我正在使用 shiro,并且我使用散列凭证作为我的凭证。
这是我的 shiro.ini 配置:
credentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 1024
realmA.credentialsMatcher = $credentialsMatcher
securityManager.realms = $realmA
下面是我如何生成盐和散列密码:
RandomNumberGenerator rng = new SecureRandomNumberGenerator();
ByteSource salt = rng.nextBytes();
String passwordsalt=salt.toBase64();
String hashedPasswordBase64 = new Sha256Hash(user.getPassword(),
salt, 1024).toBase64();
user.setPassword(hashedPasswordBase64);
user.setByteTabSalt(passwordsalt);
dao.createUser(user);
这是我扩展的领域:
protected AuthenticationInfo doGetAuthenticationInfo(
AuthenticationToken authToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authToken;
User user = dao.getForUsername(token.getUsername());
if (user != null) {
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
user.getEmail_account(), user.getPassword(), getName());
ByteSource salt = new SimpleByteSource(Base64.decode(user
.getByteTabSalt()));
info.setCredentialsSalt(salt);
return info;
} else {
return null;
}
}
但是当我使用我新生成的帐户登录时,我从来没有成功过。调试结果是我正确获得了用户对象。任何想法?
太感谢了。