参考示例:
https://github.com/apache/shiro/tree/master/samples/spring-boot-web
公告参考:
- https://help.aliyun.com/noticelist/articleid/1060253375.html?spm=a2c4g.789213612.n2.6.74ff6141cdyXDH
- https://seclists.org/oss-sec/2020/q1/120
官方修复测试用例:
https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce
/hello(不带凭据)
不带凭据访问/hello,被重定向到login进行登录:
/hello(带凭据)
使用绕过方式访问/hello
Shiro登录demo
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.catalina.Context;
import org.apache.catalina.core.ApplicationContext;
import org.apache.catalina.core.ApplicationFilterConfig;
import org.apache.catalina.core.StandardContext;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.apache.shiro.authz.annotation.RequiresRoles;
import org.apache.shiro.subject.Subject;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.context.ContextLoader;
import org.springframework.web.servlet.ModelAndView;
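@Controller
public class MainController {

    private static final Logger LOG = Logger.getLogger(MainController.class.getName());

    /**
     * Handles the login form POST by authenticating the submitted credentials
     * against the current Shiro {@link Subject}.
     *
     * <p>Only the two failure types shown in the demo are handled here; any other
     * {@code AuthenticationException} subclass thrown by {@code subject.login}
     * propagates to the container.
     *
     * @param userName account name bound from the request (untrusted input)
     * @param passwd   password bound from the request (untrusted input)
     * @param model    view model that carries an error message back to the login page
     * @return {@code "redirect:/index"} on success, otherwise the {@code "login"} view
     */
    @RequestMapping(value = "loginUser", method = RequestMethod.POST)
    public String loginUser(String userName, String passwd, Model model) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(userName, passwd);
        try {
            subject.login(token);
            return "redirect:/index";
        } catch (UnknownAccountException e) {
            // Log through a logger instead of dumping to stderr; the submitted
            // user name is deliberately not echoed into the log line.
            LOG.log(Level.WARNING, "Login failed: unknown account", e);
            // NOTE(review): a message that differs from the wrong-password case lets a
            // client tell whether an account exists; a single generic message avoids that.
            model.addAttribute("message", "用户名错误!");
            return "login";
        } catch (IncorrectCredentialsException e) {
            LOG.log(Level.WARNING, "Login failed: incorrect credentials", e);
            model.addAttribute("message", "密码错误");
            return "login";
        }
    }
}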
org.apache.shiro.subject.support.DelegatingSubject#login
=>
org.apache.shiro.mgt.SecurityManager#login