Releases: flashvayne/rbac-spring-boot-starter
Jackson deserialization exception handling
- v2.2.1 solves the problem that an exception is thrown when deserializing an illegal token at v2.2.0.
Tips: Unlike Fastjson, Jackson throws an exception directly instead of returning an empty object when deserialization fails.
replace fastjson with jackson
考虑到fastjson多次暴雷以及项目尽少引用其他依赖,现使用Jackson替换Fastjson将RbacTokenInfo序列化为Json。
我也考虑过将对象序列化工作交由RedisTemplate去做 但这关系到RedisTemplate序列化器的选择配置,造成了一定程度的耦合,所以还是提前将对象序列化为Json。
如需更改这部分逻辑 可继承DefaultRbacTokenServiceImpl或实现RbacTokenService,重写doGenerateToken和decodeTokenInfo方法即可。
本次更新将带来以下影响:
Rbac各DTO的addition属性为Object类型,赋值的自定义DTO对象在反序列化为Object时发生以下变化
Fastjson --> JSONObject
Jackson --> LinkedHashMap
fastjson security hole fixed
fastjson version update to 1.2.83
fastjson最新漏洞信息
漏洞名称:fastjson 反序列化任意代码执行漏洞(Java)影响组件:com.alibaba:fastjson影响版本:<= 1.2.80漏洞评级:严重漏洞公开时间:2022-05-23漏洞详情:https://www.oscs1024.com/hd/MPS-2022-11320
在线详细报告: https://www.oscs1024.com/cd/1528391966096707584?sign=58cf0c60
fastjson最新漏洞信息
漏洞名称:fastjson 反序列化任意代码执行漏洞(Java)
影响组件:com.alibaba:fastjson
影响版本:<= 1.2.80
漏洞评级:严重
漏洞公开时间:2022-05-23
漏洞详情:https://www.oscs1024.com/hd/MPS-2022-11320
deprecate property "rbac.enable"
- rbac will be enabled automatically once the dependency is loaded.
- add spring-configuration-metadata.json
v2.0.0
rbac-spring-boot-starter v2.0.0 release.
<dependency>
<groupId>io.github.flashvayne</groupId>
<artifactId>mysql-mybatis-pagination</artifactId>
<version>2.0.0</version>
</dependency>