防止多次尝试,恶意暴力破解密码的情况出现,要限制用户登录尝试次数,必然要对用户名密码验证失败做记录,Shiro中用户名密码的验证交给了CredentialsMatcher 所以在CredentialsMatcher里面检查,记录登录次数是最简单的做法。当登录失败次数达到限制,修改数据库中的状态字段,并返回前台错误信息。
RetryLimitHashedCredentialsMatcher配置:
package com.chinahotelhelp.shm.businessmanagement.config;
import com.chinahotelhelp.shm.businessmanagement.module.sys.entity.Message;
import com.chinahotelhelp.shm.businessmanagement.module.sys.entity.SysUser;
import com.chinahotelhelp.shm.businessmanagement.module.sys.mapper.SysUserMapper;
import com.chinahotelhelp.shm.businessmanagement.module.sys.service.SysUserService;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authc.credential.SimpleCredentialsMatcher;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheException;
import org.apache.shiro.cache.CacheManager;
import org.apache.shiro.cache.ehcache.EhCacheManager;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import java.util.concurrent.atomic.AtomicInteger;
/**
* @Auther: 杨
* @Date: 2019/1/3 17:11
* @Description: 验证器,增加了登录次数校验功能
*/
@Component
public class RetryLimitHashedCredentialsMatcher extends SimpleCred