fastjson blacklist

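Background

Starting with 1.2.42, fastjson replaced its plaintext blacklist with a hashed blacklist, to keep security researchers from studying it. See commit https://github.com/alibaba/fastjson/commit/eebea031d4d6f0a079c3d26845d96ad50c3aaccd for the change.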

-     private String[] denyList = "bsh,com.mchange,com.sun.,java.lang.Thread,java.net.Socket,java.rmi,javax.xml,org.apache.bcel,org.apache.commons.beanutils,org.apache.commons.collections.Transformer,org.apache.commons.collections.functors,org.apache.commons.collections4.comparators,org.apache.commons.fileupload,org.apache.myfaces.context.servlet,org.apache.tomcat,org.apache.wicket.util,org.apache.xalan,org.codehaus.groovy.runtime,org.hibernate,org.jboss,org.mozilla.javascript,org.python.core,org.springframework".split(",");

+        denyHashCodes = new long[]{
+                -8720046426850100497L,
+                 ......
+                8838294710098435315L
+        };
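
Review bot: the `denyHashCodes` entries added here are bare `long` literals with nothing recording which prefix each one stands for, so a later maintainer cannot tell from the source whether every prefix in the removed `denyList` string is still covered. Keep the source prefixes somewhere reviewable, for example a test that hashes each prefix and asserts the result is present in `denyHashCodes`. Hashing also does not keep the entries private, since anyone can hash candidate class names and compare.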

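Starting with 1.2.61, in https://github.com/alibaba/fastjson/commit/d1c0dff9a33d49e6e7b98a4063da01bbc9325a38 , fastjson changed the blacklist values from decimal to hexadecimal, possibly to stop security researchers from searching for them, which, frankly, is a bit laughable.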

        denyHashCodes = new long[]{
-                -8720046426850100497L,
-                -8165637398350707645L,
-                -8109300701639721088L,

+                0x86fc2bf9beaf7aefL,
+                0x8eadd40cb2a94443L,
+                0x8f75f9fa0df03f80L,
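
Review bot: in the `denyHashCodes` initializer the `-` and `+` literals are meant to be the same values in another radix (`-8720046426850100497L` becomes `0x86fc2bf9beaf7aefL`), but the hunk gives a reader no way to confirm that for each 64-bit constant. Add a test that pins the array contents, or generate the literals, so that one mistyped digit cannot silently drop an entry from the deny list.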

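Starting with 1.2.62, in https://github.com/alibaba/fastjson/commit/014444e6c62329ec7878bb6b0c6b28c3f516c54e , the hexadecimal values were changed from lowercase to uppercase, probably to follow convention.

This repository records only the decimal and lowercase hexadecimal values, not the uppercase hexadecimal ones.

I could not find a similar repository online, so to work out what each hash actually corresponds to, I wrote a small tool that runs these cases and lists the results.

Features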

import java.io.File;
import java.io.IOException;

public class Main {
    public static void main(String[] args) throws IOException {
        // Feature 1: extend the list of known names
        // Extend it using the given classes
        BreakerUtils.completeDatabase(new String[]{"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"});
        // Extend it using the given jar
        BreakerUtils.completeDatabase(new File("C:\\Users\\leadroyal\\.gradle\\caches\\modules-2\\files-2.1\\com.alibaba\\fastjson\\1.2.24\\a2b82688715ee16d874d90229d204daf3efcac8e\\fastjson-1.2.24.jar"));
        // Extend it using the given directory
        BreakerUtils.completeDatabase(new File("C:\\Users\\leadroyal\\.gradle\\caches\\modules-2\\files-2.1\\"), true);


        // Feature 2: given a version number, print the known and unknown lists
        BreakerUtils.listDatabase(1242);
        BreakerUtils.listDatabase();

        // Feature 3: given a class name, print whether it is banned
        BreakerUtils.isBanned("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
    }
}
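
An added example, not code from this repository or from fastjson: fastjson hashes class names with 64-bit FNV-1a, updating the hash one character at a time, so a class name matches the list when the hash of one of its prefixes is an entry. The code below assumes that scheme, uses four rows from the table on this page, and leaves out the other conditions in fastjson's own check; `DenyHashLookup`, `matchedPrefix` and `fnv1a64` are illustrative names.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; class and method names here are hypothetical.
public class DenyHashLookup {
    // 64-bit FNV-1a parameters (the function fastjson applies to class names).
    static final long BASIS = 0xcbf29ce484222325L;
    static final long PRIME = 0x100000001b3L;

    // Four rows copied from the table on this page: hex-hash -> name.
    static final Map<Long, String> DENY = new LinkedHashMap<>();
    static {
        DENY.put(0xfc773ae20c827691L, "java.lang.Thread");
        DENY.put(0x8fd1960988bce8b4L, "org.apache.ibatis.datasource");
        DENY.put(0x398f942e01920cf0L, "com.sun.");
        DENY.put(0x793addded7a967f5L, "ognl.");
    }

    /**
     * Returns the shortest prefix of className whose hash is a key of deny,
     * or null if no prefix matches. The running FNV-1a value after i+1
     * characters is the hash of that prefix, so one pass covers every prefix.
     */
    static String matchedPrefix(String className, Map<Long, String> deny) {
        String name = className.replace('$', '.'); // nested classes compare with '.'
        long h = BASIS;
        for (int i = 0; i < name.length(); i++) {
            h ^= name.charAt(i);
            h *= PRIME;                            // long arithmetic wraps mod 2^64
            if (deny.containsKey(h)) {
                return name.substring(0, i + 1);
            }
        }
        return null;
    }

    /** Hash of a whole string, used to print both notations of one value. */
    static long fnv1a64(String s) {
        long h = BASIS;
        for (int i = 0; i < s.length(); i++) {
            h = (h ^ s.charAt(i)) * PRIME;
        }
        return h;
    }

    public static void main(String[] args) {
        String[] candidates = {                    // constructed sample input
            "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory",
            "java.lang.Thread",
            "java.lang.String",
        };
        for (String c : candidates) {
            String p = matchedPrefix(c, DENY);
            if (p == null) { System.out.println(c + " -> no match"); continue; }
            long h = fnv1a64(p);
            // %d prints the signed decimal form, %x the hexadecimal form of the same long
            System.out.printf("%s -> %s (%d / 0x%x)%n", c, p, h, h);
        }
    }
}
```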

How to contribute

Current list

| version | hash | hex-hash | name |
| --- | --- | --- | --- |
| 1.2.42 | -8720046426850100497 | 0x86fc2bf9beaf7aefL | org.apache.commons.collections4.comparators |
| 1.2.42 | -8109300701639721088 | 0x8f75f9fa0df03f80L | org.python.core |
| 1.2.42 | -7966123100503199569 | 0x9172a53f157930afL | org.apache.tomcat |
| 1.2.42 | -7766605818834748097 | 0x9437792831df7d3fL | org.apache.xalan |
| 1.2.42 | -6835437086156813536 | 0xa123a62f93178b20L | javax.xml |
| 1.2.42 | -4837536971810737970 | 0xbcdd9dc12766f0ceL | org.springframework. |
| 1.2.42 | -4082057040235125754 | 0xc7599ebfe3e72406L | org.apache.commons.beanutils |
| 1.2.42 | -2364987994247679115 | 0xdf2ddff310cdb375L | org.apache.commons.collections.Transformer |
| 1.2.42 | -1872417015366588117 | 0xe603d6a51fad692bL | org.codehaus.groovy.runtime |
| 1.2.42 | -254670111376247151 | 0xfc773ae20c827691L | java.lang.Thread |
| 1.2.42 | -190281065685395680 | 0xfd5bfc610056d720L | javax.net. |
| 1.2.42 | 313864100207897507 | 0x45b11bc78a3aba3L | com.mchange |
| 1.2.42 | 1203232727967308606 | 0x10b2bdca849d9b3eL | org.apache.wicket.util |
| 1.2.42 | 1502845958873959152 | 0x14db2e6fead04af0L | java.util.jar. |
| 1.2.42 | 3547627781654598988 | 0x313bb4abd8d4554cL | org.mozilla.javascript |
| 1.2.42 | 3730752432285826863 | 0x33c64b921f523f2fL | java.rmi |
| 1.2.42 | 3794316665763266033 | 0x34a81ee78429fdf1L | java.util.prefs. |
| 1.2.42 | 4147696707147271408 | 0x398f942e01920cf0L | com.sun. |
| 1.2.42 | 5347909877633654828 | 0x4a3797b30328202cL | java.util.logging. |
| 1.2.42 | 5450448828334921485 | 0x4ba3e254e758d70dL | org.apache.bcel |
| 1.2.42 | 5751393439502795295 | 0x4fd10ddc6d13821fL | java.net.Socket |
| 1.2.42 | 5944107969236155580 | 0x527db6b46ce3bcbcL | org.apache.commons.fileupload |
| 1.2.42 | 6742705432718011780 | 0x5d92e6ddde40ed84L | org.jboss |
| 1.2.42 | 7179336928365889465 | 0x63a220e60a17c7b9L | org.hibernate |
| 1.2.42 | 7442624256860549330 | 0x6749835432e0f0d2L | org.apache.commons.collections.functors |
| 1.2.42 | 8838294710098435315 | 0x7aa7ee3627a19cf3L | org.apache.myfaces.context.servlet |
| 1.2.43 | -2262244760619952081 | 0xe09ae4604842582fL | java.net.URL |
| 1.2.46 | -8165637398350707645 | 0x8eadd40cb2a94443L | junit. |
| 1.2.46 | -8083514888460375884 | 0x8fd1960988bce8b4L | org.apache.ibatis.datasource |
| 1.2.46 | -7921218830998286408 | 0x92122d710e364fb8L | org.osjava.sj. |
| 1.2.46 | -7768608037458185275 | 0x94305c26580f73c5L | org.apache.log4j. |
| 1.2.46 | -6179589609550493385 | 0xaa3daffdb10c4937L | org.logicalcobwebs. |
| 1.2.46 | -5194641081268104286 | 0xb7e8ed757f5d13a2L | org.apache.logging. |
| 1.2.46 | -3935185854875733362 | 0xc963695082fd728eL | org.apache.commons.dbcp |
| 1.2.46 | -2753427844400776271 | 0xd9c9dbf6bbd27bb1L | com.ibatis.sqlmap.engine.datasource |
| 1.2.46 | -1589194880214235129 | 0xe9f20bad25f60807L | org.jdom. |
| 1.2.46 | 1073634739308289776 | 0xee6511b66fd5ef0L | org.slf4j. |
| 1.2.46 | 5688200883751798389 | 0x4ef08c90ff16c675L | javassist. |
| 1.2.46 | 7017492163108594270 | 0x616323f12c2ce25eL | oracle.net |
| 1.2.46 | 8389032537095247355 | 0x746bd4a53ec195fbL | org.jaxen. |
| 1.2.48 | 1459860845934817624 | 0x144277b467723158L | java.net.InetAddress |
| 1.2.48 | 8409640769019589119 | 0x74b50bb9260e31ffL | java.lang.Class |
| 1.2.49 | 4904007817188630457 | 0x440e89208f445fb9L | com.alibaba.fastjson.annotation |
| 1.2.59 | 5100336081510080343 | 0x46c808a4b5841f57L | org.apache.cxf.jaxrs.provider. |
| 1.2.59 | 6456855723474196908 | 0x599b5c1213a099acL | ch.qos.logback. |
| 1.2.59 | 8537233257283452655 | 0x767a586a5107feefL | net.sf.ehcache.transaction.manager. |
| 1.2.60 | 3688179072722109200 | 0x332f0b5369a18310L | com.zaxxer.hikari. |
| 1.2.61 | -4401390804044377335 | 0xc2eb1e621f439309L | flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor |
| 1.2.61 | -1650485814983027158 | 0xe9184be55b1d962aL | org.apache.openjpa.ee. |
| 1.2.61 | -1251419154176620831 | 0xeea210e8da2ec6e1L | oracle.jdbc.rowset.OracleJDBCRowSet |
| 1.2.61 | -9822483067882491 | 0xffdd1a80f1ed3405L | com.mysql.cj.jdbc.admin. |
| 1.2.61 | 99147092142056280 | 0x1603dc147a3e358L | oracle.jdbc.connector.OracleManagedConnectionFactory |
| 1.2.61 | 3114862868117605599 | 0x2b3a37467a344cdfL | org.apache.ibatis.parsing. |
| 1.2.61 | 4814658433570175913 | 0x42d11a560fc9fba9L | org.apache.axis2.jaxws.spi.handler. |
| 1.2.61 | 6511035576063254270 | 0x5a5bd85c072e5efeL | jodd.db.connection. |
| 1.2.61 | 8925522461579647174 | 0x7bddd363ad3998c6L | org.apache.commons.configuration.JNDIConfiguration |
| 1.2.62 | -9164606388214699518 | 0x80d0c70bcc2fea02L | org.apache.ibatis.executor. |
| 1.2.62 | -8649961213709896794 | 0x87f52a1b07ea33a6L | net.sf.cglib. |
| 1.2.62 | -6316154655839304624 | 0xa85882ce1044c450L | oracle.net. |
| 1.2.62 | -5764804792063216819 | 0xafff4c95b99a334dL | com.mysql.cj.jdbc.MysqlDataSource |
| 1.2.62 | -4608341446948126581 | 0xc00be1debaf2808bL | jdk.internal. |
| 1.2.62 | -4438775680185074100 | 0xc2664d0958ecfe4cL | aj.org.objectweb.asm. |
| 1.2.62 | -3319207949486691020 | 0xd1efcdf4b3316d34L | oracle.jdbc. |
| 1.2.62 | -2192804397019347313 | 0xe1919804d5bf468fL | org.apache.commons.collections.comparators. |
| 1.2.62 | -2095516571388852610 | 0xe2eb3ac7e56c467eL | net.sf.ehcache.hibernate. |
| 1.2.62 | 4750336058574309 | 0x10e067cd55c5e5L | com.mysql.cj.log. |
| 1.2.62 | 218512992947536312 | 0x3085068cb7201b8L | org.h2.jdbcx. |
| 1.2.62 | 823641066473609950 | 0xb6e292fa5955adeL | org.apache.commons.logging. |
| 1.2.62 | 1534439610567445754 | 0x154b6cb22d294cfaL | org.apache.ibatis.reflection. |
| 1.2.62 | 1818089308493370394 | 0x193b2697eaaed41aL | org.h2.server. |
| 1.2.62 | 2164696723069287854 | 0x1e0a8c3358ff3daeL | org.apache.ibatis.datasource. |
| 1.2.62 | 2653453629929770569 | 0x24d2f6048fef4e49L | org.objectweb.asm. |
| 1.2.62 | 2836431254737891113 | 0x275d0732b877af29L | flex.messaging.util.concurrent. |
| 1.2.62 | 3089451460101527857 | 0x2adfefbbfe29d931L | org.apache.ibatis.javassist. |
| 1.2.62 | 3256258368248066264 | 0x2d308dbbc851b0d8L | java.lang.UNIXProcess |
| 1.2.62 | 3718352661124136681 | 0x339a3e0b6beebee9L | org.apache.ibatis.ognl. |
| 1.2.62 | 4046190361520671643 | 0x3826f4b2380c8b9bL | com.mysql.cj.jdbc.MysqlConnectionPoolDataSource |
| 1.2.62 | 4841947709850912914 | 0x43320dc9d2ae0892L | org.codehaus.jackson. |
| 1.2.62 | 6280357960959217660 | 0x5728504a6d454ffcL | org.apache.ibatis.scripting. |
| 1.2.62 | 6534946468240507089 | 0x5ab0cb3071ab40d1L | org.apache.commons.proxy. |
| 1.2.62 | 6734240326434096246 | 0x5d74d3e5b9370476L | com.mysql.cj.jdbc.MysqlXADataSource |
| 1.2.62 | 7123326897294507060 | 0x62db241274397c34L | org.apache.commons.collections.functors. |
| 1.2.62 | 8488266005336625107 | 0x75cc60f5871d0fd3L | org.apache.commons.configuration |
| 1.2.66 | -2439930098895578154 | 0xde23a0809a8b9bd6L | javax.script. |
| 1.2.66 | -582813228520337988 | 0xf7e96e74dfa58dbcL | javax.sound. |
| 1.2.66 | -26639035867733124 | 0xffa15bf021f1e37cL | javax.print. |
| 1.2.66 | 386461436234701831 | 0x55cfca0f2281c07L | javax.activation. |
| 1.2.66 | 1153291637701043748 | 0x100150a253996624L | javax.tools. |
| 1.2.66 | 1698504441317515818L | 0x17924cca5227622aL | javax.management. |
| 1.2.66 | 7375862386996623731L | 0x665c53c311193973L | org.apache.xbean. |
| 1.2.66 | 7658177784286215602L | 0x6a47501ebb2afdb2L | org.eclipse.jetty. |
| 1.2.66 | 8055461369741094911L | 0x6fcabf6fa54cafffL | javax.naming. |
| 1.2.67 | -7775351613326101303L | 0x941866e73beff4c9L | org.apache.shiro.realm. |
| 1.2.67 | -6025144546313590215L | 0xac6262f52c98aa39L | org.apache.http.conn. |
| 1.2.67 | -5939269048541779808L | 0xad937a449831e8a0L | org.quartz. |
| 1.2.67 | -5885964883385605994L | 0xae50da1fad60a096L | com.taobao.eagleeye.wrapper |
| 1.2.67 | -3975378478825053783L | 0xc8d49e5601e661a9L | org.apache.http.impl. |
| 1.2.67 | -2378990704010641148L | 0xdefc208f237d4104L | com.ibatis. |
| 1.2.67 | -905177026366752536L | 0xf3702a4a5490b8e8L | org.apache.catalina. |
| 1.2.67 | 2660670623866180977L | 0x24ec99d5e7dc5571L | org.apache.http.auth. |
| 1.2.67 | 2731823439467737506L | 0x25e962f1c28f71a2L | br.com.anteros. |
| 1.2.67 | 3637939656440441093L | 0x327c8ed7c8706905L | com.caucho. |
| 1.2.67 | 4254584350247334433L | 0x3b0b51ecbf6db221L | org.apache.http.cookie. |
| 1.2.67 | 5274044858141538265L | 0x49312bdafb0077d9L | org.javasimon. |
| 1.2.67 | 5474268165959054640L | 0x4bf881e49d37f530L | org.apache.cocoon. |
| 1.2.67 | 5596129856135573697L | 0x4da972745feb30c1L | org.apache.activemq.jms.pool. |
| 1.2.67 | 6854854816081053523L | 0x5f215622fb630753L | org.mortbay.jetty. |
| 1.2.68 | -3077205613010077203L | 0xd54b91cc77b239edL | org.apache.shiro.jndi. |
| 1.2.68 | -2825378362173150292L | 0xd8ca3d595e982bacL | org.apache.ignite.cache.jta. |
| 1.2.68 | 2078113382421334967L | 0x1cd6f11c6a358bb7L | javax.swing.J |
| 1.2.68 | 6007332606592876737L | 0x535e552d6f9700c1L | org.aoju.bus.proxy.provider. |
| 1.2.68 | 9140390920032557669L | 0x7ed9311d28bf1a65L | java.awt.p |
| 1.2.68 | 9140416208800006522L | 0x7ed9481d28bf417aL | java.awt.i |
| 1.2.69 | -8024746738719829346L | 0x90a25f5baa21529eL | java.io.Serializable |
| 1.2.69 | -5811778396720452501L | 0xaf586a571e302c6bL | java.io.Closeable |
| 1.2.69 | -3053747177772160511L | 0xd59ee91f0b09ea01L | oracle.jms.AQ |
| 1.2.69 | -2114196234051346931L | 0xe2a8ddba03e69e0dL | java.util.Collection |
| 1.2.69 | -2027296626235911549L | 0xe3dd9875a2dc5283L | java.lang.Iterable |
| 1.2.69 | -2939497380989775398L | 0xd734ceb4c3e9d1daL | java.lang.Object |
| 1.2.69 | -1368967840069965882L | 0xed007300a7b227c6L | java.lang.AutoCloseable |
| 1.2.69 | 2980334044947851925L | 0x295c4605fd1eaa95L | java.lang.Readable |
| 1.2.69 | 3247277300971823414L | 0x2d10a5801b9d6136L | java.lang.Cloneable |
| 1.2.69 | 5183404141909004468L | 0x47ef269aadc650b4L | java.lang.Runnable |
| 1.2.69 | 7222019943667248779L | 0x6439c4dff712ae8bL | java.util.EventListener |
| 1.2.70 | -5076846148177416215L | 0xb98b6b5396932fe9L | org.apache.commons.collections4.Transformer |
| 1.2.70 | -4703320437989596122L | 0xbeba72fb1ccba426L | org.apache.commons.collections4.functors |
| 1.2.70 | -4314457471973557243L | 0xc41ff7c9c87c7c05L | org.jdom2.transform. |
| 1.2.70 | -2533039401923731906L | 0xdcd8d615a6449e3eL | org.apache.hadoop.shaded.com.zaxxer.hikari. |
| 1.2.70 | 156405680656087946L | 0x22baa234c5bfb8aL | com.p6spy.engine. |
| 1.2.70 | 1214780596910349029L | 0x10dbc48446e0dae5L | org.apache.activemq.pool. |
| 1.2.70 | 3085473968517218653L | 0x2ad1ce3a112f015dL | org.apache.aries.transaction. |
| 1.2.70 | 3129395579983849527L | 0x2b6dd8b3229d6837L | org.apache.activemq.ActiveMQConnectionFactory |
| 1.2.70 | 4241163808635564644L | 0x3adba40367f73264L | org.apache.activemq.spring. |
| 1.2.70 | 7240293012336844478L | 0x647ab0224e149ebeL | org.apache.activemq.ActiveMQXAConnectionFactory |
| 1.2.70 | 7347653049056829645L | 0x65f81b84c1d920cdL | org.apache.commons.jelly. |
| 1.2.70 | 7617522210483516279L | 0x69b6e0175084b377L | org.apache.axis2.transport.jms. |
| 1.2.71 | -4537258998789938600L | 0xc1086afae32e6258L | java.io.FileReader |
| 1.2.71 | -4150995715611818742L | 0xc664b363baca050aL | java.io.ObjectInputStream |
| 1.2.71 | -2995060141064716555L | 0xd66f68ab92e7fef5L | java.io.FileInputStream |
| 1.2.71 | -965955008570215305L | 0xf2983d099d29b477L | java.io.ObjectOutputStream |
| 1.2.71 | -219577392946377768L | 0xfcf3e78644b98bd8L | java.io.DataOutputStream |
| 1.2.71 | 2622551729063269307L | 0x24652ce717e713bbL | java.io.PrintWriter |
| 1.2.71 | 2930861374593775110L | 0x28ac82e44e933606L | java.io.Buffered |
| 1.2.71 | 4000049462512838776L | 0x378307cb0111e878L | java.io.InputStreamReader |
| 1.2.71 | 4193204392725694463L | 0x3a31412dbb05c7ffL | java.io.OutputStreamWriter |
| 1.2.71 | 5545425291794704408L | 0x4cf54eec05e3e818L | java.io.FileWriter |
| 1.2.71 | 6584624952928234050L | 0x5b6149820275ea42L | java.io.FileOutputStream |
| 1.2.71 | 7045245923763966215L | 0x61c5bdd721385107L | java.io.DataInputStream |
| 1.2.83 | -8754006975464705441L | 0x868385095a22725fL | org.apache.commons.io. |
| 1.2.83 | -8382625455832334425L | 0x8baaee8f9bf77fa7L | org.mvel2. |
| 1.2.83 | -6088208984980396913L | 0xab82562f53e6e48fL | kotlin.reflect. |
| 1.2.83 | -4733542790109620528L | 0xbe4f13e96a6796d0L | com.googlecode.aviator. |
| 1.2.83 | -1363634950764737555L | 0xed13653cb45c4bedL | org.aspectj. |
| 1.2.83 | -803541446955902575L | 0xf4d93f4fb3e3d991L | org.dom4j. |
| 1.2.83 | 860052378298585747L | 0xbef8514d0b79293L | org.apache.commons.cli. |
| 1.2.83 | 1268707909007641340L | 0x119b5b1f10210afcL | com.google.common.eventbus. |
| 1.2.83 | 3058452313624178956L | 0x2a71ce2cc40a710cL | org.thymeleaf. |
| 1.2.83 | 3740226159580918099L | 0x33e7f3e02571b153L | org.junit. |
| 1.2.83 | 3977090344859527316L | 0x37317698dcfce894L | org.mockito.asm. |
| 1.2.83 | 4319304524795015394L | 0x3bf14094a524f0e2L | com.google.common.io. |
| 1.2.83 | 5120543992130540564L | 0x470fd3a18bb39414L | org.mockito.runners. |
| 1.2.83 | 5916409771425455946L | 0x521b4f573376df4aL | org.mockito.cglib. |
| 1.2.83 | 6090377589998869205L | 0x54855e265fe1dad5L | com.google.common.reflect. |
| 1.2.83 | 7164889056054194741L | 0x636ecca2a131b235L | org.mockito.stubbing. |
| 1.2.83 | 8711531061028787095L | 0x78e5935826671397L | org.apache.commons.codec. |
| 1.2.83 | 8735538376409180149L | 0x793addded7a967f5L | ognl. |
| 1.2.83 | 8861402923078831179L | 0x7afa070241b8cc4bL | com.google.common.util.concurrent. |
| 1.2.83 | 9140416208800006522L | 0x7ed9481d28bf417aL | java.awt.i |
| 1.2.83 | 9144212112462101475L | 0x7ee6c477da20bbe3L | com.google.common.net. |

Currently unknown list

| version | hash | hex-hash | name |
| --- | --- | --- | --- |
| 1.2.42 | 33238344207745342 | 0x761619136cc13eL | |
| 1.2.67 | -831789045734283466L | 0xf474e44518f26736L | |
| 1.2.71 | 3452379460455804429L | 0x2fe950d3ea52ae0dL | |
| 1.2.78 | -8614556368991373401L | 0x8872f29fd0b0b7a7L | |
| 1.2.78 | -5472097725414717105L | 0xb40f341c746ec94fL | |
| 1.2.78 | -3750763034362895579L | 0xcbf29ce484222325L | |
| 1.2.78 | -1800035667138631116L | 0xe704fd19052b2a34L | |
| 1.2.78 | -831789045734283466L | 0xf474e44518f26736L | |
| 1.2.78 | 33238344207745342L | 0x761619136cc13eL | |
| 1.2.78 | 3452379460455804429L | 0x2fe950d3ea52ae0dL | |
| 1.2.78 | 4215053018660518963L | 0x3a7ee0635eb2bc33L | |
| 1.2.83 | -8614556368991373401L | 0x8872f29fd0b0b7a7L | |
| 1.2.83 | -3750763034362895579L | 0xcbf29ce484222325L | |
| 1.2.83 | -1800035667138631116L | 0xe704fd19052b2a34L | |
| 1.2.83 | 4215053018660518963L | 0x3a7ee0635eb2bc33L | |

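Built-in whitelist

Starting with 1.2.67, fastjson also stores its built-in whitelist as hashes. The change appears in commit https://github.com/alibaba/fastjson/commit/84eca8e56003ff6ebad3da19c6d69dcd842dbdf7 and the lookup table follows.

PS: org.springframework.security.web.savedrequest.DefaultSavedRequest was removed from the whitelist in that commit.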

| hash | name |
| --- | --- |
| 0xD4788669A13AE74L | java.awt.Rectangle |
| 0xE08EE874A26F5EAFL | java.awt.Point |
| 0xDDAAA11FECA77B5EL | java.awt.Font |
| 0xB81BA299273D4E6L | java.awt.Color |
| 0xA8AAA929446FFCE4L | com.alibaba.fastjson.util.AntiCollisionHashMap |
| 0xD0E71A6E155603C1L | com.alipay.sofa.rpc.core.exception.SofaTimeOutException |
| 0x9F2E20FB6049A371L | java.util.Collections.UnmodifiableMap |
| 0xD45D6F8C9017FAL | java.util.concurrent.ConcurrentSkipListMap |
| 0x64DC636F343516DCL | java.util.concurrent.ConcurrentSkipListSet |
| 0x7FE2B8E675DA0CEFL | org.springframework.dao.CannotAcquireLockException |
| 0xF8C7EF9B13231FB6L | org.springframework.dao.CannotSerializeTransactionException |
| 0x42646E60EC7E5189L | org.springframework.dao.CleanupFailureDataAccessException |
| 0xCC720543DC5E7090L | org.springframework.dao.ConcurrencyFailureException |
| 0xC0FE32B8DC897DE9L | org.springframework.dao.DataAccessResourceFailureException |
| 0xDC9583F0087CC2C7L | org.springframework.dao.DataIntegrityViolationException |
| 0x5449EC9B0280B9EFL | org.springframework.dao.DataRetrievalFailureException |
| 0xEB7D4786C473368DL | org.springframework.dao.DeadlockLoserDataAccessException |
| 0x44D57A1B1EF53451L | org.springframework.dao.DuplicateKeyException |
| 0xC92D8F9129AF339BL | org.springframework.dao.EmptyResultDataAccessException |
| 0x9DF9341F0C76702L | org.springframework.dao.IncorrectResultSizeDataAccessException |
| 0xDB7BFFC197369352L | org.springframework.dao.IncorrectUpdateSemanticsDataAccessException |
| 0x73FBA1E41C4C3553L | org.springframework.dao.InvalidDataAccessApiUsageException |
| 0x76566C052E83815L | org.springframework.dao.InvalidDataAccessResourceUsageException |
| 0x61D10AF54471E5DEL | org.springframework.dao.NonTransientDataAccessException |
| 0x82E8E13016B73F9EL | org.springframework.dao.NonTransientDataAccessResourceException |
| 0xE794F5F7DCD3AC85L | org.springframework.dao.OptimisticLockingFailureException |
| 0x3F64BC3933A6A2DFL | org.springframework.dao.PermissionDeniedDataAccessException |
| 0x863D2DD1E82B9ED9L | org.springframework.dao.PessimisticLockingFailureException |
| 0x4BB3C59964A2FC50L | org.springframework.dao.QueryTimeoutException |
| 0x552D9FB02FFC9DEFL | org.springframework.dao.RecoverableDataAccessException |
| 0x21082DFBF63FBCC1L | org.springframework.dao.TransientDataAccessException |
| 0x178B0E2DC3AE9FE5L | org.springframework.dao.TransientDataAccessResourceException |
| 0x24AE2D07FB5D7497L | org.springframework.dao.TypeMismatchDataAccessException |
| 0x90003416F28ACD89L | org.springframework.dao.UncategorizedDataAccessException |
| 0x73A0BE903F2BCBF4L | org.springframework.jdbc.BadSqlGrammarException |
| 0x7B606F16A261E1E6L | org.springframework.jdbc.CannotGetJdbcConnectionException |
| 0xAFCB539973CEA3F7L | org.springframework.jdbc.IncorrectResultSetColumnCountException |
| 0x4A39C6C7ACB6AA18L | org.springframework.jdbc.InvalidResultSetAccessException |
| 0x9E404E583F254FD4L | org.springframework.jdbc.JdbcUpdateAffectedIncorrectNumberOfRowsException |
| 0x34CC8E52316FA0CBL | org.springframework.jdbc.LobRetrievalFailureException |
| 0xB5114C70135C4538L | org.springframework.jdbc.SQLWarningException |
| 0x7F36112F218143B6L | org.springframework.jdbc.UncategorizedSQLException |
| 0x26C5D923AF21E2E1L | org.springframework.cache.support.NullValue |
| 0xD11D2A941337A7BCL | org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken |
| 0x4F0C3688E8A18F9FL | org.springframework.security.oauth2.common.DefaultOAuth2AccessToken |
| 0xC59AA84D9A94C640L | org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken |
| 0x1F10A70EE4065963L | org.springframework.util.LinkedMultiValueMap |
| 0x557F642131553498L | org.springframework.util.LinkedCaseInsensitiveMap |
| 0x8B2081CB3A50BD44L | org.springframework.remoting.support.RemoteInvocation |
| 0x54DC66A59269BAE1L | org.springframework.security.web.savedrequest.SavedCookie |
| 0x111D12921C5466DAL | org.springframework.security.web.csrf.DefaultCsrfToken |
| 0x19DCAF4ADC37D6D4L | org.springframework.security.web.authentication.WebAuthenticationDetails |
| 0x604D6657082C1EE9L | org.springframework.security.core.context.SecurityContextImpl |
| 0xF4AA683928027CDAL | org.springframework.security.authentication.UsernamePasswordAuthenticationToken |
| 0x92F252C398C02946L | org.springframework.security.core.authority.SimpleGrantedAuthority |
| 0x6B949CE6C2FE009L | org.springframework.security.core.userdetails.User |

Thanks for the additions