一、Shiro配置添加:
package com.how2java.tmall.config;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.spring.LifecycleBeanPostProcessor;
import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import com.how2java.tmall.realm.JPARealm;
/**
 * Spring configuration that wires Apache Shiro: the web filter factory, the
 * security manager, the JPA-backed realm and the credentials matcher used to
 * verify salted password hashes.
 *
 * <p>NOTE(review): the matcher below is configured for MD5 with 2 iterations.
 * MD5 is a fast digest and is not suitable for password storage; a slow,
 * purpose-built password hash (bcrypt/scrypt/argon2 class) is the usual
 * choice. Changing it here alone would lock out existing accounts: the
 * registration code and the stored hashes have to move in the same migration.
 */
@Configuration
public class ShiroConfiguration {

    /**
     * Creates the Shiro filter factory and binds it to the security manager.
     *
     * <p>NOTE(review): only the security manager is set here; no login URL or
     * filter-chain definitions are configured in this method, so URL-level
     * access rules, if any, must come from elsewhere. Confirm that protected
     * endpoints are actually covered.
     *
     * @param securityManager the Shiro security manager to attach
     * @return the configured filter factory bean
     */
    @Bean
    public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager){
        ShiroFilterFactoryBean factoryBean = new ShiroFilterFactoryBean();
        factoryBean.setSecurityManager(securityManager);
        return factoryBean;
    }

    /**
     * Creates the web security manager backed by the single {@link JPARealm}.
     *
     * @return the security manager
     */
    @Bean
    public SecurityManager securityManager(){
        // Presumably resolved through Spring's @Configuration proxy, so this is
        // the container-managed realm (the one whose @Autowired field is
        // injected) rather than a second instance. Confirm proxying is enabled.
        JPARealm realm = getJPARealm();
        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
        manager.setRealm(realm);
        return manager;
    }

    /**
     * Creates the realm and installs the hashed credentials matcher on it, so
     * that submitted passwords are hashed before being compared with the
     * stored value.
     *
     * @return the realm with its credentials matcher set
     */
    @Bean
    public JPARealm getJPARealm(){
        JPARealm realm = new JPARealm();
        realm.setCredentialsMatcher(hashedCredentialsMatcher());
        return realm;
    }

    /**
     * Creates the credentials matcher. Algorithm name and iteration count must
     * match the values used when the password hash was created at registration.
     *
     * @return matcher configured for "md5" with 2 iterations
     */
    @Bean
    public HashedCredentialsMatcher hashedCredentialsMatcher(){
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        // NOTE(review): weak parameters for password storage; see class comment.
        matcher.setHashIterations(2);
        matcher.setHashAlgorithmName("md5");
        return matcher;
    }
}
注:不仅要添加用于校验密码哈希的凭证匹配器(HashedCredentialsMatcher)配置,还要在 JPARealm 对象 myShiroRealm 上设置:myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher()); 否则 Realm 仍使用默认匹配器,不会按这里配置的算法和迭代次数对提交的密码做哈希后再比对。
二、登录认证时把盐值一并交给 Shiro(缺少盐值就无法对提交的密码重新计算哈希,也就无法与数据库中保存的值比对):
package com.how2java.tmall.realm;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;
import org.springframework.beans.factory.annotation.Autowired;
import com.how2java.tmall.pojo.User;
import com.how2java.tmall.service.UserService;
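/**
 * Shiro realm that looks users up through {@link UserService} and hands the
 * stored password hash and salt to Shiro for verification.
 *
 * <p>The realm does not compare passwords itself; the comparison is done by the
 * credentials matcher installed on the realm.
 */
public class JPARealm extends AuthorizingRealm{
    @Autowired
    private UserService userService;

    /**
     * Returns an empty authorization info: no roles or permissions are attached
     * to any principal by this realm.
     *
     * @param principals the authenticated principals (not used)
     * @return an empty {@link SimpleAuthorizationInfo}
     */
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo();
    }

    /**
     * Loads the account for the submitted username and returns its stored
     * password hash together with the per-user salt.
     *
     * @param token the submitted token; cast to {@link UsernamePasswordToken}
     * @return the stored credentials for the account, or {@code null} when no
     *         account exists for the username
     * @throws AuthenticationException declared by the overridden method
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        UsernamePasswordToken upt = (UsernamePasswordToken) token;
        String userName = upt.getUsername();
        User user = userService.getByName(userName);
        if (user == null) {
            // Unknown username: returning null is Shiro's "no such account"
            // signal and surfaces as an AuthenticationException at login,
            // instead of a NullPointerException on the lines below.
            // The login endpoint should answer unknown-user and wrong-password
            // failures with the same message so account names are not revealed.
            return null;
        }
        String dBpassword = user.getPassword();
        String salt = user.getSalt();
        // The salt is stored as a string; its bytes must be the same ones used
        // when the hash was created at registration.
        return new SimpleAuthenticationInfo(userName, dBpassword, ByteSource.Util.bytes(salt), getName());
    }
}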
三、注册时对密码做加盐哈希(通常所说的"密码加密"):
/**
 * Registers a new user: rejects a name that is already taken, then stores the
 * password as a salted hash together with its freshly generated salt.
 *
 * <p>NOTE(review): the hash is MD5 with 2 iterations, which is too fast for
 * password storage. It must stay in step with the credentials matcher
 * configuration, so migrate both, and the stored hashes, together.
 *
 * <p>NOTE(review): the whole {@code User} object comes from the request body
 * and is passed to {@code userService.add}. Only name, password and salt are
 * set here; confirm the client cannot pre-fill other fields of the entity.
 *
 * @param user the submitted user; name and password are read from it
 * @return a failure result when the name already exists, otherwise success
 */
@PostMapping("foreregister")
public Object register(@RequestBody User user){
    // The name is persisted HTML-escaped, so the login lookup presumably has to
    // apply the same escaping to find the account. Verify against the login path.
    String escapedName = HtmlUtils.htmlEscape(user.getName());
    user.setName(escapedName);

    // NOTE(review): check-then-insert; a unique constraint on the name column
    // is what actually prevents duplicates under concurrent requests.
    if (userService.IsExit(escapedName)) {
        return Result.fail("用户名已存在,请使用其他用户名");
    }

    // Per-user random salt; its string form is stored and later converted back
    // to bytes when the login attempt is verified.
    String salt = new SecureRandomNumberGenerator().nextBytes().toString();
    String hashedPassword = new SimpleHash("md5", user.getPassword(), salt, 2).toString();

    user.setSalt(salt);
    user.setPassword(hashedPassword);
    userService.add(user);
    return Result.success();
}