4 years ago · 712756ae10
--- a/src/main/java/com/jeeplus/modules/utils/GenerateCipherKey.java
+++ b/src/main/java/com/jeeplus/modules/utils/GenerateCipherKey.java
@@ -0,0 +1,22 @@
 
																+package com.jeeplus.modules.utils;
															
 
																+
															
 
																+import javax.crypto.KeyGenerator;
															
 
																+import javax.crypto.SecretKey;
															
 
																+import java.security.NoSuchAlgorithmException;
															
 
																+
															
 
																+public class GenerateCipherKey {
															
 
																+    public static byte[] generateNewKey() {
															
 
																+        KeyGenerator kg;
															
 
																+        try {
															
 
																+            kg = KeyGenerator.getInstance("AES");
															
 
																+        } catch (NoSuchAlgorithmException var5) {
															
 
																+            String msg = "Unable to acquire AES algorithm.  This is required to function.";
															
 
																+            throw new IllegalStateException(msg, var5);
															
 
																+        }
															
 
																+
															
 
																+        kg.init(128);
															
 
																+        SecretKey key = kg.generateKey();
															
 
																+        byte[] encoded = key.getEncoded();
															
 
																+        return encoded;
															
 
																+    }
															
 
																+}
															
--- a/src/main/resources/spring-context-shiro.xml
+++ b/src/main/resources/spring-context-shiro.xml
@@ -101,6 +101,8 @@
 
																         <property name="realm" ref="systemAuthorizingRealm" />
															
 
																         <property name="sessionManager" ref="sessionManager" />
															
 
																         <property name="cacheManager" ref="shiroCacheManager" />
															
 
																+        <!--修复CVE-2016-4437漏洞-->
															
 
																+        <property name="rememberMeManager" ref="rememberMeManager"></property>
															
 
																     </bean>
															
 
																     <bean id="systemAuthorizingRealm" class="com.jeeplus.modules.sys.security.SystemAuthorizingRealm"/>
															
@@ -167,4 +169,20 @@
 
																         <property name="arguments" ref="securityManager" />
															
 
																     </bean>
															
 
																+    <!--修复CVE-2016-4437漏洞-->
															
 
																+    <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">
															
 
																+        <property name="cipherKey" value="#{T(com.jeeplus.modules.utils.GenerateCipherKey).generateNewKey()}"></property>
															
 
																+        <property name="cookie" ref="rememberMeCookie"></property>
															
 
																+    </bean>
															
 
																+    <!--修复CVE-2016-4437漏洞-->
															
 
																+    <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">
															
 
																+        <!-- 写到cookie的name值 -->
															
 
																+        <constructor-arg value="sid"/>
															
 
																+        <!-- 设置js是否可以访问cookie，true 不能访问 -->
															
 
																+        <property name="httpOnly" value="true"></property>
															
 
																+        <!-- 保存时长30天，以秒为单位 -->
															
 
																+        <property name="maxAge" value="2592000"></property>
															
 
																+    </bean>
															
 
																+
															
 
																+
															
 
																 </beans>