diff --git a/modules/core/src/main/java/com/jeesite/common/shiro/filter/LogoutFilter.java b/modules/core/src/main/java/com/jeesite/common/shiro/filter/LogoutFilter.java
index 8f458932..4d7279cd 100644
--- a/modules/core/src/main/java/com/jeesite/common/shiro/filter/LogoutFilter.java
+++ b/modules/core/src/main/java/com/jeesite/common/shiro/filter/LogoutFilter.java
@@ -18,9 +18,6 @@ import com.jeesite.common.config.Global;
 import com.jeesite.common.shiro.realm.BaseAuthorizingRealm;
 import com.jeesite.common.shiro.realm.LoginInfo;
 import com.jeesite.common.web.http.ServletUtils;
-import com.jeesite.modules.sys.entity.Log;
-import com.jeesite.modules.sys.utils.LogUtils;
-import com.jeesite.modules.sys.utils.UserUtils;
 
 /**
  * 登出过滤器
@@ -41,16 +38,16 @@ public class LogoutFilter extends org.apache.shiro.web.filter.authc.LogoutFilter
 		try {
 			Object principal = subject.getPrincipal();
 			if (principal != null){
-				// 记录用户退出日志(@Deprecated v4.0.5支持setAuthorizingRealm,之后版本可删除此if子句)
-				if (authorizingRealm == null){
-					LogUtils.saveLog(UserUtils.getUser(), ServletUtils.getRequest(), 
-							"系统退出", Log.TYPE_LOGIN_LOGOUT);
-				}
-				// 退出成功之前初始化授权信息并处理登录后的操作
-				else{
+//				// 记录用户退出日志(@Deprecated v4.0.5支持setAuthorizingRealm,之后版本可删除此if子句)
+//				if (authorizingRealm == null){
+//					LogUtils.saveLog(UserUtils.getUser(), ServletUtils.getRequest(), 
+//							"系统退出", Log.TYPE_LOGIN_LOGOUT);
+//				}
+//				else{
+				// 退出成功之前初始化授权信息并处理登录后的操作
 					authorizingRealm.onLogoutSuccess((LoginInfo)subject.getPrincipal(), 
 							(HttpServletRequest)request);
-				}
+//				}
 			}
 			// 退出登录
 			subject.logout();
diff --git a/modules/core/src/main/java/com/jeesite/common/shiro/realm/AuthorizingRealm.java b/modules/core/src/main/java/com/jeesite/common/shiro/realm/AuthorizingRealm.java
index f14a0b98..4f1e7d1a 100644
--- a/modules/core/src/main/java/com/jeesite/common/shiro/realm/AuthorizingRealm.java
+++ b/modules/core/src/main/java/com/jeesite/common/shiro/realm/AuthorizingRealm.java
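Review bot: Dropping the `authorizingRealm == null` branch leaves `authorizingRealm.onLogoutSuccess(...)` unguarded, so a filter whose realm was never injected now fails with a NullPointerException on logout instead of taking the old fallback; whether the surrounding `try` (its catch block is outside this hunk) swallows that, and whether `subject.logout()` still runs afterwards, cannot be seen here. If the realm is now mandatory, fail fast where it is set (`Objects.requireNonNull(authorizingRealm, "authorizingRealm")`) or keep a one-line guard, `if (authorizingRealm != null) { ... }`, rather than relying on the catch. The six commented-out lines and the trailing `//				}` should be deleted rather than kept as comments — history lives in version control, and the stray commented brace makes the remaining `if` block hard to read. With the `LogUtils.saveLog(... "系统退出" ...)` call gone from this path, confirm that the logout event is still recorded inside `onLogoutSuccess`, since the realm-side logging is not visible in this hunk. The enclosing method starts and ends outside the hunk.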
@@ -5,6 +5,10 @@ package com.jeesite.common.shiro.realm;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
+
+import com.jeesite.common.codec.EncodeUtils;
+import com.jeesite.common.codec.Sha1Utils;
 import com.jeesite.common.utils.SpringUtils;
 import com.jeesite.modules.sys.entity.Log;
 import com.jeesite.modules.sys.entity.User;
@@ -18,11 +22,48 @@ import com.jeesite.modules.sys.utils.UserUtils;
  * @version 2018-7-11
  */
 public class AuthorizingRealm extends BaseAuthorizingRealm {
-	
+
+	public static final String HASH_ALGORITHM = "SHA-1";
+	public static final int HASH_INTERATIONS = 1024;
+	public static final int SALT_SIZE = 8;
+	
 	private UserService userService;
 	
 	public AuthorizingRealm() {
 		super();
+		// 设定密码校验的Hash算法与迭代次数
+		HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(HASH_ALGORITHM);
+		matcher.setHashIterations(HASH_INTERATIONS);
+		this.setCredentialsMatcher(matcher);
+	}
+	
+	/**
+	 * 生成密文密码,生成随机的16位salt并经过1024次 sha-1 hash
+	 * @param plainPassword 明文密码
+	 * @return 16位salt密钥 + 40位hash密码
+	 */
+	public String encryptPassword(String plainPassword) {
+		String plain = EncodeUtils.decodeHtml(plainPassword);
+		byte[] salt = Sha1Utils.genSalt(SALT_SIZE);
+		byte[] hashPassword = Sha1Utils.sha1(plain.getBytes(), salt, HASH_INTERATIONS);
+		return EncodeUtils.encodeHex(salt) + EncodeUtils.encodeHex(hashPassword);
+	}
+	
+	/**
+	 * 验证密码正确性
+	 * @param plainPassword 明文密码
+	 * @param password 密文密码
+	 * @return 验证成功返回true
+	 */
+	public boolean validatePassword(String plainPassword, String password) {
+		try{
+			String plain = EncodeUtils.decodeHtml(plainPassword);
+			byte[] salt = EncodeUtils.decodeHex(password.substring(0, 16));
+			byte[] hashPassword = Sha1Utils.sha1(plain.getBytes(), salt, HASH_INTERATIONS);
+			return password.equals(EncodeUtils.encodeHex(salt) + EncodeUtils.encodeHex(hashPassword));
+		}catch(Exception e){
+			return false;
+		}
 	}
 	
 	@Override
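Review bot: `validatePassword` checks the stored hash with `password.equals(...)`, which returns on the first differing character; compare the digest bytes in constant time instead, e.g. `return MessageDigest.isEqual(EncodeUtils.decodeHex(password.substring(SALT_SIZE * 2)), hashPassword);` (with `java.security.MessageDigest` imported). Both `encryptPassword` and `validatePassword` call `plain.getBytes()` with the platform default charset, so a non-ASCII password hashed on one JVM may not validate on another and may not match what the `HashedCredentialsMatcher` configured in the constructor computes (Shiro's `SimpleHash` converts the submitted char[] as UTF-8); `plain.getBytes(StandardCharsets.UTF_8)` in both methods pins it. The literal `16` in `password.substring(0, 16)` is really `SALT_SIZE * 2` hex characters — write it that way so the two cannot drift, and narrow `catch(Exception e)` to the decode and index failures actually expected, since a genuine bug in `Sha1Utils` would otherwise be reported as a wrong password. `HASH_INTERATIONS` is a public constant with a typo; renaming it to `HASH_ITERATIONS` is cheap now and an API break later. SHA-1 at 1024 iterations is well below current password-storage guidance (bcrypt/scrypt/Argon2); if `HashedCredentialsMatcher` constrains the choice to a digest algorithm, document that limitation in the class Javadoc so the next maintainer does not assume the scheme was chosen deliberately.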