支持开发者自定义控制用户密码加密和验证策略。
@@ -18,9 +18,6 @@ import com.jeesite.common.config.Global;
|
||||
import com.jeesite.common.shiro.realm.BaseAuthorizingRealm;
|
||||
import com.jeesite.common.shiro.realm.LoginInfo;
|
||||
import com.jeesite.common.web.http.ServletUtils;
|
||||
import com.jeesite.modules.sys.entity.Log;
|
||||
import com.jeesite.modules.sys.utils.LogUtils;
|
||||
import com.jeesite.modules.sys.utils.UserUtils;
|
||||
|
||||
/**
|
||||
* 登出过滤器
|
||||
@@ -41,16 +38,16 @@ public class LogoutFilter extends org.apache.shiro.web.filter.authc.LogoutFilter
|
||||
try {
|
||||
Object principal = subject.getPrincipal();
|
||||
if (principal != null){
|
||||
// 记录用户退出日志(@Deprecated v4.0.5支持setAuthorizingRealm,之后版本可删除此if子句)
|
||||
if (authorizingRealm == null){
|
||||
LogUtils.saveLog(UserUtils.getUser(), ServletUtils.getRequest(),
|
||||
"系统退出", Log.TYPE_LOGIN_LOGOUT);
|
||||
}
|
||||
// 退出成功之前初始化授权信息并处理登录后的操作
|
||||
else{
|
||||
// // 记录用户退出日志(@Deprecated v4.0.5支持setAuthorizingRealm,之后版本可删除此if子句)
|
||||
// if (authorizingRealm == null){
|
||||
// LogUtils.saveLog(UserUtils.getUser(), ServletUtils.getRequest(),
|
||||
// "系统退出", Log.TYPE_LOGIN_LOGOUT);
|
||||
// }
|
||||
// else{
|
||||
// 退出成功之前初始化授权信息并处理登录后的操作
|
||||
authorizingRealm.onLogoutSuccess((LoginInfo)subject.getPrincipal(),
|
||||
(HttpServletRequest)request);
|
||||
}
|
||||
// }
|
||||
}
|
||||
// 退出登录
|
||||
subject.logout();
|
||||
|
||||
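Review bot: The new `authorizingRealm.onLogoutSuccess((LoginInfo)subject.getPrincipal(), ...)` call is now unconditional and its cast is unchecked, because the `authorizingRealm == null` branch was removed with the old if/else; a realm that was never set or a principal that is not a LoginInfo now fails inside the try instead of being skipped. Reuse the `principal` local read two lines above and guard it: `if (authorizingRealm != null && principal instanceof LoginInfo) { authorizingRealm.onLogoutSuccess((LoginInfo) principal, (HttpServletRequest) request); }`. Dropping the `LogUtils.saveLog(..., "系统退出", Log.TYPE_LOGIN_LOGOUT)` call also means this filter no longer writes the logout audit entry; if the realm's onLogoutSuccess is meant to take that over, a one-line comment such as `// logout audit log is written by authorizingRealm.onLogoutSuccess` would make the handoff visible rather than leaving the audit trail to silently disappear. The commented-out copy of the old branch should be deleted rather than kept. The enclosing method begins and ends outside the hunk, so whether its catch clause handles these failures cannot be seen here.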
@@ -5,6 +5,10 @@ package com.jeesite.common.shiro.realm;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
|
||||
|
||||
import com.jeesite.common.codec.EncodeUtils;
|
||||
import com.jeesite.common.codec.Sha1Utils;
|
||||
import com.jeesite.common.utils.SpringUtils;
|
||||
import com.jeesite.modules.sys.entity.Log;
|
||||
import com.jeesite.modules.sys.entity.User;
|
||||
@@ -18,11 +22,48 @@ import com.jeesite.modules.sys.utils.UserUtils;
|
||||
* @version 2018-7-11
|
||||
*/
|
||||
public class AuthorizingRealm extends BaseAuthorizingRealm {
|
||||
|
||||
|
||||
public static final String HASH_ALGORITHM = "SHA-1";
|
||||
public static final int HASH_INTERATIONS = 1024;
|
||||
public static final int SALT_SIZE = 8;
|
||||
|
||||
private UserService userService;
|
||||
|
||||
public AuthorizingRealm() {
|
||||
super();
|
||||
// 设定密码校验的Hash算法与迭代次数
|
||||
HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(HASH_ALGORITHM);
|
||||
matcher.setHashIterations(HASH_INTERATIONS);
|
||||
this.setCredentialsMatcher(matcher);
|
||||
}
|
||||
|
||||
/**
|
||||
* 生成密文密码,生成随机的16位salt并经过1024次 sha-1 hash
|
||||
* @param plainPassword 明文密码
|
||||
* @return 16位salt密钥 + 40位hash密码
|
||||
*/
|
||||
public String encryptPassword(String plainPassword) {
|
||||
String plain = EncodeUtils.decodeHtml(plainPassword);
|
||||
byte[] salt = Sha1Utils.genSalt(SALT_SIZE);
|
||||
byte[] hashPassword = Sha1Utils.sha1(plain.getBytes(), salt, HASH_INTERATIONS);
|
||||
return EncodeUtils.encodeHex(salt) + EncodeUtils.encodeHex(hashPassword);
|
||||
}
|
||||
|
||||
/**
|
||||
* 验证密码正确性
|
||||
* @param plainPassword 明文密码
|
||||
* @param password 密文密码
|
||||
* @return 验证成功返回true
|
||||
*/
|
||||
public boolean validatePassword(String plainPassword, String password) {
|
||||
try{
|
||||
String plain = EncodeUtils.decodeHtml(plainPassword);
|
||||
byte[] salt = EncodeUtils.decodeHex(password.substring(0, 16));
|
||||
byte[] hashPassword = Sha1Utils.sha1(plain.getBytes(), salt, HASH_INTERATIONS);
|
||||
return password.equals(EncodeUtils.encodeHex(salt) + EncodeUtils.encodeHex(hashPassword));
|
||||
}catch(Exception e){
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||