记一次shiro安全漏洞处理。
问题描述
Shiro 反序列化漏洞修复：CookieRememberMeManager 使用写死的默认 AES 密钥（即下文注释里的 4AvVhmFLUs0KTA3Kprsdag==），知道该密钥的攻击者可以伪造 rememberMe cookie，让服务端反序列化任意对象（Shiro-550 / CVE-2016-4437）。
修复方式
1、确认使用的 Shiro 版本不低于 1.2.5（修复该问题的版本，下文示例为 1.2.6）。1.2.5 起若未显式配置 cipherKey，Shiro 会自行生成随机密钥，但凡是把默认密钥写进配置的老项目依然有问题，所以第 2 步必须做。条件允许时建议直接升到 1.4.2 及以上：rememberMe 改用 AES-GCM，可一并消除 CBC 填充预言攻击（Shiro-721 / CVE-2019-12422）。
<shiro.version>1.2.6</shiro.version>
2、在代码中添加一个类，于应用启动时随机生成 AES 密钥并注入 cipherKey，替换写死的密钥。注意：每次启动都会生成新密钥，重启后旧的 rememberMe cookie 全部失效；多实例部署时各节点密钥不同，cookie 无法跨节点识别。这类场景应只生成一次，再通过加密配置或密钥管理服务分发给各实例，切勿把密钥提交到代码仓库。
package cn.hy.common.config;
import org.apache.log4j.Logger;
import org.springframework.context.annotation.Bean;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.NoSuchAlgorithmException;
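public class GenerateCipherKey {
    private static final Logger log = Logger.getLogger(GenerateCipherKey.class);

    /** AES key length in bits. 128 is accepted by every JCE without unlimited-strength policy files. */
    private static final int KEY_BITS = 128;

    /**
     * Generates a fresh random AES key for the Shiro rememberMe cookie cipher.
     * Mirrors org.apache.shiro.crypto.AbstractSymmetricCipherService#generateNewKey(int):
     * a JCE {@link KeyGenerator} (seeded from its default SecureRandom) produces the key and
     * the raw encoded bytes are returned as-is.
     *
     * Called from the Spring XML via SpEL, {@code T(cn.hy.common.config.GenerateCipherKey).generateNewKey()},
     * so a new key is produced on every application start. The {@code @Bean} annotation only has an
     * effect if this class is itself registered with Spring; the XML does not rely on it.
     *
     * @return the raw 16-byte AES key; never logged
     * @throws IllegalStateException if the runtime JCE provides no AES KeyGenerator
     */
    @Bean
    public static byte[] generateNewKey() {
        KeyGenerator keyGenerator;
        try {
            keyGenerator = KeyGenerator.getInstance("AES");
        } catch (NoSuchAlgorithmException e) {
            String msg = "Unable to acquire AES algorithm. This is required to function.";
            throw new IllegalStateException(msg, e);
        }
        keyGenerator.init(KEY_BITS);
        SecretKey secretKey = keyGenerator.generateKey();
        // getEncoded() already yields the raw key bytes. The previous version passed them through
        // org.apache.shiro.codec.Base64.decode(), which treats random bytes as Base64 text, discards
        // most of them and returns a key of the wrong length, which AES rejects at cipher init.
        byte[] encoded = secretKey.getEncoded();
        log.info("生成随机秘钥成功!");
        return encoded;
    }
}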
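<!-- rememberMe manager: encrypts/decrypts the serialized principal stored in the rememberMe cookie -->
<bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
    <!-- cipherKey for the rememberMe cookie (AES; valid key lengths are 128/192/256 bits).
         Never configure a fixed or published key here: anyone who knows it can forge the cookie
         and have the server deserialize attacker-controlled objects. The key is generated at
         startup, so it differs per deployment and per JVM instance. The well-known default key
         that used to sit here as commented-out code has been removed so it cannot be re-enabled. -->
    <property name="cipherKey" value="#{T(cn.hy.common.config.GenerateCipherKey).generateNewKey()}"/>
    <property name="cookie" ref="rememberMeCookie"/>
</bean>
<bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
    <constructor-arg value="rememberMe"/>
    <!-- httpOnly keeps the cookie out of reach of page scripts -->
    <property name="httpOnly" value="true"/>
    <!-- NOTE(review): if the site is served over HTTPS only, also set secure="true" so the cookie is never sent in clear -->
    <property name="maxAge" value="2592000"/><!-- 30 days -->
</bean>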