Hash 如何指定ApacheShiro中要使用的哈希迭代次数?
我正在使用一个Hash 如何指定ApacheShiro中要使用的哈希迭代次数?,hash,shiro,Hash,Shiro,我正在使用一个JSF2应用程序,我想在其中使用apacheshiro。虽然我不知道如何指定要使用的Hash迭代次数,但我已经启动并运行了它 shiro.ini [main] user = com.nivis.filter.FacesAjaxAwareUserFilter shiro.loginUrl = /faces/login.xhtml user.loginUrl = /faces/login.xhtml jdbcRealm = org.apache.shiro.real
JSF2
应用程序,我想在其中使用apacheshiro
。虽然我不知道如何指定要使用的Hash
迭代次数,但我已经启动并运行了它
shiro.ini
[main]
user = com.nivis.filter.FacesAjaxAwareUserFilter
shiro.loginUrl = /faces/login.xhtml
user.loginUrl = /faces/login.xhtml
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = SELECT password FROM app_user WHERE username = ?
dataSource = org.apache.shiro.jndi.JndiObjectFactory
dataSource.requiredType = javax.sql.DataSource
dataSource.resourceName = JNDImysql
jdbcRealm.dataSource = $dataSource
securityManager.realms = $jdbcRealm
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
jdbcRealm.credentialsMatcher = $passwordMatcher
[urls]
/faces/login.xhtml = user
/faces/index.xhtml = user
/faces/app/** = user
即使我没有明确指定哈希服务
,也可以对密码进行哈希处理。我看到一个例子,使用:
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 10000
hashService.hashAlgorithmName = SHA-256
passwordService.hashService = $hashService
我试着用它,虽然没什么区别。由于仅使用
PasswordService
就足以对密码进行哈希运算,我想知道是否有办法指定要使用多少次哈希迭代?您可以尝试这样做:
# Configure Data Source --> see web.xml for full configuration
dataSource = org.apache.shiro.jndi.JndiObjectFactory
dataSource.resourceName = <resource name>
dataSource.resourceRef = true
# Create JDBC-Realm to connect to the Datasource and set the authenticationQuery
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $dataSource
jdbcRealm.authenticationQuery = SELECT password FROM <user table> WHERE email = ?
# Configure JDBC realm password hashing.
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = <number of iterations>
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
# privateSalt needs to be base64-encoded in shiro.ini but not in the Java code!
hashService.privateSalt = <base64-encoded Salt string>
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher.passwordService = $passwordService
jdbcRealm.credentialsMatcher = $passwordMatcher
#配置数据源-->有关完整配置,请参见web.xml
dataSource=org.apache.shiro.jndi.JndiObjectFactory
dataSource.resourceName=
dataSource.resourceRef=true
#创建JDBC领域以连接到数据源并设置authenticationQuery
jdbcream=org.apache.shiro.realm.jdbc.jdbcream
jdbcRealm.dataSource=$dataSource
jdbcRealm.authenticationQuery=从电子邮件=?
#配置JDBC域密码哈希。
hashService=org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations=
hashService.hashAlgorithmName=SHA-256
hashService.GeneratePublicAlt=true
#privateSalt需要在shiro.ini中进行base64编码,而不是在Java代码中!
hashService.PrivateSolt=
passwordMatcher=org.apache.shiro.authc.credential.passwordMatcher
passwordService=org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService=$hashService
passwordMatcher.passwordService=$passwordService
jdbcRealm.credentialsMatcher=$passwordMatcher
注意:本例还使用了一种专用盐。为了增加对使用rainbow表/暴力攻击计算的密码的安全性,我强烈建议使用salt。上面的示例代码可能不是处理盐渍的最佳方法,但效果很好。还要注意,Salt需要在shiro.ini中进行base64编码,而不是在java代码中进行编码。您可以尝试这样做:
# Configure Data Source --> see web.xml for full configuration
dataSource = org.apache.shiro.jndi.JndiObjectFactory
dataSource.resourceName = <resource name>
dataSource.resourceRef = true
# Create JDBC-Realm to connect to the Datasource and set the authenticationQuery
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $dataSource
jdbcRealm.authenticationQuery = SELECT password FROM <user table> WHERE email = ?
# Configure JDBC realm password hashing.
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = <number of iterations>
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
# privateSalt needs to be base64-encoded in shiro.ini but not in the Java code!
hashService.privateSalt = <base64-encoded Salt string>
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher.passwordService = $passwordService
jdbcRealm.credentialsMatcher = $passwordMatcher
#配置数据源-->有关完整配置,请参见web.xml
dataSource=org.apache.shiro.jndi.JndiObjectFactory
dataSource.resourceName=
dataSource.resourceRef=true
#创建JDBC领域以连接到数据源并设置authenticationQuery
jdbcream=org.apache.shiro.realm.jdbc.jdbcream
jdbcRealm.dataSource=$dataSource
jdbcRealm.authenticationQuery=从电子邮件=?
