How do I hash the submitted password with JdbcRealm in Shiro?

Time: 2015-05-13 08:47:04

Tags: shiro jdbcrealm

I have created an application and have been using Shiro for authentication. I have followed most of the guides as well as some of the posted questions about Shiro and JdbcRealm.

This is my shiro.ini file:

[main]
authc.loginUrl=/jsp/loginForm.jsp
authc.successUrl=/test/successUrl.jsp
authc.rememberMeParam = login-remember-me
logout.redirectUrl=/index.jsp

hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 500000
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true

hashService.privateSalt = someBase64EncodedSaltValue

realm = org.apache.shiro.realm.jdbc.JdbcRealm
realm.permissionsLookupEnabled = false
realm.authenticationQuery = SELECT password FROM userTable WHERE username = ?

ps = org.apache.shiro.authc.credential.DefaultPasswordService
ps.hashService = $hashService
pm = org.apache.shiro.authc.credential.PasswordMatcher
pm.passwordService = $ps

jof = org.apache.shiro.jndi.JndiObjectFactory
jof.resourceName = java:comp/env/jdbc/theResourceName
jof.requiredType = javax.sql.DataSource
jof.resourceRef = true

realm.dataSource = $jof
realm.credentialsMatcher = $pm

securityManager.realms = $realm

And I am using the following Java code to save the password in the database:

import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.SimpleByteSource;

// Same settings as the hashService bean in shiro.ini.
DefaultHashService hashService = new DefaultHashService();
hashService.setHashIterations(500000);
hashService.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
hashService.setPrivateSalt(new SimpleByteSource(
    "someBase64EncodedSaltValue")); // Same salt as in shiro.ini, but NOT
                                      // base64-encoded.
hashService.setGeneratePublicSalt(true);

// encryptPassword() returns the hash together with its public salt, ready to store.
DefaultPasswordService pwService = new DefaultPasswordService();
pwService.setHashService(hashService);
this.password = pwService.encryptPassword(password);

Everything looks fine and is being saved as expected, but the problem comes when I log in. I have traced execution into JdbcRealm.class and have seen that the values being compared are the "raw string password" and the encrypted password from the database.

Am I missing any configuration step?
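The round trip the question's configuration performs, as an added example that is not code from the original post: it builds the hash service and DefaultPasswordService with the same settings as the shiro.ini above, stores what encryptPassword() returns, and then runs the PasswordMatcher check that JdbcRealm delegates to, once with the matching private salt, once with a wrong password and once with a different private salt. It assumes Shiro 1.2.x on the classpath; the private-salt bytes, the user name and the realm name are placeholders.

```java
import java.nio.charset.StandardCharsets;

import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.SimpleByteSource;

public class PasswordServiceDemo {

    // Placeholder private salt (assumption): in a real deployment load it from
    // configuration, never from source control, and keep it out of the database.
    static final byte[] PRIVATE_SALT =
            "replace-with-random-private-salt".getBytes(StandardCharsets.UTF_8);

    /** Same settings as the hashService / ps beans in the question's shiro.ini. */
    static DefaultPasswordService passwordService(byte[] privateSalt) {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
        hashService.setHashIterations(500000);
        hashService.setPrivateSalt(new SimpleByteSource(privateSalt));
        hashService.setGeneratePublicSalt(true); // fresh random public salt per call
        DefaultPasswordService ps = new DefaultPasswordService();
        ps.setHashService(hashService);
        return ps;
    }

    /** What the registration code writes to the password column. */
    static String storedValueFor(String plaintext) {
        // Result has the form "$shiro1$SHA-256$500000$<public salt>$<hash>":
        // algorithm, iterations and the public salt travel with the hash,
        // the private salt does not.
        return passwordService(PRIVATE_SALT).encryptPassword(plaintext);
    }

    /**
     * Mirrors the check JdbcRealm delegates to. PasswordMatcher receives the raw
     * password from the token and the stored string from the database, re-hashes
     * the raw password with the stored public salt plus the service's private salt,
     * and compares the results. Seeing "raw password vs. stored hash" inside the
     * matcher is therefore the expected picture, not a sign that hashing was skipped.
     */
    static boolean realmCheck(String username, String submitted, String stored, byte[] privateSalt) {
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService(privateSalt));
        // JdbcRealm passes the column as a char[]; PasswordMatcher accepts that or a String.
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(username, stored, "jdbcRealm");
        return matcher.doCredentialsMatch(new UsernamePasswordToken(username, submitted), info);
    }

    public static void main(String[] args) {
        String stored = storedValueFor("correct horse battery");
        System.out.println("stored: " + stored);
        System.out.println("right password, right private salt: "
                + realmCheck("alice", "correct horse battery", stored, PRIVATE_SALT));
        System.out.println("wrong password: "
                + realmCheck("alice", "Tr0ub4dor&3", stored, PRIVATE_SALT));
        byte[] otherSalt = "some-other-private-salt".getBytes(StandardCharsets.UTF_8);
        System.out.println("right password, other private salt: "
                + realmCheck("alice", "correct horse battery", stored, otherSalt));
        // The form the ini expects, per the question's own comment that the
        // shiro.ini value is the Base64 encoding of the raw salt bytes.
        System.out.println("hashService.privateSalt = " + Base64.encodeToString(PRIVATE_SALT));
    }
}
```

The third check is the one to keep in mind when registration and login run in different processes: the stored string carries the public salt, so a mismatch there usually means the private salt bytes configured in shiro.ini are not the bytes the registration code used.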

1 answer:

Answer 0 (score: 0)

Using a salt is better, with a separate salt for each user. So store that salt in the database. SEE

Now, extend it like this:

package common.shiro;

import org.apache.shiro.realm.jdbc.JdbcRealm;

public class JDBCSaltedRealm extends JdbcRealm {
    public JDBCSaltedRealm() {
        setSaltStyle(SaltStyle.COLUMN);
    }
}

In shiro.ini:

credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
credentialsMatcher.hashAlgorithmName=SHA-256
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 500000
credentialsMatcher.hashSalted = true

realm = common.shiro.JDBCSaltedRealm

realm.permissionsLookupEnabled = true
realm.authenticationQuery = SELECT password,salt FROM userTable WHERE username = ?
realm.dataSource = $jof
realm.credentialsMatcher = $credentialsMatcher
securityManager.realm = $realm
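How the answer's SaltStyle.COLUMN set-up fits together, as an added example that is not part of the answer: one function produces the (password, salt) pair that the registration code must write, the other repeats what JdbcRealm does with those two columns before handing them to a HashedCredentialsMatcher configured like the one above. It assumes Shiro 1.2.x, where JdbcRealm passes the salt column to the matcher as the UTF-8 bytes of the column text (ByteSource.Util.bytes(String)); later releases can Base64-decode that column instead, so check the JdbcRealm source for the version in use before copying the salt encoding. The user name and realm name are placeholders, and no SQL is executed: the `row` array stands in for the result of the authenticationQuery.

```java
import java.security.SecureRandom;

import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class SaltColumnDemo {

    static final int ITERATIONS = 500000;
    static final SecureRandom RNG = new SecureRandom();

    /**
     * Registration side: returns {passwordColumn, saltColumn} for an
     * "INSERT INTO userTable (username, password, salt) VALUES (?, ?, ?)".
     * The salt column holds hex text, and the hash is computed over that text's
     * bytes because that is exactly what JdbcRealm (1.2.x) feeds the matcher.
     */
    static String[] createRow(String plaintext) {
        byte[] random = new byte[16];
        RNG.nextBytes(random);
        String saltColumn = Hex.encodeToString(random);
        SimpleHash hash = new SimpleHash(Sha256Hash.ALGORITHM_NAME, plaintext,
                ByteSource.Util.bytes(saltColumn), ITERATIONS);
        // storedCredentialsHexEncoded = false in the ini, so the password column is Base64.
        return new String[] { hash.toBase64(), saltColumn };
    }

    /** Same bean as the credentialsMatcher entries in the answer's shiro.ini. */
    static HashedCredentialsMatcher matcher() {
        HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        m.setHashIterations(ITERATIONS);
        m.setStoredCredentialsHexEncoded(false);
        return m;
    }

    /**
     * Login side: what JDBCSaltedRealm inherits from JdbcRealm.doGetAuthenticationInfo
     * when saltStyle is COLUMN, minus the JDBC call. The salt arrives via
     * SaltedAuthenticationInfo, so the matcher uses it instead of the deprecated
     * hashSalted principal-as-salt fallback.
     */
    static boolean login(String username, String submitted, String[] row) {
        SimpleAuthenticationInfo info =
                new SimpleAuthenticationInfo(username, row[0].toCharArray(), "JDBCSaltedRealm");
        info.setCredentialsSalt(ByteSource.Util.bytes(row[1]));
        return matcher().doCredentialsMatch(new UsernamePasswordToken(username, submitted), info);
    }

    public static void main(String[] args) {
        String[] row = createRow("correct horse battery");
        System.out.println("password column: " + row[0]);
        System.out.println("salt column    : " + row[1]);
        System.out.println("right password : " + login("alice", "correct horse battery", row));
        System.out.println("wrong password : " + login("alice", "Tr0ub4dor&3", row));
        // Two users with the same password get different rows, which is the point of a per-user salt.
        String[] other = createRow("correct horse battery");
        System.out.println("same password, different stored hash: " + !row[0].equals(other[0]));
    }
}
```

If a row written by this code is rejected at login, the first things to compare are the three values the ini fixes (algorithm name, iteration count, hex versus Base64) and whether the realm in use decodes the salt column before handing it to the matcher.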