feat:添加shiro 1.4.1版本及以前的认证bypass环境和以及复现

“threedr3am” · “threedr3am” · commit cb6d7a334fb5 · 2020-03-26T21:48:53.000+08:00
diff --git a/pom.xml b/pom.xml
@@ -22,6 +22,7 @@
     <module>spring</module>
     <module>cas</module>
     <module>ShardingSphere-UI</module>
+    <module>shiro</module>
   </modules>
 
   <name>learn-java-bug</name>
diff --git a/shiro/auth-bypass(shiro<=1.4.1)/pom.xml b/shiro/auth-bypass(shiro<=1.4.1)/pom.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>1.5.22.RELEASE</version>
+    <relativePath/>
+  </parent>
+
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>auth-bypass-shiro-1.4.1</artifactId>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <configuration>
+          <source>7</source>
+          <target>7</target>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-web</artifactId>
+      <version>1.4.1</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-spring</artifactId>
+      <version>1.4.1</version>
+    </dependency>
+  </dependencies>
+
+</project>
diff --git a/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java b/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java
@@ -0,0 +1,13 @@
+package com.threedr3am.bug.shiro.bypass.auth;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Application {
+
+    public static void main(String[] args) {
+        SpringApplication.run(Application.class, args);
+    }
+
+}
diff --git a/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java b/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java
@@ -0,0 +1,42 @@
+package com.threedr3am.bug.shiro.bypass.auth.config;
+
+import com.threedr3am.bug.shiro.bypass.auth.realm.MyRealm;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * @author threedr3am
+ */
+@Configuration
+public class ShiroConfig {
+    @Bean
+    MyRealm myRealm() {
+        return new MyRealm();
+    }
+
+    @Bean
+    SecurityManager securityManager() {
+        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
+        manager.setRealm(myRealm());
+        return manager;
+    }
+
+    @Bean
+    ShiroFilterFactoryBean shiroFilterFactoryBean() {
+        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
+        bean.setSecurityManager(securityManager());
+        bean.setLoginUrl("/login");
+        bean.setSuccessUrl("/index");
+        bean.setUnauthorizedUrl("/unauthorizedurl");
+        Map<String, String> map = new LinkedHashMap();
+        map.put("/login", "anon");
+        map.put("/bypass", "authc");
+        bean.setFilterChainDefinitionMap(map);
+        return bean;
+    }
+}
diff --git a/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java b/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java
@@ -0,0 +1,26 @@
+package com.threedr3am.bug.shiro.bypass.auth.controller;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author threedr3am
+ */
+@RestController
+public class BypassTestController {
+
+    /**
+     * todo 过滤器配置（参考ShiroConfig）中bypass映射认证过滤器最后一个URI字符没有/，使用spring和shiro对资源的解析不一致进行bypass
+     *
+     * 例：配置"/bypass", "authc"，请求http://localhost:8080/bypass/
+     *
+     * shiro <= 1.4.1
+     *
+     * @return
+     */
+    @RequestMapping(value = "/bypass", method = RequestMethod.GET)
+    public String bypass() {
+        return "bypass";
+    }
+}
diff --git a/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java b/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java
@@ -0,0 +1,29 @@
+package com.threedr3am.bug.shiro.bypass.auth.controller;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.Subject;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author threedr3am
+ */
+@RestController
+public class LoginController {
+
+    @RequestMapping(value = "/login", method = RequestMethod.POST)
+    public String login(String username, String password) {
+        Subject subject = SecurityUtils.getSubject();
+        try {
+            subject.login(new UsernamePasswordToken(username, password));
+            return "登录成功!";
+        } catch (AuthenticationException e) {
+            e.printStackTrace();
+            return "登录失败!";
+        }
+
+    }
+}
diff --git a/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java b/shiro/auth-bypass(shiro<=1.4.1)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java
@@ -0,0 +1,28 @@
+package com.threedr3am.bug.shiro.bypass.auth.realm;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.UnknownAccountException;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+
+/**
+ * @author threedr3am
+ */
+public class MyRealm extends AuthorizingRealm {
+    @Override
+    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+        return null;
+    }
+    @Override
+    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+        String username = (String) token.getPrincipal();
+        if (!"threedr3am".equals(username)) {
+            throw new UnknownAccountException("账户不存在!");
+        }
+        return new SimpleAuthenticationInfo(username, "123456", getName());
+    }
+}
diff --git a/shiro/pom.xml b/shiro/pom.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>learn-java-bug</artifactId>
+    <groupId>com.xyh</groupId>
+    <version>1.0-SNAPSHOT</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>shiro</artifactId>
+  <packaging>pom</packaging>
+
+
+</project>
