I'm running a login script that queries the database for a valid username/hash pair. The code is as follows:
@Override
public boolean login(User user) {
    // Check if we have a valid user/pass pair
    javax.persistence.Query query = entityManager.createQuery(
            "SELECT u FROM User u WHERE u.username=:userName AND u.password=:password");
    query.setParameter("userName", user.getUsername());
    // We need to hash the password first before comparing it (we only store the SHA-512 hash)
    String tohash = user.getPassword();
    String hash = null;
    try {
        // Create MessageDigest instance for SHA-512
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        // Add password bytes to digest (getBytes() with no argument uses the platform
        // default charset, which has to match whatever produced the stored hashes)
        md.update(tohash.getBytes());
        // Get the raw digest bytes
        byte[] bytes = md.digest();
        // Convert the raw bytes to a lowercase hexadecimal string
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < bytes.length; i++) {
            sb.append(Integer.toString((bytes[i] & 0xff) + 0x100, 16).substring(1));
        }
        // Complete hashed password in hex format
        hash = sb.toString();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    query.setParameter("password", hash);
    List<User> users = castList(User.class, query.getResultList());
    if (users != null && !users.isEmpty()) {
        // return "Welcome " + user.getUsername() + "!";
        return true;
    } else {
        // return "Username or password are not valid";
        return false;
    }
}
where castList is used to fix the element type of the list (fetching the result list directly produces an unchecked-type warning). The code is as follows:
public static <T> List<T> castList(Class<? extends T> clazz, Collection<?> c) {
List<T> r = new ArrayList<T>(c.size());
for(Object o: c)
r.add(clazz.cast(o));
return r;
}
Even when the table is empty, the above method always returns true. What am I missing?
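The question's login path hashes the password with a single unsalted SHA-512 and then asks the database for a row matching both username and hash. As an added example (not the asker's code, and not an answer to why the method returns true, which the post does not resolve), the following is how I would write the same check: look the row up by username only, derive the candidate with PBKDF2-HMAC-SHA512 from the JDK's javax.crypto against the user's own salt, and compare in Java with MessageDigest.isEqual so the comparison is constant-time. The in-memory USERS map, the StoredUser record, the DUMMY row and the register/login/derive methods are all hypothetical stand-ins for the JPA entity and entityManager in the question. It also shows the hex loop from the question with the charset made explicit, since the original getBytes() call depends on the platform default.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class LoginCheck {

    // Hypothetical stand-in for the User table row: a per-user random salt and the
    // PBKDF2 output. The password itself is never stored.
    static final class StoredUser {
        final byte[] salt;
        final byte[] hash;
        StoredUser(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    // Hypothetical stand-in for the database (the question uses a JPA entityManager).
    static final Map<String, StoredUser> USERS = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();
    static final int ITERATIONS = 210_000;  // deliberately slow; tune to your hardware
    static final int KEY_BITS = 512;
    static final int SALT_BYTES = 16;

    // Dummy row so that an unknown username costs the same time as a wrong password.
    static final StoredUser DUMMY = new StoredUser(new byte[SALT_BYTES], new byte[KEY_BITS / 8]);

    // PBKDF2-HMAC-SHA512 via the JDK's SecretKeyFactory; replaces the bare SHA-512 of the question.
    static byte[] derive(char[] password, byte[] salt) {
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512");
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
            try {
                return factory.generateSecret(spec).getEncoded();
            } finally {
                spec.clearPassword();  // wipe the char[] copy held by the spec
            }
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2WithHmacSHA512 not available", e);
        }
    }

    // Account creation: fresh random salt per user, store salt + derived key only.
    static void register(String username, String password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        USERS.put(username, new StoredUser(salt, derive(password.toCharArray(), salt)));
    }

    // Login: fetch by username only, derive with that user's salt, constant-time compare.
    // The non-short-circuit '&' keeps the derive() cost even for unknown users.
    static boolean login(String username, String password) {
        StoredUser stored = USERS.get(username);
        boolean known = stored != null;
        StoredUser target = known ? stored : DUMMY;
        byte[] candidate = derive(password.toCharArray(), target.salt);
        return known & MessageDigest.isEqual(candidate, target.hash);
    }

    // The hex encoding from the question, with UTF-8 stated explicitly instead of
    // relying on the platform default charset that String.getBytes() uses.
    static String sha512Hex(String input) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-512")
                .digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(Integer.toString((b & 0xff) + 0x100, 16).substring(1));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample account; the table is empty before this call.
        System.out.println("table empty before register: " + USERS.isEmpty());
        register("alice", "correct horse battery staple");
        System.out.println("right password: " + login("alice", "correct horse battery staple"));
        System.out.println("wrong password: " + login("alice", "Tr0ub4dor&3"));
        System.out.println("unknown user:   " + login("mallory", "anything"));
        System.out.println("sha512Hex(\"password\") = " + sha512Hex("password"));
    }
}
```

The point of pulling the row by username alone is that the verification then happens in application code, where you control the comparison and can swap the hash algorithm (or re-hash on successful login) without changing the query. Putting the hash into the WHERE clause, as the question does, ties the schema to the exact digest and byte encoding of the password, which is exactly the kind of mismatch (platform charset, hex case, trailing whitespace) that makes a stored hash silently never match, or match when it should not.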