Apache Shiro 安全框架深度解析与漏洞原理<\/h1>

一、Shiro 框架概述<\/h2>

1.1 权限管理基础概念<\/h3>

权限管理是指根据不同身份的用户登录系统后，展示不同功能模块的能力。例如：<\/p>

学生登录：选课、成绩查询、课程表<\/li>

老师登录：学生管理、成绩录入<\/li> <\/ul>

1.2 权限管理实现方式<\/h3>

1.2.1 基于页面的实现<\/h4>

适用于权限管理简单、用户少的场景<\/li>

缺点：新增功能需要修改页面，维护成本高<\/li> <\/ul>

1.2.2 RBAC (基于角色的访问控制)<\/h4>

基本原型：用户-权限直接关联<\/li>
改进版：引入角色概念，用户-角色-权限<\/li>

高级版：用户-角色-权限 + 用户-权限（直接分配）<\/li> <\/ul>

1.3 安全框架的作用<\/h3>

安全框架（如Shiro）相当于系统的"保安"，负责：<\/p>

认证（Authentication）：验证用户身份<\/li>
授权（Authorization）：检查用户权限<\/li>
会话管理（Session Management）<\/li>

密码管理（Cryptography）<\/li> <\/ul>

二、Shiro 核心功能与组件<\/h2>

2.1 核心功能<\/h3>

认证<\/strong>：验证用户身份（登录认证）<\/li>
授权<\/strong>：检查用户权限\/角色<\/li>
会话管理<\/strong>：用户认证后创建会话<\/li>

