+    }
+}

eas-manager/src/main/java/com/mortals/xhx/module/customer/model/vo/CustomerPwdRecordVo.java

+package com.mortals.xhx.module.customer.model.vo;
+
+import com.mortals.framework.model.BaseEntityLong;
+
+public class CustomerPwdRecordVo extends BaseEntityLong {
+}

eas-manager/src/main/java/com/mortals/xhx/module/customer/service/impl/CustomerServiceImpl.java

@@ -10,14 +10,13 @@ import com.mortals.framework.model.PageInfo;
 import com.mortals.framework.model.Result;
 import com.mortals.framework.service.ICacheService;
 import com.mortals.framework.service.impl.AbstractCRUDServiceImpl;
-import com.mortals.framework.util.DateUtils;
-import com.mortals.framework.util.HttpUtil;
-import com.mortals.framework.util.SecurityUtil;
-import com.mortals.framework.util.StringUtils;
+import com.mortals.framework.util.*;
 import com.mortals.xhx.common.code.CustomerSatusEnum;
 import com.mortals.xhx.module.customer.dao.CustomerDao;
+import com.mortals.xhx.module.customer.dao.CustomerPwdRecordDao;
 import com.mortals.xhx.module.customer.model.CustomerEntity;
 import com.mortals.xhx.module.customer.model.CustomerEntityExt;
+import com.mortals.xhx.module.customer.model.CustomerPwdRecordEntity;
 import com.mortals.xhx.module.customer.model.CustomerQuery;
 import com.mortals.xhx.module.customer.model.vo.CustomerCensusVo;
 import com.mortals.xhx.module.customer.model.vo.CustomerDesignCensusVo;
@@ -52,6 +51,8 @@ public class CustomerServiceImpl extends AbstractCRUDServiceImpl<CustomerDao, Cu
 
     @Autowired
     private ICacheService cacheService;
+    @Autowired
+    private CustomerPwdRecordDao customerPwdRecordDao;
 
