2

我正在使用 shiro,并且我使用散列凭证作为我的凭证。

这是我的 shiro.ini 配置:

credentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 1024
realmA.credentialsMatcher = $credentialsMatcher
securityManager.realms = $realmA

下面是我如何生成盐和散列密码:

RandomNumberGenerator rng = new SecureRandomNumberGenerator();
ByteSource salt = rng.nextBytes();
String passwordsalt=salt.toBase64();
String hashedPasswordBase64 = new Sha256Hash(user.getPassword(),
                    salt, 1024).toBase64();
user.setPassword(hashedPasswordBase64);
user.setByteTabSalt(passwordsalt);
dao.createUser(user);

这是我扩展的领域:

protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authToken;
        User user = dao.getForUsername(token.getUsername());
        if (user != null) {
            SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
                    user.getEmail_account(), user.getPassword(), getName());
            ByteSource salt = new SimpleByteSource(Base64.decode(user
                    .getByteTabSalt()));
            info.setCredentialsSalt(salt);
            return info;
        } else {
            return null;
        }
    }

但是当我使用我新生成的帐户登录时,我从来没有成功过。调试结果是我正确获得了用户对象。任何想法?

太感谢了。

4

2 回答 2

2

HashedCredentialsMatcher是一个较旧的 Shiro 概念。相反,我强烈建议使用PasswordService它,它与此处记录的对应PasswordMatcher

https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/authc/credential/PasswordService.html

于 2013-06-13T20:31:36.767 回答
0

问题解决了,我需要在我的自定义 EnvironmentLoaderListener 中设置凭据匹配器:

    WebEnvironment environment = super.createEnvironment(pServletContext);
    RealmSecurityManager rsm = (RealmSecurityManager) environment
            .getSecurityManager();
    HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
    matcher.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
    matcher.setHashIterations(1024);
    matcher.setStoredCredentialsHexEncoded(false);
于 2013-06-12T03:31:17.087 回答