shiro低版本更新到高版本(>1.10.0)出现报错问题解决

近期漏洞爆出(Apache Shiro < 1.10.0 身份认证绕过漏洞),开始升级新版的jar包。

升级过程

1.修改pom文件shiro版本

<!-- shiro -->
<dependency>
  <groupId>org.apache.shiro</groupId>
  <artifactId>shiro-spring-boot-starter</artifactId>
  <version>1.10.0</version>
</dependency>

2.启动项目报错

The dependencies of some of the beans in the application context form a cycle:

   shiroFilter defined in class path resource [cn/shiro/ShiroConfig.class]
      ↓
   authorizationAttributeSourceAdvisor defined in class path resource [org/apache/shiro/spring/boot/autoconfigure/ShiroAnnotationProcessorAutoConfiguration.class]
      ↓
   securityManager defined in class path resource [cn/shiro/ShiroConfig.class]
      ↓
   customUserValidateRealm (field private cn.mapper.UserMapper cn.shiro.CustomUserValidateRealm.etcMgmtUserMapper)
      ↓
   userMapper defined in file [D:\mapper\UserMapper.class]
      ↓
   sqlSessionFactory defined in class path resource [tk/mybatis/mapper/autoconfigure/MapperAutoConfiguration.class]
┌─────┐
|  masterDataSource defined in class path resource [cn/config/DataSourceConfig.class]
↑     ↓
|  getMasterDateSource defined in class path resource [cn/config/DataSourceConfig.class]
↑     ↓
|  org.springframework.boot.autoconfigure.jdbc.DataSourceInitializerInvoker
└─────┘

解决方法:

1.在自定义Realm中找到userMapper 注入的地方,添加@Lazy

import org.springframework.context.annotation.Lazy;

public class CustomUserValidateRealm extends AuthorizingRealm {

  @Lazy
  @Autowired
  private UserMapper mapper;
}

2. 启动项目依旧报错

Description:
Method filterShiroFilterRegistrationBean in org.apache.shiro.spring.config.web.autoconfigure.ShiroWebFilterConfiguration required a bean named 'shiroFilterFactoryBean' 
that could not be found.
Action:
Consider defining a bean named 'shiroFilterFactoryBean' in your configuration.

3.找到ShiroConfig配置中设置的过滤规则方法(返回ShiroFilterFactoryBean的)给@bean添加name值

@Bean(name="shiroFilterFactoryBean")
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
  ......
}

4.然后再在过滤规则调用方法添加name

@Bean
public FilterRegistrationBean<DelegatingFilterProxy> delegatingFilterProxy() {
     FilterRegistrationBean<DelegatingFilterProxy> filterRegistrationBean = new FilterRegistrationBean<DelegatingFilterProxy>();
     DelegatingFilterProxy proxy = new DelegatingFilterProxy();
     proxy.setTargetFilterLifecycle(true);
     proxy.setTargetBeanName("shiroFilterFactoryBean");
     filterRegistrationBean.setFilter(proxy);
     return filterRegistrationBean;
}

启动项目,问题解决!!!

posted on 2022-12-02 11:21  qqq9527  阅读(3045)  评论(0编辑  收藏  举报

导航