java web 密码加密_JavaWeb日记——Shiro之密码加密
一般我們把密碼存在數(shù)據(jù)庫里都是采用加密的方式,確保了即使數(shù)據(jù)庫泄漏,不法分子也無法登錄帳號。常見的加密算法有MD5,SHA1等,本篇博客將給大家講解如何在Shiro中使用MD5算法給密碼加密。
POM
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
4.0.0
com.jk.shiroLearning
chapter4
1.0-SNAPSHOT
junit
junit
4.9
commons-logging
commons-logging
1.1.3
org.apache.shiro
shiro-core
1.2.2
mysql
mysql-connector-java
5.1.25
com.alibaba
druid
0.2.23
shiro-realm.ini
[main]
#自定義authorizer
authorizer=org.apache.shiro.authz.ModularRealmAuthorizer
securityManager.authorizer=$authorizer
#自定義realm 一定要放在securityManager.authorizer賦值之后(因為調用setRealms會將realms設置給authorizer,并給各個Realm設置permissionResolver和rolePermissionResolver)
realm=com.jk.realm.MyRealm
#配置加密匹配器
credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher
#加密算法
credentialsMatcher.hashAlgorithmName=MD5
#加密次數(shù)
credentialsMatcher.hashIterations=1024
realm.credentialsMatcher=$credentialsMatcher
securityManager.realms=$realm
配置比以前多了加密匹配器的部分
自定義Realm
public class MyRealm extends AuthorizingRealm {
//授權,調用checkRole/checkPermission/hasRole/isPermitted都會執(zhí)行該方法
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
//可通過不同principal賦予不同權限
if (principals.getPrimaryPrincipal().equals("jack")){
//授予角色role1
authorizationInfo.addRole("role1");
authorizationInfo.addRole("role2");
//授予對user任何行為任何實例的權限
authorizationInfo.addObjectPermission(new WildcardPermission("user:*"));
//等同于
//authorizationInfo.addStringPermission("user:*");
}
return authorizationInfo;
}
//認證
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
String username = (String)token.getPrincipal(); //得到用戶名
//加密算法
String hashAlgorithName="MD5";
//加密明文
String credentials="123456";
//加密鹽值
ByteSource salt = null;
//加密鹽值
//鹽值通常取唯一的,我們這用用戶名作為鹽值
//ByteSource salt= ByteSource.Util.bytes(username);
//加密次數(shù)
int hashIterations = 1024;
Object password = new SimpleHash(hashAlgorithName,credentials,salt,hashIterations);
return new SimpleAuthenticationInfo(username, password, getName());
}
}
在一般開發(fā)過程中我們不會直接用MD5加密,還要加上一個鹽值,這個鹽值一般是唯一的。
驗證登錄
public class UseMD5 {
public static void main(String[]args){
//1、獲取SecurityManager工廠,此處使用Ini配置文件初始化SecurityManager
Factory factory =
new IniSecurityManagerFactory("classpath:shiro-realm.ini");
//2、得到SecurityManager實例 并綁定給SecurityUtils
org.apache.shiro.mgt.SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);
//3、得到Subject及創(chuàng)建用戶名/密碼身份驗證Token(即用戶身份/憑證)
Subject subject = SecurityUtils.getSubject();
//登錄信息傳密碼明文
UsernamePasswordToken token = new UsernamePasswordToken("jack", "123456");
try {
//4、登錄,即身份驗證
subject.login(token);
//驗證是否有user1的create權限
System.out.println(subject.isPermitted("user1:create:*"));
//驗證是否有role1角色
System.out.println(subject.hasRole("role1"));
} catch (AuthenticationException e) {
//5、身份驗證失敗
e.printStackTrace();
}
//6、退出
subject.logout();
}
}
登錄時我們傳的是明文123456,校驗時比較的是用MD5加鹽用戶名加密1024次后的值
開發(fā)中我們一般會采用數(shù)據(jù)庫儲存用戶名,加密后密碼還要鹽值,,需要使用到JdbcRealm
首先執(zhí)行sql語句創(chuàng)建數(shù)據(jù)庫并插入數(shù)據(jù)
drop database if exists shiro;
create database shiro;
use shiro;
create table users (