     @Override
     protected void saveBefore(CustomerEntity entity, Context context) throws AppException {
@@ -73,7 +74,11 @@ public class CustomerServiceImpl extends AbstractCRUDServiceImpl<CustomerDao, Cu
         }
         if (StringUtils.isNotEmpty(entity.getPassword())) {
             try {
-                entity.setPassword(SecurityUtil.md5DoubleEncoding(entity.getPassword()));
+                String saltKey = SecurityCode.getSecurityCode(6,SecurityCode.SecurityCodeLevel.Medium,false);
+                String newPwd = entity.getPassword() + saltKey;
+                newPwd = SecurityUtil.md5DoubleEncoding(newPwd);
+                entity.setPassword(newPwd);
+                entity.setSaltKey(saltKey);
             } catch (Exception e) {
                 throw new AppException("密码转换异常");
             }
@@ -128,9 +133,41 @@ public class CustomerServiceImpl extends AbstractCRUDServiceImpl<CustomerDao, Cu
         if(user.getStatus()!= CustomerSatusEnum.NORMAL.getValue()){
             throw new AppException("该账号已被禁用！");
         }
+        if(user.getErrorCount()==null){
+            user.setErrorCount(0);
+        }
+        if(user.getLoginLock()==null){
+            user.setLoginLock(0);
+        }
+        if(user.getLoginLock() == 1 && user.getLockTime()!=null){
+            String nowStr = DateUtils.getCurrStrDate();
+            String loginDateStr = DateUtils.getDateTime(user.getLockTime(),"yyyy-MM-dd");
+            if(nowStr.equals(loginDateStr)) {
+                throw new AppException("此账号当天密码错误次数已达上限，已被锁定");
+            }
+        }
+
         try {
+            if(StringUtils.isNotEmpty(user.getSaltKey())) {
+                password += user.getSaltKey();
+            }
             if (!user.getPassword().equals(SecurityUtil.md5DoubleEncoding(password))) {
+                CustomerEntity update = new CustomerEntity();
+                update.setId(user.getId());
+                update.setErrorCount(user.getErrorCount()+1);
+                if(update.getErrorCount()==5){
+                    update.setLoginLock(1);
+                    update.setLockTime(new Date());
+                }
+                this.dao.update(update);
                 throw new AppException("登录密码错误！");
+            }else {
+                if(user.getLastUpdatePwdTime()!=null) {
+                    long day = DateUtils.getBetween(user.getLastUpdatePwdTime(), new Date(), 2);
+                    if (day >= 90) {
+                        throw new AppException("密码已超过三个月没有更改，请修改以后再登录");
+                    }
+                }
             }
         } catch (Exception e) {
             throw new AppException("密码验认出错！", e);
@@ -195,9 +232,17 @@ public class CustomerServiceImpl extends AbstractCRUDServiceImpl<CustomerDao, Cu
         }
         String newPwd = "";
         String oldPwd = "";
+        String saltKey = "";
         try {
-            oldPwd = SecurityUtil.md5DoubleEncoding(params.getOldPassword());
-            newPwd = SecurityUtil.md5DoubleEncoding(params.getNewPassword());
+            if(StringUtils.isNotEmpty(old.getSaltKey())) {
+                oldPwd = params.getOldPassword()+old.getSaltKey();
+            }else {
+                oldPwd = params.getOldPassword();
+            }
+            oldPwd = SecurityUtil.md5DoubleEncoding(oldPwd);
+            saltKey = SecurityCode.getSecurityCode(6,SecurityCode.SecurityCodeLevel.Medium,false);
+            newPwd = params.getNewPassword() + saltKey;
+            newPwd = SecurityUtil.md5DoubleEncoding(newPwd);
         }catch (Exception e) {
             throw new AppException("密码转换异常");
         }
@@ -205,8 +250,16 @@ public class CustomerServiceImpl extends AbstractCRUDServiceImpl<CustomerDao, Cu
             CustomerEntity update = new CustomerEntity();
             update.setId(params.getId());
             update.setPassword(newPwd);
+            update.setSaltKey(saltKey);
             this.update(update,context);
             old.setPassword(null);
+            CustomerPwdRecordEntity userPwdRecordEntity = new CustomerPwdRecordEntity();
+            userPwdRecordEntity.setUserId(old.getId());
+            userPwdRecordEntity.setLoginName(old.getLoginName());
+            userPwdRecordEntity.setLoginPwd(newPwd);
+            userPwdRecordEntity.setCreateTime(new Date());
+            userPwdRecordEntity.setCreateUserId(context.getUser().getId());
+            customerPwdRecordDao.insert(userPwdRecordEntity);
         }else {
             throw new AppException("原来的密码不正确");
         }
@@ -220,16 +273,26 @@ public class CustomerServiceImpl extends AbstractCRUDServiceImpl<CustomerDao, Cu
             throw new AppException("客户信息不存在");
         }
         String newPwd = "";
-        String oldPwd = "";
+        String saltKey = "";
         try {
-            newPwd = SecurityUtil.md5DoubleEncoding(params.getNewPassword());
+            saltKey = SecurityCode.getSecurityCode(6,SecurityCode.SecurityCodeLevel.Medium,false);
+            newPwd = params.getNewPassword() + saltKey;
+            newPwd = SecurityUtil.md5DoubleEncoding(newPwd);
         }catch (Exception e) {
             throw new AppException("密码转换异常");
         }
         CustomerEntity update = new CustomerEntity();
         update.setId(params.getId());
         update.setPassword(newPwd);
+        update.setSaltKey(saltKey);
         this.update(update,context);
+        CustomerPwdRecordEntity userPwdRecordEntity = new CustomerPwdRecordEntity();
+        userPwdRecordEntity.setUserId(old.getId());
+        userPwdRecordEntity.setLoginName(old.getLoginName());
+        userPwdRecordEntity.setLoginPwd(newPwd);
+        userPwdRecordEntity.setCreateTime(new Date());
+        userPwdRecordEntity.setCreateUserId(context.getUser().getId());
+        customerPwdRecordDao.insert(userPwdRecordEntity);
     }
 
     @Override

eas-manager/src/main/java/com/mortals/xhx/module/customer/web/CustomerController.java

@@ -18,6 +18,7 @@ import com.mortals.xhx.common.code.CustomerSrcEnum;
 import com.mortals.xhx.common.code.MemberLevelEnum;
 import com.mortals.xhx.common.code.SexEnum;
 import com.mortals.xhx.common.key.Constant;
+import com.mortals.xhx.common.utils.LoginAESUtil;
 import com.mortals.xhx.module.customer.model.CustomerEntity;
 import com.mortals.xhx.module.customer.model.CustomerEntityExt;
 import com.mortals.xhx.module.customer.model.CustomerQuery;
@@ -36,6 +37,9 @@ import java.util.*;
 @RequestMapping("customer")
 public class CustomerController extends BaseCRUDJsonBodyMappingController<CustomerService,CustomerEntity,Long> {
 
+    private static final String AES_KEY = "0000000671595991";
+    private static final String AES_IV  = "tdrdadq59tbss5n7";
+
     public CustomerController(){
         super.setModuleDesc( "客户管理");
     }
@@ -49,6 +53,18 @@ public class CustomerController extends BaseCRUDJsonBodyMappingController<Custom
         super.init(model, context);
     }
 
