之前讲了Shiro Security如何结合验证码,这次讲讲如何限制用户登录尝试次数,防止多次尝试,暴力破解密码情况出现。要限制用户登录尝试次数,必然要对用户名密码验证失败做记录,Shiro中用户名密码的验证交给了CredentialsMatcher
所以在CredentialsMatcher里面检查,记录登录次数是最简单的做法。Shiro天生和Ehcache是一对好搭档,无论是单机还是集群,都可以在Ehcache中存储登录尝试次数信息。
现在介绍一个简单的登录次数验证做法,实现一个RetryLimitCredentialsMatchers继承至HashedCredentialsMatcher,加入缓存, 在每次验证用户名密码之前先验证用户名尝试次数,如果超过5次就抛出尝试过多异常,否则验证用户名密码,验证成功把尝试次数清零,不成功则直接退出。这里依靠Ehcache自带的timeToIdleSeconds来保证锁定时间(帐号锁定之后的最后一次尝试间隔timeToIdleSeconds秒之后自动清除)。
public class RetryLimitCredentialsMatcher extends HashedCredentialsMatcher { //集群中可能会导致出现验证多过5次的现象,因为AtomicInteger只能保证单节点并发 private Cache<String, AtomicInteger> passwordRetryCache; public RetryLimitHashedCredentialsMatcher(CacheManager cacheManager) { passwordRetryCache = cacheManager.getCache("passwordRetryCache"); } @Override public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) { String username = (String)token.getPrincipal(); //retry count + 1 AtomicInteger retryCount = passwordRetryCache.get(username); if(null == retryCount) { retryCount = new AtomicInteger(0); passwordRetryCache.put(username, retryCount); } if(retryCount.incrementAndGet() > 5) { logger.warn("username: " + username + " tried to login more than 5 times in period"); throw new ExcessiveAttemptsException("username: " + username + " tried to login more than 5 times in period" ); } boolean matches = super.doCredentialsMatch(token, info); if(matches) { //clear retry data passwordRetryCache.remove(username); } return matches; } }
Spring配置CacheManager
<bean id="springCacheManager" class="org.springframework.cache.ehcache.EhCacheCacheManager"> <property name="cacheManager" ref="ehcacheManager"/> </bean> <!--ehcache--> <bean id="ehcacheManager" class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"> <property name="configLocation" value="classpath:ehcache/ehcache.xml"/> </bean>
Ehcache配置
<ehcache name="es"> <diskStore path="java.io.tmpdir"/> <!-- 登录记录缓存 锁定100分钟 --> <cache name="passwordRetryCache" maxEntriesLocalHeap="20000" eternal="false" timeToIdleSeconds="36000" timeToLiveSeconds="0" overflowToDisk="false" statistics="false"> </cache> </ehcache>
Spring Shiro配置
UserRealm继承AuthorizingRealm,在其父类AuthenticatingRealm的getAuthenticationInfo方法中会调用credentialsMatcher的
doCredentialsMatch
来验证用户输入用户名密码是否匹配。
<bean id="credentialsMatcher" class="com.cloud.service.security.credentials.RetryLimitCredentialsMatcher"> <constructor-arg ref="springCacheManager"/> <property name="storedCredentialsHexEncoded" value="true"/> </bean> <bean id="myRealm" class="com.cloud.service.security.UserRealm"> <property name="credentialsMatcher" ref="credentialsMatcher"/> <property name="cachingEnabled" value="false"/> <!--<property name="authenticationCachingEnabled" value="true"/>--> <!--<property name="authenticationCacheName" value="authenticationCache"/>--> <!--<property name="authorizationCachingEnabled" value="true"/>--> <!--<property name="authorizationCacheName" value="authorizationCache"/>--> </bean>