灵活使用shiro的密码服务模块
来源:互联网 发布:布林线指标源码 编辑:程序博客网 时间:2024/05/22 00:43
shiro最闪亮的四大特征是认证,授权,加密,会话管理。
上一篇已经演示了如何使用shiro的授权模块,有了shiro这个利器,可以以统一的编码方式对用户的登入,登出,认证进行管理,相当的优雅。
为了提高应用系统的安全性,这里主要关注shiro提供的密码服务模块;
1,加密工具类的熟悉
首先来个结构图,看看shiro哥哥提供了哪些加密工具类:
为此,写了一个工具类来探测和熟悉这些工具类的使用:
package com.util;
import com.domain.User;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.sun.crypto.provider.AESKeyGenerator;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.codec.CodecSupport;
import org.apache.shiro.codec.H64;
import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Md5Hash;
import java.security.Key;
/**
* User: cutter.li
* Date: 2014/6/27 0027
* Time: 16:49
* 备注: shiro进行加密解密的工具类封装
*/
public final class EndecryptUtils {
/**
* base64进制加密
*
* @param password
* @return
*/
public static String encrytBase64(String password) {
Preconditions.checkArgument(!Strings.isNullOrEmpty(password), "不能为空");
byte[] bytes = password.getBytes();
return Base64.encodeToString(bytes);
}
/**
* base64进制解密
* @param cipherText
* @return
*/
public static String decryptBase64(String cipherText) {
Preconditions.checkArgument(!Strings.isNullOrEmpty(cipherText), "消息摘要不能为空");
return Base64.decodeToString(cipherText);
}
/**
* 16进制加密
*
* @param password
* @return
*/
public static String encrytHex(String password) {
Preconditions.checkArgument(!Strings.isNullOrEmpty(password), "不能为空");
byte[] bytes = password.getBytes();
return Hex.encodeToString(bytes);
}
/**
* 16进制解密
* @param cipherText
* @return
*/
public static String decryptHex(String cipherText) {
Preconditions.checkArgument(!Strings.isNullOrEmpty(cipherText), "消息摘要不能为空");
return new String(Hex.decode(cipherText));
}
public static String generateKey()
{
AesCipherService aesCipherService=new AesCipherService();
Key key=aesCipherService.generateNewKey();
return Base64.encodeToString(key.getEncoded());
}
/**
* 对密码进行md5加密,并返回密文和salt,包含在User对象中
* @param username 用户名
* @param password 密码
* @return 密文和salt
*/
public static User md5Password(String username,String password){
Preconditions.checkArgument(!Strings.isNullOrEmpty(username),"username不能为空");
Preconditions.checkArgument(!Strings.isNullOrEmpty(password),"password不能为空");
SecureRandomNumberGenerator secureRandomNumberGenerator=new SecureRandomNumberGenerator();
String salt= secureRandomNumberGenerator.nextBytes().toHex();
//组合username,两次迭代,对密码进行加密
String password_cipherText= new Md5Hash(password,username+salt,2).toBase64();
User user=new User();
user.setPassword(password_cipherText);
user.setSalt(salt);
user.setUsername(username);
return user;
}
public static void main(String[] args) {
String password = "admin";
String cipherText = encrytHex(password);
System.out.println(password + "hex加密之后的密文是:" + cipherText);
String decrptPassword=decryptHex(cipherText);
System.out.println(cipherText + "hex解密之后的密码是:" + decrptPassword);
String cipherText_base64 = encrytBase64(password);
System.out.println(password + "base64加密之后的密文是:" + cipherText_base64);
String decrptPassword_base64=decryptBase64(cipherText_base64);
System.out.println(cipherText_base64 + "base64解密之后的密码是:" + decrptPassword_base64);
String h64= H64.encodeToString(password.getBytes());
System.out.println(h64);
String salt="7road";
String cipherText_md5= new Md5Hash(password,salt,4).toHex();
System.out.println(password+"通过md5加密之后的密文是:"+cipherText_md5);
System.out.println(generateKey());
System.out.println("==========================================================");
AesCipherService aesCipherService=new AesCipherService();
aesCipherService.setKeySize(128);
Key key=aesCipherService.generateNewKey();
String aes_cipherText= aesCipherService.encrypt(password.getBytes(),key.getEncoded()).toHex();
System.out.println(password+" aes加密的密文是:"+aes_cipherText);
String aes_mingwen=new String(aesCipherService.decrypt(Hex.decode(aes_cipherText),key.getEncoded()).getBytes());
