[CVE-2020-1957] Authentication bypass in Apache Shiro before 1.5.2

Affects Apache Shiro before 1.5.2 when used with Spring dynamic controllers: a specially crafted request can get past the Shiro filter chain and reach a controller that should have required authentication (see the oss-sec advisory below). The fix is to upgrade to 1.5.2 or later.

Reference sample (the spring-boot-web sample in the Shiro repository, used for the tests below):
https://github.com/apache/shiro/tree/master/samples/spring-boot-web
Advisory references:

  • https://help.aliyun.com/noticelist/articleid/1060253375.html?spm=a2c4g.789213612.n2.6.74ff6141cdyXDH
  • https://seclists.org/oss-sec/2020/q1/120

Official fix and its test case:
https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce
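Since the only remediation is the version bump, the first thing to check in an affected project is which Shiro artifacts it actually pulls in and whether they are below 1.5.2. The script below is an added example, not code from the original post or from the Shiro project: it reads a Maven pom.xml (the sample pom embedded here is constructed for illustration), resolves `${property}` version references, and compares versions numerically rather than as strings, so that 1.10.0 is correctly treated as newer than 1.5.2.

```python
"""Flag org.apache.shiro dependencies affected by CVE-2020-1957 (versions < 1.5.2).

Added example. SAMPLE_POM is a constructed pom.xml, not taken from any real project.
Assumes the Maven 4.0.0 POM namespace on the root element.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 5, 2)  # first Shiro release carrying the official fix

# Constructed sample pom.xml: one vulnerable Shiro artifact via a property,
# one fixed Shiro artifact with a literal version, one unrelated dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <shiro.version>1.4.2</shiro.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-spring-boot-web-starter</artifactId>
      <version>${shiro.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-core</artifactId>
      <version>1.10.0</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>2.1.3.RELEASE</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """Turn '1.5.2', '1.10.0-SNAPSHOT' or '1.5' into a 3-tuple of ints.

    Numeric comparison matters: as plain strings '1.10.0' < '1.5.2'.
    Non-numeric trailing parts (qualifiers) are ignored.
    """
    core = text.strip().split("-")[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version is older than the fixed release 1.5.2."""
    return parse_version(version) < FIXED_VERSION


def shiro_dependencies(pom_xml):
    """Return [(artifactId, resolved version)] for every org.apache.shiro dependency,
    expanding ${property} references from the <properties> block."""
    root = ET.fromstring(pom_xml)
    props = {
        p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
        for p in root.findall("m:properties/*", NS)
    }
    found = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "org.apache.shiro":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        raw = dep.findtext("m:version", default="", namespaces=NS).strip()
        # Expand ${name}; unknown properties are left as-is so they show up in the report.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        found.append((artifact, version))
    return found


def audit(pom_xml):
    """Return [(artifactId, version, affected)] for all Shiro dependencies in the pom."""
    return [(a, v, is_affected(v)) for a, v in shiro_dependencies(pom_xml)]


if __name__ == "__main__":
    for artifact, version, bad in audit(SAMPLE_POM):
        status = "AFFECTED by CVE-2020-1957, upgrade to >= 1.5.2" if bad else "ok"
        print(f"{artifact} {version}: {status}")
```

Only the declared versions are inspected; a version inherited from a parent POM or forced by dependencyManagement will not appear here, so confirm with `mvn dependency:tree` on the real project.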

/hello (without credentials)

Requesting /hello without credentials: Shiro's authc filter redirects the request to the login page.
(screenshot: redirect to login)

/hello (with credentials)

After logging in, the same request to /hello is served by the controller.
(screenshot: /hello served to an authenticated session)

Reaching /hello through the bypass

The crafted request reaches the /hello controller without any session or credentials, i.e. the authc filter never applied to it.
(screenshot: /hello served to an unauthenticated request)

Shiro login demo

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class MainController {

    // Form login: builds a UsernamePasswordToken and hands it to Subject#login,
    // which delegates to SecurityManager#login (call chain shown below).
    @RequestMapping(value = "loginUser", method = RequestMethod.POST)
    public String loginUser(String userName, String passwd, Model model) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(userName, passwd);
        try {
            subject.login(token);
            return "redirect:/index";
        } catch (UnknownAccountException e) {
            // Demo only: separate "unknown user" and "wrong password" messages let an
            // attacker enumerate valid usernames; production code should return one message.
            model.addAttribute("message", "Wrong username!");
            return "login";
        } catch (IncorrectCredentialsException e) {
            model.addAttribute("message", "Wrong password");
            return "login";
        } catch (AuthenticationException e) {
            // Any other authentication failure (locked account, expired credentials, ...)
            // would otherwise escape as a 500 error.
            model.addAttribute("message", "Login failed");
            return "login";
        }
    }
}

Login call chain:

org.apache.shiro.subject.support.DelegatingSubject#login
=>
org.apache.shiro.mgt.SecurityManager#login
(screenshot: SecurityManager#login in the debugger)


Reposted from blog.csdn.net/caiqiiqi/article/details/105098583