Broken Authentication

How to Fix Broken Authentication in Spring Boot [March 2026] [CVE-2021-41303]

[Updated March 2026] Updated CVE-2021-41303

Overview

CVE-2021-41303 describes an authentication bypass vulnerability affecting Apache Shiro prior to 1.8.0 when used in conjunction with Spring Boot. In Spring Boot applications that rely on Shiro for authentication, a specially crafted HTTP request could bypass the normal login flow and grant access to protected resources without valid credentials. This vulnerability is categorized under CWE-287 (Authentication Bypass). Upgrading Shiro to 1.8.0 mitigates this flaw by correcting the underlying processing of web authentication tokens and the related cookie handling used by Shiro in web contexts. The risk is most acute for applications that enable Remember-Me or that rely on filter-based authentication without strict validation, especially when these are integrated with Spring Boot’s web filters and security configuration.

Affected Versions

Shiro before 1.8.0 (i.e., 1.7.x and earlier) when used with Spring Boot

Code Fix Example

Spring Boot API Security Remediation
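/**
 * Shiro-on-Spring-Boot configuration examples accompanying CVE-2021-41303.
 *
 * <p>The CVE itself lives in Shiro's web request handling and is closed by
 * upgrading Shiro to 1.8.0; nothing in either nested configuration replaces
 * that upgrade. What the two configurations contrast is how the Remember-Me
 * cipher key is handled: {@link VulnerableConfig} embeds a weak, static key in
 * source, while {@link FixedConfig} reads a validated key from the process
 * environment so the key is never shipped with the code. Bean method names and
 * signatures are identical in both so either class can be dropped into a
 * Spring context unchanged.
 */
public class ShiroSpringBootSecurityConfig {

    /**
     * Environment variable holding the Base64-encoded Remember-Me key.
     * The name is an example chosen for this page; use whatever fits your deployment.
     */
    static final String CIPHER_KEY_ENV = "SHIRO_REMEMBERME_CIPHER_KEY";

    /**
     * Decodes and validates a Base64-encoded Remember-Me cipher key.
     *
     * <p>Shiro's Remember-Me manager encrypts the cookie with AES by default, so
     * the raw key must be exactly 16, 24 or 32 bytes (128/192/256-bit); any other
     * length fails at runtime the first time a cookie is written, which is far
     * harder to diagnose than a startup failure. The error messages deliberately
     * report only the length, never the key material.
     *
     * @param base64Key Base64 text of the raw key bytes, typically from {@link #CIPHER_KEY_ENV}
     * @return the decoded key, guaranteed to be 16, 24 or 32 bytes long
     * @throws IllegalStateException if the key is missing, blank, not valid Base64,
     *                               or does not decode to an AES key length
     */
    static byte[] decodeCipherKey(String base64Key) {
        if (base64Key == null || base64Key.trim().isEmpty()) {
            throw new IllegalStateException(
                    "Remember-Me cipher key is not configured (set " + CIPHER_KEY_ENV + ")");
        }
        final byte[] key;
        try {
            key = java.util.Base64.getDecoder().decode(base64Key.trim());
        } catch (IllegalArgumentException e) {
            // Preserve the cause so the decoder's detail is available in the stack trace.
            throw new IllegalStateException("Remember-Me cipher key is not valid Base64", e);
        }
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException(
                    "Remember-Me cipher key must decode to 16, 24 or 32 bytes, got " + key.length);
        }
        return key;
    }

    /**
     * Vulnerable pattern: the Remember-Me key is a fixed ASCII constant in source.
     * Anyone who can read the source or a build artifact holds the key that
     * protects every Remember-Me cookie, and the key cannot be rotated without a
     * new build. Kept verbatim for contrast; do not copy it.
     */
    public static class VulnerableConfig {
        /**
         * Builds a web security manager with a hard-coded Remember-Me key.
         *
         * @return the configured {@code DefaultWebSecurityManager}
         */
        @org.springframework.context.annotation.Bean
        public org.apache.shiro.mgt.SecurityManager securityManager() {
            org.apache.shiro.web.mgt.DefaultWebSecurityManager securityManager = new org.apache.shiro.web.mgt.DefaultWebSecurityManager();
            // Vulnerable: relying on a weak, static cipher key for Remember-Me tokens.
            // 16 ASCII bytes is a valid AES-128 length, so this "works" and is easy to miss in review.
            org.apache.shiro.web.mgt.CookieRememberMeManager rememberMe = new org.apache.shiro.web.mgt.CookieRememberMeManager();
            rememberMe.setCipherKey("1234567890abcdef".getBytes(java.nio.charset.StandardCharsets.UTF_8));
            securityManager.setRememberMeManager(rememberMe);
            return securityManager;
        }

        /**
         * Registers the Shiro filter chain: {@code /login} is anonymous, everything else requires authentication.
         *
         * @param securityManager the manager produced by {@link #securityManager()}
         * @return the configured {@code ShiroFilterFactoryBean}
         */
        @org.springframework.context.annotation.Bean
        public org.apache.shiro.spring.web.ShiroFilterFactoryBean shiroFilter(org.apache.shiro.mgt.SecurityManager securityManager) {
            org.apache.shiro.spring.web.ShiroFilterFactoryBean filter = new org.apache.shiro.spring.web.ShiroFilterFactoryBean();
            filter.setSecurityManager(securityManager);
            // LinkedHashMap keeps insertion order, which is the order Shiro evaluates chain definitions in.
            java.util.LinkedHashMap<String, String> filterChain = new java.util.LinkedHashMap<>();
            filterChain.put("/login", "anon");
            filterChain.put("/**", "authc");
            filter.setFilterChainDefinitionMap(filterChain);
            return filter;
        }
    }

    /**
     * Fixed pattern: the Remember-Me key is supplied at deployment time and
     * validated before Shiro sees it. Startup fails fast if the key is absent or
     * malformed rather than serving requests with a broken Remember-Me manager.
     */
    public static class FixedConfig {
        /**
         * Builds a web security manager whose Remember-Me key comes from the environment.
         *
         * @return the configured {@code DefaultWebSecurityManager}
         * @throws IllegalStateException if {@link #CIPHER_KEY_ENV} is unset or not a valid AES key
         */
        @org.springframework.context.annotation.Bean
        public org.apache.shiro.mgt.SecurityManager securityManager() {
            org.apache.shiro.web.mgt.DefaultWebSecurityManager securityManager = new org.apache.shiro.web.mgt.DefaultWebSecurityManager();
            // Fixed: the key is application-specific, lives outside the code base, can be rotated
            // per environment, and is length-checked so a bad value surfaces at startup.
            org.apache.shiro.web.mgt.CookieRememberMeManager rememberMe = new org.apache.shiro.web.mgt.CookieRememberMeManager();
            byte[] key = decodeCipherKey(System.getenv(CIPHER_KEY_ENV));
            rememberMe.setCipherKey(key);
            securityManager.setRememberMeManager(rememberMe);
            return securityManager;
        }

        /**
         * Registers the Shiro filter chain: {@code /login} is anonymous, everything else requires authentication.
         * The chain is the same as in the vulnerable configuration; the CVE's request-handling
         * bypass is addressed by the Shiro upgrade, not by these definitions.
         *
         * @param securityManager the manager produced by {@link #securityManager()}
         * @return the configured {@code ShiroFilterFactoryBean}
         */
        @org.springframework.context.annotation.Bean
        public org.apache.shiro.spring.web.ShiroFilterFactoryBean shiroFilter(org.apache.shiro.mgt.SecurityManager securityManager) {
            org.apache.shiro.spring.web.ShiroFilterFactoryBean filter = new org.apache.shiro.spring.web.ShiroFilterFactoryBean();
            filter.setSecurityManager(securityManager);
            // LinkedHashMap keeps insertion order, which is the order Shiro evaluates chain definitions in.
            java.util.LinkedHashMap<String, String> filterChain = new java.util.LinkedHashMap<>();
            filterChain.put("/login", "anon");
            filterChain.put("/**", "authc");
            filter.setFilterChainDefinitionMap(filterChain);
            return filter;
        }
    }
}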

CVE References
