怎样从数据库中存储和行使shiro的盐
发布时间:2021-05-25 03:16:51 所属栏目:编程 来源:网络整理
导读:我在申请认证时行使shiro.我行使散列暗码和盐,我将它们存储在我的数据库中,如下所示: private User createUserWithHashedPassword(String inName,String inFirstName,String inLastName,String inPassword){ ByteSource salt = randomNumberGenerator.nextBy
|
我在申请认证时行使shiro.我行使散列暗码和盐,我将它们存储在我的数据库中,如下所示: private User createUserWithHashedPassword(String inName,String inFirstName,String inLastName,String inPassword){
ByteSource salt = randomNumberGenerator.nextBytes(32);
byte[] byteTabSalt = salt.getBytes();
String strSalt = byteArrayToHexString(byteTabSalt);
String hashedPasswordBase64 = new Sha256Hash(inPassword,salt,1024).toBase64();
return new User(inName,inFirstName,inLastName,hashedPasswordBase64,strSalt);
}
我在我的数据库中行使String存储salt.此刻在我的规模我想从数据库中获取我的数据,我行使了一个transactionnal处事.可是我的salt是一个Strong,以是我但愿它行使静态要领返回ByteSource范例: ByteSource byteSourceSalt = Util.bytes(salt); //where the salt is a String 可是当我建设我的SaltedAuthenticationInfo时,它不会授权. 我以为我的题目来自我的转换要领: private String byteArrayToHexString(byte[] bArray){
StringBuffer buffer = new StringBuffer();
for(byte b : bArray) {
buffer.append(Integer.toHexString(b));
buffer.append(" ");
}
return buffer.toString().toUpperCase();
}
感谢你的辅佐. 办理要领正如在优越的谜底 https://stackoverflow.com/a/20206115/603901中所提到的,Shiro的DefaultPasswordService已经为每个暗码天生了独一的salt.可是,不必要实现自界说PasswordService来向每个用户的salt添加私有盐(偶然称为“pepper”).私有盐可以在shiro.ini中设置: [main] hashService = org.apache.shiro.crypto.hash.DefaultHashService hashService.hashIterations = 500000 hashService.hashAlgorithmName = SHA-256 hashService.generatePublicSalt = true # privateSalt needs to be base64-encoded in shiro.ini but not in the Java code hashService.privateSalt = myVERYSECRETBase64EncodedSalt passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher passwordService = org.apache.shiro.authc.credential.DefaultPasswordService passwordService.hashService = $hashService passwordMatcher.passwordService = $passwordService 用于天生匹配暗码哈希的Java代码: DefaultHashService hashService = new DefaultHashService();
hashService.setHashIterations(HASH_ITERATIONS); // 500000
hashService.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
hashService.setPrivateSalt(new SimpleByteSource(PRIVATE_SALT)); // Same salt as in shiro.ini,but NOT base64-encoded.
hashService.setGeneratePublicSalt(true);
DefaultPasswordService passwordService = new DefaultPasswordService();
passwordService.setHashService(hashService);
String encryptedPassword = passwordService.encryptPassword("PasswordForThisUser");
天生的哈希看起来像这样: $shiro1$SHA-256$500000$An4HRyqMJlZ58utACtyGDQ==$nKbIY9Nd9vC89G4SjdnDfka49mZiesjWgDsO/4Ly4Qs= 私有盐不存储在数据库中,假如进攻者得到对数据库转储的会见权限,则很难破解暗码. 此示例是行使shiro-1.2.2建设的 感激https://github.com/Multifarious/shiro-jdbi-realm/blob/master/src/test/resources/shiro.ini获取shiro.ini语法的辅佐 (编辑:湖南网) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |
站长推荐
热点阅读