Shiro: Hashing with Salt and Credential Verification

Using MD5 hashing in Shiro is extremely simple:

Shiro's utility class: SimpleHash

// SimpleHash constructor
SimpleHash(String algorithmName, Object source, Object salt, int hashIterations)

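Parameters:

| Parameter | Description | Type |
| --- | --- | --- |
| algorithmName | Hash algorithm [MD5, Md2, Sha1, Sha256, etc.] | String |
| source | The object to hash | Object |
| salt | The salt; pass null if you do not want to salt the hash | Object |
| hashIterations | Number of times the source is hashed; more iterations give a more robust result, and also a more complex one | int |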

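Usage example:

import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;
ByteSource salt = ByteSource.Util.bytes("admin"); // example salt value
// Hash with SimpleHash (SimpleHash treats an iteration count below 1 as 1)
SimpleHash simpleHash2 = new SimpleHash("MD5", "123456", salt, 0);
// Print the result [printing the object directly, or calling toString(), gives the hex-encoded hash]
System.out.println(simpleHash2);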

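In Shiro, hashing is enabled through the credentials matcher assigned to the credentialsMatcher property of your custom Realm (a class that implements the Realm interface). The commonly used implementation is HashedCredentialsMatcher. Once Shiro is integrated with Spring, the Spring configuration looks like this: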


<bean id="jdbcRealm" class="com.heiketu.shiro.realm.ShiroRealm">
    <property name="credentialsMatcher">
        <bean class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
            <property name="hashAlgorithmName" value="MD5"></property>
        </bean>
    </property>
</bean>



<bean id="securityManager"
    class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="cacheManager" ref="cacheManager" />
    <property name="realm" ref="jdbcRealm" />
</bean>



<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
    depends-on="lifecycleBeanPostProcessor" />
<bean
    class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
    <property name="securityManager" ref="securityManager" />
</bean>

<bean id="secureRemoteInvocationExecutor"
    class="org.apache.shiro.spring.remoting.SecureRemoteInvocationExecutor">
    <property name="securityManager" ref="securityManager" />
</bean>


<bean id="shiroFilter"
    class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager" />
    <property name="loginUrl" value="/login.jsp" />
    <property name="successUrl" value="/success.jsp" />
    <property name="unauthorizedUrl" value="/unauthorized.jsp" />
    <property name="filterChainDefinitions">
        <value>
            /login.jsp = anon
            /shiroRequest/login = anon
            /shiro/logout = logout
            /** = authc
        </value>
    </property>
</bean>

Note: if the custom Realm extends the AuthenticatingRealm class, it must implement the abstract method AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken arg0).

Sample code for the doGetAuthenticationInfo method in Shiro:

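import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken arg0) throws AuthenticationException {
    // Cast to UsernamePasswordToken
    UsernamePasswordToken upToken = (UsernamePasswordToken)arg0;

    // Username
    String username = upToken.getUsername();
    if("unkown".equals(username)) {
        throw new UnknownAccountException("未知用户");
    }

    // principal
    Object principal = username;
    // Password: salted
    // (hard-coded here for the demo; a real Realm loads the stored hash and salt for this user)
    ByteSource bytes = ByteSource.Util.bytes("admin");
    String pass = new SimpleHash("MD5", "123456", bytes, 0).toString();
    String name2 = getName();
    // Variant without a salt
    //AuthenticationInfo info = new SimpleAuthenticationInfo(principal, pass, name2);
    AuthenticationInfo info = new SimpleAuthenticationInfo(username, pass, bytes, getName());
    return info;
}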
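
The matcher re-hashes the submitted password with the salt from the AuthenticationInfo and compares it to the stored hash, so its algorithm and iteration count must equal the ones used when the hash was created. The following is an added example, not code from the original post: it goes beyond the post's MD5/fixed-salt case by using SHA-256, 1024 iterations and a random per-user salt (all assumed values, as are the class name, the user "alice" and the realm name "demoRealm"), and it assumes Shiro 1.x package names.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class SaltedHashMatchDemo {
    // Assumed values for this example; the post itself uses "MD5" with hashIterations 0.
    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 1024;

    // Storage side: hash the password with the user's salt, hex-encoded for the user store.
    static String hashForStorage(String password, ByteSource salt) {
        return new SimpleHash(ALGORITHM, password, salt, ITERATIONS).toHex();
    }

    // Login side: the check the realm's credentialsMatcher performs on the submitted token
    // and the AuthenticationInfo that doGetAuthenticationInfo returns.
    static boolean matches(String submitted, String storedHex, ByteSource salt,
                           int matcherIterations) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName(ALGORITHM);
        matcher.setHashIterations(matcherIterations);
        UsernamePasswordToken token = new UsernamePasswordToken("alice", submitted);
        AuthenticationInfo info =
                new SimpleAuthenticationInfo("alice", storedHex, salt, "demoRealm");
        return matcher.doCredentialsMatch(token, info);
    }

    public static void main(String[] args) {
        // Constructed sample data: one random salt per user, stored next to the hash.
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String stored = hashForStorage("123456", salt);

        System.out.println("correct password:   " + matches("123456", stored, salt, ITERATIONS));
        System.out.println("wrong password:     " + matches("654321", stored, salt, ITERATIONS));
        // Matcher configured with a different iteration count than the one used at storage time.
        System.out.println("iteration mismatch: " + matches("123456", stored, salt, 1));
    }
}
```

Only the first call matches; the third shows that a correct password is rejected when the matcher's hashIterations differs from the value used to create the stored hash.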
