shiro最闪亮的四大特征是认证,授权,加密,会话管理。
上一篇已经演示了如何使用shiro的授权模块,有了shiro这个利器,可以以统一的编码方式对用户的登入,登出,认证进行管理,相当的优雅。
为了提高应用系统的安全性,这里主要关注shiro提供的密码服务模块;
1,加密工具类的熟悉
首先来个结构图,看看shiro哥哥提供了哪些加密工具类:
为此,写了一个工具类来探测和熟悉这些工具类的使用:
| package com.util; |
2,一个综合点的例子,配置帐号的密码生成方式,并利用ehcache,设定输错密码多少次,用户被锁定一个小时;
1,提供一个ehcache的简单实用类
| package com.util.cache; import net.sf.ehcache.Cache; import net.sf.ehcache.CacheManager; import net.sf.ehcache.Element; import net.sf.ehcache.config.CacheConfiguration; import net.sf.ehcache.store.MemoryStoreEvictionPolicy; /** * User: cutter.li * Date: 2014/6/30 0030 * Time: 15:32 * 备注: ehcache的缓存工具类 */ public final class EhcacheUtil { private static final CacheManager cacheManager = CacheManager.getInstance(); /** * 创建ehcache缓存,创建之后的有效期是1小时 */ private static Cache cache = new Cache(new CacheConfiguration("systemCache", 5000).memoryStoreEvictionPolicy(MemoryStoreEvictionPolicy.FIFO).timeoutMillis(300).timeToLiveSeconds( 60 * 60)); static { cacheManager.addCache(cache); } public static void putItem(String key, Object item) { if (cache.get(key) != null) { cache.remove(key); } Element element = new Element(key, item); cache.put(element); } public static void removeItem(String key) { cache.remove(key); } public static void updateItem(String key, Object value) { putItem(key, value); } public static Object getItem(String key) { Element element= cache.get(key); if(null!=element) { return element.getObjectValue(); } return null; } } |
2,提供加密和校验密文的方法
| /** * 对密码进行md5加密,并返回密文和salt,包含在User对象中 * @param username 用户名 * @param password 密码 * @return 密文和salt */ public static User md5Password(String username,String password){ Preconditions.checkArgument(!Strings.isNullOrEmpty(username),"username不能为空"); Preconditions.checkArgument(!Strings.isNullOrEmpty(password),"password不能为空"); SecureRandomNumberGenerator secureRandomNumberGenerator=new SecureRandomNumberGenerator(); String salt= secureRandomNumberGenerator.nextBytes().toHex(); //组合username,两次迭代,对密码进行加密 String password_cipherText= new Md5Hash(password,username+salt,2).toHex(); User user=new User(); user.setPassword(password_cipherText); user.setSalt(salt); user.setUsername(username); return user; } /** * 通过username,password,salt,校验密文是否匹配 ,校验规则其实在配置文件中,这里为了清晰,写下来 * @param username 用户名 * @param password 原密码 * @param salt 盐 * @param md5cipherText 密文 * @return */ public static boolean checkMd5Password(String username,String password,String salt,String md5cipherText) { Preconditions.checkArgument(!Strings.isNullOrEmpty(username),"username不能为空"); Preconditions.checkArgument(!Strings.isNullOrEmpty(password),"password不能为空"); Preconditions.checkArgument(!Strings.isNullOrEmpty(md5cipherText),"md5cipherText不能为空"); //组合username,两次迭代,对密码进行加密 String password_cipherText= new Md5Hash(password,username+salt,2).toHex(); return md5cipherText.equals(password_cipherText); } |
3,配置认证的数据源使用的密码校验接口
| <bean id="myRealm" class="com.util.MysqlJdbcRealM"> <property name="credentialsMatcher" ref="passwordMatcher"></property> </bean> <bean id="passwordMatcher" class="com.util.LimitRetryHashedMatcher"> <property name="hashAlgorithmName" value="md5"></property> <property name="hashIterations" value="2"></property> <property name="storedCredentialsHexEncoded" value="true"></property> </bean> |
4,注册和登录方法的修改
