对于shiro rememberMe 反序列化漏洞
1、已经升级到最新的版本1.9.1
2、但应该如何关闭RememberMe持久化登录呢?
Response 中 header里也有 rememberMe = deleteMe,是否可以去掉?
有 rememberMe = deleteMe 就行了，说明这个功能你已经禁用了。这个漏洞可以使用自定义加密密钥解决，例如：
/**
 * Remember-me cookie definition.
 *
 * <p>The cookie is named {@code rememberMe}, which must match the
 * {@code name} of the front-end checkbox that opts into persistent login.
 * Its lifetime is 30 days, given to Shiro in seconds.
 *
 * @return the configured remember-me cookie
 */
@Bean
public SimpleCookie rememberMeCookie() {
    // 30 days expressed in seconds (2592000).
    final int thirtyDaysInSeconds = 30 * 24 * 60 * 60;
    SimpleCookie cookie = new SimpleCookie("rememberMe");
    cookie.setMaxAge(thirtyDaysInSeconds);
    // NOTE(review): Secure/HttpOnly are left at SimpleCookie's defaults here —
    // confirm they suit the deployment (an HTTPS-only site usually wants Secure set).
    return cookie;
}
/**
 * Remember-me manager wired to the cookie from {@link #rememberMeCookie()}
 * and keyed with a fresh AES key from {@link #createCipherKey()}.
 *
 * <p>Because the key is generated at bean creation, remembered identities
 * presumably do not survive a process restart and are not shared between
 * instances; that is fine if persistent login is not actually relied on.
 *
 * <p>NOTE(review): a {@code rememberMe=deleteMe} response header is this
 * manager clearing the cookie (for example on logout), not by itself proof
 * that remember-me is disabled — if the feature is unwanted, verify the
 * cookie is never issued rather than relying on that header.
 *
 * @return the configured remember-me manager
 */
@Bean
public CookieRememberMeManager rememberMeManager() {
    CookieRememberMeManager manager = new CookieRememberMeManager();
    manager.setCookie(rememberMeCookie());
    manager.setCipherKey(createCipherKey());
    return manager;
}
/**
 * Generates a fresh, random 128-bit AES key for the remember-me cipher.
 *
 * <p>Each call returns a different key, so the key is not fixed in source
 * or configuration.
 *
 * @return the raw encoded key bytes (16 bytes for AES-128)
 * @throws DscException if no {@code AES} {@link KeyGenerator} is available
 */
public byte[] createCipherKey() {
    KeyGenerator aesKeyGen;
    try {
        aesKeyGen = KeyGenerator.getInstance("AES");
    } catch (Exception e) {
        // NOTE(review): the underlying exception is dropped here; DscException's
        // constructors are not visible in this file — confirm whether one accepts a cause.
        throw new DscException(ErrorCodeEnum.UNKNOWN_EXCEPTION, "Init AES key error!");
    }
    // 128-bit key size; generateKey() draws a new random key every time.
    aesKeyGen.init(128);
    return aesKeyGen.generateKey().getEncoded();
}