Java 使用ApacheShiro根据数据库中的md5哈希验证纯文本密码
这是我的shiro.iniJava 使用ApacheShiro根据数据库中的md5哈希验证纯文本密码,java,security,shiro,Java,Security,Shiro,这是我的shiro.ini [main] ds = org.apache.shiro.jndi.JndiObjectFactory ds.requiredType = javax.sql.DataSource ds.resourceName = java:/comp/env/jdbc/at credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher credentialsMatcher.
[main]
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.requiredType = javax.sql.DataSource
ds.resourceName = java:/comp/env/jdbc/at
credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher
credentialsMatcher.hashAlgorithmName=MD5
credentialsMatcher.hashIterations=1024
credentialsMatcher.storedCredentialsHexEncoded=true
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.dataSource = $ds
jdbcRealm.authenticationQuery = SELECT password FROM accounts.users WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role_id FROM accounts.org_user_roles WHERE user_id = (SELECT id FROM accounts.users WHERE username = ?)
jdbcRealm.permissionsQuery = SELECT feature_id FROM accounts.role_features WHERE role_id = ?
jdbcRealm.credentialsMatcher = $credentialsMatcher
shiro.loginUrl = /at/login.htm
authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /at/login.htm
logout.redirectUrl = /at/login.htm
[urls]
/at/login.htm = authc
/at/forgotpw.htm = anon
/at/resources/** = authc
/at/tss/** = authc
/at/tde/** = authc
/at/lcs/** = authc
/at/cdt/** = authc
/at/tp/** = authc
/at/ip/** = authc
/at/dashboard/** = authc
/at/logout.htm = logout
当我进入登录页面并输入用户名和密码时,我会遇到一个异常:
org.apache.shiro.authc.IncorrectCredentialsException:为令牌[org.apache.shiro.authc.UsernamePasswordToken-root,rememberMe=false]提交的凭据与预期的凭据不匹配
My DB包含密码的MD5哈希。看来验证不起作用了。我不明白为什么。删除下面的属性使此工作正常。我认为对于MD5哈希,我们不需要指定以下属性
credentialsMatcher.hashIterations=1024
您是否使用单个哈希迭代构造密码哈希?接受第四个参数
int hashIterations
,但如果未写入,则默认为1。存储密码的最佳实践是。我建议您使用SHA256
或更高版本以及原始的hashIterations
值。