This is my shiro configuration
[main]
authc.loginUrl = /site/index.jsp
authc.usernameParam = user
authc.passwordParam = pass
authc.rememberMeParam = remember
authc.successUrl = /site/home.jsp
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled=true
jdbcRealm.authenticationQuery = select password from users where username = ?
jdbcRealm.userRolesQuery = select role from users where username = ?
credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
credentialsMatcher.hashAlgorithmName = SHA-256
credentialsMatcher.storedCredentialsHexEncoded = true
credentialsMatcher.hashIterations = 5000
jdbcRealm.credentialsMatcher = $credentialsMatcher
jof = org.apache.shiro.jndi.JndiObjectFactory
jof.resourceName = jdbc/postgres
jof.requiredType = javax.sql.DataSource
jof.resourceRef = true
jdbcRealm.dataSource = $jof
securityManager.realms = jdbcRealm

[urls]
/theme/** = anon
/site/** = authc
/site/cards.jsp = roles[smoto,admin]
/site/jobs.jsp = roles[admin]
I created the hash for the admin password "admin" like this:

import org.apache.shiro.crypto.hash.Sha256Hash;

// empty salt, 5000 iterations, hex output (to line up with credentialsMatcher.hashIterations = 5000
// and credentialsMatcher.storedCredentialsHexEncoded = true above)
String hashedPassword = new Sha256Hash("admin", "", 5000).toHex();
I insert the hash value into the db, but every authentication fails. Does anyone have experience with this kind of shiro setup? Also, how do I enable debugging or logging in shiro?

Edit: this is the correct setup for this kind of authentication; I found it in another stackoverflow post
[main]
authc.loginUrl = /site/index.jsp
authc.usernameParam = user
authc.passwordParam = pass
authc.rememberMeParam = remember
authc.successUrl = /site/home.jsp
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled=false
jdbcRealm.authenticationQuery = select password from users where username = ?
jdbcRealm.userRolesQuery = select role from users where username = ?
ps = org.apache.shiro.authc.credential.DefaultPasswordService
pm = org.apache.shiro.authc.credential.PasswordMatcher
pm.passwordService = $ps
jof = org.apache.shiro.jndi.JndiObjectFactory
jof.resourceName = jdbc/postgres
jof.requiredType = javax.sql.DataSource
jof.resourceRef = true
jdbcRealm.dataSource = $jof
jdbcRealm.credentialsMatcher = $pm
#securityManager.realms = jdbcRealm

[urls]
/theme/** = anon
/site/** = authc
/site/cards.jsp = roles[smoto,admin]
/site/jobs.jsp = roles[admin]

The trick is to use the hash tool that shiro provides and then copy its exact output into the database field "password". The whole string contains the information about which algorithm was used, how many iterations were done, and so on, for example:
$shiro1$SHA-256$500000$salthere$hashhere
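One thing worth checking in both versions of the [urls] section above, independent of the hashing problem: Shiro walks the filter chain definitions top to bottom and applies the first pattern that matches the request path, so a broad /site/** = authc placed before /site/cards.jsp and /site/jobs.jsp means the roles[...] chains on those two lines are never reached. The Python below is an added example, not code from the question, the answer, or Shiro: it parses an ini [urls] block, reports which chain a given path would get, and lists literal entries that an earlier wildcard already swallows. The ini text is copied from the question; the Ant-style matcher is a simplified re-implementation written for this script, not Shiro's AntPathMatcher.

```python
import re
from typing import List, Optional, Tuple

# Added example, not from the question or the answer. Shiro resolves a request
# against the [urls] section top to bottom and applies the FIRST matching chain
# definition, so line order decides which filters run. The ini text below is the
# [urls] block from the question; ant_to_regex is a simplified re-implementation
# of Ant path syntax written here, not Shiro's own AntPathMatcher.

URLS_FROM_QUESTION = """\
[urls]
/theme/** = anon
/site/** = authc
/site/cards.jsp = roles[smoto,admin]
/site/jobs.jsp = roles[admin]
"""

Entry = Tuple[str, str]  # (path pattern, filter chain)


def parse_urls_section(ini_text: str) -> List[Entry]:
    """Collect 'pattern = chain' lines from the [urls] section, preserving file order."""
    entries: List[Entry] = []
    section: Optional[str] = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "urls" and "=" in line:
            pattern, chain = (part.strip() for part in line.split("=", 1))
            entries.append((pattern, chain))
    return entries


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Simplified Ant syntax: '**' spans path segments, '*' and '?' stay inside one
    segment, and a trailing '/**' also matches the bare prefix ('/site/**' matches '/site')."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.endswith("/**") and i == len(pattern) - 3:
            out.append("(/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def first_match(entries: List[Entry], path: str) -> Optional[Entry]:
    """The entry Shiro would apply to `path`: first match in definition order, or None."""
    for pattern, chain in entries:
        if ant_to_regex(pattern).match(path):
            return (pattern, chain)
    return None


def shadowed_entries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Literal (wildcard-free) entries that an EARLIER pattern already matches, returned as
    (shadowed pattern, shadowing pattern). Their chain, e.g. roles[admin], never runs."""
    found: List[Tuple[str, str]] = []
    for idx, (pattern, _chain) in enumerate(entries):
        if any(ch in pattern for ch in "*?"):
            continue
        winner = first_match(entries[:idx], pattern)
        if winner is not None:
            found.append((pattern, winner[0]))
    return found


def literals_first(entries: List[Entry]) -> List[Entry]:
    """One safe reordering: keep relative order, but move wildcard-free entries ahead of patterns."""
    return sorted(entries, key=lambda e: any(ch in e[0] for ch in "*?"))


if __name__ == "__main__":
    entries = parse_urls_section(URLS_FROM_QUESTION)
    for path in ("/theme/css/main.css", "/site/home.jsp", "/site/jobs.jsp", "/site/cards.jsp"):
        print(path, "->", first_match(entries, path))
    print("shadowed:", shadowed_entries(entries))
    print("shadowed after reordering:", shadowed_entries(literals_first(entries)))
```

Run as-is it reports that /site/cards.jsp and /site/jobs.jsp both resolve to /site/** = authc, so an authenticated user without the admin role reaches jobs.jsp. Putting the specific lines before /site/** fixes that; Shiro also lets one definition name several filters, so /site/jobs.jsp = authc, roles[admin] keeps the login redirect explicit on the reordered line.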
Yes, while sufficient, HashedCredentialsMatcher is a bit old. You might find Shiro's newer PasswordMatcher easier to use. You can configure its internal PasswordService quite easily:

[main]
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
#configure the passwordService to use the settings you desire
#...
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
#...
# Finally, set the matcher on a realm that requires password matching for account authentication:
myRealm = ...
myRealm.credentialsMatcher = $passwordMatcher
You can use the PasswordService instance in your application to create the password hash when creating an account or updating an account's password:

String submittedPlaintextPassword = ...
String encryptedValue = passwordService.encryptPassword(submittedPlaintextPassword);
...
userAccount.setPassword(encryptedValue);
userAccount.save(); //create or update to your data store
Just make sure the passwordService configured in shiro.ini is configured identically to the passwordService used in your application code.
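To see concretely why the question's hex hash and the answer's $shiro1$ string behave differently, here is an added example, not code from the question, the answer, or Shiro itself: a Python re-implementation of both stored formats, the fixed-parameter hex digest that Sha256Hash(pw, salt, n).toHex() yields and HashedCredentialsMatcher recomputes, and the self-describing $shiro1$ALG$ITER$SALT$HASH string that DefaultPasswordService writes and PasswordMatcher reads back. With it you can generate a value for the users table offline and confirm that salt, iteration count and encoding all agree before touching the realm. The iteration scheme (digest of salt followed by password, then re-digesting the result for the remaining iterations), the 500000-iteration default and the 16-byte random salt are my understanding of Shiro 1.x, not something the thread states; cross-check one value against the real library before relying on it.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not from the question/answer and not Shiro's own code.
#   hashed_credentials_hex : what new Sha256Hash(pw, salt, n).toHex() yields and what
#                            HashedCredentialsMatcher recomputes from shiro.ini settings
#   shiro1_encrypt/verify  : the $shiro1$ALG$ITER$SALT$HASH string DefaultPasswordService
#                            stores; every parameter travels inside the string itself
# ASSUMPTION: Shiro's SimpleHash computes digest(salt || password) and then re-digests
# the result (iterations - 1) times; SHA-256, 500000 iterations and a 16-byte random
# salt are my recollection of the Shiro 1.x defaults. Verify one value against Shiro.

# Algorithm name as written inside the $shiro1$ string -> hashlib name
_HASHLIB_NAME = {"SHA-256": "sha256", "SHA-512": "sha512", "SHA-1": "sha1", "MD5": "md5"}


def shiro_iterated_hash(password: bytes, salt: bytes, iterations: int, alg: str = "sha256") -> bytes:
    """digest(salt || password), then digest(previous digest) for the remaining iterations."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    h = hashlib.new(alg)
    h.update(salt)
    h.update(password)
    digest = h.digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(alg, digest).digest()
    return digest


def hashed_credentials_hex(password: str, salt: str = "", iterations: int = 5000) -> str:
    """Python equivalent of new Sha256Hash(password, salt, iterations).toHex() from the question."""
    return shiro_iterated_hash(password.encode("utf-8"), salt.encode("utf-8"), iterations).hex()


def hashed_credentials_match(password: str, stored_hex: str, salt: str = "", iterations: int = 5000) -> bool:
    """What HashedCredentialsMatcher does with hashAlgorithmName/hashIterations from shiro.ini:
    salt, iteration count and hex encoding must all equal what produced stored_hex."""
    return hmac.compare_digest(hashed_credentials_hex(password, salt, iterations), stored_hex.lower())


def shiro1_encrypt(password: str, iterations: int = 500000, alg: str = "SHA-256",
                   salt: Optional[bytes] = None) -> str:
    """Build a $shiro1$... string. A fresh 16-byte random salt is drawn unless one is supplied."""
    if alg not in _HASHLIB_NAME:
        raise ValueError("unsupported algorithm %r" % alg)
    if salt is None:
        salt = os.urandom(16)
    digest = shiro_iterated_hash(password.encode("utf-8"), salt, iterations, _HASHLIB_NAME[alg])
    return "$shiro1$%s$%d$%s$%s" % (
        alg, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def shiro1_parse(stored: str) -> Tuple[str, int, bytes, bytes]:
    """Split '$shiro1$ALG$ITER$SALT$HASH' into (alg, iterations, salt, hash)."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != "shiro1":
        raise ValueError("not a $shiro1$ formatted credential: %r" % stored)
    _, _, alg, iters, salt_b64, hash_b64 = parts
    if alg not in _HASHLIB_NAME:
        raise ValueError("unsupported algorithm %r" % alg)
    return alg, int(iters), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def is_shiro1_format(stored: str) -> bool:
    """True when the column value carries its own parameters, i.e. PasswordMatcher can read it."""
    try:
        shiro1_parse(stored)
        return True
    except ValueError:  # binascii.Error from bad base64 is a ValueError subclass
        return False


def shiro1_verify(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the stored string and compare in constant time."""
    alg, iterations, salt, expected = shiro1_parse(stored)
    actual = shiro_iterated_hash(password.encode("utf-8"), salt, iterations, _HASHLIB_NAME[alg])
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Column value when staying with HashedCredentialsMatcher (5000 iterations, empty salt)
    legacy = hashed_credentials_hex("admin")
    print("hex row:", legacy, hashed_credentials_match("admin", legacy))
    # A row hashed with 500 iterations silently fails against a matcher set to 5000
    print("iteration mismatch:", hashed_credentials_match("admin", hashed_credentials_hex("admin", iterations=500)))
    # Column value after switching to PasswordMatcher/DefaultPasswordService
    row = shiro1_encrypt("admin")
    print("crypt row:", row, shiro1_verify("admin", row), shiro1_verify("nimda", row))
```

The hex form has no way to tell the matcher how it was produced, so any drift between the code that wrote the row and the shiro.ini that reads it (a different iteration count, a salt the realm does not return, base64 instead of hex) fails silently as "wrong password"; the $shiro1$ form carries those parameters, which is why the answer only needs the ini and the application to share one passwordService configuration.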