shiro加密操作
散列算法一般用于生成数据的摘要信息,是一种不可逆的算法,一般适合存储密码之类的数据,常见的散列算法人MD5、SHA等。一般进行散列算法时最好提供一个盐,比如加密密码(admin),产生的散列值是“21232f9757a837dasddadw”,可以到一些MD5
解密网站很容易的通过散列值得到“admin”,即如果直接对密码进行散列相对来说破解更容易,此时我们可以加一些干扰数据,如:用户名、ID。这样的散列的对象是“密码+用户名+ID”,这样生成的散列值相对来说更难破解。
步骤:1.自定义加密之后realm:重写3个方法:getName 、doGetAuthorizationInfo、doGetAuthenticationInfo三个方法
结构图:
pom文件:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.study</groupId>
<artifactId>shiro</artifactId>
<version>1.0-SNAPSHOT</version>
<name>shiro</name>
<!-- FIXME change it to the project's website -->
<url>http://www.example.com</url>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.7</maven.compiler.source>
<maven.compiler.target>1.7</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
<version>1.1.3</version>
</dependency>
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-core</artifactId>
<version>1.2.2</version>
</dependency>
</dependencies>
<build>
<pluginManagement><!-- lock down plugins versions to avoid using Maven defaults (may be moved to parent pom) -->
<plugins>
<!-- clean lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#clean_Lifecycle -->
<plugin>
<artifactId>maven-clean-plugin</artifactId>
<version>3.1.0</version>
</plugin>
<!-- default lifecycle, jar packaging: see https://maven.apache.org/ref/current/maven-core/default-bindings.html#Plugin_bindings_for_jar_packaging -->
<plugin>
<artifactId>maven-resources-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.0</version>
</plugin>
<plugin>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.22.1</version>
</plugin>
<plugin>
<artifactId>maven-jar-plugin</artifactId>
<version>3.0.2</version>
</plugin>
<plugin>
<artifactId>maven-install-plugin</artifactId>
<version>2.5.2</version>
</plugin>
<plugin>
<artifactId>maven-deploy-plugin</artifactId>
<version>2.8.2</version>
</plugin>
<!-- site lifecycle, see https://maven.apache.org/ref/current/maven-core/lifecycles.html#site_Lifecycle -->
<plugin>
<artifactId>maven-site-plugin</artifactId>
<version>3.7.1</version>
</plugin>
<plugin>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>3.0.0</version>
</plugin>
</plugins>
</pluginManagement>
</build>
</project>
package com.study.shiro.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
public class PasswordRealm extends AuthorizingRealm {
@Override
public String getName() {
return "PasswordRealm";
}
/**
* 授权
* @param principals
* @return
*/
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
return null;
}
/**
* 认证
* @param token
* @return
* @throws AuthenticationException
*/
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
// 通过用户名查找用户信息,封装成一个AuthenticationInfo对象返回,方便认证器进行对比
// 获取token中的用户名
String username = (String) token.getPrincipal();
// 通过用户名查询数据库,将该用户对应的信息查询出来:账号,密码
String dbUsername = "zhangsan";
if(!dbUsername.equals(username)){
return null;
}
// 模拟数据库保存的加密之后的密码666 +账号+散列次数3次
String password = "cd757bae8bd31da92c6b14c235668091";
// info对象表示realm登录对比信息:参数1用户信息,参数2,:密码,参数3:盐,参数4:当前realm的名字
SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo(username, password, ByteSource.Util.bytes(dbUsername), getName());
return simpleAuthenticationInfo;
}
}
ini文件shiro-cryptography.ini
[main]
#定义凭证匹配器
credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher
#散列算法
credentialsMatcher.hashAlgorithmName=md5
#散列次数
credentialsMatcher.hashIterations=3
#将凭证匹配器设置到realm
myRealm=com.study.shiro.realm.PasswordRealm
myRealm.credentialsMatcher=$credentialsMatcher
securityManager.realms=$myRealm
测试方法:
@Test
public void testLoginByPasswordRealm() throws Exception{
// 1.创建SecurityManager工厂对象,加载配置文件,创建
Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-cryptography.ini");
// 2.通过工厂对象,创建Securitymanage对象
SecurityManager securityManager = factory.getInstance();
// 3.将securitymanage绑定到当前运行环境中,让系统随时随地的都可以访问securityManager对象
SecurityUtils.setSecurityManager(securityManager);
// 4:创建当前登录的主体,注意;此时主体没有经过认证
Subject subject = SecurityUtils.getSubject();
// 5:绑定主体登录的身份、凭证,即账号密码
UsernamePasswordToken token = new UsernamePasswordToken("zhangsan","666");
try {
// 6.主体登录
subject.login(token);
}catch (IncorrectCredentialsException incorrectCredentialsException){
System.out.println("密码错误!");
}catch (UnknownAccountException UnknownAccountException){
System.out.println("用户名错误!");
}
// 7:判断是否登录成功
System.out.println("验证是否登录1:" + subject.isAuthenticated());
// 8:登出
subject.logout();
System.out.println("验证是否登录2:" + subject.isAuthenticated());
}