关于shiro密码验证的奇怪状况,求教啊 求教

最新推荐文章于 2022-10-21 14:08:24 发布
最新推荐文章于 2022-10-21 14:08:24 发布
阅读量289 收藏
点赞数
分类专栏: 工作遇到问题汇总记录
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_44222957/article/details/111404569
版权

问题:
在做springboot整合shiro时。注册用户我用了md5加盐加密的方式,然后验证的时候正确的密码没有任何问题,错误的密码应该提示密码错误。但是却直接报了IncorrectCredentialsException异常。应该是密码凭证不匹配,但是为啥正确密码没影响呢?

问题代码

org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - admin1, rememberMe=false (login)] did not match the expected credentials.
	at org.apache.shiro.realm.AuthenticatingRealm.assertCredentialsMatch(AuthenticatingRealm.java:600)
	at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:578)
	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
	at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
	at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
	at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
	at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
	at com.xingdi.test.controller.LoginController.doLogin(LoginController.java:47)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:197)
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:141)
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:106)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:894)
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808)
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1061)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:961)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:652)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:733)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:374)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1597)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

加密方式

  account.setPassword("123456");
        account.setStatus(1);
        account.setRealname("超级管理员");
        account.setEmployeenumber("0002");
        account.setSalt(ShiroKit.getRandomSalt(5));
        account.setPassword(ShiroKit.md5(account.getPassword(), account.getSalt())); //把盐与密码传入方法中进行 md5加密方式 的1024次加密 最后得出加密密码
        System.out.println("密码:"+account.getPassword()+" "+"Salt:"+ account.getSalt()); //打印 加密后的密码 与 盐的值
       
       =====================================================
         /**

     shiro密码加密工具类
     @param credentials 密码
     @param saltSource  密码盐
     @return
     */
    public static String md5(String credentials, String saltSource) {
        ByteSource salt = new Md5Hash(saltSource);
        return new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations).toString();
    }
    /**

     获取随机盐值
     @param length
     @return
     */
    public static String getRandomSalt(int length) {
        return getRandomString(length);
    }


        //随即生成length长度的字母数字组合的字符串
        public static   String getRandomString(int length) {
            String val = "";
            Random random = new Random();
            for (int i = 0; i < length; i++) {
                String charOrNum = random.nextInt(2) % 2 == 0 ? "char" : "num"; // 输出字母还是数字
                if ("char".equalsIgnoreCase(charOrNum)) // 字符串
                {
                    int choice = random.nextInt(2) % 2 == 0 ? 65 : 97; // 取得大写字母还是小写字母
                    val += (char) (choice + random.nextInt(26));
                } else if ("num".equalsIgnoreCase(charOrNum)) // 数字
                {
                    val += String.valueOf(random.nextInt(10));
                }
            }
            return val;
        }

shiro配置类


    @Bean
    public MyShiroRealm myShiroRealm(@Qualifier("hashedCredentialsMatcher") HashedCredentialsMatcher matcher){
        MyShiroRealm myShiroRealm = new MyShiroRealm(matcher);
        return myShiroRealm;
    }

    //自定义密码校验器
    @Bean("hashedCredentialsMatcher")
    public HashedCredentialsMatcher hashedCredentialsMatcher() {
        logger.info("hashedCredentialsMatcher.doGetAuthenticationInfo()");
        HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
        //加密方式
        hashedCredentialsMatcher.setHashAlgorithmName(ShiroKit.hashAlgorithmName);
        //加密次数
        hashedCredentialsMatcher.setHashIterations(ShiroKit.hashIterations);
        //存储散列后的密码是否为16进制
        //hashedCredentialsMatcher.isStoredCredentialsHexEncoded();
        return hashedCredentialsMatcher;
    }

