shiro低版本更新到高版本(>1.10.0)出现报错问题解决

近期漏洞爆出(Apache Shiro < 1.10.0 身份认证绕过漏洞),开始升级新版的jar包。

升级过程

1.修改pom文件shiro版本

?
1
2
3
4
5
6
<!-- shiro -->
<dependency>
  <groupId>org.apache.shiro</groupId>
  <artifactId>shiro-spring-boot-starter</artifactId>
  <version>1.10.0</version>
</dependency>

2.启动项目报错

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
The dependencies of some of the beans in the application context form a cycle:
 
   shiroFilter defined in class path resource [cn/shiro/ShiroConfig.class]
      
   authorizationAttributeSourceAdvisor defined in class path resource [org/apache/shiro/spring/boot/autoconfigure/ShiroAnnotationProcessorAutoConfiguration.class]
      
   securityManager defined in class path resource [cn/shiro/ShiroConfig.class]
      
   customUserValidateRealm (field private cn.mapper.UserMapper cn.shiro.CustomUserValidateRealm.etcMgmtUserMapper)
      
   userMapper defined in file [D:\mapper\UserMapper.class]
      
   sqlSessionFactory defined in class path resource [tk/mybatis/mapper/autoconfigure/MapperAutoConfiguration.class]
┌─────┐
|  masterDataSource defined in class path resource [cn/config/DataSourceConfig.class]
↑     ↓
|  getMasterDateSource defined in class path resource [cn/config/DataSourceConfig.class]
↑     ↓
|  org.springframework.boot.autoconfigure.jdbc.DataSourceInitializerInvoker
└─────┘

解决方法:

1.在自定义Realm中找到userMapper 注入的地方,添加@Lazy

?
1
2
3
4
5
6
7
8
import org.springframework.context.annotation.Lazy;
 
public class CustomUserValidateRealm extends AuthorizingRealm {
 
  @Lazy
  @Autowired
  private UserMapper mapper;
}

2. 启动项目依旧报错

?
1
2
3
4
5
Description:
Method filterShiroFilterRegistrationBean in org.apache.shiro.spring.config.web.autoconfigure.ShiroWebFilterConfiguration required a bean named 'shiroFilterFactoryBean'
that could not be found.
Action:
Consider defining a bean named 'shiroFilterFactoryBean' in your configuration.

3.找到ShiroConfig配置中设置的过滤规则方法(返回ShiroFilterFactoryBean的)给@bean添加name值

?
1
2
3
4
@Bean(name="shiroFilterFactoryBean")
public ShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
  ......
}

4.然后再在过滤规则调用方法添加name

?
1
2
3
4
5
6
7
8
9
@Bean
public FilterRegistrationBean<DelegatingFilterProxy> delegatingFilterProxy() {
     FilterRegistrationBean<DelegatingFilterProxy> filterRegistrationBean = new FilterRegistrationBean<DelegatingFilterProxy>();
     DelegatingFilterProxy proxy = new DelegatingFilterProxy();
     proxy.setTargetFilterLifecycle(true);
     proxy.setTargetBeanName("shiroFilterFactoryBean");
     filterRegistrationBean.setFilter(proxy);
     return filterRegistrationBean;
}

启动项目,问题解决!!!

posted on   qqq9527  阅读(3218)  评论(0编辑  收藏  举报

相关博文:
·  服务启动没问题,打包出现异常乱码问题修改记录
·  springboot2.x、工作流activiti6.0与tk.mybatis整合出现异常问题解决
·  Shiro漏洞复现-springboot运行报错的解决 && 项目本地tomcat部署
·  Shiro未授权漏洞解析环境搭建
·  shiro的过滤,授权,认证
阅读排行:
· 震惊!C++程序真的从main开始吗?99%的程序员都答错了
· 【硬核科普】Trae如何「偷看」你的代码?零基础破解AI编程运行原理
· 单元测试从入门到精通
· 上周热点回顾(3.3-3.9)
· winform 绘制太阳,地球,月球 运作规律
< 2025年3月 >
23 24 25 26 27 28 1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31 1 2 3 4 5

导航

统计

点击右上角即可分享
微信分享提示
AI IDE Trae