Hash: How do I specify the number of hash iterations to use in Apache Shiro?


I am working on a JSF2 application in which I want to use Apache Shiro. I have it up and running, although I do not know how to specify the number of hash iterations to use.

shiro.ini

[main]

user = com.nivis.filter.FacesAjaxAwareUserFilter    
shiro.loginUrl = /faces/login.xhtml    
user.loginUrl = /faces/login.xhtml

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true    
jdbcRealm.authenticationQuery = SELECT password FROM app_user WHERE username = ?  

dataSource = org.apache.shiro.jndi.JndiObjectFactory       
dataSource.requiredType = javax.sql.DataSource      
dataSource.resourceName = JNDImysql  

jdbcRealm.dataSource = $dataSource      
securityManager.realms = $jdbcRealm

passwordService = org.apache.shiro.authc.credential.DefaultPasswordService    
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher    
passwordMatcher.passwordService = $passwordService

jdbcRealm.credentialsMatcher = $passwordMatcher

[urls]  

/faces/login.xhtml = user      
/faces/index.xhtml = user      
/faces/app/** = user  

Even though I do not explicitly specify a HashService, the passwords do get hashed. I saw an example that uses:

hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 10000
hashService.hashAlgorithmName = SHA-256
passwordService.hashService = $hashService

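I tried using it, but it made no difference. Since using just the PasswordService is enough to hash the passwords, I would like to know whether there is a way to specify how many hash iterations to use?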

You can try this:

# Configure Data Source --> see web.xml for full configuration
dataSource = org.apache.shiro.jndi.JndiObjectFactory
dataSource.resourceName = <resource name>
dataSource.resourceRef = true

# Create JDBC-Realm to connect to the Datasource and set the authenticationQuery
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $dataSource
jdbcRealm.authenticationQuery = SELECT password FROM <user table> WHERE email = ?

# Configure JDBC realm password hashing.
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = <number of iterations>
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
# privateSalt needs to be base64-encoded in shiro.ini but not in the Java code!
hashService.privateSalt = <base64-encoded Salt string>
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher

passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher.passwordService = $passwordService

jdbcRealm.credentialsMatcher = $passwordMatcher

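Note: this example also uses a private salt. To increase security against passwords being computed with rainbow tables / brute-force attacks, I strongly recommend using a salt. The sample code above may not be the best way to handle salting, but it works well. Also note that the salt needs to be base64-encoded in shiro.ini, but not in the Java code.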
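
One way to confirm which iteration count is actually in effect, as an added example that is not part of the original question or answer: the value DefaultPasswordService stores records its own algorithm and iteration count, so it can be read back and checked. This assumes the Shiro 1.x API (the same one the `hashService.hashIterations` property above belongs to); the class name `HashIterationCheck`, the `MIN_ITERATIONS` floor and the sample password are hypothetical.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Hash;
import org.apache.shiro.crypto.hash.format.Shiro1CryptFormat;

public class HashIterationCheck {

    // Assumed policy floor for this example; choose a value that suits your hardware.
    static final int MIN_ITERATIONS = 10000;

    /** Programmatic equivalent of the hashService/passwordService lines in shiro.ini. */
    static DefaultPasswordService buildPasswordService(int iterations) {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setHashIterations(iterations);
        hashService.setGeneratePublicSalt(true); // random salt per password

        DefaultPasswordService passwordService = new DefaultPasswordService();
        passwordService.setHashService(hashService);
        return passwordService;
    }

    /** Reads the iteration count recorded inside a stored "$shiro1$..." value. */
    static int storedIterations(String storedValue) {
        Hash parsed = new Shiro1CryptFormat().parse(storedValue);
        return parsed.getIterations();
    }

    public static void main(String[] args) {
        String password = "constructed-sample-password"; // constructed sample input
        DefaultPasswordService current = buildPasswordService(MIN_ITERATIONS);

        // Constructed sample rows: one hashed under an older, lower setting, one under the current one.
        String oldRow = buildPasswordService(1000).encryptPassword(password);
        String newRow = current.encryptPassword(password);

        // Layout: $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
        System.out.println(newRow);
        System.out.println("new row iterations: " + storedIterations(newRow));

        // Matching uses the parameters recorded in the stored value, so rows written
        // before a configuration change still verify but keep their old cost.
        System.out.println("old row matches: " + current.passwordsMatch(password, oldRow));
        if (storedIterations(oldRow) < MIN_ITERATIONS) {
            System.out.println("old row is below the floor; re-hash it at the next successful login");
        }
    }
}
```

Changing `hashService.hashIterations` only affects passwords hashed after the change, so checking an existing row in `app_user` will keep showing the old count until that password is re-hashed.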
