本文介绍使用Shiro进行密码加密的方法及自定义密码验证过程。通过配置文件或与Spring集成来指定加密算法,如MD5,并利用SimpleCredentialsMatcher或HashedCredentialsMatcher进行密码验证。
前言:对于登录的密码信息加密,增加密码破解难度。在密码使用Shiro的hash加密方法和自定义方法加密算法。
步骤
1.告诉shiro密码使用何种加密方法
2.告诉shiro如何验证加密密码是否正确
1.告诉shiro密码使用何种加密方法
通过Credentials 和 CredentialsMatcher告诉shiro什么加密和密码校验
在配置文件上使用如何使用它们俩告诉shiro如何加密和校验
INI 文件的main 增加如下,可以参考shiro 使用 InI 验证
myRealm = com.demo.MyRealm
customMatcher = com.demo.CustomCredentialsMatcher
myRealm.credentialsMatcher = $customMatcher
与spring集成告诉shiro
<bean id="shiroDbRealm" class="service.ShiroDbRealm">
<!--验证方式-->
<property name="credentialsMatcher">
<bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
<property name="hashAlgorithmName" value="MD5"/>
</bean>
</property>
</bean>
2.告诉shiro如何验证加密密码是否正确
告诉shiro如何验证加密密码,通过SimpleCredentialsMatcher或HashedCredentialsMatcher
SimpleCredentialsMatcher(简单证明匹配): SimpleCredentialsMatcher对存储的用户凭证和从AuthenticationToken提交的用户凭证直接执行相等的检查。
HashedCredentialsMatcher:取代将凭证按它们原始形式存储并执行原始数据的对比,存储终端用户的凭证(如密码)更安全的办法是在存储数据之前,先进行hash运算。
密码校验方法继承SimpleCredentialsMatcher或HashedCredentialsMatcher类,实现doCredentialsMatch方法
示类
-------------------------------------------------------------------------------------------------------------
public class CustomCredentialsMatcher extends SimpleCredentialsMatcher {
@Override
public boolean doCredentialsMatch(AuthenticationToken authcToken, AuthenticationInfo info) {
UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
Object tokenCredentials = encrypt(String.valueOf(token.getPassword()));
Object accountCredentials = getCredentials(info);
//将密码加密与系统加密后的密码校验,内容一致就返回true,不一致就返回false
return equals(tokenCredentials, accountCredentials);
}
//将传进来密码加密方法
private String encrypt(String data) {
String sha384Hex = new Sha384Hash(data).toBase64();
System.out.println(data + ":" + sha384Hex);
return sha384Hex;
}
}
-----------------关于自定义Realm,通过Realm与应用交互验证身份
public class MyRealm extends AuthorizingRealm {
private static Logger logger = LoggerFactory.getLogger(MyRealm.class);
public MyRealm() {
super(); //To change body of overridden methods use File | Settings | File Templates.
}
//认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
String username = usernamePasswordToken.getUsername();
/* logger.info("用户名:{}", token.getUsername());
logger.info("用户密码:{}", token.getPassword());*/
if (username == null) {
throw new AccountException("用户名不能为空");
}
//TODO 取数据库
User user = new User();
user.setName("汤汤");
// user.setPassWord("5201314");
user.setPassWord("Mug2tZdS/WCdxOOfCHXPcdQyVT5kqBimrBM04UEj9Dma+XaasHvZZckw/OGjWj8J");
user.setRoles("admin");
return new SimpleAuthenticationInfo(user.getName(), user.getPassWord(), getName());
}
//授权
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
if (principals == null) {
throw new AuthorizationException("Principal对象不能为空");
}
/* String userName = (String) principals.fromRealm(getName()).iterator().next();*/
String userName = (String) principals.fromRealm(getName()).iterator().next();
if (userName != null && userName.equals("汤汤")) {
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo();
/* info.addStringPermission("admin");*/
List<String> rolesList = new ArrayList<String>();
rolesList.add("admin");
info.addRoles(rolesList);
return info;
} else {
return null;
}
}
}
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
