Java: Verifying a plaintext password against an MD5 hash in the database using Apache Shiro


This is my shiro.ini:

[main]
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.requiredType = javax.sql.DataSource
ds.resourceName = java:/comp/env/jdbc/at

credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher
credentialsMatcher.hashAlgorithmName=MD5
credentialsMatcher.hashIterations=1024
credentialsMatcher.storedCredentialsHexEncoded=true

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource = $ds
jdbcRealm.authenticationQuery = SELECT password FROM accounts.users WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role_id FROM accounts.org_user_roles WHERE user_id = (SELECT id FROM accounts.users WHERE username = ?)
jdbcRealm.permissionsQuery = SELECT feature_id FROM accounts.role_features WHERE role_id = ?
jdbcRealm.credentialsMatcher = $credentialsMatcher

shiro.loginUrl = /at/login.htm
authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /at/login.htm
logout.redirectUrl = /at/login.htm

[urls]
/at/login.htm = authc
/at/forgotpw.htm  = anon
/at/resources/** = authc
/at/tss/** = authc
/at/tde/** = authc
/at/lcs/** = authc
/at/cdt/** = authc
/at/tp/** = authc
/at/ip/** = authc
/at/dashboard/** = authc
/at/logout.htm = logout
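
When I go to the login page and enter the username and password, I get an exception:

org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - root, rememberMe=false] did not match the expected credentials.

My DB contains MD5 hashes of the passwords. It seems the verification is not working. I don't understand why.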

Removing the property below made this work. I think that for MD5 hashes we don't need to specify the following property:

credentialsMatcher.hashIterations=1024

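Are you constructing the password hash with a single hash iteration? Accepts a fourth parameter, int hashIterations, but if it is not written, it defaults to 1. The best practice for storing passwords is. I recommend that you use SHA256 or higher along with your original hashIterations value.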
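
The mismatch discussed in this thread, as an added example that is not code from the original posts or from the Shiro project: a database value produced with one MD5 pass never equals a value the matcher computes with 1024 passes. It uses only the JDK; the iteration scheme (re-hashing the raw digest bytes) is modelled on Shiro's SimpleHash, and the class name, helper names, UTF-8 encoding, unsalted hashes and the sample password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ShiroIterationMismatch {

    // Iterated digest modelled on Shiro's SimpleHash: hash the input once,
    // then re-hash the raw digest bytes (not the hex string) iterations-1 times.
    static byte[] iteratedHash(String algorithm, byte[] input, int iterations)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] hashed = md.digest(input);
        for (int i = 1; i < Math.max(1, iterations); i++) {
            md.reset();
            hashed = md.digest(hashed);
        }
        return hashed;
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // The check a hashed-credentials matcher performs: hash the submitted password
    // with the configured algorithm and iteration count, then compare to the stored hex.
    static boolean matches(String submitted, String storedHex, String algorithm, int iterations)
            throws NoSuchAlgorithmException {
        byte[] input = submitted.getBytes(StandardCharsets.UTF_8);
        byte[] computed = toHex(iteratedHash(algorithm, input, iterations))
                .getBytes(StandardCharsets.US_ASCII);
        byte[] stored = storedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(computed, stored); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        String password = "s3cret-Example"; // constructed sample value
        // Database row as in the question: plain MD5, i.e. a single iteration.
        String storedHex = toHex(iteratedHash("MD5", password.getBytes(StandardCharsets.UTF_8), 1));

        // Matcher configured as in the posted shiro.ini (1024) versus the default (1).
        System.out.println("hashIterations=1024 -> " + matches(password, storedHex, "MD5", 1024));
        System.out.println("hashIterations=1    -> " + matches(password, storedHex, "MD5", 1));
    }
}
```

Whatever algorithm and iteration count the matcher is configured with must be the ones used when the stored hashes were written, so moving to SHA-256 with 1024 iterations means re-hashing each password at its next successful login or reset.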