1.加密
用户注册时,系统为输入的密码进行加密,此处使用MD5算法,“密码+盐(用户名+随机数)”的方式生成散列值:
public class passwordEncry{
//随机数生成器
private static RandomNumberGenerator randomNumberGenerator = new SecureRandomNumberGenerator();
//指定散列算法为md5
private String algorithmName = "MD5";
//散列迭代次数
private final int hashIterations = 2;
/**
* 生成随机盐值对密码进行加密
* @param userLogin 登录识别串(用户名)
* @return
*/
public UserLogin encrypt(UserLogin userLogin) {
userLogin.setSalt(randomNumberGenerator.nextBytes().
toHex());
String newPassword =
new SimpleHash(algorithmName,userLogin.getPassword(),
ByteSource.Util.bytes(userLogin.getCredentialsSalt()),hashIterations).toHex();
userLogin.setPassword(newPassword);
return userLogin;
``````````````````````
}
}
这里的userLogin.getCredentialsSalt()为加密盐,我这里的盐设为(登录识别串+随机数),生成一个新的加密密码,并把新密码覆盖原明文密码存到数据库。加密完成。
2.HashedCredentialsMatcher的配置
<bean id="credentialsMatcher"
class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5" />
<property name="hashIterations" value="2" />
<property name="storedCredentialsHexEncoded" value="true" />
</bean>
HashedCredentialsMatcher配置的属性值要跟加密时的属性(hashAlgorithmName,hashIterations,storedCredentialsHexEncoded)一致,storedCredentialsHexEnc表示是否存储散列后的密码为16进制,需要和生成密码时的一样。
3.得到Token
从客户输入获取token(令牌)
protected AuthenticationToken createToken(ServletRequest request,ServletResponse response) {
String username = request.getParameter("loginString");
String password = request.getParameter("pwd");
String rememberMe = request.getParameter("rememberMe");
String host = getHost(request);
UsernamePasswordToken token =
new UsernamePasswordToken(username,
password,
Boolean.parseBoolean(rememberMe), host);
return token;
}
4.Realm认证
自己实现一个Realm,重写doGetAuthenticationInfo,得到一个AuthenticationInfo对象。
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String username = (String)token.getPrincipal();
UserLogin userLogin = userService.getUserLogin(username);
if (userLogin == null) {
throw new UnknownAccountException("用户不存在");
}
if("S".equals(userLogin.getStatus())) {
throw new LockedAccountException("无效账号");
}
SimpleAuthenticationInfo authenticationInfo =
new SimpleAuthenticationInfo(
userLogin, //登录识别串信息
userLogin.getPassword(), //密码
ByteSource.Util.bytes(userLogin.getCredentialsSalt()),//盐值
getName() //realm name
);
return authenticationInfo;
}
5.密码的匹配
最终会来到HashedCredentialsMatcher类的doCredentialsMatch()方法进行密码的比对,此方法包含两个参数AuthenticationToken token, AuthenticationInfo info,思路一下子豁然开朗。
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
Object tokenHashedCredentials =
hashProvidedCredentials(token, info);
Object accountCredentials = getCredentials(info);
return equals(tokenHashedCredentials, accountCredentials);
}
方法的最后通过一个equals函数进行散列的比较:
//equals()方法的主要代码:
byte[] tokenBytes = toBytes(tokenCredentials);
byte[] accountBytes = toBytes(accountCredentials);
return Arrays.equals(tokenBytes, accountBytes);
验证完毕,最后执行subject.login(token)登录成功。
此处只简单介绍了shiro一种匹配器HashedCredentialsMatcher的认证过程,除了这个匹配器还有另外的匹配器,如PasswordMatcher(密码匹配器),道理都差不多