| /** * 用户注册 * * @param entity * @return */ @Override public ResponseEntity<Map> createSubmit(User entity) { //加密用户输入的密码,得到密码的摘要和盐,保存到数据库 User user = EndecryptUtils.md5Password(entity.getUsername(), entity.getPassword()); entity.setPassword(user.getPassword()); entity.setSalt(user.getSalt()); Map<String, Object> map = Maps.newHashMap(); try { boolean createResult = service.modify(entity, OperationType.create); map.put("success", createResult); } catch (Exception e) { e.printStackTrace(); } return new ResponseEntity<Map>(map, HttpStatus.OK); } ------------------------------------------------------------------华丽的分割线--------------------------------------------------------------------------------------------------- @RequestMapping(value = "login", method = RequestMethod.POST) public ResponseEntity<Message> loginSubmit(String username, String password, String vcode, HttpServletRequest request) { message.setSuccess(); validateLogin(message, username, password, vcode); try { // String code = request.getSession().getAttribute(AppConstant.KAPTCHA_SESSION_KEY).toString(); // if (!vcode.equalsIgnoreCase(code)) { // message.setCode(AppConstant.VALIDCODE_ERROR); // message.setMsg("验证码错误"); // } if (message.isSuccess()) { Subject subject = SecurityUtils.getSubject(); subject.login(new UsernamePasswordToken(username, password,false)); if (subject.isAuthenticated()) { message.setMsg("登录成功"); } else { message.setCode(AppConstant.USERNAME_NOTEXIST); message.setMsg("用户名/密码错误"); } } }catch (ExcessiveAttemptsException ex) { message.setCode(AppConstant.USERNAME_NOTEXIST); message.setMsg("帐号被锁定1小时"); ex.printStackTrace(); } catch (AuthenticationException ex){ message.setCode(AppConstant.USERNAME_NOTEXIST); message.setMsg("用户名/密码错误"); ex.printStackTrace(); } finally { return new ResponseEntity<Message>(message, HttpStatus.OK); } } ---------------------------------------------------------------认证的修改------------------------------------------------------------------------------------- //登录认证 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException { UsernamePasswordToken usernamePasswordToken = (UsernamePasswordToken) token; String username = String.valueOf(usernamePasswordToken.getUsername()); User user = userService.findByUserName(username); SimpleAuthenticationInfo authenticationInfo = null; if (null != user) { String password = new String(usernamePasswordToken.getPassword()); //密码校验移交给了shiro的提供的一个接口实现类,所以这里注释掉 // if (EndecryptUtils.checkMd5Password(username,password,user.getSalt(),user.getPassword())) { authenticationInfo = new SimpleAuthenticationInfo(user.getUsername(), user.getPassword(), getName()); authenticationInfo.setCredentialsSalt(ByteSource.Util.bytes(username+user.getSalt())); // } } return authenticationInfo; } |
5,重写密码校验的方法
| package com.util; import com.util.cache.EhcacheUtil; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.ExcessiveAttemptsException; import org.apache.shiro.authc.credential.HashedCredentialsMatcher; import java.util.concurrent.atomic.AtomicInteger; /** * User: cutter.li * Date: 2014/6/30 0030 * Time: 15:22 * 备注: 限制登录次数,如果5次出错,锁定1个小时 */ public class LimitRetryHashedMatcher extends HashedCredentialsMatcher { @Override public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) { String username = (String) token.getPrincipal(); //retrycount + 1 Object element = EhcacheUtil.getItem(username); if (element == null) { EhcacheUtil.putItem(username, 1); element=0; }else{ int count=Integer.parseInt(element.toString())+1; element=count; EhcacheUtil.putItem(username,element); } AtomicInteger retryCount = new AtomicInteger(Integer.parseInt(element.toString())); if (retryCount.incrementAndGet() > 5) { //if retrycount >5 throw throw new ExcessiveAttemptsException(); } boolean matches = super.doCredentialsMatch(token, info); if (matches) { //clear retrycount EhcacheUtil.removeItem(username); } return matches; } } |
6,搞定收工
连续输错5次密码之后,出现如下提示;
7,小结
通过封装常用的加密解密工具类,降低了对jdk自带密码工具类的学习成本;
可以灵活定义密码的生成和判断方式,并改变密码判断过程的逻辑;
