🌱 一款现代化的脚手架项目
License: GNU General Public License v3.0
🌱 Hope-Boot 一款现代化的脚手架项目,给爱学习的同学多一个选择。
Hope [ˈامید ہے],意为希望。
用于企业开发,技术学习等。🍻🍻
关于作者 | QQ 交流群 | Telegram 交流群 | 微博 | 公众号
微信:如果需要和我交流的话可以加我私人微信,有问题的话也可以问,我会尽量回答大家
| 版本 | 文档 | Code Branches |
|---|---|---|
| SpringBoot基础版 | 开始使用 | 1.0.0-release |
| Dubbo分布式精简版 | 开发中 | 开发中 |
Hope-Boot 使用 GPL-v3.0 协议开源,请尽量遵守开源协议,即便是在**。
如果 Hope-Boot 对你有帮助,可以请作者吃个肉夹馍 :)
The author has set a fixed key in the com.hope.shiro.config.ShiroConfig under the hope-admin package and uses this key to encrypt the rememberMe parameter in the cookie. This situation can lead to a deserialisation attack with very serious consequences.
This key can also be obtained by decrypting the ciphertext corresponding to the rememberMe parameter.
Set up a local environment for attacks. When the attacker logs in and selects remember me, the cookie will have the rememberMe field
After blasting or auditing the source code, we can find that the encoded key is 1QWLxg+NYmxraMoxAXu/Iw==, which is the same as the key set in the source code.
After an audit, I found that the source code contains commons-beanutils-1.9.4.jar dependency, which is actually a dependency included in shiro.
Using this dependency, it is possible to generate a deserialized payload and then encrypt the payload using the key obtained by blasting.
Finally, write this payload after the rememberMe field and attack it. Successful RCE
Note that the JSESSIONID in the cookie field should be deleted, otherwise the system will make judgments directly based on the JSESSIONID.
修改了redis和mysql的连接参数
直接运行hope-flyway目录下的HopeFlywayApplication.java
控制台显示springboot启动成功,没有任何报错,但是数据库表没有生成
详细的图示和文档说明 并且标出了参考的官方规范地址便于查证
截图:
22:35:11.318 logback [localhost-startStop-1] INFO o.a.c.core.AprLifecycleListener - The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [C:\Program Files\Java\jdk-10.0.2\bin;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;D:\Program Files (x86)\NetSarang\Xshell 6\;C:\Program Files\Python37\Scripts\;C:\Program Files\Python37\;C:\Program Files (x86)\Python37-32\Scripts\;C:\Program Files (x86)\Python37-32\;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;";C:\Program Files\Java\jdk-10.0.2\bin;C:\Program Files\Java\jdk-10.0.2\jre\bin;";C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;E:\MyJava\maven\apache-maven-3.5.4\bin\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;E:\MyJava\myGit\Git\Git\cmd;E:\GitHub\node;E:\MyJava\gradle-4.10.2\bin\;D:\Program Files\nodejs\;D:\Program Files\nodejs\node_global;C:\Program Files\NVIDIA Corporation\NVIDIA NvDLISR;D:\develop\HashiCorp\Vagrant\bin;C:\Program Files\Intel\WiFi\bin\;C:\Program Files\Common Files\Intel\WirelessCommon\;C:\Program Files\Java\jdk-10.0.2\bin;C:\Program Files\Java\jdk-10.0.2\jre\bin;C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\Intel\Intel(R) Management Engine Components\DAL;C:\Program Files\MySQL\MySQL Server 5.7\bin;;.]
以为是环境变量问题,重新好了一遍还是无解,百度了一下,加了jar包也无解,有解决的吗 +++
//rememberMe cookie加密的密钥 建议每个项目都不一样 默认AES算法 密钥长度(128 256 512 位)
cookieRememberMeManager.setCipherKey(Base64.decode("1QWLxg+NYmxraMoxAXu/Iw=="));
能把commit message 规范一点就好了。
运行项目flyway没有在数据库生成表
建议添加mybatis plus支持
12:04:54.605 logback [main] WARN o.s.b.w.s.c.AnnotationConfigServletWebServerApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'xmlModelPlugin': Lookup method resolution failed; nested exception is java.lang.IllegalStateException: Failed to introspect Class [springfox.documentation.schema.XmlModelPlugin] from ClassLoader [jdk.internal.loader.ClassLoaders$AppClassLoader@2c13da15]
QQ 交流群链接有问题
test能正常运行;数据库链接配置也没错,运行admin下面就这样
17:41:10.065 logback [main] WARN o.s.b.w.s.c.AnnotationConfigServletWebServerApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shiroFilter' defined in class path resource [com/hope/shiro/config/ShiroConfig.class]: BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'authorizationAttributeSourceAdvisor' defined in class path resource [com/hope/shiro/config/ShiroConfig.class]: Unsatisfied dependency expressed through method 'authorizationAttributeSourceAdvisor' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'securityManager' defined in class path resource [com/hope/shiro/config/ShiroConfig.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.apache.shiro.mgt.SecurityManager]: Factory method 'securityManager' threw exception; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'hopeShiroReam': Unsatisfied dependency expressed through field 'redisSessionDAO'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'redisSessionDAO' defined in class path resource [com/hope/shiro/config/ShiroConfig.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.crazycake.shiro.RedisSessionDAO]: Factory method 'redisSessionDAO' threw exception; nested exception is java.lang.NullPointerException
怎么才能测试限制同一账号,登录人数的控制,能否大致讲一下流程
正在学习shiro 谢谢分享开源
谢谢作者
给企业用的东西,你这登录页样式我看介绍图都搞得这么花里胡哨的
你说程序员还下载再看啊,
有些东西,原则很重要,态度也很重要的
个人觉得企业的软件也好,支持也好
稳定和可靠是要放第一的
不要太轻浮。稳重shi 有道理的。
不像个人的软件,坏了自己修一下就好
企业的软件down一下可能是十个人也可能是四五十个人在等着运转的。
所以不是设计风格上的问题,是再做代码和做软件的态度和初心上的问题
要更成熟稳重,多点责任感。
希望能加入docker部署项目的配置,pom文件的和Dokcfile文件配置的,尽量全一点,熊猫
如果远程redis有auth,无法连接
希望可以有个demo站,方便看看效果
菜单是写死的吗?
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.