2013-12-23

Here is my Shiro configuration: Shiro with JDBC and hashed passwords.

[main] 
authc.loginUrl = /site/index.jsp 
authc.usernameParam = user 
authc.passwordParam = pass 
authc.rememberMeParam = remember 
authc.successUrl = /site/home.jsp 


jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm 
jdbcRealm.permissionsLookupEnabled=true 
jdbcRealm.authenticationQuery = select password from users where username = ? 
jdbcRealm.userRolesQuery = select role from users where username = ? 

credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher 
credentialsMatcher.hashAlgorithmName = SHA-256 
credentialsMatcher.storedCredentialsHexEncoded = true 
credentialsMatcher.hashIterations = 5000 
jdbcRealm.credentialsMatcher = $credentialsMatcher 



jof = org.apache.shiro.jndi.JndiObjectFactory 
jof.resourceName = jdbc/postgres 
jof.requiredType = javax.sql.DataSource 
jof.resourceRef = true 
jdbcRealm.dataSource = $jof 
securityManager.realms = jdbcRealm 

[urls] 
/theme/** = anon 
/site/** = authc 
/site/cards.jsp = roles[smoto,admin] 
/site/jobs.jsp = roles[admin] 

I created the hash for the admin user's password "admin" like this:

String hashedPassword = new Sha256Hash("admin", "", 5000).toHex(); 

I inserted the hash into the DB, but my authentication fails every time. Does anyone have any experience with this kind of setup with Shiro? Also, how would I enable debugging or logging?

EDIT: Here is the correct setup for this kind of authentication; I found it in another StackOverflow post.

[main] 
authc.loginUrl = /site/index.jsp 
authc.usernameParam = user 
authc.passwordParam = pass 
authc.rememberMeParam = remember 
authc.successUrl = /site/home.jsp 

jdbcRealm=org.apache.shiro.realm.jdbc.JdbcRealm 
jdbcRealm.permissionsLookupEnabled=false 
jdbcRealm.authenticationQuery = select password from users where username = ? 
jdbcRealm.userRolesQuery = select role from users where username = ? 

ps = org.apache.shiro.authc.credential.DefaultPasswordService 
pm = org.apache.shiro.authc.credential.PasswordMatcher 
pm.passwordService = $ps 

jof = org.apache.shiro.jndi.JndiObjectFactory 
jof.resourceName = jdbc/postgres 
jof.requiredType = javax.sql.DataSource 
jof.resourceRef = true 

jdbcRealm.dataSource = $jof 
jdbcRealm.credentialsMatcher = $pm 

#securityManager.realms = jdbcRealm 

[urls] 
/theme/** = anon 
/site/** = authc 
/site/cards.jsp = roles[smoto,admin] 
/site/jobs.jsp = roles[admin] 

The trick is to use the hashing tool that Shiro provides and copy its exact output into the database field "password". The whole string contains information such as which algorithm was used, how many iterations, etc., for example:

$shiro1$SHA-256$500000$salthere$hashhere 

Answer

Yes, HashedCredentialsMatcher, while sufficient, is a bit old. You may find Shiro's newer PasswordMatcher easier to use. You can configure its internal PasswordService easily:

[main] 
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService 
#configure the passwordService to use the settings you desire 
#... 
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher 
passwordMatcher.passwordService = $passwordService 
#... 
# Finally, set the matcher on a realm that requires password matching for account authentication: 
myRealm = ... 
myRealm.credentialsMatcher = $passwordMatcher 

When you create an account, you can use the PasswordService instance in your application to create the password hash, or to update the account's password:

String submittedPlaintextPassword = ... 
String encryptedValue = passwordService.encryptPassword(submittedPlaintextPassword); 
... 
userAccount.setPassword(encryptedValue); 
userAccount.save(); //create or update to your data store 

Just make sure that the passwordService configured in shiro.ini has the same configuration as the passwordService used in your application code.
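The following is an added example, not code from the question, the answer or the Shiro project itself. It ties together the "$shiro1$..." string the question's EDIT pastes into the users.password column and the PasswordService workflow the answer describes: it builds a DefaultPasswordService with the same settings one would put in the shiro.ini [main] section (the explicit SHA-256 / 500000-iteration / public-salt values are assumptions that mirror DefaultPasswordService's defaults, not settings taken from the page), encrypts the constructed "admin" password, parses the result back with Shiro1CryptFormat to show which parameters the string records, and then verifies a correct and a wrong login with a second service instance, which is what PasswordMatcher does at authentication time. It assumes shiro-core 1.2.x on the classpath.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Hash;
import org.apache.shiro.crypto.hash.format.Shiro1CryptFormat;

/**
 * Added example (not from the question, the answer or Shiro itself).
 * Produces the "$shiro1$..." value for the users.password column and
 * checks a login against it the way PasswordMatcher does.
 */
public class ShiroPasswordDemo {

    /**
     * Builds a PasswordService with explicit settings. These values are an
     * assumption that mirrors DefaultPasswordService's own defaults; they stand
     * in for whatever the shiro.ini [main] section configures.
     */
    static DefaultPasswordService newPasswordService() {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setHashIterations(500000);
        // A fresh random public salt per password; it is stored inside the
        // "$shiro1$" string, so nothing salt-related has to live in the ini.
        hashService.setGeneratePublicSalt(true);

        DefaultPasswordService service = new DefaultPasswordService();
        service.setHashService(hashService);
        return service;
    }

    public static void main(String[] args) {
        DefaultPasswordService service = newPasswordService();

        // Constructed sample input: the "admin" / "admin" account from the question.
        String stored = service.encryptPassword("admin");
        System.out.println("value to INSERT into users.password:");
        System.out.println("  " + stored);

        // The stored string is self-describing: the parser recovers every
        // parameter needed to recompute the hash later.
        Hash parsed = new Shiro1CryptFormat().parse(stored);
        System.out.println("algorithm   = " + parsed.getAlgorithmName());
        System.out.println("iterations  = " + parsed.getIterations());
        System.out.println("public salt = " + parsed.getSalt().toBase64());

        // Login time: a separate service instance (as the realm would hold)
        // parses the stored value, re-hashes the submitted password with the
        // recorded algorithm, iterations and salt, and compares.
        DefaultPasswordService verifier = newPasswordService();
        System.out.println("admin / admin matches: " + verifier.passwordsMatch("admin", stored));
        System.out.println("admin / wrong matches: " + verifier.passwordsMatch("wrong", stored));

        // Hashing the same plaintext again yields a different string because a
        // new public salt is generated each time; both still verify.
        String storedAgain = service.encryptPassword("admin");
        System.out.println("second hash of the same password:");
        System.out.println("  " + storedAgain);
        System.out.println("second hash also matches: " + verifier.passwordsMatch("admin", storedAgain));
    }
}
```

Because the algorithm name, iteration count and public salt are read back out of the stored string, the "same configuration" caveat in the answer matters most for anything the string does not carry: if the application-side hash service is given a private salt, the one the realm's passwordService uses in shiro.ini must be identical, or passwordsMatch will never succeed.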


Is there a way to log the password that gets passed to shiro.ini? My app always returns that the password I'm passing is wrong... I'm using some more complex hashing... The password in my database looks like: $shiro1$SHA-256$1028$8Q4AlwW/3NloawqM4ijdQQ==$DWE96wyrASHjA/vKCDFtSanDrw44L3wF1/DXPrJrtio= – Marcel