[v2.1.0] access_token access vulnerability #9830
Labels: status/duplicate (This issue or pull request already exists)
Comments
PRs welcome.
Maybe fixed in 2.2.0 with #9380
Where do I need to send it next? On Tue, Jan 10, 2023 at 17:08 lihaopeng ***@***.***> wrote:
Describe the bug
Following the official docs at nacos.io/zh-cn/docs/auth.html, I started the Docker image with NACOS_AUTH_ENABLE=true and NACOS_AUTH_TOKEN=<string>.
NACOS_AUTH_TOKEN did not take effect; the server still uses the default secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789.
Signing a JWT with that default key to generate an access_token, the token can access the API endpoints.
An access_token generated with the custom NACOS_AUTH_TOKEN=<string> cannot access them.
Expected behavior
With a custom NACOS_AUTH_TOKEN, an access_token generated from it should be able to access the API endpoints.
Actual behavior
The default secret.key=SecretKey012345678901234567890123456789012345678901234567890123456789 is still required; an access_token generated with it can access the API endpoints.
How to Reproduce
Steps to reproduce the behavior:
```shell
docker run --env PREFER_HOST_MODE=hostname --env MODE=standalone --env NACOS_AUTH_ENABLE=true --env NACOS_AUTH_TOKEN=SecretKey:e472c13e-a568-47cd-bb49-c15e253f62e9 -p 8848:8848 nacos/nacos-server:v2.1.0
```
Desktop (please complete the following information):
OS: centos
Version: nacos-server 2.1.0
Additional context
```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import java.util.Base64;
import java.util.Date;

public static String createToken(String userName) {
    long now = System.currentTimeMillis();
    // Token lifetime: 18000 seconds (5 hours) from now.
    Date validity = new Date(now + 18000 * 1000L);
    // Default secret.key shipped with Nacos; a token signed with it is still accepted.
    String raw_key = "SecretKey012345678901234567890123456789012345678901234567890123456789";
    // Custom NACOS_AUTH_TOKEN passed to the container; tokens signed with it were rejected.
    String raw_key222 = "SecretKey:e472c13e-a568-47cd-bb49-c15e253f62e9";
    // The configured key string is base64-decoded before use as the HMAC key
    // (java.util.Base64 replaces the JDK-internal sun.misc.BASE64Decoder used originally).
    byte[] key_byte = Base64.getDecoder().decode(raw_key);
    Claims claims = Jwts.claims().setSubject(userName);
    return Jwts.builder().setClaims(claims).setExpiration(validity)
            .signWith(Keys.hmacShaKeyFor(key_byte), SignatureAlgorithm.HS256).compact();
}
```
KomachiSion added the status/duplicate label (This issue or pull request already exists) and removed the status/need feedback label on Jan 28, 2023