密码管理<\/strong>：敏感信息加密<\/li> <\/ol>
2.2 支持特性<\/h3>

Web支持：通过过滤器拦截请求<\/li>
缓存支持：缓存用户信息和权限<\/li>
并发支持<\/li>
测试支持<\/li>
Remember Me功能<\/li> <\/ul>
2.3 核心组件与运行流程<\/h3>
Subject (用户) → SecurityManager (安全管理器) → Realm (数据源) <\/code><\/pre> Subject<\/strong>：代表当前用户，由SecurityUtils创建<\/li> SecurityManager<\/strong>：Shiro核心，管理所有Subject<\/li> Realm<\/strong>：安全数据源，连接Shiro与应用的"桥梁"<\/li> <\/ol> 三、Shiro 基础使用<\/h2> 3.1 Java SE 环境使用<\/h3> 3.1.1 依赖配置<\/h4> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.shiro<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>shiro-core<\/artifactId><\/span> <\/span><\/span> <version><\/span>1.4.1<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre>3.1.2 IniRealm 配置<\/h4> 创建shiro.ini<\/code>文件：<\/p> [users] heihuUser=heihuPass,seller hacker=123456,ckmgr admin=admin888,admin [roles] seller=order-add,order-del,order-list ckmgr=ck-add,ck-del,ck-list admin=* <\/code><\/pre> 3.1.3 认证代码示例<\/h4> DefaultSecurityManager defaultSecurityManager =<\/span> new<\/span> DefaultSecurityManager();<\/span> <\/span><\/span>defaultSecurityManager.<\/span>setRealm<\/span>(<\/span>new<\/span> IniRealm(<\/span>"classpath:shiro.ini"<\/span>));<\/span> <\/span><\/span>SecurityUtils.<\/span>setSecurityManager<\/span>(<\/span>defaultSecurityManager);<\/span> <\/span><\/span> <\/span><\/span>Subject subject =<\/span> SecurityUtils.<\/span>getSubject<\/span>();<\/span> <\/span><\/span>try<\/span> {<\/span> <\/span><\/span> subject.<\/span>login<\/span>(<\/span>new<\/span> UsernamePasswordToken(<\/span>username,<\/span> password));<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"登陆成功!"<\/span>);<\/span> <\/span><\/span>}<\/span> catch<\/span> (<\/span>IncorrectCredentialsException e)<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"登陆失败!"<\/span>);<\/span> <\/span><\/span>}<\/span> catch<\/span> (<\/span>UnknownAccountException e)<\/span> {<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"用户名不存在!"<\/span>);<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.1.4 授权检查<\/h4> subject.<\/span>hasRole<\/span>(<\/span>"seller"<\/span>);<\/span> \/\/ 检查角色 <\/span><\/span><\/span><\/span>subject.<\/span>isPermitted<\/span>(<\/span>"order-del"<\/span>);<\/span> \/\/ 检查权限 <\/span><\/span><\/span><\/code><\/pre>3.2 SpringBoot 整合 Shiro<\/h3> 3.2.1 依赖配置<\/h4> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.shiro<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>shiro-spring<\/artifactId><\/span> <\/span><\/span> <version><\/span>1.4.1<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/span> <\/span><\/span><\/code><\/pre>3.2.2 Shiro 配置类<\/h4> @Configuration<\/span> <\/span><\/span>public<\/span> class<\/span> ShiroAutoConfiguration<\/span> {<\/span> <\/span><\/span> @Bean<\/span> <\/span><\/span> public<\/span> IniRealm getIniRealm<\/span>()<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> IniRealm(<\/span>"classpath:shiro.ini"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Bean<\/span> <\/span><\/span> public<\/span> SecurityManager getSecurityManager<\/span>(<\/span>IniRealm iniRealm)<\/span> {<\/span> <\/span><\/span> DefaultWebSecurityManager manager =<\/span> new<\/span> DefaultWebSecurityManager();<\/span> <\/span><\/span> manager.<\/span>setRealm<\/span>(<\/span>iniRealm);<\/span> <\/span><\/span> return<\/span> manager;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Bean<\/span> <\/span><\/span> public<\/span> ShiroFilterFactoryBean shiroFilterFactoryBean<\/span>(<\/span>SecurityManager securityManager)<\/span> {<\/span> <\/span><\/span> ShiroFilterFactoryBean factory =<\/span> new<\/span> ShiroFilterFactoryBean();<\/span> <\/span><\/span> factory.<\/span>setSecurityManager<\/span>(<\/span>securityManager);<\/span> <\/span><\/span> <\/span><\/span> Map<<\/span>String,<\/span>String><\/span> filterMap =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> filterMap.