tomsun28 / bootshiro Goto Github PK

http://47.110.55.246/api/log/operationLog/1/10

权限是否存在问题

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector on Java language(Our main concern is the secure implementation and use of Json Web Token). We found your great public repository (i.e.,bootshiro) from Github, and several security issues detected by our detector are shown in the following. The specific security issues we found are as follows:
(1) Location: Package: com.usthe.sureness.util; Class: JsonWebTokenUtil.class
Security issue: Using predictable/constant cryptographic key when creating and verifing Json Web Token.

Using a predictable/constant secret does not conform to the security implementation specification of JWT, which may bring security risks to your system. It is recommended to use a more secure way to store the secret used to generate the JWT and use a strong enough key to improve the security of the project. （For the hazards of predictable/constant secret, you can refer to CWE-321, NIST Special Publication 800-57).

We wish the above security issues cloud truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.

在更新角色权限时，执行shiroFilterChainManager.reloadFilterChain();
那么新增 或者 删除某用户的角色事，是否也要执行？

Why user id is String instead of an increment number?

What is the benefit on this approach?

https://user-images.githubusercontent.com/30027321/57188309-01737280-6f2f-11e9-89d5-68da556e1868.png

添加按钮权限和按钮和api权限的对应