shiro+密码匹配器验证登陆

Posted cjq.java

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了shiro+密码匹配器验证登陆相关的知识,希望对你有一定的参考价值。

1.先上工具类MD5Util   目前真正用到的是直接MD5加密的方法   未使用自定义加工密码加密

package cn.cjq.util;

import cn.cjq.entity.User;

import java.security.MessageDigest;
import java.util.Random;

public class MD5Util {

/**
* 加工密码,和登录一致。
* @param user
* @return
*/
public static User md5Pswd(User user){
//密码为 username + ‘#‘ + password,然后MD5
user.setPassword(md5Pswd(user.getUsername(),user.getPassword()));
return user;
}
/**
* 字符串返回值
* @param email
* @param pswd
* @return
*/
public static String md5Pswd(String email ,String pswd){
pswd = String.format("%s#%s", email,pswd);
pswd = getMD5(pswd);
return pswd;
}


/**
* MD5 加密
* @param str
* @return
* @throws Exception
*/
public static String getMD5(String str) {
MessageDigest messageDigest = null;
try {
messageDigest = MessageDigest.getInstance("MD5");
messageDigest.reset();
messageDigest.update(str.getBytes("UTF-8"));
} catch (Exception e) {
System.out.println("MD5转换异常!message:%s"+e.getMessage());
}

byte[] byteArray = messageDigest.digest();
StringBuffer md5StrBuff = new StringBuffer();
for (int i = 0; i < byteArray.length; i++) {
if (Integer.toHexString(0xFF & byteArray[i]).length() == 1)
md5StrBuff.append("0").append(Integer.toHexString(0xFF & byteArray[i]));
else
md5StrBuff.append(Integer.toHexString(0xFF & byteArray[i]));
}
return md5StrBuff.toString();
}


/**
* 获取随机的数值。
* @param length 长度
* @return
*/
public static String getRandom620(Integer length){
String result = "";
Random rand = new Random();
int n = 20;
if(null != length && length > 0){
n = length;
}
boolean[] bool = new boolean[n];
int randInt = 0;
for(int i = 0; i < length ; i++) {
do {
randInt = rand.nextInt(n);

}while(bool[randInt]);

bool[randInt] = true;
result += randInt;
}
return result;
}

/**
* 加密解密算法 执行一次加密,两次解密
*/
public static String convertMD5(String inStr){

char[] a = inStr.toCharArray();
for (int i = 0; i < a.length; i++){
a[i] = (char) (a[i] ^ ‘t‘);
}
String s = new String(a);
return s;

}

}

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2.密码加密实例   注册时会使用(只需要将加密的密码存入数据库),传给UsernamePasswordToken的密码参数是未加密的密码,由密码匹配器去自动匹配 

/**
* 注册 && 登录
* @param vcode 验证码
* @return
*/
@RequestMapping(value="subRegister")
@ResponseBody
@SystemControllerLog(description = "用户注册登陆")
public Response subRegister(@RequestParam(value="userName",required=false,defaultValue="") String userName,
@RequestParam(value="passWord",required=false,defaultValue="") String passWord,
@RequestParam(value="realname",required=false,defaultValue="") String realname,
@RequestParam(value="userType",required=false,defaultValue="") String userType,
@RequestParam(value="vcode",required=false,defaultValue="") String vcode)throws Exception{
//手机号不合法
if(!isMobileNO(userName)){
return new Response(ExceptionMsg.UserNameError);
}
//用户名已存在
User user = userServiceImpl.findByUserName(userName);
if(null != user){
return new Response(ExceptionMsg.UserNameUsed);
}
//验证码错误
KeyValue data=(KeyValue)stringRedisServiceImpl.get(userName);
if(data==null){
return new Response(ExceptionMsg.VcodeNotExists);
}else if(!data.getValue().equals(vcode)){
return new Response(ExceptionMsg.VcodeError);
}
//把密码md5
String password = MD5Util.getMD5(passWord);
//注册
User newuser =new User();
String uuid = UUID.randomUUID().toString().replaceAll("-", "");
newuser.setUerid(uuid);
newuser.setAddtime(new Date());
newuser.setCreateperson(uuid);
newuser.setUsername(userName);
newuser.setEnditime(new Date());
newuser.setIsdelete(0);
newuser.setStatus("1");
newuser.setPassword(password);
newuser.setRealname(realname);
newuser.setPhone(userName);
newuser.setDifference(1);
userServiceImpl.insertuser(newuser);
//登陆验证
UsernamePasswordToken token = new UsernamePasswordToken(userName,passWord,false);
SecurityUtils.getSubject().login(token);
Session sessions = SecurityUtils.getSubject().getSession();
sessions.setAttribute("user",newuser );
//清理内存
stringRedisServiceImpl.remove(userName);
return new Response(ExceptionMsg.SUCCESS);
}
--------------------------------------------------------------------------------------------------------------------------
3.shiro.xml配置密码匹配器 两个bean 配置在自定义的realm里
属性hashIterations的值目前为1,代表加密一次,其他值未试过,不明觉厉,待续
<!-- 凭证匹配器-->
<bean id="credentialsMatcher" class="cn.cjq.util.shiro.RetryLimitHashedCredentialsMatcher">
<constructor-arg ref="cacheManager"/>
<property name="hashAlgorithmName" value="md5"/>
<property name="hashIterations" value="1"/>
<property name="storedCredentialsHexEncoded" value="true"/>
</bean>
<bean id="myShiroRealm" class="cn.cjq.util.shiro.UserRealm">
<!-- 配置密码匹配器 -->
<property name="credentialsMatcher" ref="credentialsMatcher"/>
<property name="cachingEnabled" value="true"/>
<property name="authenticationCachingEnabled" value="true"/>
<property name="authenticationCacheName" value="authenticationCache"/>
<property name="authorizationCachingEnabled" value="true"/>
<property name="authorizationCacheName" value="authorizationCache"/>
</bean>
--------------------- ----------------------------------------------------------------------------------------------------------------
4.自定义的密码匹配器 目前使用的md5
package cn.cjq.util.shiro;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.cache.Cache;
import org.apache.shiro.cache.CacheManager;

import java.util.concurrent.atomic.AtomicInteger;

public class RetryLimitHashedCredentialsMatcher extends
HashedCredentialsMatcher {
private Cache<String, AtomicInteger> passwordRetryCache;

public RetryLimitHashedCredentialsMatcher(CacheManager cacheManager) {
passwordRetryCache = cacheManager.getCache("passwordRetryCache");
}

@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
String username = (String)token.getPrincipal();
//retry count + 1
AtomicInteger retryCount = passwordRetryCache.get(username);
if(retryCount == null) {
retryCount = new AtomicInteger(0);
passwordRetryCache.put(username, retryCount);
}
if(retryCount.incrementAndGet() > 5) {
//if retry count > 5 throw
throw new ExcessiveAttemptsException();
}

boolean matches = super.doCredentialsMatch(token, info);
if(matches) {
//clear retry count
passwordRetryCache.remove(username);
}
return matches;
}
}

以上是关于shiro+密码匹配器验证登陆的主要内容,如果未能解决你的问题,请参考以下文章

springboot + shiro 尝试登录次数限制与并发登录人数控制

shiro real的理解,密码匹配等

spring项目篇5----shiro以及实现登陆认证

Python用户密码登陆匹配验证

cms-登陆

JSP 设计教师与学生不同登陆界面(带验证码)