这里我们以md5加密方法举例,首先我们写一个main方法测试我们的密码经过md5加密之后的得到什么样的字符串:
/** * 书写方法测试Md5Hash将密码“houru”加密之后的密文 * 但是仅仅加密还是不够的,别人知道你的加密算法之后还是可以轻易破解密码的,因此我们还要“加盐” * 加盐:(调味)就是我们在加密密码的基础上在增加一些其他元素 * @param a */ public static void main(String a[]){ Md5Hash md5Hash1=new Md5Hash("houru");//只加密不加盐 Md5Hash md5Hash2=new Md5Hash("houru","jiayan");//加密又加盐 System.err.println(md5Hash1.toString()); System.err.println(md5Hash2.toString()); //没有加盐的加密结果:8a126ba89f60b97abf6185cd666ed8b4 // 加盐的加密结果: b7f30984e630bd6bd18f0b4a3196a257 }
下面的代码在上一篇博客基础上修改:
MyrealmTest.java:
package com.shiro.shiroframe; import com.shiro.myrealm.CustomRealm; import org.apache.shiro.SecurityUtils; import org.apache.shiro.authc.UsernamePasswordToken; import org.apache.shiro.authc.credential.HashedCredentialsMatcher; import org.apache.shiro.mgt.DefaultSecurityManager; import org.apache.shiro.subject.Subject; import org.junit.jupiter.api.Test; public class MyrealmTest { //引入我们自定义的realm CustomRealm customRealm = new CustomRealm(); @Test public void MyrealmTest() { //引入加密工具类HashedCredentialsMatcher: HashedCredentialsMatcher hashedCredentialsMatcher=new HashedCredentialsMatcher(); //设置我们要采用的加密方法的名称: hashedCredentialsMatcher.setHashAlgorithmName("md5"); //设置加密的次数: hashedCredentialsMatcher.setHashIterations(1); //给我们的自定义的realm设置hashedCredentialsMatcher对象 customRealm.setCredentialsMatcher(hashedCredentialsMatcher); DefaultSecurityManager defaultSecurityManager = new DefaultSecurityManager(); defaultSecurityManager.setRealm(customRealm); SecurityUtils.setSecurityManager(defaultSecurityManager); Subject subject = SecurityUtils.getSubject(); UsernamePasswordToken usernamePasswordToken = new UsernamePasswordToken("miyue", "houru"); subject.login(usernamePasswordToken); System.err.println(subject.isAuthenticated()); subject.checkRoles("admin"); subject.checkPermission("user:add"); } }
CustomRealm.java:
package com.shiro.myrealm; import org.apache.shiro.authc.AuthenticationException; import org.apache.shiro.authc.AuthenticationInfo; import org.apache.shiro.authc.AuthenticationToken; import org.apache.shiro.authc.SimpleAuthenticationInfo; import org.apache.shiro.authz.AuthorizationInfo; import org.apache.shiro.authz.SimpleAuthorizationInfo; import org.apache.shiro.crypto.hash.Hash; import org.apache.shiro.crypto.hash.Md5Hash; import org.apache.shiro.realm.AuthorizingRealm; import org.apache.shiro.subject.PrincipalCollection; import org.apache.shiro.util.ByteSource; import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; public class CustomRealm extends AuthorizingRealm { //认证方法 @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException { /** * 重写认证方法 */ //1、从主体传过来的认证信息中获取用户名 String username = (String) authenticationToken.getPrincipal(); //2、通过用户名到数据库获取凭证 String password = getPassWordByUsername(username); if (password == null) { return null; } SimpleAuthenticationInfo simpleAuthenticationInfo = new SimpleAuthenticationInfo("miyue", password, "test"); //注意,如果我们采用了加盐的方式加密,那么我们要给simpleAuthenticationInfo设置盐: simpleAuthenticationInfo.setCredentialsSalt(ByteSource.Util.bytes("jiayan")); return simpleAuthenticationInfo; } //授权方法 @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) { /** * 重新授权方法 */ String username = (String) principalCollection.getPrimaryPrincipal(); //从角色和缓存中获取角色数据 Set<String> roles = getRolesByUsername(username); //从角色和缓存中获取权限数据 Set<String> permission = getPermissionsByUsername(username); SimpleAuthorizationInfo simpleAuthorizationInfo=new SimpleAuthorizationInfo(); simpleAuthorizationInfo.setRoles(roles); simpleAuthorizationInfo.setStringPermissions(permission); return simpleAuthorizationInfo; } //下面使用map,set模拟数据库数据返回 Map<String, String> map = new HashMap<String, String>(); { // map.put("miyue", "houru"); //模拟数据库返回的密文 map.put("miyue", "b7f30984e630bd6bd18f0b4a3196a257"); } private String getPassWordByUsername(String username) { return map.get(username) == null ? null : map.get(username); } private Set<String> getRolesByUsername(String username) { Set<String> set = new HashSet<>(); set.add("admin"); set.add("user"); return set; } private Set<String> getPermissionsByUsername(String username) { Set<String> set = new HashSet<>(); set.add("user:delete"); set.add("user:add"); return set; } }