Shiro入门到精通--实现认证realm及加盐

  • ShiroRealm1
package com.spring.shiro.realms;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.LockedAccountException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.AuthenticatingRealm;

public class ShiroRealm1 extends AuthenticatingRealm {

    /**
     * Tutorial stub that resolves account data for the submitted token without a real user store.
     *
     * <p>Two usernames act as sentinels: {@code "unknow"} is reported as a missing account and
     * {@code "monster"} as a locked one. Every other username is paired with the fixed
     * password {@code "123456"}.
     *
     * <p>NOTE(review): because the credential is a constant, any username authenticates with
     * the same password. This is only acceptable as a demo; a real realm has to load the
     * stored credential for the specific user.
     *
     * @param token the submitted token; cast to {@link UsernamePasswordToken} without a type check
     * @return account data made of the username, the fixed password and this realm's name
     * @throws UnknownAccountException if the username is {@code "unknow"}
     * @throws LockedAccountException if the username is {@code "monster"}
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        // Debug trace of the incoming token, written to stdout.
        System.out.println("doGetAuthenticationInfo"+token);

        // Steps 1-2: narrow the token to UsernamePasswordToken and read the username from it.
        final String username = ((UsernamePasswordToken) token).getUsername();

        // Step 3: placeholder for the database lookup; nothing is actually queried here.
        System.out.println("从数据库中获取username" +username +"对应的值");

        // Step 4: a user that does not exist is signalled with UnknownAccountException.
        if ("unknow".equals(username)) {
            throw new UnknownAccountException("用户名不存在");
        }

        // Step 5: other account states (here: locked) map to their own AuthenticationException.
        if ("monster".equals(username)) {
            throw new LockedAccountException("账号被锁定");
        }

        // Step 6: build the AuthenticationInfo. The principal may be any identifying object;
        // the username is used here. The credential is hard-coded instead of read from a
        // database, and the realm name comes from the parent class's getName().
        final Object storedPassword = "123456";
        return new SimpleAuthenticationInfo(username, storedPassword, getName());
    }

}

之所以要配置 logout,是因为前面的 realm 中任意用户名只要密码为 123456 即可认证成功;认证成功后 Shiro 有缓存机制,之后的测试中即使密码不输入 123456 也可以登录成功。配置登出过滤器可以解决这个问题。

  • 加盐操作
package com.spring.shiro.realms;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.util.ByteSource;

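/**
 * Demo realm that returns salted, hashed credentials for two hard-coded accounts.
 *
 * <p>The hex strings returned for {@code admin} and {@code user} stand in for values a real
 * realm would load from its user store; {@link #main(String[])} shows how such a value is
 * produced with {@link SimpleHash}.
 *
 * <p>NOTE(review), for readers adapting this sample:
 * <ul>
 *   <li>The salt is the username, so it is predictable. A random per-user salt stored next
 *       to the hash is the usual choice.</li>
 *   <li>MD5 with 1024 iterations is cheap to compute and weak for password storage by
 *       current standards; prefer a purpose-built password hashing scheme. Changing it
 *       means re-hashing the stored credentials and updating the credentials matcher.</li>
 * </ul>
 *
 * @author admin
 * 2018-02-05 11:40:32
 */
public class ShiroRealm2 extends AuthenticatingRealm {

    /**
     * Returns the stored hash and salt for the username carried by the token.
     *
     * @param token the submitted token; cast to {@link UsernamePasswordToken} without a type check
     * @return account data (username, hex-encoded hash, salt, realm name), or {@code null}
     *         when the username is not one of the known accounts
     * @throws AuthenticationException declared by the overridden method; not thrown directly here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();

        // Stand-in for a user-store lookup: only two accounts exist.
        Object hashedCredentials;
        if ("admin".equals(username)) {
            hashedCredentials = "038bdaf98f2037b31f1e75b5b4c9b26e";
        } else if ("user".equals(username)) {
            hashedCredentials = "098d2c478e9c11555ce2823231e02ec1";
        } else {
            // Unknown account: returning null is how doGetAuthenticationInfo reports
            // "no account found". Never hand the credentials matcher an info object whose
            // credentials are null.
            return null;
        }

        // The salt must be the same value that was used when the stored hash was computed.
        ByteSource credentialsSalt = ByteSource.Util.bytes(username);
        return new SimpleAuthenticationInfo(username, hashedCredentials, credentialsSalt, getName());
    }

    /**
     * Prints the hash of the sample password so it can be copied into the realm above.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        String algorithmName = "MD5";
        Object source = "123456";
        ByteSource salt = ByteSource.Util.bytes("admin");
        int hashIterations = 1024;
        Object result = new SimpleHash(algorithmName, source, salt, hashIterations);
        // Hash of the password 123456 salted with "admin".
        System.out.println(result);
    }
}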

 

  • applicationContext.xml 自定义的那个realm 需要做对应的更改
<bean id="jdbcRealm" class="com.spring.shiro.realms.ShiroRealm1">
        <!-- Hash the submitted credentials before comparing them: algorithm MD5, 1024 iterations. -->
        <!-- NOTE(review): the algorithm and iteration count must match how the stored hashes were
             produced (see the SimpleHash call in ShiroRealm2.main). The class attribute still
             names ShiroRealm1, which on this page returns the plain string "123456" without a
             salt; the salted hashes come from ShiroRealm2. Confirm which realm is intended. -->
        <!-- NOTE(review): MD5 with 1024 iterations is weak for password storage by current
             standards; switching to a stronger scheme requires re-hashing stored credentials. -->
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
                <property name="hashAlgorithmName" value="MD5"></property>
                <property name="hashIterations" value="1024"></property>
            </bean>
        </property>
    </bean>

 

示例中的密码没有从数据库中获取,是自己随便写的。

 
