shiro with jdbc and hashed passwords


Question

Here is my shiro config

[main]
authc.loginUrl = /site/index.jsp
authc.usernameParam = user
authc.passwordParam = pass
authc.rememberMeParam = remember
authc.successUrl = /site/home.jsp


jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled=true
jdbcRealm.authenticationQuery = select password from users where username = ?
jdbcRealm.userRolesQuery = select role from users where username = ?

credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
credentialsMatcher.hashAlgorithmName = SHA-256
credentialsMatcher.storedCredentialsHexEncoded = true
credentialsMatcher.hashIterations = 5000
jdbcRealm.credentialsMatcher = $credentialsMatcher



jof = org.apache.shiro.jndi.JndiObjectFactory
jof.resourceName = jdbc/postgres
jof.requiredType = javax.sql.DataSource
jof.resourceRef = true
jdbcRealm.dataSource = $jof
securityManager.realms = jdbcRealm

[urls]
/theme/** = anon
/site/** = authc
/site/cards.jsp = roles[smoto,admin]
/site/jobs.jsp = roles[admin]

I created the hash like this for admin password admin

String hashedPassword = new Sha256Hash("admin", "", 5000).toHex();

I inserted the hash into the db but my authentication fails every time, does anyone have any experience with this kind of setup with shiro? Also how would I enable debugging or logging for shiro?

EDIT: here is the correct set up for this kind of authentication, found it in another stackoverflow post

[main]
authc.loginUrl = /site/index.jsp
authc.usernameParam = user
authc.passwordParam = pass
authc.rememberMeParam = remember
authc.successUrl = /site/home.jsp

jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled=false
jdbcRealm.authenticationQuery = select password from users where username = ?
jdbcRealm.userRolesQuery = select role from users where username = ?

ps = org.apache.shiro.authc.credential.DefaultPasswordService
pm = org.apache.shiro.authc.credential.PasswordMatcher
pm.passwordService = $ps

jof = org.apache.shiro.jndi.JndiObjectFactory
jof.resourceName = jdbc/postgres
jof.requiredType = javax.sql.DataSource
jof.resourceRef = true

jdbcRealm.dataSource = $jof
jdbcRealm.credentialsMatcher = $pm

#securityManager.realms = jdbcRealm

[urls]
/theme/** = anon
/site/** = authc
/site/cards.jsp = roles[smoto,admin]
/site/jobs.jsp = roles[admin]

The trick is to use the hashing tool that shiro provides and copy the exact output into the database field "password"; the whole string will contain info on what algorithm is used, how many iterations, etc. Example:

$shiro1$SHA-256$500000$salthere$hashhere

Solution

Yes, the HashedCredentialsMatcher, while sufficient, is a bit older. You'll probably find Shiro's newer PasswordMatcher easier to use. You can configure its internal PasswordService pretty easily:

[main]
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
#configure the passwordService to use the settings you desire
#...
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
#...
# Finally, set the matcher on a realm that requires password matching for account authentication:
myRealm = ...
myRealm.credentialsMatcher = $passwordMatcher

You can use an instance of the PasswordService in your application to create the password hash when you create an account or update the account's password:

String submittedPlaintextPassword = ...
String encryptedValue = passwordService.encryptPassword(submittedPlaintextPassword);
...
userAccount.setPassword(encryptedValue);
userAccount.save(); //create or update to your data store

Just make sure the passwordService configured in shiro.ini has the same configuration as the passwordService used in your application code.
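An added example (not from the question or answer above) showing the PasswordService approach the answer recommends end to end, and why the `$shiro1$...` string from the EDIT is self-describing. It assumes Shiro 1.x (shiro-core) on the classpath; the class and its settings are illustrative, and the hash service values must match the `passwordService` configured in shiro.ini.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Hash;
import org.apache.shiro.crypto.hash.format.Shiro1CryptFormat;

// Hypothetical demo class, not part of Shiro or of the asker's application.
public class ShiroPasswordDemo {

    // Builds the same service that shiro.ini wires into PasswordMatcher.
    // Shiro 1.x defaults are SHA-256 with 500000 iterations; set them
    // explicitly so the application code and shiro.ini cannot drift apart.
    static DefaultPasswordService newPasswordService() {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setHashIterations(500000);
        hashService.setGeneratePublicSalt(true); // random per-user salt, stored inside the string
        DefaultPasswordService ps = new DefaultPasswordService();
        ps.setHashService(hashService);
        return ps;
    }

    // Account creation: this is the value to store in users.password.
    static String storedValueFor(String plaintext) {
        return newPasswordService().encryptPassword(plaintext);
    }

    // Login: PasswordMatcher does exactly this against the stored column.
    static boolean login(String submitted, String stored) {
        return newPasswordService().passwordsMatch(submitted, stored);
    }

    public static void main(String[] args) {
        String stored = storedValueFor("admin");
        // Looks like $shiro1$SHA-256$500000$<base64 salt>$<base64 hash>
        System.out.println(stored);

        System.out.println(login("admin", stored));  // true
        System.out.println(login("wrong", stored));  // false

        // The algorithm, iteration count and salt are read back from the
        // stored string, so no hashIterations / hashAlgorithmName settings
        // are needed on the matcher side (unlike HashedCredentialsMatcher).
        Hash parsed = new Shiro1CryptFormat().parse(stored);
        System.out.println(parsed.getAlgorithmName() + " / " + parsed.getIterations());
    }
}
```

Because the salt is random, two calls to encryptPassword("admin") produce different strings, and both verify; compare stored values only through passwordsMatch, never by string equality.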
