
修复CVE-2016-4437漏洞

chengqiang 4 yıl önce
ebeveyn
işleme
712756ae10

+ 22 - 0
src/main/java/com/jeeplus/modules/utils/GenerateCipherKey.java

@@ -0,0 +1,22 @@
+package com.jeeplus.modules.utils;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import java.security.NoSuchAlgorithmException;
+
+public class GenerateCipherKey {
+    public static byte[] generateNewKey() {
+        KeyGenerator kg;
+        try {
+            kg = KeyGenerator.getInstance("AES");
+        } catch (NoSuchAlgorithmException var5) {
+            String msg = "Unable to acquire AES algorithm.  This is required to function.";
+            throw new IllegalStateException(msg, var5);
+        }
+
+        kg.init(128);
+        SecretKey key = kg.generateKey();
+        byte[] encoded = key.getEncoded();
+        return encoded;
+    }
+}
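Review bot: `generateNewKey()` is evaluated once per JVM start (it is called from the `cipherKey` expression in spring-context-shiro.xml), so every restart invalidates all outstanding remember-me cookies, and in a multi-node deployment each node ends up with a different key, so a cookie issued by one node is rejected by the others. If that is acceptable, say so on the method, e.g. `/** Generates a fresh random 128-bit AES key; evaluated once at container start, so remember-me cookies do not survive a restart or transfer between nodes. */`; otherwise load the key from configuration or a secret store and keep this method only as the tool that produces it. A random key removes the hard-coded default key, but it does not change the cipher mode the remember-me manager uses; whether that mode is authenticated depends on the Shiro version in use and is worth confirming. Minor: the catch variable `var5` reads like a decompiler artifact and should be `e`, and the `encoded` local can be inlined as `return kg.generateKey().getEncoded();`.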

+ 18 - 0
src/main/resources/spring-context-shiro.xml

@@ -101,6 +101,8 @@
         <property name="realm" ref="systemAuthorizingRealm" />
         <property name="sessionManager" ref="sessionManager" />
         <property name="cacheManager" ref="shiroCacheManager" />
+        <!--修复CVE-2016-4437漏洞-->
+        <property name="rememberMeManager" ref="rememberMeManager"></property>
     </bean>
 
     <bean id="systemAuthorizingRealm" class="com.jeeplus.modules.sys.security.SystemAuthorizingRealm"/>
@@ -167,4 +169,20 @@
         <property name="arguments" ref="securityManager" />
     </bean>
 
+    <!--修复CVE-2016-4437漏洞-->
+    <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
+        <property name="cipherKey" value="#{T(com.jeeplus.modules.utils.GenerateCipherKey).generateNewKey()}"></property>
+        <property name="cookie" ref="rememberMeCookie"></property>
+    </bean>
+    <!--修复CVE-2016-4437漏洞-->
+    <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
+        <!-- 写到cookie的name值 -->
+        <constructor-arg value="sid"/>
+        <!-- 设置js是否可以访问cookie,true 不能访问 -->
+        <property name="httpOnly" value="true"></property>
+        <!-- 保存时长30天,以秒为单位 -->
+        <property name="maxAge" value="2592000"></property>
+    </bean>
+
+
 </beans>
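Review bot: The `rememberMeCookie` bean sets `httpOnly` but not `secure`, so the remember-me token is also sent over plain HTTP; if the application is served over TLS, add `<property name="secure" value="true"></property>` next to `httpOnly`. The cookie name `sid` is a common choice for the session cookie as well; if the `sessionManager` bean (outside this hunk) uses the same name, the two cookies would overwrite each other — check it and, if so, use a distinct name such as Shiro's default `rememberMe`. The comments on the cookie properties are in Chinese while the rest of the file's element names are English; consider English equivalents such as `<!-- cookie name -->`, `<!-- not accessible from JavaScript -->` and `<!-- lifetime: 30 days, in seconds -->` for maintainers who do not read Chinese.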