Shiro——MD5加密
一、shiro默认密码的比对
通过 AuthenticatingRealm 的 credentialsMatcher 属性来进行的密码的比对
/**源码org.apache.shiro.realm.AuthenticatingRealm * Asserts that the submitted {@code AuthenticationToken}'s credentials match the stored account * {@code AuthenticationInfo}'s credentials, and if not, throws an {@link AuthenticationException}. * * @param token the submitted authentication token * @param info the AuthenticationInfo corresponding to the given {@code token} * @throws AuthenticationException if the token's credentials do not match the stored account credentials. */ protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info)
throws AuthenticationException { CredentialsMatcher cm = getCredentialsMatcher(); if (cm != null) { if (!cm.doCredentialsMatch(token, info)) { //not successful - throw an exception to indicate this: String msg = ""; throw new IncorrectCredentialsException(msg); } } else { throw new AuthenticationException(""); } }
调试技巧:在org.apache.shiro.authc.UsernamePasswordToken的getPassword()方法中添加断点
①、接口CredentialsMatcher
源码 package org.apache.shiro.authc.credential; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; public interface CredentialsMatcher { boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info); }
②、接口CredentialsMatcher的继承关系
shiro默认是用org.apache.shiro.authc.credential.SimpleCredentialsMatcher进行密码比较
//SimpleCredentialsMatcher.doCredentialsMatch()
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) { Object tokenCredentials = getCredentials(token); Object accountCredentials = getCredentials(info); return equals(tokenCredentials, accountCredentials); }
二、MD5加密
使用 new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations) 来计算盐值加密后的密码的值
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;
public static void main(String[] args){ //加密方式 String hashAlgorithmName = "MD5"; //明文密码 Object credentials = "1234"; //盐值 Object salt = ByteSource.Util.bytes("nchu"); int hashIterations = 1024; Object result = new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations);
//加密后的密码 System.out.println(result); }
三、Shiro密码加密
①、在spring核心配置文件中配置自定义Realm
<!-- 自定义Realm --> <bean id="MD5Realm" class="com.nchu.shiro.MD5Realm"> <!-- 更改自定义Realm的默认credentialsMatcher属性--> <property name="credentialsMatcher" > <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher"> <!--指定加密算法--> <property name="hashAlgorithmName" value="MD5"></property> <!--设置加密次数--> <property name="hashIterations" value="1024"></property> </bean> </property> </bean> <!-- 安全管理器 --> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager"> <property name="realms"> <list> <ref bean="MD5Realm"/> </list> </property> </bean>
替换当前 Realm 的 credentialsMatcher 属性. 直接使用 HashedCredentialsMatcher 对象, 并设置加密算法即可
②、自定义Realm
使用shiro MD5加密前提数据库存储的密码是经过MD5加密的
import com.nchu.mvc.dao.ShiroRealmMapper; import org.apache.shiro.authc.*; import org.apache.shiro.crypto.hash.SimpleHash; import org.apache.shiro.realm.AuthenticatingRealm; import org.apache.shiro.util.ByteSource; import org.springframework.beans.factory.annotation.Autowired; /** * Created by yangshijing on 2018/1/16 0016. */ public class MD5Realm extends AuthenticatingRealm { @Autowired ShiroRealmMapper shiroRealmMapper; @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { System.out.println("----->"+token.hashCode()); //1. 把 AuthenticationToken 转换为 UsernamePasswordToken UsernamePasswordToken upToken = (UsernamePasswordToken) token; //2. 从 UsernamePasswordToken 中来获取 username String username = upToken.getUsername(); //3. 调用数据库的方法, 从数据库中查询 username 对应的用户记录 System.out.println("从数据库中获取 username: " + username + " 所对应的用户信息."); String password = shiroRealmMapper.login(username); //4. 若用户不存在, 则可以抛出 UnknownAccountException 异常 if(password==null){ throw new UnknownAccountException("用户不存在!"); } //5. 根据用户信息的情况, 决定是否需要抛出其他的 AuthenticationException 异常. /* if("monster".equals(username)){ throw new LockedAccountException("用户被锁定"); }*/ //6. 根据用户的情况, 来构建 AuthenticationInfo 对象并返回.
//通常使用的实现类为: SimpleAuthenticationInfo //以下信息是从数据库中获取的. //1). principal: 认证的实体信息. 可以是 username, 也可以是数据表对应的用户的实体类对象. Object principal = username; //2). hashedCredentials: 加密后的密码. Object hashedCredentials = password; //3). realmName: 当前 realm 对象的 name. 调用父类的 getName() 方法即可 String realmName = getName(); //4). 加密盐值 ByteSource credentialsSalt = ByteSource.Util.bytes("nchu"); SimpleAuthenticationInfo info = //new SimpleAuthenticationInfo(principal, credentials, realmName); new SimpleAuthenticationInfo(principal,hashedCredentials,credentialsSalt,realmName); return info; }
注意:在 doGetAuthenticationInfo 方法返回值创建 SimpleAuthenticationInfo 对象的时候, 需要使用SimpleAuthenticationInfo(principal, credentials, credentialsSalt, realmName) 构造器