#配置JDBC域密码哈希。
hashService=org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations=
hashService.hashAlgorithmName=SHA-256
hashService.GeneratePublicAlt=true
#privateSalt需要在shiro.ini中进行base64编码,而不是在Java代码中!
hashService.PrivateSolt=
passwordMatcher=org.apache.shiro.authc.credential.passwordMatcher
passwordService=org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService=$hashService
passwordMatcher.passwordService=$passwordService
jdbcRealm.credentialsMatcher=$passwordMatcher
注意:本例还使用了一种专用盐。为了增加对使用rainbow表/暴力攻击计算的密码的安全性,我强烈建议使用salt。上面的示例代码可能不是处理盐渍的最佳方法,但效果很好。还要注意,Salt需要在shiro.ini中进行base64编码,而不是在java代码中进行编码。您可以尝试这样做:
# Configure Data Source --> see web.xml for full configuration
dataSource = org.apache.shiro.jndi.JndiObjectFactory
dataSource.resourceName = <resource name>
dataSource.resourceRef = true
# Create JDBC-Realm to connect to the Datasource and set the authenticationQuery
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $dataSource
jdbcRealm.authenticationQuery = SELECT password FROM <user table> WHERE email = ?
# Configure JDBC realm password hashing.
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = <number of iterations>
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
# privateSalt needs to be base64-encoded in shiro.ini but not in the Java code!
hashService.privateSalt = <base64-encoded Salt string>
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher.passwordService = $passwordService
jdbcRealm.credentialsMatcher = $passwordMatcher
#配置数据源-->有关完整配置,请参见web.xml
dataSource=org.apache.shiro.jndi.JndiObjectFactory
dataSource.resourceName=
dataSource.resourceRef=true
#创建JDBC领域以连接到数据源并设置authenticationQuery
jdbcream=org.apache.shiro.realm.jdbc.jdbcream
jdbcRealm.dataSource=$dataSource
jdbcRealm.authenticationQuery=从电子邮件=?
#配置JDBC域密码哈希。
hashService=org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations=
hashService.hashAlgorithmName=SHA-256
hashService.GeneratePublicAlt=true
#privateSalt需要在shiro.ini中进行base64编码,而不是在Java代码中!
hashService.PrivateSolt=
passwordMatcher=org.apache.shiro.authc.credential.passwordMatcher
passwordService=org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService=$hashService
passwordMatcher.passwordService=$passwordService
jdbcRealm.credentialsMatcher=$passwordMatcher
注意:本例还使用了一种专用盐。为了增加对使用rainbow表/暴力攻击计算的密码的安全性,我强烈建议使用salt。上面的示例代码可能不是处理盐渍的最佳方法,但效果很好。还要注意,Salt需要在shiro.ini中进行base64编码,而不是在java代码中进行编码。您可以尝试这样做:
# Configure Data Source --> see web.xml for full configuration
dataSource = org.apache.shiro.jndi.JndiObjectFactory
dataSource.resourceName = <resource name>
dataSource.resourceRef = true
# Create JDBC-Realm to connect to the Datasource and set the authenticationQuery
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $dataSource
jdbcRealm.authenticationQuery = SELECT password FROM <user table> WHERE email = ?
# Configure JDBC realm password hashing.
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = <number of iterations>
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
# privateSalt needs to be base64-encoded in shiro.ini but not in the Java code!
hashService.privateSalt = <base64-encoded Salt string>
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher.passwordService = $passwordService
jdbcRealm.credentialsMatcher = $passwordMatcher
#配置数据源-->有关完整配置,请参见web.xml
dataSource=org.apache.shiro.jndi.JndiObjectFactory
dataSource.resourceName=
dataSource.resourceRef=true
#创建JDBC领域以连接到数据源并设置authenticationQuery
jdbcream=org.apache.shiro.realm.jdbc.jdbcream
jdbcRealm.dataSource=$dataSource
jdbcRealm.authenticationQuery=从电子邮件=?
#配置JDBC域密码哈希。
hashService=org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations=
hashService.hashAlgorithmName=SHA-256
hashService.GeneratePublicAlt=true
#privateSalt需要在shiro.ini中进行base64编码,而不是在Java代码中!
hashService.PrivateSolt=
passwordMatcher=org.apache.shiro.authc.credential.passwordMatcher
passwordService=org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService=$hashService
passwordMatcher.passwordS