Authentication problem in a custom Shiro 1.2.2 realm

象牙塔爱情, posted 2013/08/29 11:15
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;

    // Method of the custom realm subclass (the User and userService types are the poster's own).
    /**
     * Authentication callback, invoked on login.
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authcToken) throws IncorrectCredentialsException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        System.out.println(token.getUsername());

        User user = userService.findUserByLoginName(token.getUsername());
        System.out.println(user);
        if (user != null) {
            // Compares the submitted password with the stored one inside the realm itself
            if (new String(token.getPassword()).equals(user.getPassword())) {
                return new SimpleAuthenticationInfo(user.getName(), user.getPassword(), getName());
            } else {
                throw new IncorrectCredentialsException();
            }
        }
        return null;
    }

I would like to ask what the relationship is between the password held in UsernamePasswordToken here and user.getPassword() in SimpleAuthenticationInfo. When the former is not encrypted and the latter is MD5-encrypted, it works normally; but when the former is encrypted and the latter also uses the encrypted value, it reports: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=true] did not match the expected credentials.

Could everyone help me analyze this? Waiting online. Thanks!


0
魏涛

This method only fetches the data; there is no need to check here whether the password matches the input. For details, see:

//org.apache.shiro.realm.AuthenticatingRealm
public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

    AuthenticationInfo info = getCachedAuthenticationInfo(token);
    if (info == null) {
        //otherwise not cached, perform the lookup:
        info = doGetAuthenticationInfo(token);
        log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
        if (token != null && info != null) {
            cacheAuthenticationInfoIfPossible(token, info);
        }
    } else {
        log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
    }

    if (info != null) {
        assertCredentialsMatch(token, info);
    } else {
        log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);
    }

    return info;
}


Whether the passwords match is checked inside the CredentialsMatcher; that way the password obfuscation strategy does not end up scattered across several places.
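An added example, not code from this thread or from the Shiro project, of the division of labour 魏涛 describes: the realm only looks up the stored salted MD5 hash and hands the comparison to a HashedCredentialsMatcher. The in-memory USERS map, the salt value, the account "admin" and the password "s3cret" are constructed stand-ins for the question's userService and User; the realm and class names are hypothetical. Calling realm.getAuthenticationInfo() directly drives the AuthenticatingRealm method quoted above, including assertCredentialsMatch(), without configuring a full SecurityManager.

```java
// Added example (not from the thread): a Shiro 1.2.x realm that returns the stored
// hash and lets HashedCredentialsMatcher do the comparison.
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class HashedRealmExample extends AuthorizingRealm {

    private static final String ALGORITHM = "MD5"; // kept only to mirror the question; see note below
    private static final int ITERATIONS = 1;

    /** Hypothetical stand-in for userService: username -> { salt, hex(MD5(salt + password)) }. */
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();

    static {
        // Constructed sample data: what registration code would persist for the user.
        String salt = "8f3c0a9d"; // a real system generates a random per-user salt
        String hash = new SimpleHash(ALGORITHM, "s3cret", ByteSource.Util.bytes(salt), ITERATIONS).toHex();
        USERS.put("admin", new String[] { salt, hash });
    }

    public HashedRealmExample() {
        setName("hashedRealm");
        // The matcher, not the realm, hashes the submitted plaintext and compares it.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(true); // we persisted toHex() above
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        String[] row = USERS.get(token.getUsername());
        if (row == null) {
            throw new UnknownAccountException("no account: " + token.getUsername());
        }
        // Return the STORED hash plus its salt; token.getPassword() is never read here.
        // AuthenticatingRealm.getAuthenticationInfo() hashes the submitted password with the
        // same algorithm, salt and iteration count and compares in assertCredentialsMatch().
        return new SimpleAuthenticationInfo(token.getUsername(), row[1],
                ByteSource.Util.bytes(row[0]), getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo(); // no roles or permissions needed for this demo
    }

    public static void main(String[] args) {
        HashedRealmExample realm = new HashedRealmExample();

        // Plaintext token against a hashed stored credential: the matcher hashes the token side.
        AuthenticationInfo ok = realm.getAuthenticationInfo(new UsernamePasswordToken("admin", "s3cret"));
        System.out.println("login ok for " + ok.getPrincipals().getPrimaryPrincipal());

        // Wrong password: the realm still returns the account; assertCredentialsMatch() rejects it.
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken("admin", "wrong"));
            System.out.println("BUG: wrong password accepted");
        } catch (IncorrectCredentialsException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The IncorrectCredentialsException caught at the end carries the same "Submitted credentials for token [...] did not match the expected credentials" text quoted in the question, which is how you can tell that failure comes from the matcher rather than from your own realm code. The matcher hashes the submitted password with exactly the algorithm, salt and iteration count configured on it, so the stored value and the matcher configuration must agree; if the token already holds a hash when it reaches the realm (the question's second scenario, on the assumption that a HashedCredentialsMatcher is configured), it is hashed a second time and can never match. MD5 is used only to mirror the question; for a real deployment prefer a stronger algorithm with many iterations, e.g. new HashedCredentialsMatcher("SHA-256") with setHashIterations() set high, and store the same parameters you configure.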
0
cenguocheng

Quoting the answer from "魏涛":

Could the poster above paste a more complete example?
0
魏涛

What I pasted is Shiro's official source code; its location is marked in the comment on the first line. This method shows the flow: the password check is not done inside doGetAuthenticationInfo, that is all. For the details, please read the source.
