
动态生成密匙,防止默认密钥泄露

RuoYi hace 3 años
padre
commit
4d55f5df17

+ 0 - 2
ruoyi-admin/src/main/resources/application.yml

@@ -108,8 +108,6 @@ shiro:
     httpOnly: true
     # 设置Cookie的过期时间,天为单位
     maxAge: 30
-    # 设置密钥,务必保持唯一性(生成方式,直接拷贝到main运行即可)KeyGenerator keygen = KeyGenerator.getInstance("AES"); SecretKey deskey = keygen.generateKey(); System.out.println(Base64.encodeToString(deskey.getEncoded()));
-    cipherKey: zSyK5Kp6PZAAjlT+eeNMlg==
   session:
     # Session超时时间,-1代表永不过期(默认30分钟)
     expireTime: 30

+ 36 - 0
ruoyi-common/src/main/java/com/ruoyi/common/utils/security/CipherUtils.java

@@ -0,0 +1,36 @@
+package com.ruoyi.common.utils.security;
+
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import javax.crypto.KeyGenerator;
+
+/**
+ * 对称密钥密码算法工具类
+ *
+ * @author ruoyi
+ */
+public class CipherUtils
+{
+    /**
+     * 生成随机秘钥
+     *
+     * @param keyBitSize 字节大小
+     * @param algorithmName 算法名称
+     * @return 创建密匙
+     */
+    public static Key generateNewKey(int keyBitSize, String algorithmName)
+    {
+        KeyGenerator kg;
+        try
+        {
+            kg = KeyGenerator.getInstance(algorithmName);
+        }
+        catch (NoSuchAlgorithmException e)
+        {
+            String msg = "Unable to acquire " + algorithmName + " algorithm.  This is required to function.";
+            throw new IllegalStateException(msg, e);
+        }
+        kg.init(keyBitSize);
+        return kg.generateKey();
+    }
+}
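Review bot: The Javadoc on `generateNewKey` describes `keyBitSize` as `字节大小` (a byte count), but the value goes straight into `KeyGenerator.init(int)`, which takes a key size in bits, and the only caller in this commit passes 128 for AES. I would change the tag to `@param keyBitSize key size in bits (e.g. 128 for AES)` so nobody passes 16 expecting a 128-bit key. `CipherUtils` is a static-only utility with an implicit public constructor; adding `private CipherUtils() {}` would match the usual utility-class idiom.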

+ 2 - 8
ruoyi-framework/src/main/java/com/ruoyi/framework/config/ShiroConfig.java

@@ -8,7 +8,6 @@ import java.util.Map;
 import javax.servlet.Filter;
 import org.apache.commons.io.IOUtils;
 import org.apache.shiro.cache.ehcache.EhCacheManager;
-import org.apache.shiro.codec.Base64;
 import org.apache.shiro.config.ConfigurationException;
 import org.apache.shiro.io.ResourceUtils;
 import org.apache.shiro.mgt.SecurityManager;
@@ -23,6 +22,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import com.ruoyi.common.constant.Constants;
 import com.ruoyi.common.utils.StringUtils;
+import com.ruoyi.common.utils.security.CipherUtils;
 import com.ruoyi.common.utils.spring.SpringUtils;
 import com.ruoyi.framework.shiro.realm.UserRealm;
 import com.ruoyi.framework.shiro.session.OnlineSessionDAO;
@@ -104,12 +104,6 @@ public class ShiroConfig
     @Value("${shiro.cookie.maxAge}")
     private int maxAge;
 
-    /**
-     * 设置cipherKey密钥
-     */
-    @Value("${shiro.cookie.cipherKey}")
-    private String cipherKey;
-
     /**
      * 登录地址
      */
@@ -357,7 +351,7 @@ public class ShiroConfig
     {
         CookieRememberMeManager cookieRememberMeManager = new CookieRememberMeManager();
         cookieRememberMeManager.setCookie(rememberMeCookie());
-        cookieRememberMeManager.setCipherKey(Base64.decode(cipherKey));
+        cookieRememberMeManager.setCipherKey(CipherUtils.generateNewKey(128, "AES").getEncoded());
         return cookieRememberMeManager;
     }
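Review bot: The key set on the new line is generated inside `rememberMeManager()` and never persisted, so each application start (and each instance in a multi-node deployment, presumably) ends up with a different AES key; remember-me cookies issued before a restart or by another node can no longer be decrypted and those users are silently no longer remembered. That is a sound trade-off against a shared hard-coded key that anyone who knows it could use to forge cookies, but the diff does not state it anywhere; I would add above the new line `// AES key is regenerated on every start: remember-me cookies issued before a restart, or by another instance, are no longer readable`. If clustered deployments matter, keeping an optional configured key with the random key as the fallback would preserve this fix while letting nodes share one key. The enclosing method's signature is above the hunk.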