动态生成密匙，防止默认密钥泄露

4 years ago · 4d55f5df17
parent b9b2b866b2
commit 4d55f5df17
3 changed files with 38 additions and 10 deletions
--- a/ruoyi-admin/src/main/resources/application.yml
+++ b/ruoyi-admin/src/main/resources/application.yml
@ -108,8 +108,6 @@ shiro:
    httpOnly: true
    # 设置Cookie的过期时间，天为单位
    maxAge: 30
-    # 设置密钥，务必保持唯一性（生成方式，直接拷贝到main运行即可）KeyGenerator keygen = KeyGenerator.getInstance("AES"); SecretKey deskey = keygen.generateKey(); System.out.println(Base64.encodeToString(deskey.getEncoded()));
-    cipherKey: zSyK5Kp6PZAAjlT+eeNMlg==
  session:
    # Session超时时间，-1代表永不过期（默认30分钟）
    expireTime: 30
--- a/ruoyi-common/src/main/java/com/ruoyi/common/utils/security/CipherUtils.java
+++ b/ruoyi-common/src/main/java/com/ruoyi/common/utils/security/CipherUtils.java
@ -0,0 +1,36 @@
+package com.ruoyi.common.utils.security;
+
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import javax.crypto.KeyGenerator;
+
+/**
+ * 对称密钥密码算法工具类
+ *
+ * @author ruoyi
+ */
+public class CipherUtils
+{
+    /**
+     * 生成随机秘钥
+     *
+     * @param keyBitSize 字节大小
+     * @param algorithmName 算法名称
+     * @return 创建密匙
+     */
+    public static Key generateNewKey(int keyBitSize, String algorithmName)
+    {
+        KeyGenerator kg;
+        try
+        {
+            kg = KeyGenerator.getInstance(algorithmName);
+        }
+        catch (NoSuchAlgorithmException e)
+        {
+            String msg = "Unable to acquire " + algorithmName + " algorithm.  This is required to function.";
+            throw new IllegalStateException(msg, e);
+        }
+        kg.init(keyBitSize);
+        return kg.generateKey();
+    }
+}
--- a/ruoyi-framework/src/main/java/com/ruoyi/framework/config/ShiroConfig.java
+++ b/ruoyi-framework/src/main/java/com/ruoyi/framework/config/ShiroConfig.java
@ -8,7 +8,6 @@ import java.util.Map;
 import javax.servlet.Filter;
 import org.apache.commons.io.IOUtils;
 import org.apache.shiro.cache.ehcache.EhCacheManager;
-import org.apache.shiro.codec.Base64;
 import org.apache.shiro.config.ConfigurationException;
 import org.apache.shiro.io.ResourceUtils;
 import org.apache.shiro.mgt.SecurityManager;
@ -23,6 +22,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import com.ruoyi.common.constant.Constants;
 import com.ruoyi.common.utils.StringUtils;
+import com.ruoyi.common.utils.security.CipherUtils;
 import com.ruoyi.common.utils.spring.SpringUtils;
 import com.ruoyi.framework.shiro.realm.UserRealm;
 import com.ruoyi.framework.shiro.session.OnlineSessionDAO;
@ -104,12 +104,6 @@ public class ShiroConfig
    @Value("${shiro.cookie.maxAge}")
    private int maxAge;

-    /**
-     * 设置cipherKey密钥
-     */
-    @Value("${shiro.cookie.cipherKey}")
-    private String cipherKey;
-
    /**
     * 登录地址
     */
@ -357,7 +351,7 @@ public class ShiroConfig
    {
        CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
        cookieRememberMeManager.setCookie(rememberMeCookie());
-        cookieRememberMeManager.setCipherKey(Base64.decode(cipherKey));
+        cookieRememberMeManager.setCipherKey(CipherUtils.generateNewKey(128, "AES").getEncoded());
        return cookieRememberMeManager;
    }