blog-admin/src/main/java/com/zyd/blog/core/config/MyClassResolvingObjectInputStream.java

+package com.zyd.blog.core.config;
+
+import org.apache.shiro.util.ClassUtils;
+import org.apache.shiro.util.UnknownClassException;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+
+public class MyClassResolvingObjectInputStream extends ObjectInputStream {
+    public MyClassResolvingObjectInputStream(InputStream inputStream) throws IOException {
+        super(inputStream);
+    }
+
+    protected Class<?> resolveClass(ObjectStreamClass osc) throws IOException, ClassNotFoundException {
+        try {
+            String s = osc.getName();
+            // 干掉常见的gadget，为了避免 [ ; 符号，必须使用contains方法
+            // 简单的使用 s.equals 可能导致fastjson 以前出现的黑名单逃逸问题
+            if (s.contains("java.util.PriorityQueue") || s.contains("xsltc.trax.TemplatesImpl")) {
+                throw new ClassNotFoundException("Unable to load Dangerous ObjectStreamClass [" + osc + "]");
+            }
+            if (s.contains("org.apache.")) {
+                // 直接干掉了 org.apache ，但是要保留shiro自己
+                if (s.startsWith("org.apache.shiro.subject.")) {
+                    return ClassUtils.forName(s);
+                }
+                throw new ClassNotFoundException("Unable to load Dangerous ObjectStreamClass [" + osc + "]");
+            }
+            // 使用白名单保证业务的正常开展
+            if (s.startsWith("java.lang") || s.startsWith("java.util")) {
+                return ClassUtils.forName(s);
+            } else {
+                throw new ClassNotFoundException("Unable to load Dangerous ObjectStreamClass [" + osc + "]");
+            }
+        } catch (UnknownClassException var3) {
+            throw new ClassNotFoundException("Unable to load ObjectStreamClass [" + osc + "]: ", var3);
+        }
+    }
+}
\ No newline at end of file

blog-admin/src/main/java/com/zyd/blog/core/config/MySecSerializer.java

+package com.zyd.blog.core.config;
+
+import org.apache.shiro.io.SerializationException;
+import org.apache.shiro.io.Serializer;
+
+import java.io.*;
+
+public class MySecSerializer<T> implements Serializer<T> {
+    public MySecSerializer() {
+    }
+
+    public byte[] serialize(T o) throws SerializationException {
+        if (o == null) {
+            String msg = "argument cannot be null.";
+            throw new IllegalArgumentException(msg);
+        } else {
+            ByteArrayOutputStream baos = new ByteArrayOutputStream();
+            BufferedOutputStream bos = new BufferedOutputStream(baos);
+
+            try {
+                ObjectOutputStream oos = new ObjectOutputStream(bos);
+                oos.writeObject(o);
+                oos.close();
+                return baos.toByteArray();
+            } catch (IOException var6) {
+                String msg = "Unable to serialize object [" + o + "].  In order for the DefaultSerializer to serialize this object, the [" + o.getClass().getName() + "] class must implement java.io.Serializable.";
+                throw new SerializationException(msg, var6);
+            }
+        }
+    }
+
+    public T deserialize(byte[] serialized) throws SerializationException {
+        if (serialized == null) {
+            String msg = "argument cannot be null.";
+            throw new IllegalArgumentException(msg);
+        } else {
+            ByteArrayInputStream bais = new ByteArrayInputStream(serialized);
+            BufferedInputStream bis = new BufferedInputStream(bais);
+
+            try {
+                ObjectInputStream ois = new MyClassResolvingObjectInputStream(bis);
+                T deserialized = (T) ois.readObject();
+                ois.close();
+                return deserialized;
+            } catch (Exception var6) {
+                String msg = "Unable to deserialize argument byte array.";
+                throw new SerializationException(msg, var6);
+            }
+        }
+    }
+}

blog-admin/src/main/java/com/zyd/blog/core/config/ShiroConfig.java

@@ -225,8 +225,10 @@ public class ShiroConfig {
      */
     public CookieRememberMeManager rememberMeManager() {
         CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
+        // 使用自定义的序列化类
+        cookieRememberMeManager.setSerializer(new MySecSerializer<>());
         cookieRememberMeManager.setCookie(rememberMeCookie());
-        //rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位)
+        //rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 192 256 位)
         cookieRememberMeManager.setCipherKey(GenerateCipherKey.generateNewKey());
         return cookieRememberMeManager;
     }
@@ -251,8 +253,8 @@ public class ShiroConfig {
                 String msg = "Unable to acquire AES algorithm.  This is required to function.";
                 throw new IllegalStateException(msg, var5);
             }
-
-            kg.init(128);
+            // 满足合规应使用256位
+            kg.init(256);
             SecretKey key = kg.generateKey();
             return key.getEncoded();
         }

blog-admin/src/main/resources/static/assets/js/zhyd.treetable.js

@@ -18,7 +18,7 @@ $.extend({
             toobarTemplate: '<div id="tree-table-toolbar" class="btn-group" role="group" aria-label="..."><button id="add-btn" type="button" class="btn btn-info" title="新增"><i class="fa fa-plus fa-fw"> </i> </button><button id="batch-delete-btn" type="button" class="btn btn-danger" title="批量删除"><i class="fa fa-trash-o fa-fw"> </i> </button></div>',
             oprater: {
                 title: '操作',
-                width: '100px',
+                width: '130px',
                 align: "center",
                 formatter: function (value, row, index) {
                     var curId = row.id;
@@ -168,4 +168,4 @@ $.extend({
 
         }
     }
-});
\ No newline at end of file
+});

blog-admin/src/main/resources/templates/resources/list.ftl

@@ -114,7 +114,7 @@
                 }, {
                     field: '-',
                     title: '层级',
-                    width: "60px",
+                    width: "90px",
                     align: "center"
                 }, {
                     field: 'name',
@@ -132,6 +132,7 @@
                 }, {
                     field: 'type',
                     title: '资源类型',
+                    width: '100px',
                     formatter: function (code) {
                         return code == 'menu' ? '菜单' : '按钮';
                     }
@@ -196,4 +197,4 @@
             })
         });
     </script>
-</@footer>
\ No newline at end of file
+</@footer>

docs/nginx/nginx-local-file-storage-80.conf

 server {
     listen 80;
     server_name 改成自己的域名;
-    root 改成自己的文件目录;;
-	
+    root 改成自己的文件目录;
+
 	location ^~ / {
 		try_files $uri $uri/ /index.html;
- 	    proxy_set_header Cookie $http_cookie; 
+ 	    proxy_set_header Cookie $http_cookie;
 		proxy_set_header Host $host:$server_port;
     }
 }