id bigint auto_increment,
username varchar(100),
password varchar(100),
password_salt varchar(100),
constraint pk_users primary key(id)
) charset=utf8 ENGINE=InnoDB;
create unique index idx_users_username on users(username);
create table user_roles(
id bigint auto_increment,
username varchar(100),
role_name varchar(100),
constraint pk_user_roles primary key(id)
) charset=utf8 ENGINE=InnoDB;
create unique index idx_user_roles on user_roles(username, role_name);
create table roles_permissions(
id bigint auto_increment,
role_name varchar(100),
permission varchar(100),
constraint pk_roles_permissions primary key(id)
) charset=utf8 ENGINE=InnoDB;
create unique index idx_roles_permissions on roles_permissions(role_name, permission);
insert into users(username, password, password_salt) values('jack', 'fc1709d0a95a6be30bc5926fdb7f22f4', 'jack');
insert into user_roles(username, role_name) values('jack', 'role1');
insert into user_roles(username, role_name) values('jack', 'role2');
insert into roles_permissions(role_name, permission) values('role1', 'user1:*');
insert into roles_permissions(role_name, permission) values('role1', 'user2:*');
insert into roles_permissions(role_name, permission) values('role2', 'user3:*');
shiro-jdbc.ini
[main]
authorizer=org.apache.shiro.authz.ModularRealmAuthorizer
securityManager.authorizer=$authorizer
#自定義realm 一定要放在securityManager.authorizer賦值之后(因為調用setRealms會將realms設置給authorizer,并給各個Realm設置permissionResolver和rolePermissionResolver)
jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm
dataSource=com.alibaba.druid.pool.DruidDataSource
dataSource.driverClassName=com.mysql.jdbc.Driver
dataSource.url=jdbc:mysql://localhost:3306/shiro
dataSource.username=root
dataSource.password=root
jdbcRealm.dataSource=$dataSource
jdbcRealm.permissionsLookupEnabled=true
#配置加密匹配器
credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher
#加密算法
credentialsMatcher.hashAlgorithmName=MD5
#加密次數(shù)
credentialsMatcher.hashIterations=1024
jdbcRealm.credentialsMatcher=$credentialsMatcher
securityManager.realms=$jdbcRealm
這個也是比之前的多了配置加密匹配器
校驗登錄
public class UseJdbcMD5 {
public static void main(String[]args){
//1、獲取SecurityManager工廠,此處使用Ini配置文件初始化SecurityManager
Factory factory =
new IniSecurityManagerFactory("classpath:shiro-jdbc.ini");
//2、得到SecurityManager實例 并綁定給SecurityUtils
SecurityManager securityManager = factory.getInstance();
SecurityUtils.setSecurityManager(securityManager);
//3、得到Subject及創(chuàng)建用戶名/密碼身份驗證Token(即用戶身份/憑證)
Subject subject = SecurityUtils.getSubject();
//登錄信息傳密碼明文
UsernamePasswordToken token = new UsernamePasswordToken("jack", "123456");
try {
//4、登錄,即身份驗證
subject.login(token);
//驗證是否有user1的create權限
System.out.println(subject.isPermitted("user1:create:*"));
//驗證是否有role1角色
System.out.println(subject.hasRole("role1"));
} catch (AuthenticationException e) {
//5、身份驗證失敗
e.printStackTrace();
}
//6、退出
subject.logout();
}
}
總結
以上是生活随笔為你收集整理的java web 密码加密_JavaWeb日记——Shiro之密码加密的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 深度学习之卷积神经网络 GoogleNe
- 下一篇: Java毕业设计教程源码分享——简易网盘