System.out.println(aes_cipherText+" aes解密的明文是:"+aes_mingwen);
}
}
2,一个综合点的例子,配置帐号的密码生成方式,并利用ehcache,设定输错密码多少次,用户被锁定一个小时;
1,提供一个ehcache的简单实用类
package com.util.cache;import net.sf.ehcache.Cache;
import net.sf.ehcache.CacheManager;
import net.sf.ehcache.Element;
import net.sf.ehcache.config.CacheConfiguration;
import net.sf.ehcache.store.MemoryStoreEvictionPolicy;
/**
* User: cutter.li
* Date: 2014/6/30 0030
* Time: 15:32
* 备注: ehcache的缓存工具类
*/
public final class EhcacheUtil {
private static final CacheManager cacheManager = CacheManager.getInstance();
/**
* 创建ehcache缓存,创建之后的有效期是1小时
*/
private static Cache cache = new Cache(new CacheConfiguration("systemCache", 5000).memoryStoreEvictionPolicy(MemoryStoreEvictionPolicy.FIFO).timeoutMillis(300).timeToLiveSeconds( 60 * 60));
static {
cacheManager.addCache(cache);
}
public static void putItem(String key, Object item) {
if (cache.get(key) != null) {
cache.remove(key);
}
Element element = new Element(key, item);
cache.put(element);
}
public static void removeItem(String key) {
cache.remove(key);
}
public static void updateItem(String key, Object value) {
putItem(key, value);
}
public static Object getItem(String key) {
Element element= cache.get(key);
if(null!=element)
{
return element.getObjectValue();
}
return null;
}
}
2,提供加密和校验密文的方法
/**
* 对密码进行md5加密,并返回密文和salt,包含在User对象中
* @param username 用户名
* @param password 密码
* @return 密文和salt
*/
public static User md5Password(String username,String password){
Preconditions.checkArgument(!Strings.isNullOrEmpty(username),"username不能为空");
Preconditions.checkArgument(!Strings.isNullOrEmpty(password),"password不能为空");
SecureRandomNumberGenerator secureRandomNumberGenerator=new SecureRandomNumberGenerator();
String salt= secureRandomNumberGenerator.nextBytes().toHex();
//组合username,两次迭代,对密码进行加密
String password_cipherText= new Md5Hash(password,username+salt,2).toHex();
User user=new User();
user.setPassword(password_cipherText);
user.setSalt(salt);
user.setUsername(username);
return user;
}
/**
* 通过username,password,salt,校验密文是否匹配 ,校验规则其实在配置文件中,这里为了清晰,写下来
* @param username 用户名
* @param password 原密码
* @param salt 盐
* @param md5cipherText 密文
* @return
*/
public static boolean checkMd5Password(String username,String password,String salt,String md5cipherText)
{
Preconditions.checkArgument(!Strings.isNullOrEmpty(username),"username不能为空");
Preconditions.checkArgument(!Strings.isNullOrEmpty(password),"password不能为空");
Preconditions.checkArgument(!Strings.isNullOrEmpty(md5cipherText),"md5cipherText不能为空");
//组合username,两次迭代,对密码进行加密
String password_cipherText= new Md5Hash(password,username+salt,2).toHex();
return md5cipherText.equals(password_cipherText);
}
3,配置认证的数据源使用的密码校验接口
<bean id="myRealm" class="com.util.MysqlJdbcRealM"><property name="credentialsMatcher" ref="passwordMatcher"></property>
</bean>
<bean id="passwordMatcher" class="com.util.LimitRetryHashedMatcher">
<property name="hashAlgorithmName" value="md5"></property>
<property name="hashIterations" value="2"></property>
<property name="storedCredentialsHexEncoded" value="true"></property>
</bean>
4,注册和登录方法的修改
/*** 用户注册
*
* @param entity
* @return
*/
@Override
public ResponseEntity<Map> createSubmit(User entity) {
//加密用户输入的密码,得到密码的摘要和盐,保存到数据库
User user = EndecryptUtils.md5Password(entity.getUsername(), entity.getPassword());
entity.setPassword(user.getPassword());
entity.setSalt(user.getSalt());
Map<String, Object> map = Maps.newHashMap();
try {
boolean createResult = service.modify(entity, OperationType.create);
map.put("success", createResult);
} catch (Exception e) {
e.printStackTrace();
}
return new ResponseEntity<Map>(map, HttpStatus.OK);
}
------------------------------------------------------------------华丽的分割线---------------------------------------------------------------------------------------------------
