I. Vulnerability description
II. Remediation steps
1. Upgrade the Shiro framework to 1.2.5 or later
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.7.1</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-ehcache</artifactId>
    <version>1.7.1</version>
</dependency>
2. Remove the default (hard-coded) key and use a generated key instead
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.springframework.context.annotation.Bean;

@Bean
public CookieRememberMeManager getRememberManager() {
    CookieRememberMeManager meManager = new CookieRememberMeManager();
    // Generate a fresh random AES key instead of relying on the built-in default key
    AesCipherService cipherService = new AesCipherService();
    meManager.setCipherKey(cipherService.generateNewKey().getEncoded());
    // getRememberMeCookie() is the cookie-building method defined elsewhere in this configuration class
    meManager.setCookie(getRememberMeCookie());
    return meManager;
}
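A fuller version of step 2, added here as an example and not taken from the original post. Because generateNewKey() draws a new random key every time the bean is created, the snippet above issues a different key on every restart and on every instance, so existing RememberMe cookies stop validating; this variant loads the key from an environment variable (the name SHIRO_REMEMBERME_KEY is an assumption) and only generates one when none is configured. The SimpleCookie construction stands in for the post's getRememberMeCookie() method.

```java
import java.util.Base64;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class RememberMeConfig {

    // Hypothetical variable name; a secret store or encrypted config file works the same way.
    private static final String KEY_ENV = "SHIRO_REMEMBERME_KEY";

    /** Returns the AES key from the environment (base64), or generates a fresh one if absent. */
    static byte[] resolveCipherKey() {
        String encoded = System.getenv(KEY_ENV);
        if (encoded != null && !encoded.isEmpty()) {
            byte[] key = Base64.getDecoder().decode(encoded);
            // AES accepts only 128-, 192- or 256-bit keys; fail fast on anything else.
            if (key.length != 16 && key.length != 24 && key.length != 32) {
                throw new IllegalStateException(KEY_ENV + " must decode to a 16/24/32-byte AES key");
            }
            return key;
        }
        // No configured key: generate one per process. Cookies issued before a restart,
        // or by another instance, will no longer decrypt with this key.
        return new AesCipherService().generateNewKey().getEncoded();
    }

    @Bean
    public CookieRememberMeManager rememberMeManager() {
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(resolveCipherKey());

        // Cookie settings: not readable by scripts, sent only over HTTPS, valid for 7 days.
        SimpleCookie cookie = new SimpleCookie("rememberMe");
        cookie.setHttpOnly(true);
        cookie.setSecure(true);
        cookie.setMaxAge(7 * 24 * 60 * 60);
        manager.setCookie(cookie);
        return manager;
    }
}
```

To produce a key for the environment variable once, base64-encode the output of new AesCipherService().generateNewKey().getEncoded() and keep it out of source control.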
Verified myself with a vulnerability scan: the fix works.