Shiro security限制登录尝试次数

之前讲了Shiro Security如何结合验证码,这次讲讲如何限制用户登录尝试次数,防止多次尝试,暴力破解密码情况出现。要限制用户登录尝试次数,必然要对用户名密码验证失败做记录,Shiro中用户名密码的验证交给了CredentialsMatcher
所以在CredentialsMatcher里面检查,记录登录次数是最简单的做法。Shiro天生和Ehcache是一对好搭档,无论是单机还是集群,都可以在Ehcache中存储登录尝试次数信息。
现在介绍一个简单的登录次数验证做法,实现一个RetryLimitCredentialsMatchers继承至HashedCredentialsMatcher,加入缓存,在每次验证用户名密码之前先验证用户名尝试次数,如果超过5次就抛出尝试过多异常,否则验证用户名密码,验证成功把尝试次数清零,不成功则直接退出。这里依靠Ehcache自带的timeToIdleSeconds来保证锁定时间(帐号锁定之后的最后一次尝试间隔timeToIdleSeconds秒之后自动清除)。

public class RetryLimitCredentialsMatcher extends HashedCredentialsMatcher {

//集群中可能会导致出现验证多过5次的现象,因为AtomicInteger只能保证单节点并发    
private Cache<String, AtomicInteger> passwordRetryCache;

    public RetryLimitHashedCredentialsMatcher(CacheManager cacheManager) {
        passwordRetryCache = cacheManager.getCache("passwordRetryCache");
    }

    @Override
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        String username = (String)token.getPrincipal();
        //retry count + 1
        AtomicInteger retryCount = passwordRetryCache.get(username);
        if(null == retryCount) {
            retryCount = new AtomicInteger(0);
            passwordRetryCache.put(username, retryCount);
        }
        if(retryCount.incrementAndGet() > 5) {
            logger.warn("username: " + username + " tried to login more than 5 times in period");
            throw new ExcessiveAttemptsException("username: " + username + " tried to login more than 5 times in period"
); } 
         boolean matches = super.doCredentialsMatch(token, info); 
         if(matches) {
              //clear retry data
              passwordRetryCache.remove(username); 
         } 
         return matches; 
    }
}
  1. Spring配置CacheManager
<bean id="springCacheManager" class="org.springframework.cache.ehcache.EhCacheCacheManager">
        <property name="cacheManager" ref="ehcacheManager"/>
    </bean>

    <!--ehcache-->
    <bean id="ehcacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean">
        <property name="configLocation" value="classpath:ehcache/ehcache.xml"/>
    </bean>
  1. Ehcache配置
<ehcache name="es">

    <diskStore path="java.io.tmpdir"/>

    <!-- 登录记录缓存 锁定100分钟 -->
    <cache name="passwordRetryCache"
           maxEntriesLocalHeap="20000"
           eternal="false"
           timeToIdleSeconds="36000"
           timeToLiveSeconds="0"
           overflowToDisk="false"
           statistics="false">
    </cache>

</ehcache>
  1. Spring Shiro配置
    UserRealm继承AuthorizingRealm,在其父类AuthenticatingRealm的getAuthenticationInfo方法中会调用credentialsMatcher的
    doCredentialsMatch
    来验证用户输入用户名密码是否匹配。
<bean id="credentialsMatcher" class="com.cloud.service.security.credentials.RetryLimitCredentialsMatcher">
        <constructor-arg ref="springCacheManager"/> 
        <property name="storedCredentialsHexEncoded" value="true"/> 
 </bean>
 <bean id="myRealm" class="com.cloud.service.security.UserRealm">
        <property name="credentialsMatcher" ref="credentialsMatcher"/>
        <property name="cachingEnabled" value="false"/>
        <!--<property name="authenticationCachingEnabled" value="true"/>-->
        <!--<property name="authenticationCacheName" value="authenticationCache"/>-->
        <!--<property name="authorizationCachingEnabled" value="true"/>-->
        <!--<property name="authorizationCacheName" value="authorizationCache"/>-->
    </bean>
阅读更多
换一批

没有更多推荐了,返回首页