一.shiro加密模块的使用
1.shiro是主流的权限管理框架,提供了认证,授权,回话管理,密码加密等功能,使得开发者更加便捷
2.具体实现采用MD5加密,而且进行加盐处理
二.代码实现
1.在自定义的认证类中,放回的AuthenticationInfo添加加盐参数
return new SimpleAuthenticationInfo(user,user.getPassword(),credentialsSalt,getName());
import java.util.Set;
import org.apache.shiro.authc.AccountException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import com.yuanjun.shiro.bean.Module;
import com.yuanjun.shiro.bean.Role;
import com.yuanjun.shiro.bean.User;
import com.yuanjun.shiro.service.UserService;
/**
*
* 类名称: MyAuthRealm
* 类描述: 自己实现Realm认证授权操作
* @author yuanjun
* 创建时间:2017年11月26日下午3:56:12
*/
public class MyAuthRealm extends AuthorizingRealm{
@Autowired
private UserService userService;
/**
* 登陆认证
*/
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken authcToken) throws AuthenticationException {
//获取登陆信息
UsernamePasswordToken token = (UsernamePasswordToken) (authcToken);
//获取登录名
String username = token.getUsername();
//查询数据库中的信息
User user = userService.findUserByUserName(username);
if(user==null){
throw new AccountException("账号不存在");
}
//使用账号作为盐值
ByteSource credentialsSalt = ByteSource.Util.bytes(user.getUsername());
return new SimpleAuthenticationInfo(user,user.getPassword(),credentialsSalt,getName());
}
/**
* 授权
*/
protected AuthorizationInfo doGetAuthorizationInfo(
PrincipalCollection principals) {
User user = (User) principals.getPrimaryPrincipal();
//查找用户对于的角色
Set<Role> roles = user.getRoles();
//获取权限
List<String> permissions=new ArrayList<String>();
if(roles.size()>0){
for(Role role: roles){
Set<Module> module = role.getModules();
if(module.size()>0){
for (Module module2 : module) {
permissions.add(module2.getMname());
}
}
}
}
SimpleAuthorizationInfo info=new SimpleAuthorizationInfo();
info.addStringPermissions(permissions);//将权限放入shiro中.
return info;
}
}
2.添加密码匹配器
采用的SpringBoot的方式配置,即java配置类注册方式实现,通过跟踪源码的方式getCredentialsMatcher()调用密码匹配器,注册自己的Hash散序管理器,SecurityManager回去调用,传入的数据库的password会与用户输入的密码加盐处理后对比,不正确会抛出异常信息。实现的方式如下,自定义密码匹对,注入到权限登录器
方式一 java代码实现
//配置自定义的权限登录器
@Bean(name="authRealm")
public AuthRealm authRealm(@Qualifier("hashedCredentialsMatcher") HashedCredentialsMatcher matcher,
EhCacheManager ehCacheManager) {
AuthRealm authRealm=new AuthRealm();
authRealm.setCredentialsMatcher(matcher);
authRealm.setCacheManager(ehCacheManager);
return authRealm;
}
/**
* 密码匹配凭证管理器
*
* @return
*/
@Bean(name = "hashedCredentialsMatcher")
public HashedCredentialsMatcher hashedCredentialsMatcher() {
HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
hashedCredentialsMatcher.setHashAlgorithmName("MD5");// 散列算法:这里使用MD5算法;
hashedCredentialsMatcher.setHashIterations(1024);// 散列的次数,比如散列两次,相当于
// md5(md5(""));
return hashedCredentia