本文主要是介绍【shiro】shiro学习笔记3-散列功能,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
对于密码,有很多种加密方式散列是其中 最常用的,shiro提供了直接支持。
环境
<dependencies><!-- shiro --><dependency><groupId>org.apache.shiro</groupId><artifactId>shiro-core</artifactId><version>1.2.4</version></dependency><!--日志问题的解决--><dependency><groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId><version>1.7.15</version></dependency><!--日志--><dependency><groupId>commons-logging</groupId><artifactId>commons-logging</artifactId><version>1.2</version></dependency><dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version><scope>test</scope></dependency></dependencies>目录结构
shiro封装的散列对象(列举常用)
Md5Hash
Md5Hash(Object source, Object salt, int hashIterations)
SimpleHash
SimpleHash(String algorithmName, Object source, Object salt, int hashIterations)
参数含意:
source: 要散列的值(这里是明文密码)
salt: 盐,用于与source一起散列的值,一般随机生成,用于防止暴力破解
hashIterations: 散列的次数
algorithmName: simpleHash是其它散列的父类(如下图),如果要用simpleHash就要告诉shiro使用哪种hash方式
代码
log4j.properties
log4j.rootLogger=DEBUG, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%5p [%t] - %m%nshiro-realm-md5.ini
[main]
#注入凭证匹配器
cridentialMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
cridentialMatcher.hashAlgorithmName = MD5
cridentialMatcher.hashIterations = 3#注入自定义的realm
hashRealm = xyz.mrwood.study.realm.HashRealm
hashRealm.credentialsMatcher = $cridentialMatcher
securityManager.realms = $hashRealmUser.java(模拟数据库中的表)
package xyz.mrwood.study.model;/*** Created by Administrator on 2016/2/16.*/
public class User {private String username;private String password;private String salt;public User(String username, String password, String salt) {this.username = username;this.password = password;this.salt = salt;}public String getUsername() {return username;}public void setUsername(String username) {this.username = username;}public String getPassword() {return password;}public void setPassword(String password) {this.password = password;}public String getSalt() {return salt;}public void setSalt(String salt) {this.salt = salt;}@Overridepublic String toString() {return "User{" +"username='" + username + '\'' +", password='" + password + '\'' +", salt='" + salt + '\'' +'}';}
}HashRealm.java
package xyz.mrwood.study.realm;import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import xyz.mrwood.study.model.User;import java.util.HashMap;
import java.util.Map;/*** Created by Administrator on 2016/2/16.*/
public class HashRealm extends AuthorizingRealm {//授权@Overrideprotected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {return null;}//认证@Overrideprotected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {//获得主体(帐号)String principal = (String) authenticationToken.getPrincipal();//模拟数据库Map<String, User> users = new HashMap<>();users.put("kiwi", new User("kiwi", new Md5Hash("22222", "324", 3).toString(), "324"));users.put("fly", new User("fly", new Md5Hash("111111", "123", 3).toString(), "123"));//验证帐号是否存在if (users.containsKey(principal)){User user = users.get(principal);System.out.printf(user.toString());//在realm中只要判断帐号是否存在,密码是否正确交给shiro比较return new SimpleAuthenticationInfo(principal, user.getPassword(), ByteSource.Util.bytes(user.getSalt()), getName());}else{return null;}}
}
AuthenticationTest.java
package xyz.mrwood.study.authentication;import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Test;/*** Created by Administrator on 2016/2/12.*/
public class AuthenticationTest {@Testpublic void testHash(){// 构建SecurityManager对象Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-realm-md5.ini");SecurityManager securityManager = factory.getInstance();// 设置SecurityManager进入运行环境SecurityUtils.setSecurityManager(securityManager);// 构建主体对象Subject subject = SecurityUtils.getSubject();// 封装帐号密码对象
// 密码传明文,所有如果要用这个以后客户端不能再加密了AuthenticationToken token = new UsernamePasswordToken("kiwi", "22222");// 提交验证try {subject.login(token);} catch (IncorrectCredentialsException e) {System.out.println("错误的凭证!");} catch (UnknownAccountException e){System.out.println("未知帐号!");}System.out.println("认证:" + subject.isAuthenticated());}
}
总结
- 在realm中只要判断帐号是否存在,密码是否正确交给shiro比较
- shiro的凭证匹配器的作用,就是得到明文密码与salt后怎么去散列,匹配器通过配置,有如下几种
这篇关于【shiro】shiro学习笔记3-散列功能的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