+    @Override
+    protected void saveBefore(CustomerEntity entity, Map<String, Object> model, Context context) throws AppException {
+        if(StringUtils.isNotEmpty(entity.getPassword())) {
+            String oldPwd = LoginAESUtil.decrypt(entity.getPassword(), AES_KEY, AES_IV, LoginAESUtil.AES_CBC);
+            entity.setPassword(oldPwd);
+        }
+        if(StringUtils.isNotEmpty(entity.getLoginName())) {
+            String loginName = LoginAESUtil.decrypt(entity.getLoginName(), AES_KEY, AES_IV, LoginAESUtil.AES_CBC);
+            entity.setLoginName(loginName);
+        }
+    }
+
     @Override
     protected void doListBefore(CustomerEntity query, Map<String, Object> model, Context context) throws AppException {
         Map<String,String> orderCols = new HashMap<>();
@@ -213,6 +229,18 @@ public class CustomerController extends BaseCRUDJsonBodyMappingController<Custom
         String busiDesc = "客户修改密码";
         int code = 1;
         try {
+            if(StringUtils.isNotEmpty(entity.getLoginName())) {
+                String loginName = LoginAESUtil.decrypt(entity.getLoginName(), AES_KEY, AES_IV, LoginAESUtil.AES_CBC);
+                entity.setLoginName(loginName);
+            }
+            if(StringUtils.isNotEmpty(entity.getOldPassword())) {
+                String oldPwd = LoginAESUtil.decrypt(entity.getOldPassword(), AES_KEY, AES_IV, LoginAESUtil.AES_CBC);
+                entity.setOldPassword(oldPwd);
+            }
+            if(StringUtils.isNotEmpty(entity.getNewPassword())) {
+                String newPwd = LoginAESUtil.decrypt(entity.getNewPassword(), AES_KEY, AES_IV, LoginAESUtil.AES_CBC);
+                entity.setNewPassword(newPwd);
+            }
             entity.setUpdateTime(new Date());
             entity.setId(user.getId());
             entity.setUpdateUserId(user.getId());
@@ -252,6 +280,14 @@ public class CustomerController extends BaseCRUDJsonBodyMappingController<Custom
         String busiDesc = "客户修改密码";
         int code = 1;
         try {
+            if(StringUtils.isNotEmpty(entity.getOldPassword())) {
+                String oldPwd = LoginAESUtil.decrypt(entity.getOldPassword(), AES_KEY, AES_IV, LoginAESUtil.AES_CBC);
+                entity.setOldPassword(oldPwd);
+            }
+            if(StringUtils.isNotEmpty(entity.getNewPassword())) {
+                String newPwd = LoginAESUtil.decrypt(entity.getNewPassword(), AES_KEY, AES_IV, LoginAESUtil.AES_CBC);
+                entity.setNewPassword(newPwd);
+            }
             entity.setUpdateTime(new Date());
             entity.setId(user.getId());
             entity.setUpdateUserId(user.getId());
@@ -291,6 +327,10 @@ public class CustomerController extends BaseCRUDJsonBodyMappingController<Custom
         String busiDesc = "管理员修改密码";
         int code = 1;
         try {
+            if(StringUtils.isNotEmpty(entity.getNewPassword())) {
+                String newPwd = LoginAESUtil.decrypt(entity.getNewPassword(), AES_KEY, AES_IV, LoginAESUtil.AES_CBC);
+                entity.setNewPassword(newPwd);
+            }
             this.service.changePasswordByAdmin(entity, context);
             model.put("id", entity.getId());
             model.put("entity", entity);

eas-manager/src/main/java/com/mortals/xhx/module/question/web/QuestionRecordController.java

 package com.mortals.xhx.module.question.web;
 
 import com.alibaba.fastjson.JSONObject;
+import com.mortals.framework.annotation.UnAuth;
 import com.mortals.framework.common.IBaseEnum;
 import com.mortals.framework.exception.AppException;
 import com.mortals.framework.model.Context;
@@ -55,6 +56,7 @@ public class QuestionRecordController extends BaseCRUDJsonBodyMappingController<
     }
 
     @PostMapping({"ask"})
+    @UnAuth
     public String ask(@RequestBody QuestionRecordEntity entity) {
 
         Map<String, Object> model = new HashMap();
@@ -62,14 +64,19 @@ public class QuestionRecordController extends BaseCRUDJsonBodyMappingController<
         String busiDesc = "新增咨询" + this.getModuleDesc();
         int code = 1;
         try {
-            if(this.getCurUser()==null||this.getCurUser().getUserType()!= Constant.CUSTOMER_USER){
-                throw new AppException("非法用户,不可访问");
+            if(this.getCurUser()==null){
+                entity.setCustomerId(-1l);
+                entity.setCustName("游客");
+                entity.setContactTelphone("12345678901");
+                entity.setOrganization("游客");
+            }else {
+                CustomerEntity customerEntity = customerService.get(this.getCurUser().getId());
+                entity.setCustomerId(this.getCurUser().getId());
+                entity.setCustName(customerEntity.getCustName());
+                entity.setContactTelphone(customerEntity.getContactTelphone());
+                entity.setOrganization(customerEntity.getOrganization());
             }
-            CustomerEntity customerEntity = customerService.get(this.getCurUser().getId());
-            entity.setCustomerId(this.getCurUser().getId());
-            entity.setCustName(customerEntity.getCustName());
-            entity.setContactTelphone(customerEntity.getContactTelphone());
-            entity.setOrganization(customerEntity.getOrganization());
+
 
             entity = this.service.ask(entity,context);
             model.put("entity", entity);