登录验证和密码加密篇
shiro是一个封装了诸多登录验证相关功能的轻量级框架,可以十分方便地实现密码加密验证、登录用户管理等功能;使用时通过继承其中的部分类并重写相应方法来实现所需功能。
登录验证是通过继承shiro的AuthorizingRealm类并重写其认证方法来实现的。使用eclipse的话,可以将光标移到这个类名上,按快捷键Ctrl+T查看该类的具体继承和实现关系。
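至于密码加密,采用的是shiro自带的MD5算法(严格来说这是加盐散列而不是加密,数据库里保存的是散列值)。这里注意加密和验证时所用函数的第三个参数(即盐值)的写法不太一样:博主直接采用用户名作盐值,加密时第三个参数直接就是用户名,而验证时要用ByteSource.Util.bytes(currentUser.getUsername())。两处的盐值必须是同一个值,否则验证时重新计算出的散列与库里保存的对不上,登录验证就会失败。
(currentUser为realm实现类的方法传进来的token)
另外要注意:MD5运算很快,这里的迭代次数又只有2次,数据库一旦泄露,散列值很容易被离线暴力破解;用户名作盐值也是可预测的。实际项目中建议改用bcrypt、Argon2或高迭代次数的PBKDF2这类专门的密码散列算法,并为每个用户生成随机盐值、与散列一起保存。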
- pom.xml
<!-- shiro版本(ehcache-core的版本直接写在下面的dependency里)。1.3.0是较旧的版本,实际使用前请对照Apache Shiro官方安全公告,选用仍在维护的版本 -->
<properties>
<shiro.version>1.3.0</shiro.version>
</properties>
<dependency>
<groupId>net.sf.ehcache</groupId>
<artifactId>ehcache-core</artifactId>
<version>2.4.8</version>
</dependency>
<!-- shiro start -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-ehcache</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring</artifactId>
<version>${shiro.version}</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-web</artifactId>
<version>${shiro.version}</version>
</dependency>
<!-- shiro end -->
- web.xml
<context-param>
<param-name>contextConfigLocation</param-name>
<!-- 将Shiro的配置文件交给Spring监听器初始化 -->
<param-value>classpath:spring/applicationContext.xml,classpath:shiro/spring-shiro-web.xml</param-value>
</context-param>
<!-- shiro所需的过滤器 -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
- shiro-spring.xml(只显示加密所需代码)
<!-- 安全管理器 -->
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="userRealm" />
<property name="cacheManager" ref="cacheManager" />
<!-- <property name="rememberMeManager" ref="rememberMeManager"/> -->
</bean>
<!-- 缓存管理器 使用Ehcache实现 -->
<bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
<property name="cacheManagerConfigFile" value="classpath:shiro/ehcache.xml" />
</bean>
<!-- 凭证匹配器:MD5散列,迭代2次;算法和迭代次数必须与保存密码时生成散列所用的一致。MD5计算太快,不适合存储密码,生产环境应换成更慢的密码散列方案 -->
<bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5" />
<property name="hashIterations" value="2" />
</bean>
<!-- Realm实现 -->
<bean id="userRealm" class="com.mdy.student.shiro.realm.MyRealm">
<property name="credentialsMatcher" ref="credentialsMatcher" />
</bean>
<!-- 多realm实现可使用ModularRealmAuthorizer+认证策略 -->
<!-- <bean id="authenticator" class="org.apache.shiro.authz.ModularRealmAuthorizer">
<property name="realms"></property>
</bean> -->
- 自己实现的realm类
public class MyRealm extends AuthorizingRealm {
@Autowired
private UserService userService;
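/**
 * Authentication callback: loads the stored password for the submitted username and
 * returns it to Shiro together with the salt needed to re-hash the submitted password.
 *
 * <p>This method does not compare passwords itself. It only supplies the stored value
 * and the salt; the comparison is left to the credentialsMatcher set on this realm.
 *
 * <p>NOTE(review): with the matcher configured as MD5 with 2 iterations, the stored
 * hashes are cheap to brute-force offline if the database leaks. Prefer a slow,
 * purpose-built password hash and a random per-user salt when the matcher is changed.
 *
 * @param token the submitted login token; cast to {@link UsernamePasswordToken}
 * @return the principal, stored password, salt and realm name for the matcher to check
 * @throws UnknownAccountException if {@code userService} returns no password for the username
 * @throws AuthenticationException declared by the overridden method
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    // Narrow the generic token to the username/password form this realm works with.
    UsernamePasswordToken currentUser = (UsernamePasswordToken) token;
    String username = currentUser.getUsername();

    // Password as stored in the database (presumably the salted hash, not plain text — confirm
    // against UserService); null is treated as "no such account".
    String password = userService.getUserPassword(username);
    if (password == null) {
        throw new UnknownAccountException();
    }

    // The salt must be the same value that was used when the password was hashed for
    // storage, which is the username in this setup. Using the submitted credentials as
    // the salt would make the recomputed hash differ from the stored one.
    return new SimpleAuthenticationInfo(currentUser.getPrincipal(), password,
            ByteSource.Util.bytes(username), this.getName());
}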
// 授权认证api省略