Vulnerabilities in lower Shiro versions can be fixed by upgrading the Shiro version

Upgrade from the low version to a high one: 1.7.0 ----> 1.9.1.
Attackers have been heavily exploiting Shiro vulnerabilities. Finding these latest packages took a day of searching; after a tip from another user I finally found where they live. (Many CSDN users upload them to their blogs, but charge for the download, which is annoying.)

Download address: (Maven library)

https://mvnrepository.com/artifact/org.apache.shiro/shiro-core

As for what needs to be upgraded, the following has been tested (taking an upgrade to version 1.7 as the example):

shiro-core-1.7.0.jar

shiro-web-1.7.0.jar

shiro-ehcache-1.7.0.jar

Since the newer version depends on some additional functionality, the following two jars are also required (both can be found in the repository above):

commons-beanutils-1.9.4.jar

encoder-1.2.2.jar
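As an added example (not from the original post), the same five jars declared as Maven dependencies, which is how the repository linked above is normally consumed instead of downloading jars by hand. The group ids are the ones these artifacts are published under on Maven Central; the versions are the ones listed above. Declaring commons-beanutils and encoder explicitly pins the versions the post names rather than relying on transitive resolution.

```xml
<!-- Added example: Maven dependency block for the Shiro 1.7.0 upgrade described above -->
<dependencies>
    <!-- Core Shiro authentication/authorization API -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-core</artifactId>
        <version>1.7.0</version>
    </dependency>
    <!-- Servlet/web integration (filters, web session manager) -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-web</artifactId>
        <version>1.7.0</version>
    </dependency>
    <!-- Ehcache-backed caching for sessions and authorization data -->
    <dependency>
        <groupId>org.apache.shiro</groupId>
        <artifactId>shiro-ehcache</artifactId>
        <version>1.7.0</version>
    </dependency>
    <!-- Required by shiro-core; pinned to the version the post lists -->
    <dependency>
        <groupId>commons-beanutils</groupId>
        <artifactId>commons-beanutils</artifactId>
        <version>1.9.4</version>
    </dependency>
    <!-- OWASP Java Encoder, used by shiro-web; pinned to the version the post lists -->
    <dependency>
        <groupId>org.owasp.encoder</groupId>
        <artifactId>encoder</artifactId>
        <version>1.2.2</version>
    </dependency>
</dependencies>
```

After changing the versions, run `mvn dependency:tree` and confirm that no older shiro-core or shiro-web remains on the classpath through another module.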

Problem encountered: after upgrading Shiro 1.3 to 1.7, a 400 error was returned on the redirect to the login page.
Because the project required single sign-on, the original project was converted to single sign-on and Shiro was upgraded from the original 1.3 to 1.7. With no other changes to the code, the login redirect returned 400 while direct access to the login page worked normally. The difference between the two is that the redirect URL has a jsessionid parameter appended, which causes the 400. Changing the configuration file fixes it; the code is as follows:

	<bean id="sessionManager" class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
		<!-- this parameter defaults to true; change it to false -->
		<property name="sessionIdUrlRewritingEnabled" value="false" />
		<property name="globalSessionTimeout" value="1800000" />
	</bean>

	<!-- securityManager: the security manager -->
	<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
		<property name="realm" ref="userAuthorizingRealm" />
		<property name="sessionManager" ref="sessionManager" />
	</bean>

Origin blog.csdn.net/qq_41848006/article/details/129968390