<\/span>put<\/span>(<\/span>"\/"<\/span>,<\/span> "anon"<\/span>);<\/span> <\/span><\/span> filterMap.<\/span>put<\/span>(<\/span>"\/login"<\/span>,<\/span> "anon"<\/span>);<\/span> <\/span><\/span> filterMap.<\/span>put<\/span>(<\/span>"\/user\/login"<\/span>,<\/span> "anon"<\/span>);<\/span> <\/span><\/span> filterMap.<\/span>put<\/span>(<\/span>authc"); <\/span><\/span><\/span> <\/span><\/span><\/span> factory.setFilterChainDefinitionMap(filterMap); <\/span><\/span><\/span> factory.setLoginUrl("<\/span>\/<\/span>login"<\/span>);<\/span> <\/span><\/span> factory.<\/span>setUnauthorizedUrl<\/span>(<\/span> <\/span><\/span> return<\/span> factory;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.2.3 控制器示例<\/h4> @Controller<\/span> <\/span><\/span>@RequestMapping<\/span>(<\/span>"\/user"<\/span>)<\/span> <\/span><\/span>public<\/span> class<\/span> UserController<\/span> {<\/span> <\/span><\/span> @PostMapping<\/span>(<\/span>"\/login"<\/span>)<\/span> <\/span><\/span> public<\/span> String login<\/span>(<\/span>String username,<\/span> String password)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> Subject subject =<\/span> SecurityUtils.<\/span>getSubject<\/span>();<\/span> <\/span><\/span> subject.<\/span>login<\/span>(<\/span>new<\/span> UsernamePasswordToken(<\/span>username,<\/span> password));<\/span> <\/span><\/span> return<\/span> "index"<\/span>;<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {<\/span> <\/span><\/span> return<\/span> "login"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.3 JdbcRealm 使用<\/h3> 3.3.1 数据库表结构<\/h4> CREATE<\/span> TABLE<\/span> `<\/span>users`<\/span>( <\/span><\/span> username varchar(60<\/span>) primary<\/span> key<\/span>, <\/span><\/span> password varchar(60<\/span>) not<\/span> null<\/span> <\/span><\/span>); <\/span><\/span> <\/span><\/span>CREATE<\/span> TABLE<\/span> `<\/span>user_roles`<\/span>( <\/span><\/span> username varchar(60<\/span>) not<\/span> null<\/span>, <\/span><\/span> role_name varchar(100<\/span>) not<\/span> null<\/span> <\/span><\/span>); <\/span><\/span> <\/span><\/span>CREATE<\/span> TABLE<\/span> `<\/span>roles_permissions`<\/span>( <\/span><\/span> role_name varchar(100<\/span>) not<\/span> null<\/span>, <\/span><\/span> permission varchar(100<\/span>) not<\/span> null<\/span> <\/span><\/span>); <\/span><\/span><\/code><\/pre>3.3.2 JdbcRealm 配置<\/h4> @Bean<\/span> <\/span><\/span>public<\/span> JdbcRealm getJdbcRealm<\/span>(<\/span>DataSource dataSource)<\/span> {<\/span> <\/span><\/span> JdbcRealm jdbcRealm =<\/span> new<\/span> JdbcRealm();<\/span> <\/span><\/span> jdbcRealm.<\/span>setDataSource<\/span>(<\/span>dataSource);<\/span> <\/span><\/span> jdbcRealm.<\/span>setPermissionsLookupEnabled<\/span>(<\/span>true<\/span>);<\/span> \/\/ 开启授权功能 <\/span><\/span><\/span><\/span> return<\/span> jdbcRealm;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.4 Shiro 标签使用<\/h3> 3.4.1 依赖配置<\/h4> <dependency><\/span> <\/span><\/span> <groupId><\/span>com.github.theborakompanioni<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>thymeleaf-extras-shiro<\/artifactId><\/span> <\/span><\/span> <version><\/span>2.1.0<\/version><\/span> <\/span><\/span><\/dependency><\/span> <\/span><\/span><\/code><\/pre>3.4.2 配置 ShiroDialect<\/h4> @Bean<\/span> <\/span><\/span>public<\/span> ShiroDialect getShiroDialect<\/span>()<\/span> {<\/span> <\/span><\/span> return<\/span> new<\/span> ShiroDialect();<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.4.3 模板中使用<\/h4> <html<\/span> lang<\/span>=<\/span>"en"<\/span> xmlns:shiro<\/span>=<\/span>"http:\/\/www.pollix.at\/thymeleaf\/shiro"<\/span>> <\/span><\/span><\/span> <\/span><\/span><shiro:guest<\/span>> <\/span><\/span> 欢迎游客访问 | <a<\/span> href<\/span>=<\/span>"\/login"<\/span>>登录<\/a<\/span>> <\/span><\/span><\/shiro:guest<\/span>> <\/span><\/span> <\/span><\/span><\/span> <\/span><\/span><shiro:user<\/span>> <\/span><\/span> 欢迎用户名为: <shiro:principal<\/span>\/> 