Shiro Learning Sharing (1) - Login Verification and Password Encryption


Shiro is a lightweight framework that encapsulates many login-verification functions. It makes password encryption and verification, logged-in user management and similar features easy to implement: you get the behaviour you need by extending some of its classes and overriding their methods.

Login verification is implemented by extending Shiro's AuthorizingRealm class and overriding its methods. If you use Eclipse, you can place the cursor on the class name and press Ctrl+T to view the class's inheritance hierarchy and implementations.

Password encryption uses the MD5 algorithm that ships with Shiro. Note that the third parameter (the salt value) is not passed in the same form to the function used for encryption and to the one used for verification. This post uses the username as the salt: for encryption the third parameter is the username itself, and for verification it is ByteSource.Util.bytes(currentUser.getUsername())
(currentUser is the token passed into the method of the realm implementation class).


  • pom.xml
<!-- EHcache version -->
<properties>
    <shiro.version>1.3.0</shiro.version>
</properties>
        <dependency>
            <groupId>net.sf.ehcache</groupId>
            <artifactId>ehcache-core</artifactId>
            <version>2.4.8</version>
        </dependency>
        <!-- shiro start -->
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>${shiro.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-ehcache</artifactId>
            <version>${shiro.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-spring</artifactId>
            <version>${shiro.version}</version>
        </dependency>

        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-web</artifactId>
            <version>${shiro.version}</version>
        </dependency>
        <!-- shiro end -->

  • web.xml
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <!-- Let the Spring listener initialize the Shiro configuration file -->
        <param-value>classpath:spring/applicationContext.xml,classpath:shiro/spring-shiro-web.xml</param-value>
    </context-param>
    <!-- Filter required by Shiro -->
    <filter>
        <filter-name>shiroFilter</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        <init-param>
            <param-name>targetFilterLifecycle</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>shiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

  • shiro-spring.xml (only shows the code required for encryption)
    <!-- Security manager -->
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="realm" ref="userRealm" />
        <property name="cacheManager" ref="cacheManager" />
        <!-- <property name="rememberMeManager" ref="rememberMeManager"/> -->
    </bean>
    <!-- Cache manager, implemented with Ehcache -->
    <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManagerConfigFile" value="classpath:shiro/ehcache.xml" />
    </bean>
    <!-- Credentials matcher, implemented with the MD5 algorithm -->
    <bean id="credentialsMatcher" class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
        <property name="hashAlgorithmName" value="MD5" />
        <property name="hashIterations" value="2" />
    </bean>
    <!-- Realm implementation -->
    <bean id="userRealm" class="com.mdy.student.shiro.realm.MyRealm">
        <property name="credentialsMatcher" ref="credentialsMatcher" />
    </bean>
    <!-- Multiple realms can be implemented with ModularRealmAuthorizer + an authentication strategy -->
    <!-- <bean id="authenticator" class="org.apache.shiro.authz.ModularRealmAuthorizer">
        <property name="realms"></property>
    </bean> -->

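  • Your own Realm implementation class
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;

public class MyRealm extends AuthorizingRealm {

    @Autowired
    private UserService userService;

    // Authentication API
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        SimpleAuthenticationInfo info = null;

        // Cast the incoming token to its concrete type
        UsernamePasswordToken currentUser = (UsernamePasswordToken) token;
        // Fetch the account's stored password from the database
        String password = userService.getUserPassword(currentUser.getUsername());
        if (password != null) {
            // Hand the stored password and the salt (the username, as used for encryption)
            // to Shiro; the configured credentialsMatcher performs the comparison
            info = new SimpleAuthenticationInfo(currentUser.getPrincipal(), password,
                    ByteSource.Util.bytes(currentUser.getUsername()), this.getName());
        } else {
            throw new UnknownAccountException();
        }
        return info;
    }
    // Authorization API omitted
}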
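
The encryption side (run when an account is created) is not shown in the post. As an added example, not the blogger's code, the following hashes a password the way the configuration above expects (MD5, 2 iterations, username as salt) and then runs the same comparison the credentialsMatcher bean performs at login. The class name PasswordHashDemo, the realm name "demoRealm" and the sample credentials are assumptions.

```java
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

/** Added example (hypothetical class): registration hash vs. login check. */
public class PasswordHashDemo {

    // Must equal hashAlgorithmName and hashIterations of the credentialsMatcher bean.
    static final String ALGORITHM = "MD5";
    static final int ITERATIONS = 2;

    /** Value to store in the user table when the account is created. */
    static String hashForStorage(String username, String plainPassword) {
        // Third parameter is the salt, passed as the username itself;
        // Shiro converts the String to bytes internally.
        return new SimpleHash(ALGORITHM, plainPassword, username, ITERATIONS).toHex();
    }

    /** The comparison Shiro runs after doGetAuthenticationInfo returns. */
    static boolean matches(String username, String submittedPassword, String storedHex) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        // storedCredentialsHexEncoded defaults to true, so the stored value must be hex.
        UsernamePasswordToken token = new UsernamePasswordToken(username, submittedPassword);
        // Third parameter is the salt again, this time wrapped as a ByteSource.
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
                username, storedHex, ByteSource.Util.bytes(username), "demoRealm");
        return matcher.doCredentialsMatch(token, info);
    }

    public static void main(String[] args) {
        // Constructed sample values, for illustration only.
        String stored = hashForStorage("alice", "s3cret!");
        System.out.println("stored hash      : " + stored);
        System.out.println("correct password : " + matches("alice", "s3cret!", stored));
        System.out.println("wrong password   : " + matches("alice", "guess", stored));
        // A hash salted with one username never verifies under another.
        System.out.println("different salt   : " + matches("bob", "s3cret!", stored));
    }
}
```

MD5 with two iterations is cheap to brute-force offline, and a username is a predictable salt. The same code works with a stronger hashAlgorithmName such as SHA-256, a higher hashIterations and a random per-user salt stored beside the hash, as long as the matcher bean and the registration code change together.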