    @Bean
    public SecurityManager securityManager(@Qualifier("hashedCredentialsMatcher") HashedCredentialsMatcher matcher){
        DefaultWebSecurityManager securityManager =  new DefaultWebSecurityManager();
        securityManager.setRealm(myShiroRealm(matcher));
        return securityManager;
    }

realm

 /**
     * 认证信息.(身份验证)
     * :
     * Authentication 是用来验证用户身份
     *
     * @param token
     * @return
     * @throws AuthenticationException
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        logger.info("MyShiroRealm.doGetAuthenticationInfo()");
        //获取用户的输入的账号.
        String username = (String) token.getPrincipal();

        //通过username从数据库中查找 User对象,如果找到,没找到.
        //实际项目中,这里可以根据实际情况做缓存,如果不做,Shiro自己也是有时间间隔机制,2分钟内不会重复执行该方法
        Account account = accountService.selectByUserName(username);
        logger.info("----->>userInfo=" + account.toString());
        //账号判断;
        if (account == null) {
            logger.error("用户 { " + username + " } 不存在 ");
            throw new AccountException("账户不存在");
        }
        if (account.getStatus() == 0) {
            logger.error("用户 { " + username + " } 被禁止登录 ");
            throw new DisabledAccountException("账号已经禁止登录");
        }

        /*
         * 获取权限信息:这里没有进行实现,
         * 请自行根据UserInfo,Role,Permission进行实现;
         * 获取之后可以在前端for循环显示所有链接;
         */
//        userInfo.setPermissions(accountService.findPermissions(user));
        //  accountService.findRoleAndPermissions(account);
        String credentials = account.getPassword();//获取本账号加密过的密码
        String salt = account.getSalt();           //获取本账号中对应盐值
        ByteSource credentialsSalt = new Md5Hash(salt); //放入盐值
        System.out.println("credentialsSaltgetBytes" + credentialsSalt.getBytes());
        System.out.println("credentialsSaltgetClass" + credentialsSalt.getClass());
        //加密方式;
        //交给AuthenticatingRealm使用CredentialsMatcher进行密码匹配,如果觉得人家的不好可以自定义实现
        SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
                account,
                credentials,
                credentialsSalt,
                getName()  //realm name
        );

        //明文: 若存在,将此用户存放到登录认证info中,无需自己做密码对比,Shiro会为我们进行密码对比校验
//      SimpleAuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo(
//           userInfo, //用户名
//           userInfo.getPassword(), //密码
//             getName()  //realm name
//      );