的用户访问! <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <shiro:hasRole<\/span> name<\/span>=<\/span>"admin"<\/span>>超级管理员<\/shiro:hasRole<\/span>> <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <shiro:hasPermission<\/span> name<\/span>=<\/span>"order:add"<\/span>> <\/span><\/span> <a<\/span> href<\/span>=<\/span>"#"<\/span>>添加订单<\/a<\/span>> <\/span><\/span> <\/shiro:hasPermission<\/span>> <\/span><\/span><\/shiro:user<\/span>> <\/span><\/span><\/code><\/pre>四、自定义 Realm 实现<\/h2> 4.1 数据库设计<\/h3> 4.1.1 表结构<\/h4> -- 用户表 <\/span><\/span><\/span><\/span>CREATE<\/span> TABLE<\/span> `<\/span>tb_users`<\/span>( <\/span><\/span> user_id int primary<\/span> key<\/span>, <\/span><\/span> username varchar(60<\/span>) unique<\/span>, <\/span><\/span> password varchar(60<\/span>) <\/span><\/span>); <\/span><\/span> <\/span><\/span>-- 角色表 <\/span><\/span><\/span><\/span>CREATE<\/span> TABLE<\/span> `<\/span>tb_roles`<\/span>( <\/span><\/span> role_id int primary<\/span> key<\/span>, <\/span><\/span> role_name varchar(60<\/span>) <\/span><\/span>); <\/span><\/span> <\/span><\/span>-- 权限表 <\/span><\/span><\/span><\/span>CREATE<\/span> TABLE<\/span> `<\/span>tb_permissions`<\/span>( <\/span><\/span> permission_id int primary<\/span> key<\/span>, <\/span><\/span> permission_code varchar(60<\/span>), <\/span><\/span> permission_name varchar(60<\/span>) <\/span><\/span>); <\/span><\/span> <\/span><\/span>-- 用户角色关联表 <\/span><\/span><\/span><\/span>CREATE<\/span> TABLE<\/span> `<\/span>tb_urs`<\/span>( <\/span><\/span> uid int, <\/span><\/span> rid int <\/span><\/span>); <\/span><\/span> <\/span><\/span>-- 角色权限关联表 <\/span><\/span><\/span><\/span>CREATE<\/span> TABLE<\/span> `<\/span>tb_rps`<\/span>( <\/span><\/span> rid int, <\/span><\/span> pid int <\/span><\/span>); <\/span><\/span><\/code><\/pre>4.1.2 查询语句设计<\/h4> 认证查询：根据用户名查询用户信息<\/li> 授权查询：查询用户角色<\/li> 查询角色权限<\/li> <\/ul> <\/li> <\/ul> 4.2 自定义 Realm 实现<\/h3> public<\/span> class<\/span> CustomRealm<\/span> extends<\/span> AuthorizingRealm {<\/span> <\/span><\/span> <\/span><\/span> @Autowired<\/span> <\/span><\/span> private<\/span> UserService userService;<\/span> <\/span><\/span> <\/span><\/span> \/\/ 授权 <\/span><\/span><\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> AuthorizationInfo doGetAuthorizationInfo<\/span>(<\/span>PrincipalCollection principals)<\/span> {<\/span> <\/span><\/span> String username =<\/span> (<\/span>String)<\/span>principals.<\/span>getPrimaryPrincipal<\/span>();<\/span> <\/span><\/span> SimpleAuthorizationInfo info =<\/span> new<\/span> SimpleAuthorizationInfo();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 查询用户角色 <\/span><\/span><\/span><\/span> Set<<\/span>String><\/span> roles =<\/span> userService.<\/span>findRolesByUsername<\/span>(<\/span>username);<\/span> <\/span><\/span> info.<\/span>setRoles<\/span>(<\/span>roles);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 查询用户权限 <\/span><\/span><\/span><\/span> Set<<\/span>String><\/span> permissions =<\/span> userService.<\/span>findPermissionsByUsername<\/span>(<\/span>username);<\/span> <\/span><\/span> info.<\/span>setStringPermissions<\/span>(<\/span>permissions);<\/span> <\/span><\/span> <\/span><\/span> return<\/span> info;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> \/\/ 认证 <\/span><\/span><\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> AuthenticationInfo doGetAuthenticationInfo<\/span>(<\/span>AuthenticationToken token)<\/span> <\/span><\/span> throws<\/span> AuthenticationException {<\/span> <\/span><\/span> <\/span><\/span> String username =<\/span> (<\/span>String)<\/span>token.<\/span>getPrincipal<\/span>();<\/span> <\/span><\/span> User user =<\/span> userService.<\/span>findByUsername<\/span>(<\/span>username);<\/span> <\/span><\/span> <\/span><\/span> if<\/span>(<\/span>user ==<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> throw<\/span> new<\/span> UnknownAccountException(<\/span>"用户不存在"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> return<\/span> new<\/span> SimpleAuthenticationInfo(<\/span> <\/span><\/span> user.