在自定义领域中使用Shiro的PasswordMatcher [英] Using Shiro's PasswordMatcher with a custom realm
问题描述
我正在将Apache Shiro与自定义JDBC领域结合使用,以从数据库中检索用户的盐,密码,哈希算法名称和哈希迭代次数,这些都存储为单独的列.
I'm using Apache Shiro with a custom JDBC realm to retrieve a user’s salt, password, hash algorithm name and number of hash iterations from the database which are all stored as separate columns.
问题是当使用PasswordMatcher验证用户的密码与数据库中存储的密码匹配时,我不确定如何处理从数据库中检索到的盐.
The problem is I'm unsure how I should handle the salt that has been retrieved from the database when using the PasswordMatcher to verify the user's password matches that stored in the database.
使用HashedCredentialsMatcher时,使用setCredentialsSalt方法设置了盐,但是使用PasswordMatcher而不是HashedCredentialsMatcher似乎不是这种情况.
When using the HashedCredentialsMatcher the salt is set using the setCredentialsSalt method, however it seems that this isn't the case when using the PasswordMatcher instead of the HashedCredentialsMatcher.
我在自定义JDBC领域中使用的代码如下
The code I'm using in the custom JDBC realm is as follows
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//code to retrieve user details from database removed for brevity
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(username, passwdSalt.password, getName());
info.setCredentialsSalt(new SimpleByteSource(passwdSalt.salt));
DefaultPasswordService passwordService = new DefaultPasswordService();
DefaultHashService hashService = new DefaultHashService();
PasswordMatcher passwordMatcher = new PasswordMatcher();
hashService.setHashAlgorithmName(passwdSalt.hashAlgorithmName);
hashService.setHashIterations(passwdSalt.hashIterations);
passwordService.setHashService(hashService);
passwordMatcher.setPasswordService(passwordService);
setCredentialsMatcher(passwordMatcher);
return info;
}
单步执行代码后,我已经确认问题肯定是由于在哈希用户输入的密码以使其与数据库中的哈希密码匹配时未使用盐.在DefaultPasswordService.java中,当在第160行上调用方法passwordsMatch(对象SubmittedPlaintext,保存字符串)时,名为request的对象包含以下
Having stepped through the code I've confirmed that the problem is definitely due to the salt not being used when hashing the password entered by the user in order to match it against the hashed password in the database. In DefaultPasswordService.java when the method passwordsMatch(Object submittedPlaintext, String saved) is called on line 160 the object named request contains the following
algorithmName=null
iterations=0
salt=null
source=cGFzc3dvcmQ=
第161行的下一行代码调用computeHash(request)
The next line of code on line 161 calls computeHash(request)
在DefaultHashService.java中,当调用方法computeHash(HashRequest request)时,在第155和157行中,变量algorithmName和迭代分别正确设置为SHA-256和1.在第159行,调用了方法getPublicSalt(request),但其重新调整为null.
In DefaultHashService.java when the method computeHash(HashRequest request) is called, on lines 155 and 157 the variables algorithmName and iterations are correctly set to SHA-256 and 1 respectively. On line 159 the method getPublicSalt(request) is called however it retuns null.
还有其他人将Shiro的PasswordMatcher与自定义领域一起使用吗?如果您告诉Shiro使用盐,则该怎么办?
Has anyone else used Shiro's PasswordMatcher with a custom realm and if how do you tell Shiro to use the salt?
推荐答案
我在Shiro邮件列表上发布了一条消息,并得到答复说,默认情况下,PasswordMatcher不会查看AuthenticationInfo中的任何内容,而不是authenticationInfo.getCredentials( ).
I posted a message on the Shiro mailing list and got a reply saying that the PasswordMatcher by default does not look at anything in the AuthenticationInfo other than authenticationInfo.getCredentials().
For further details, the archived message on the mailing list is available at http://shiro-user.582556.n2.nabble.com/Migrating-from-HashedCredentialMatcher-to-PasswordMatcher-td7577808.html
这篇关于在自定义领域中使用Shiro的PasswordMatcher的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
