Commit f354ab37, authored July 20, 2021 by 国产大熊猫
Signed-off-by: 国产大熊猫 <9199771@qq.com>
Parent: 15edb712
Showing 3 changed files with 96 additions and 3 deletions (+96, -3)
blog-admin/src/main/java/com/zyd/blog/core/config/MyClassResolvingObjectInputStream.java (+41, -0)
blog-admin/src/main/java/com/zyd/blog/core/config/MySecSerializer.java (+51, -0)
blog-admin/src/main/java/com/zyd/blog/core/config/ShiroConfig.java (+4, -3)
blog-admin/src/main/java/com/zyd/blog/core/config/MyClassResolvingObjectInputStream.java (new file, mode 0 → 100644)
package
com.zyd.blog.core.config
;
import
org.apache.shiro.util.ClassUtils
;
import
org.apache.shiro.util.UnknownClassException
;
import
java.io.IOException
;
import
java.io.InputStream
;
import
java.io.ObjectInputStream
;
import
java.io.ObjectStreamClass
;
public
class
MyClassResolvingObjectInputStream
extends
ObjectInputStream
{
public
MyClassResolvingObjectInputStream
(
InputStream
inputStream
)
throws
IOException
{
super
(
inputStream
);
}
protected
Class
<?>
resolveClass
(
ObjectStreamClass
osc
)
throws
IOException
,
ClassNotFoundException
{
try
{
String
s
=
osc
.
getName
();
// 干掉常见的gadget,为了避免 [ ; 符号,必须使用contains方法
// 简单的使用 s.equals 可能导致fastjson 以前出现的黑名单逃逸问题
if
(
s
.
contains
(
"java.util.PriorityQueue"
)
||
s
.
contains
(
"xsltc.trax.TemplatesImpl"
))
{
throw
new
ClassNotFoundException
(
"Unable to load Dangerous ObjectStreamClass ["
+
osc
+
"]"
);
}
if
(
s
.
contains
(
"org.apache."
))
{
// 直接干掉了 org.apache ,但是要保留shiro自己
if
(
s
.
startsWith
(
"org.apache.shiro.subject."
))
{
return
ClassUtils
.
forName
(
s
);
}
throw
new
ClassNotFoundException
(
"Unable to load Dangerous ObjectStreamClass ["
+
osc
+
"]"
);
}
// 使用白名单保证业务的正常开展
if
(
s
.
startsWith
(
"java.lang"
)
||
s
.
startsWith
(
"java.util"
))
{
return
ClassUtils
.
forName
(
s
);
}
else
{
throw
new
ClassNotFoundException
(
"Unable to load Dangerous ObjectStreamClass ["
+
osc
+
"]"
);
}
}
catch
(
UnknownClassException
var3
)
{
throw
new
ClassNotFoundException
(
"Unable to load ObjectStreamClass ["
+
osc
+
"]: "
,
var3
);
}
}
}
\ No newline at end of file
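Review bot: the allowlist at the end of resolveClass relies on prefix matching (`s.startsWith("java.lang")`, `s.startsWith("java.util")`), which is broader than the comment "使用白名单保证业务的正常开展" implies: it admits every class under those package trees, subpackages such as java.lang.reflect and java.util.concurrent included, and without a trailing dot it would also match any package whose name merely begins with those strings. Prefer an explicit set of the concrete classes a remember-me PrincipalCollection actually contains (the org.apache.shiro.subject.* types plus the few java.util collections and java.lang types they hold), compared with equals. Note that the deny list is load-bearing as written: `s.contains("java.util.PriorityQueue")` is the only thing keeping that class out of the otherwise admitted java.util tree, whereas the TemplatesImpl entry is already covered by the `"org.apache."` rejection; an explicit class allowlist removes that dependency, and the comment should say which control is primary so a later maintainer does not widen the prefix list believing the deny entries protect them. Two further points: ObjectInputStream.resolveProxyClass is not overridden, so dynamic-proxy descriptors never pass through this resolveClass check and should be made to fail closed the same way; and on Java 9+ (java.io.ObjectInputFilter, JEP 290, backported to 8u121 under sun.misc) an input filter installed in the constructor enforces the same allowlist together with array-length and depth limits in one place, which is the standard mechanism for this. Also observe that the `contains` rationale on the `// 干掉常见的gadget` comment (covering `[` and `;` in array descriptors) only applies to the deny branch; the allowlist's startsWith rejects array descriptors such as `[Ljava.lang.String;` outright, which is fail-closed and acceptable but worth documenting. Minor: annotate resolveClass with @Override.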
blog-admin/src/main/java/com/zyd/blog/core/config/MySecSerializer.java (new file, mode 0 → 100644)
package
com.zyd.blog.core.config
;
import
org.apache.shiro.io.SerializationException
;
import
org.apache.shiro.io.Serializer
;
import
java.io.*
;
public
class
MySecSerializer
<
T
>
implements
Serializer
<
T
>
{
public
MySecSerializer
()
{
}
public
byte
[]
serialize
(
T
o
)
throws
SerializationException
{
if
(
o
==
null
)
{
String
msg
=
"argument cannot be null."
;
throw
new
IllegalArgumentException
(
msg
);
}
else
{
ByteArrayOutputStream
baos
=
new
ByteArrayOutputStream
();
BufferedOutputStream
bos
=
new
BufferedOutputStream
(
baos
);
try
{
ObjectOutputStream
oos
=
new
ObjectOutputStream
(
bos
);
oos
.
writeObject
(
o
);
oos
.
close
();
return
baos
.
toByteArray
();
}
catch
(
IOException
var6
)
{
String
msg
=
"Unable to serialize object ["
+
o
+
"]. In order for the DefaultSerializer to serialize this object, the ["
+
o
.
getClass
().
getName
()
+
"] class must implement java.io.Serializable."
;
throw
new
SerializationException
(
msg
,
var6
);
}
}
}
public
T
deserialize
(
byte
[]
serialized
)
throws
SerializationException
{
if
(
serialized
==
null
)
{
String
msg
=
"argument cannot be null."
;
throw
new
IllegalArgumentException
(
msg
);
}
else
{
ByteArrayInputStream
bais
=
new
ByteArrayInputStream
(
serialized
);
BufferedInputStream
bis
=
new
BufferedInputStream
(
bais
);
try
{
ObjectInputStream
ois
=
new
MyClassResolvingObjectInputStream
(
bis
);
T
deserialized
=
(
T
)
ois
.
readObject
();
ois
.
close
();
return
deserialized
;
}
catch
(
Exception
var6
)
{
String
msg
=
"Unable to deserialize argument byte array."
;
throw
new
SerializationException
(
msg
,
var6
);
}
}
}
}
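Review bot: the catch block in deserialize collapses every failure, including the ClassNotFoundException that MyClassResolvingObjectInputStream raises for a rejected class, into the constant message "Unable to deserialize argument byte array." and keeps the detail only as the wrapped cause. A rejected remember-me cookie is a security signal worth surfacing: log the cause at WARN before rethrowing (the resolver's message already carries the offending ObjectStreamClass name), so the event reaches application logs and can be alerted on, and catch IOException and ClassNotFoundException specifically rather than Exception. Use try-with-resources for ois and oos in both methods; as written, `ois.close()` is skipped whenever readObject throws. Two copy-paste leftovers from Shiro's DefaultSerializer: the serialize error text still reads "In order for the DefaultSerializer to serialize this object", and both serialize and deserialize lack @Override. The unchecked `(T)` cast on the readObject result warrants a @SuppressWarnings("unchecked") with a one-line justification rather than a bare compiler warning.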
blog-admin/src/main/java/com/zyd/blog/core/config/ShiroConfig.java
@@ -225,8 +225,9 @@ public class ShiroConfig {
*/
public
CookieRememberMeManager
rememberMeManager
()
{
CookieRememberMeManager
cookieRememberMeManager
=
new
CookieRememberMeManager
();
cookieRememberMeManager
.
setSerializer
(
new
MySecSerializer
<>());
cookieRememberMeManager
.
setCookie
(
rememberMeCookie
());
//rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128
256 512
位)
//rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128
192 256
位)
cookieRememberMeManager
.
setCipherKey
(
GenerateCipherKey
.
generateNewKey
());
return
cookieRememberMeManager
;
}
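Review bot: the javadoc closing at `*/` just above rememberMeManager() should state why `cookieRememberMeManager.setSerializer(new MySecSerializer<>())` is there: the remember-me cookie is client-supplied input that Shiro decrypts and then Java-deserializes, and MySecSerializer routes that deserialization through an allowlisting ObjectInputStream. Without that sentence the next maintainer may drop the line as an unnecessary customisation. The same comment should also cover `setCipherKey(GenerateCipherKey.generateNewKey())`: a fresh key is produced each time rememberMeManager() runs, so every remember-me cookie becomes unreadable after a restart and cannot be shared across instances. If that is the intent (fail closed, no long-lived secret in source), say so; if not, the key should be loaded from configuration or a secret store rather than generated here. The corrected key-length comment (128, 192 or 256 bits) is accurate for AES; keep it.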
@@ -251,8 +252,8 @@ public class ShiroConfig {
String
msg
=
"Unable to acquire AES algorithm. This is required to function."
;
throw
new
IllegalStateException
(
msg
,
var5
);
}
kg
.
init
(
128
);
// 满足合规应使用256位
kg
.
init
(
256
);
SecretKey
key
=
kg
.
generateKey
();
return
key
.
getEncoded
();
}
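Review bot: `kg.init(256)` is fine on current JDKs, but the runtime requirement belongs next to the comment "满足合规应使用256位": 256-bit AES keys need the unlimited-strength crypto policy, which is the default only from JDK 8u161 onward; on an older runtime KeyGenerator.init(256) itself succeeds and the InvalidKeyException ("Illegal key size") only appears later, when the remember-me cookie is first encrypted or decrypted, which makes the failure hard to attribute to this line. Name the specific compliance requirement in the comment as well, and since the preceding catch block's message says "Unable to acquire AES algorithm", confirm that the KeyGenerator instance in the elided lines above is requested as "AES" so the 256-bit size is valid for it.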