<\/span>getUsername<\/span>(),<\/span> <\/span><\/span> user.<\/span>getPassword<\/span>(),<\/span> <\/span><\/span> ByteSource.<\/span>Util<\/span>.<\/span>bytes<\/span>(<\/span>user.<\/span>getSalt<\/span>()),<\/span> \/\/ 加盐 <\/span><\/span><\/span><\/span> getName()<\/span> <\/span><\/span> );<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4.3 密码加密与加盐<\/h3> \/\/ 配置密码匹配器 <\/span><\/span><\/span><\/span>@Bean<\/span> <\/span><\/span>public<\/span> HashedCredentialsMatcher hashedCredentialsMatcher<\/span>()<\/span> {<\/span> <\/span><\/span> HashedCredentialsMatcher matcher =<\/span> new<\/span> HashedCredentialsMatcher();<\/span> <\/span><\/span> matcher.<\/span>setHashAlgorithmName<\/span>(<\/span>"SHA-256"<\/span>);<\/span> \/\/ 加密算法 <\/span><\/span><\/span><\/span> matcher.<\/span>setHashIterations<\/span>(<\/span>1024<\/span>);<\/span> \/\/ 哈希迭代次数 <\/span><\/span><\/span><\/span> matcher.<\/span>setStoredCredentialsHexEncoded<\/span>(<\/span>true<\/span>);<\/span> \/\/ 十六进制编码 <\/span><\/span><\/span><\/span> return<\/span> matcher;<\/span> <\/span><\/span>}<\/span> <\/span><\/span> <\/span><\/span>\/\/ 在Realm中设置 <\/span><\/span><\/span><\/span>@Bean<\/span> <\/span><\/span>public<\/span> CustomRealm customRealm<\/span>()<\/span> {<\/span> <\/span><\/span> CustomRealm realm =<\/span> new<\/span> CustomRealm();<\/span> <\/span><\/span> realm.<\/span>setCredentialsMatcher<\/span>(<\/span>hashedCredentialsMatcher());<\/span> <\/span><\/span> return<\/span> realm;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>五、Shiro 漏洞原理分析<\/h2> 5.1 Shiro 记住我功能<\/h3> Shiro的RememberMe功能实现机制：<\/p> 用户登录时选择"记住我"<\/li> 服务端生成包含用户信息的加密Cookie<\/li> 下次访问时，Shiro自动解密Cookie进行认证<\/li> <\/ol> 5.2 漏洞成因<\/h3> 5.2.1 加密密钥硬编码<\/h4> 早期版本使用固定加密密钥（硬编码在代码中）<\/p> 5.2.2 AES加密模式问题<\/h4> 使用ECB模式（电子密码本模式）<\/li> 相同明文块加密后得到相同密文块<\/li> 无初始向量(IV)，易受攻击<\/li> <\/ul> 5.2.3 加密数据构造<\/h4> RememberMe Cookie结构：<\/p> Base64(序列化数据 + AES加密(序列化数据)) <\/code><\/pre> 5.3 攻击流程<\/h3> 构造恶意序列化数据<\/li> 使用已知密钥或暴力破解密钥加密<\/li> 替换Cookie中的RememberMe字段<\/li> 服务端反序列化时执行恶意代码<\/li> <\/ol> 5.4 漏洞修复方案<\/h3> 升级到最新版本<\/li> 自定义加密密钥：<\/li> <\/ol> @Bean<\/span> <\/span><\/span>public<\/span> DefaultWebSecurityManager securityManager<\/span>()<\/span> {<\/span> <\/span><\/span> DefaultWebSecurityManager manager =<\/span> new<\/span> DefaultWebSecurityManager();<\/span> <\/span><\/span> manager.<\/span>setRealm<\/span>(<\/span>customRealm());<\/span> <\/span><\/span> <\/span><\/span> \/\/ 设置RememberMe管理器 <\/span><\/span><\/span><\/span> CookieRememberMeManager rememberMeManager =<\/span> new<\/span> CookieRememberMeManager();<\/span> <\/span><\/span> rememberMeManager.<\/span>setCipherKey<\/span>(<\/span>Base64.<\/span>decode<\/span>(<\/span>"自定义Base64编码密钥"<\/span>));<\/span> <\/span><\/span> manager.<\/span>setRememberMeManager<\/span>(<\/span>rememberMeManager);<\/span> <\/span><\/span> <\/span><\/span> return<\/span> manager;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 禁用RememberMe功能（如不需要）<\/li> 使用更安全的加密模式（如GCM）<\/li> <\/ol> 六、Shiro 安全最佳实践<\/h2> 密钥管理<\/strong>：<\/p> 避免使用默认密钥<\/li> 定期更换密钥<\/li> 密钥存储在安全位置<\/li> <\/ul> <\/li> 会话管理<\/strong>：<\/p> 设置合理的会话超时时间<\/li> 实现会话固定保护<\/li> 限制并发会话数<\/li> <\/ul> <\/li> 密码安全<\/strong>：<\/p> 使用强哈希算法（如SHA-256、BCrypt）<\/li> 加盐处理<\/li> 适当设置哈希迭代次数<\/li> <\/ul> <\/li> 权限设计<\/strong>：<\/p> 遵循最小权限原则<\/li> 定期审查权限分配<\/li> 实现权限变更审计<\/li> <\/ul> <\/li> 其他安全措施<\/strong>：<\/p> 启用CSRF防护<\/li> 实现请求频率限制<\/li> 记录安全相关事件<\/li> <\/ul> <\/li> <\/ol> 七、总结<\/h2> Apache Shiro是一个功能强大且灵活的安全框架，通过本文我们深入了解了：<\/p> Shiro的核心架构和运行原理<\/li> 多种集成方式（Java SE、SpringBoot）<\/li> 不同Realm的实现（Ini、JDBC、自定义）<\/li> 权限控制和标签使用<\/li> 安全漏洞的底层原理<\/li> 安全加固的最佳实践<\/li> <\/ol> 正确配置和使用Shiro可以显著提高应用的安全性，而不当的配置则可能引入严重的安全隐患。开发者应当深入理解其工作原理，遵循安全最佳实践，才能充分发挥Shiro的安全防护能力。<\/p>