【shiro】shiro学习笔记3-散列功能


对于密码,有很多种加密方式,散列是其中最常用的,shiro提供了直接支持。(严格来说,散列是单向运算,并不是可逆的加密。)

环境
    <dependencies>
        <!-- Apache Shiro core: provides the hashing and credential-matching classes used below -->
        <!-- NOTE(review): 1.2.4 is an old release pinned for this tutorial; check the Apache Shiro
             security advisories and move to a currently supported version before using this
             outside a learning sandbox. -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.2.4</version>
        </dependency>
        <!-- Resolves the logging setup issue (SLF4J-to-log4j binding) -->
        <!-- NOTE(review): this binding routes SLF4J to log4j 1.x, which is end-of-life upstream;
             prefer a maintained logging backend for real deployments. -->
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-log4j12</artifactId>
            <version>1.7.15</version>
        </dependency>
        <!-- Logging -->
        <dependency>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
            <version>1.2</version>
        </dependency>
        <!-- Test-scope only: JUnit runs AuthenticationTest -->
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
目录结构

目录结构

shiro封装的散列对象(列举常用)
Md5Hash

Md5Hash(Object source, Object salt, int hashIterations)

SimpleHash

SimpleHash(String algorithmName, Object source, Object salt, int hashIterations)

参数含义:
source: 要散列的值(这里是明文密码)
salt: 盐,用于与source一起散列的值,一般随机生成,用于防止暴力破解(更准确地说,盐主要用来抵御彩虹表等预计算攻击,并让相同的密码得到不同的散列值;对抗暴力破解还要靠足够慢的散列算法和足够多的迭代次数)
hashIterations: 散列的次数
algorithmName: SimpleHash是其它散列的父类(如下图),如果要用SimpleHash就要告诉shiro使用哪种hash方式

hash

代码

log4j.properties

# Root logger at DEBUG, sending everything to the "stdout" console appender.
# NOTE(review): DEBUG on the root logger suits this demo only; framework debug output is
# verbose and may include authentication details, so use a higher level elsewhere.
log4j.rootLogger=DEBUG, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
# Pattern: level, thread name, message, newline.
log4j.appender.stdout.layout.ConversionPattern=%5p [%t] - %m%n

shiro-realm-md5.ini

[main]
# Inject the credentials matcher.
# The algorithm name and iteration count here must match how the stored hashes were
# produced (HashRealm builds them with Md5Hash(password, salt, 3)).
# NOTE(review): MD5 with 3 iterations is very cheap to compute and is not adequate for
# protecting real passwords; treat these values as tutorial-only and choose a stronger
# algorithm with a much higher iteration count for anything real.
cridentialMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
cridentialMatcher.hashAlgorithmName = MD5
cridentialMatcher.hashIterations = 3
# Inject the custom realm and attach the matcher to it.
hashRealm = xyz.mrwood.study.realm.HashRealm
hashRealm.credentialsMatcher = $cridentialMatcher
securityManager.realms = $hashRealm

User.java(模拟数据库中的表)

package xyz.mrwood.study.model;/** * Created by Administrator on 2016/2/16. */public class User {    private String username;    private String password;    private String salt;    public User(String username, String password, String salt) {        this.username = username;        this.password = password;        this.salt = salt;    }    public String getUsername() {        return username;    }    public void setUsername(String username) {        this.username = username;    }    public String getPassword() {        return password;    }    public void setPassword(String password) {        this.password = password;    }    public String getSalt() {        return salt;    }    public void setSalt(String salt) {        this.salt = salt;    }    @Override    public String toString() {        return "User{" +            "username='" + username + '\'' +            ", password='" + password + '\'' +            ", salt='" + salt + '\'' +            '}';    }}

HashRealm.java

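package xyz.mrwood.study.realm;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import xyz.mrwood.study.model.User;

import java.util.HashMap;
import java.util.Map;

/**
 * Created by Administrator on 2016/2/16.
 *
 * <p>Tutorial realm that looks accounts up in a small in-memory table and hands the stored
 * salted hash to Shiro. The realm only decides whether the account exists; comparing the
 * submitted password against the stored hash is left to the credentials matcher configured
 * on the realm.
 */
public class HashRealm extends AuthorizingRealm {

    /**
     * Iteration count used to build the demo hashes. It has to equal the
     * {@code hashIterations} configured on the credentials matcher, otherwise no login
     * can succeed.
     */
    private static final int HASH_ITERATIONS = 3;

    /** Simulated database table, built once instead of on every login attempt. */
    private static final Map<String, User> USERS = buildDemoUsers();

    /**
     * Builds the simulated user table.
     *
     * <p>NOTE(review): the plaintext passwords and the short fixed salts appear here only
     * because this is a demo. A real store keeps just the hash and a per-user random salt
     * generated at registration time, and MD5 with 3 iterations is far too cheap to protect
     * real passwords.
     */
    private static Map<String, User> buildDemoUsers() {
        Map<String, User> users = new HashMap<>();
        users.put("kiwi", new User("kiwi", new Md5Hash("22222", "324", HASH_ITERATIONS).toString(), "324"));
        users.put("fly", new User("fly", new Md5Hash("111111", "123", HASH_ITERATIONS).toString(), "123"));
        return users;
    }

    /**
     * Authorization lookup. This demo defines no roles or permissions, so it returns
     * {@code null}.
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;
    }

    /**
     * Authentication lookup.
     *
     * @param authenticationToken token submitted at login; its principal is the account name
     * @return the stored hash and salt for the account, or {@code null} when the account
     *         does not exist
     * @throws AuthenticationException declared by the overridden method; not thrown here
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        // The principal is the account name supplied at login.
        String principal = (String) authenticationToken.getPrincipal();

        User user = USERS.get(principal);
        if (user == null) {
            // Unknown account: the realm reports "no such account" by returning null.
            return null;
        }

        // Print the account name only. The previous printf(user.toString()) wrote the stored
        // hash and salt to stdout and treated that text as a format string, which fails as
        // soon as it contains a '%'.
        System.out.println("account found: " + user.getUsername());

        // Hand Shiro the stored hash together with its salt; the configured credentials
        // matcher hashes the submitted password the same way and compares the results.
        return new SimpleAuthenticationInfo(principal, user.getPassword(), ByteSource.Util.bytes(user.getSalt()), getName());
    }
}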

AuthenticationTest.java

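package xyz.mrwood.study.authentication;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.config.IniSecurityManagerFactory;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.util.Factory;
import org.junit.Assert;
import org.junit.Test;

/**
 * Created by Administrator on 2016/2/12.
 *
 * <p>Logs in against the realm configured in {@code shiro-realm-md5.ini} and checks that
 * the hashed-credential comparison accepts the correct password.
 */
public class AuthenticationTest {

    /**
     * Submits the plaintext password for "kiwi" and expects the login to succeed.
     */
    @Test
    public void testHash() {
        // Build the SecurityManager from the INI configuration.
        Factory<SecurityManager> factory = new IniSecurityManagerFactory("classpath:shiro-realm-md5.ini");
        SecurityManager securityManager = factory.getInstance();

        // Install the SecurityManager into the runtime environment.
        SecurityUtils.setSecurityManager(securityManager);

        // Obtain the subject that will attempt to log in.
        Subject subject = SecurityUtils.getSubject();

        // Wrap the account name and password in a token.
        // The password is passed as plaintext because the credentials matcher does the
        // hashing itself; a client using this setup must not hash the password again
        // before submitting it.
        AuthenticationToken token = new UsernamePasswordToken("kiwi", "22222");

        // Submit the login attempt.
        try {
            subject.login(token);
        } catch (IncorrectCredentialsException e) {
            System.out.println("错误的凭证!");
        } catch (UnknownAccountException e) {
            System.out.println("未知帐号!");
        }

        System.out.println("认证:" + subject.isAuthenticated());

        // Without an assertion the test passed even when the login was rejected.
        Assert.assertTrue(subject.isAuthenticated());
    }
}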
总结
  1. 在realm中只要判断帐号是否存在,密码是否正确交给shiro比较
  2. shiro的凭证匹配器的作用,就是决定拿到明文密码与salt后如何散列,再与存储的散列值比较;匹配器的算法和迭代次数必须与存储密码时使用的一致。匹配器通过配置指定,有如下几种:
    匹配器