        return authenticationInfo;
    }

有人说可以将前端传的明文密码加密后传入token比对
但是我密码加密使用的盐,明文加密盐跟之前就不一样了吧?
所以咋解决 求大佬啊

勤劳的小王
关注
专栏目录
Shiro 身份验证、授权、密码和会话管理
05-07
Apache Shiro 是一个强大且易用的 Java 安全框架,它提供了身份验证、授权、密码管理和会话管理等功能,简化了在 Java 应用程序中处理安全性的问题。Shiro 的设计目标是使开发者能够专注于应用程序的安全逻辑,而...
jupyterlab获取其他浏览器登陆的token
wj1298250240的博客
11-22 6407
jupyterlab默认使用IE打开,但是我想用其他浏览器打开,就跳出这个界面,让输入密码,但是密码我也不知道是什么 Token authentication is enabled If no password has been configured, you need to open the notebook server with its login token in the URL, or paste it above. This requirement will be lifted if you
【Python】Jupyter Notebook的安装与基本使用方法
最新发布
几度热忱的博客
10-21 3745
Jupyter Notebook是基于网页的用于交互计算的应用程序。其可被应用于开发、文档编写、运行代码和展示结果。优势在于可以在网页中按单元格分块编写Python代码和 Markdown文字。
shiro 认证时加盐的问题 did not match the expected credentials.处理
GinChou的萌新博客
03-10 4094
密码加盐在核对时报错: token中的密码位char[] char[]数据时是加密后的密码 info中的验证信息也是 和token一样 但是报错 token的hash 和 account的不一致 这是在一开始就进行加密处理的操作 明显不对劲 如果是 放明文密码 最后得出的token哈希值 也是不一致的 最后明显的问题是在于数据库的密码是否能对上。 最开始的是错误的。 ...
shiro认证时出现报错Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken -
m0_67402970的博客
03-28 4016
shiro认证时出现报错: org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false] did not match the expected credentials. 当时出现这个问题是在生产的uat环境上出现的,说实话,挺幸运的,幸好是在uat环境上
shiro验证登录代码实例及问题解决
08-25
Shiro验证登录代码实例及问题解决 Shiro 是一个 Java security framework,它提供了许多有用的功能来帮助开发者保护应用程序的安全。Shiro验证登录是指在一个应用程序中使用多种身份验证方式来验证用户身份。...
shiro登录验证实例
02-03
shiro登录验证实例,下载包虽然是web_exception_project.zip,但是确实是shiro登录验证实例,请放心下载,另外,实例详情请访问博主博客:http://blog.csdn.net/u013142781
Java shiro登录验证实例
04-29
Java shiro登录验证实例。 shiro登录验证实例,下载包虽然是web_exception_project.zip,但是确实是shiro登录验证实例,请放心下载,另外,实例详情请访问博主博客:http://blog.csdn.net/u013142781 shiro
springboot与shiro密码加密,mybatis,redis的整合项目
04-02
后台在通过shiro进行授权和认证,分为普通用户和管理员两种角色,普通用户只能访问商品,管理员可以访问商品和用户界面的基础上加入了密码加密。登录时利用了redis缓存。里面包含数据库文件希望能帮助到大家学习。
shiro身份认证失败:org.apache.shiro.authc.IncorrectCredentialsException
m0_67391521的博客
08-24 1539
所以不是身份认证的原因,归根到底是密码错的原因,经过多次验证,我很确定经过MD5加盐加密的密码没有错啊,那是能使格式错了,,,,,最近整个shiro项目的时候,发现一个小bug,在登录的时候,当用户名对,密码错的时候,本应提示用户名或密码错误的,但提示信息却是身份认证失败的异常信息,项目后台窗口报错。又经过多次尝试,发现token和info不一样,一个是32位的string形式的,一个是char的形式,然后我将密码先设置为char再转为string之后,终于成功了。
Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=fa
落拓子ю的博客
08-20 4310
问题: ajax与ssm后台交互获取到的msg错误如下 {code: 500,…} code:500 count:0 data:null msg:"Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false] did not match the exp...
shiro认证时出现报错Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - admin...
努力明天会更好的博客
08-20 5797
shiro认证时出现报错: org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=false] did not match the expected credentials. 当时出现这个问题是在生产的uat环境上出现的,说实话,挺幸运的,幸好是在uat环境上
shiro: Odd number of characters.
ITHomeZSL的博客
10-21 1709
java.lang.IllegalArgumentException: Odd number of characters. at org.apache.shiro.codec.Hex.decode(Hex.java:128) at org.apache.shiro.codec.Hex.decode(Hex.java:107) at org.apache.shiro.code...
org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.s
qq_35804654的博客
06-13 5767
问题描述:org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - **, rememberMe=false] did not match the expected credential
springboot集成shiro时认证出现报错(Submitted credentials for token...)
热门推荐
阿潘是个程序猿的博客
06-14 4万+
[ERROR:]2015-10-14 08:46:19,226 [Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - 1300, rememberMe=false] did not match the expected credentials.] org.apache.shiro.auth...
springboot集成shiro时认证出现报错Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToke
苏顺的博客
05-09 1万+
shiro密码验证的大致流程: 1. controller中login的时候 UsernamePasswordToken token = new UsernamePasswordToken(account, password); try { SecurityUtils.getSubject().login(token); } 2. realm中调用doGetAuthenticationInfo @Override
Springside4学习与Shiro服务端验证解析
"这篇文档主要介绍了Springside4的学习整理,包括其与Shiro的集成以及服务端验证的使用。Springside4是一个基于Spring Framework的实用型JavaEE应用示例,展示了主流技术选型和最佳实践。它不是一个完整的框架,而是...
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值