Signed-off-by: 国产大熊猫 <9199771@qq.com>

blog-admin/src/main/java/com/zyd/blog/core/config/MyClassResolvingObjectInputStream.java

+package com.zyd.blog.core.config;
+
+import org.apache.shiro.util.ClassUtils;
+import org.apache.shiro.util.UnknownClassException;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+
+public class MyClassResolvingObjectInputStream extends ObjectInputStream {
+    public MyClassResolvingObjectInputStream(InputStream inputStream) throws IOException {
+        super(inputStream);
+    }
+
+    protected Class<?> resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException {
+        try {
+            String s = osc.getName();
+            // 干掉常见的gadget，为了避免 [ ; 符号，必须使用contains方法
+            // 简单的使用 s.equals 可能导致fastjson 以前出现的黑名单逃逸问题
+            if (s.contains("java.util.PriorityQueue") || s.contains("xsltc.trax.TemplatesImpl")) {
+                throw new ClassNotFoundException("Unable to load Dangerous ObjectStreamClass [" + osc + "]");
+            }
+            if (s.contains("org.apache.")) {
+                // 直接干掉了 org.apache ，但是要保留shiro自己
+                if (s.startsWith("org.apache.shiro.subject.")) {
+                    return ClassUtils.forName(s);
+                }
+                throw new ClassNotFoundException("Unable to load Dangerous ObjectStreamClass [" + osc + "]");
+            }
+            // 使用白名单保证业务的正常开展
+            if (s.startsWith("java.lang") || s.startsWith("java.util")) {
+                return ClassUtils.forName(s);
+            } else {
+                throw new ClassNotFoundException("Unable to load Dangerous ObjectStreamClass [" + osc + "]");
+            }
+        } catch (UnknownClassException var3) {
+            throw new ClassNotFoundException("Unable to load ObjectStreamClass [" + osc + "]: ", var3);
+        }
+    }
+}
\ No newline at end of file

blog-admin/src/main/java/com/zyd/blog/core/config/MySecSerializer.java

+package com.zyd.blog.core.config;
+
+import org.apache.shiro.io.SerializationException;
+import org.apache.shiro.io.Serializer;
+
+import java.io.*;
+
+public class MySecSerializer<T> implements Serializer<T> {
+    public MySecSerializer() {
+    }
+
+    public byte[] serialize(T o) throws SerializationException {
+        if (o == null) {
+            String msg = "argument cannot be null.";
+            throw new IllegalArgumentException(msg);
+        } else {
+            ByteArrayOutputStream baos = new ByteArrayOutputStream();
+            BufferedOutputStream bos = new BufferedOutputStream(baos);
+
+            try {
+                ObjectOutputStream oos = new ObjectOutputStream(bos);
+                oos.writeObject(o);
+                oos.close();
+                return baos.toByteArray();
+            } catch (IOException var6) {
+                String msg = "Unable to serialize object [" + o + "].  In order for the DefaultSerializer to serialize this object, the [" + o.getClass().getName() + "] class must implement java.io.Serializable.";
+                throw new SerializationException(msg, var6);
+            }
+        }
+    }
+
+    public T deserialize(byte[] serialized) throws SerializationException {
+        if (serialized == null) {
+            String msg = "argument cannot be null.";
+            throw new IllegalArgumentException(msg);
+        } else {
+            ByteArrayInputStream bais = new ByteArrayInputStream(serialized);
+            BufferedInputStream bis = new BufferedInputStream(bais);
+
+            try {
+                ObjectInputStream ois = new MyClassResolvingObjectInputStream(bis);
+                T deserialized = (T) ois.readObject();
+                ois.close();
+                return deserialized;
+            } catch (Exception var6) {
+                String msg = "Unable to deserialize argument byte array.";
+                throw new SerializationException(msg, var6);
+            }
+        }
+    }
+}

blog-admin/src/main/java/com/zyd/blog/core/config/ShiroConfig.java

@@ -225,8 +225,9 @@ public class ShiroConfig {
      */
     public CookieRememberMeManager rememberMeManager() {
         CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
+        cookieRememberMeManager.setSerializer(new MySecSerializer<>());
         cookieRememberMeManager.setCookie(rememberMeCookie());
-        //rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位)
+        //rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 192 256 位)
         cookieRememberMeManager.setCipherKey(GenerateCipherKey.generateNewKey());
         return cookieRememberMeManager;
     }
@@ -251,8 +252,8 @@ public class ShiroConfig {
                 String msg = "Unable to acquire AES algorithm.  This is required to function.";
                 throw new IllegalStateException(msg, var5);
             }
-
-            kg.init(128);
+            // 满足合规应使用256位
+            kg.init(256);
             SecretKey key = kg.generateKey();
             return key.getEncoded();
         }