2013-12-23 44 views
3

Here is my Shiro configuration for Shiro with JDBC and hashed passwords:

[main] 
authc.loginUrl = /site/index.jsp 
authc.usernameParam = user 
authc.passwordParam = pass 
authc.rememberMeParam = remember 
authc.successUrl = /site/home.jsp 


jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm 
jdbcRealm.permissionsLookupEnabled=true 
jdbcRealm.authenticationQuery = select password from users where username = ? 
jdbcRealm.userRolesQuery = select role from users where username = ? 

credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher 
credentialsMatcher.hashAlgorithmName = SHA-256 
credentialsMatcher.storedCredentialsHexEncoded = true 
credentialsMatcher.hashIterations = 5000 
jdbcRealm.credentialsMatcher = $credentialsMatcher 



jof = org.apache.shiro.jndi.JndiObjectFactory 
jof.resourceName = jdbc/postgres 
jof.requiredType = javax.sql.DataSource 
jof.resourceRef = true 
jdbcRealm.dataSource = $jof 
securityManager.realms = jdbcRealm 

[urls] 
/theme/** = anon 
/site/** = authc 
/site/cards.jsp = roles[smoto,admin] 
/site/jobs.jsp = roles[admin] 

I created the hash like this, for user admin with password admin:

import org.apache.shiro.crypto.hash.Sha256Hash;

// SHA-256, empty salt, 5000 iterations, hex-encoded output
String hashedPassword = new Sha256Hash("admin", "", 5000).toHex(); 

I insert the hash into the DB, but my authentication fails every time. Does anyone have experience with this kind of setup in Shiro? Also, how would I enable debugging or logging?

Edit: here is the correct setup for this kind of authentication, found in another StackOverflow post.

[main] 
authc.loginUrl = /site/index.jsp 
authc.usernameParam = user 
authc.passwordParam = pass 
authc.rememberMeParam = remember 
authc.successUrl = /site/home.jsp 

jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm 
jdbcRealm.permissionsLookupEnabled=false 
jdbcRealm.authenticationQuery = select password from users where username = ? 
jdbcRealm.userRolesQuery = select role from users where username = ? 

ps = org.apache.shiro.authc.credential.DefaultPasswordService 
pm = org.apache.shiro.authc.credential.PasswordMatcher 
pm.passwordService = $ps 

jof = org.apache.shiro.jndi.JndiObjectFactory 
jof.resourceName = jdbc/postgres 
jof.requiredType = javax.sql.DataSource 
jof.resourceRef = true 

jdbcRealm.dataSource = $jof 
jdbcRealm.credentialsMatcher = $pm 

#securityManager.realms = jdbcRealm 

[urls] 
/theme/** = anon 
/site/** = authc 
/site/cards.jsp = roles[smoto,admin] 
/site/jobs.jsp = roles[admin] 

The trick is to use the hashing tool Shiro provides and copy its exact output into the "password" database field; the whole string contains the information about which algorithm was used, how many iterations, and so on, for example:

$shiro1$SHA-256$500000$salthere$hashhere 

Answer

6

Yes, HashedCredentialsMatcher, while sufficient, is a bit old. You will probably find Shiro's newer PasswordMatcher easier to use. You can configure its internal PasswordService easily:

[main] 
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService 
#configure the passwordService to use the settings you desire 
#... 
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher 
passwordMatcher.passwordService = $passwordService 
#... 
# Finally, set the matcher on a realm that requires password matching for account authentication: 
myRealm = ... 
myRealm.credentialsMatcher = $passwordMatcher 

When you create an account, you can use the PasswordService instance in your application to create the password hash or update the account's password:

String submittedPlaintextPassword = ... 
String encryptedValue = passwordService.encryptPassword(submittedPlaintextPassword); 
... 
userAccount.setPassword(encryptedValue); 
userAccount.save(); //create or update to your data store 

Just make sure the passwordService configured in shiro.ini has the same configuration as the passwordService used in your application code.
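To make the two storage formats on this page concrete, here is an added example (not code from the question, the answer, or the Shiro project) that re-implements in plain Python what Shiro computes for both: the hex value produced by `new Sha256Hash(password, "", 5000).toHex()` that HashedCredentialsMatcher compares against when `storedCredentialsHexEncoded = true`, and the self-describing `$shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 hash>` string that DefaultPasswordService writes and PasswordMatcher reads. It lets you check offline whether a value sitting in the `password` column was produced from a given plaintext with a given salt and iteration count. It assumes Shiro 1.x's SimpleHash rule (digest `salt || data` once, then re-digest the result `iterations - 1` more times) and that DefaultHashService has no private salt configured (its default); the function names are mine.

```python
import base64
import hashlib
import hmac
import os

# Added example (not Shiro's own code): reproduces the hashing rules Shiro 1.x
# applies so a stored value can be checked offline against a plaintext.
#
# Assumptions:
#   * SimpleHash digests salt || data once, then re-digests the result
#     iterations-1 more times, i.e. `iterations` digest applications in total.
#   * DefaultHashService has no private salt configured (its default), so the
#     public salt stored in the $shiro1$ string is the only salt used.
#   * Algorithm names are JCA names ("SHA-256"), mapped to hashlib names below.


def shiro_iterated_hash(algorithm: str, data: bytes, salt: bytes, iterations: int) -> bytes:
    """Mirror of SimpleHash(algorithm, data, salt, iterations).getBytes()."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    name = algorithm.replace("-", "").lower()  # "SHA-256" -> "sha256"
    digest = hashlib.new(name, salt + data).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest).digest()
    return digest


def sha256_hex(password: str, iterations: int, salt: bytes = b"") -> str:
    """What `new Sha256Hash(password, salt, iterations).toHex()` produces, and
    what HashedCredentialsMatcher recomputes for storedCredentialsHexEncoded=true
    (the empty default salt matches the "" salt used in the question)."""
    return shiro_iterated_hash("SHA-256", password.encode("utf-8"), salt, iterations).hex()


def format_shiro1(algorithm: str, iterations: int, salt: bytes, digest: bytes) -> str:
    """Shiro1CryptFormat: $shiro1$<alg>$<iterations>$<base64 salt>$<base64 hash>."""
    return "$shiro1$%s$%d$%s$%s" % (
        algorithm,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def parse_shiro1(stored: str):
    """Split a $shiro1$ string into (algorithm, iterations, salt, digest)."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != "shiro1":
        raise ValueError("not a $shiro1$ formatted value")
    return parts[2], int(parts[3]), base64.b64decode(parts[4]), base64.b64decode(parts[5])


def encrypt_password(password: str, algorithm: str = "SHA-256",
                     iterations: int = 500000, salt: bytes = None) -> str:
    """Counterpart of DefaultPasswordService.encryptPassword: a random 16-byte
    public salt and 500000 iterations unless told otherwise."""
    if salt is None:
        salt = os.urandom(16)
    digest = shiro_iterated_hash(algorithm, password.encode("utf-8"), salt, iterations)
    return format_shiro1(algorithm, iterations, salt, digest)


def passwords_match(password: str, stored: str) -> bool:
    """Counterpart of PasswordService.passwordsMatch: algorithm, iterations and
    salt all come from the stored string, so nothing about them has to be
    repeated in shiro.ini. The digests are compared in constant time."""
    algorithm, iterations, salt, expected = parse_shiro1(stored)
    actual = shiro_iterated_hash(algorithm, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample account, not real credentials.
    stored = encrypt_password("admin", iterations=5000)
    print(stored)
    print(passwords_match("admin", stored), passwords_match("Admin", stored))
    # The hex form the question's first configuration stores and compares.
    print(sha256_hex("admin", 5000))
</```

Because every parameter of a `$shiro1$` value travels inside the string, a mismatch between the application's hashing and the matcher's recomputation can only come from the plaintext bytes or the salt actually used; with the hex form of the first configuration, by contrast, the algorithm, iteration count and salt handling must agree between `shiro.ini` and the code that wrote the row, which is what the accepted answer's last sentence is warning about.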

+0

Is there a way in shiro.ini to log the password that was passed in? My application always returns that the password I pass is wrong... I'm using some more complex hashing... the password in my database looks like: $shiro1$SHA-256$1028$8Q4AlwW/3NloawqM4ijdQQ==$DWE96wyrASHjA/vKCDFtSanDrw44L3wF1/DXPrJrtio= – Marcel