@RequestMapping(value = "login", method = RequestMethod.POST)
public ResponseEntity<Message> loginSubmit(String username, String password, String vcode, HttpServletRequest request) {
message.setSuccess();
validateLogin(message, username, password, vcode);
try {
// String code = request.getSession().getAttribute(AppConstant.KAPTCHA_SESSION_KEY).toString();
// if (!vcode.equalsIgnoreCase(code)) {
// message.setCode(AppConstant.VALIDCODE_ERROR);
// message.setMsg("验证码错误");
// }
if (message.isSuccess()) {
Subject subject = SecurityUtils.getSubject();
subject.login(new UsernamePasswordToken(username, password,false));
if (subject.isAuthenticated()) {
message.setMsg("登录成功");
} else {
message.setCode(AppConstant.USERNAME_NOTEXIST);
message.setMsg("用户名/密码错误");
}
}
}catch (ExcessiveAttemptsException ex)
{
message.setCode(AppConstant.USERNAME_NOTEXIST);
message.setMsg("帐号被锁定1小时");
ex.printStackTrace();
}
catch (AuthenticationException ex){
message.setCode(AppConstant.USERNAME_NOTEXIST);
message.setMsg("用户名/密码错误");
ex.printStackTrace();
}
finally {
return new ResponseEntity<Message>(message, HttpStatus.OK);
}
}
---------------------------------------------------------------认证的修改-------------------------------------------------------------------------------------
//登录认证
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token;
String username = String.valueOf(usernamePasswordToken.getUsername());
User user = userService.findByUserName(username);
SimpleAuthenticationInfo authenticationInfo = null;
if (null != user) {
String password = new String(usernamePasswordToken.getPassword());
//密码校验移交给了shiro的提供的一个接口实现类,所以这里注释掉
// if (EndecryptUtils.checkMd5Password(username,password,user.getSalt(),user.getPassword())) {
authenticationInfo = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName());
authenticationInfo.setCredentialsSalt(ByteSource.Util.bytes(username+user.getSalt()));
// }
}
return authenticationInfo;
}
5,重写密码校验的方法
package com.util;import com.util.cache.EhcacheUtil;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import java.util.concurrent.atomic.AtomicInteger;
/**
* User: cutter.li
* Date: 2014/6/30 0030
* Time: 15:22
* 备注: 限制登录次数,如果5次出错,锁定1个小时
*/
public class LimitRetryHashedMatcher extends HashedCredentialsMatcher {
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
String username = (String) token.getPrincipal();
//retrycount + 1
Object element = EhcacheUtil.getItem(username);
if (element == null) {
EhcacheUtil.putItem(username, 1);
element=0;
}else{
int count=Integer.parseInt(element.toString())+1;
element=count;
EhcacheUtil.putItem(username,element);
}
AtomicInteger retryCount = new AtomicInteger(Integer.parseInt(element.toString()));
if (retryCount.incrementAndGet() > 5) {
//if retrycount >5 throw
throw new ExcessiveAttemptsException();
}
boolean matches = super.doCredentialsMatch(token, info);
if (matches) {
//clear retrycount
EhcacheUtil.removeItem(username);
}
return matches;
}
}
6,搞定收工
连续输错5次密码之后,出现如下提示;
7,小结
通过封装常用的加密解密工具类,降低了对jdk自带密码工具类的学习成本;
可以灵活定义密码的生成和判断方式,并改变密码判断过程的逻辑;
- 灵活使用shiro的密码服务模块
- shiro的使用2 灵活使用shiro的密码服务模块
- shiro的使用2 灵活使用shiro的密码服务模块
- Shiro密码加密验证服务
- 使用各种 ESB 实现灵活的服务连接性
- 权限模块设计 - shiro框架的使用及扩展
- Shiro密码的MD5加密
- Shiro-密码的MD5加密
- Shiro-密码的MD5加密
- Shiro密码的MD5加密
- Log4j 的灵活使用
- TRECT的灵活使用
- TRECT的灵活使用
- TRECT的灵活使用
- getchar()的灵活使用
- angularJs的灵活使用
- Visio的灵活使用
- shiro-密码比较的设计 CredentialsMatcher -为什么Java中的密码优先使用 char[] 而不是String?
- 串口初始化
- iOS UILabel显示HTML文本
- FFXI-darkstar源码阅读
- css3 svg 背景图 data:image/svg+xml;base64
- Openvpn安装
- 灵活使用shiro的密码服务模块
- Zookeeper(分布式应用程序协调服务)
- LSM树由来、设计思想以及应用到HBase的索引
- 解析angularjs中的三种数据绑定策略
- 串口termios结构体的详细设置
- Redhat Enterprise 下kernel编译方法
- MySQL的“load data infile”中文件找不到的问题
- 动态规划之最长公共子序列
- Oracle 保密字段截取 例如手机号,身份证信息