diff --git a/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/MainLauncher.java b/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/MainLauncher.java
index 7069c7a0..dc76fdde 100644
--- a/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/MainLauncher.java
+++ b/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/MainLauncher.java
@@ -5,6 +5,8 @@ import java.util.Date;
 import javax.servlet.http.HttpSession;
 import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.crypto.RandomNumberGenerator;
+import org.apache.shiro.crypto.SecureRandomNumberGenerator;
 import org.apache.shiro.crypto.hash.Sha256Hash;
 import org.apache.shiro.subject.Subject;
 import org.nutz.boot.NbApp;
@@ -20,40 +22,43 @@ import io.nutz.demo.simple.bean.User;
 @IocBean(create="init")
 public class MainLauncher {
-
-    @Inject
-    protected Dao dao;
-
+
+    @Inject
+    protected Dao dao;
+
     @Ok("raw")
     @At("/time/now")
     public long now() {
         return System.currentTimeMillis();
     }
-
+
     @Ok("raw")
     @At("/shiro/test")
     public boolean isAuthenticated(HttpSession session) {
-        Subject subject = SecurityUtils.getSubject();
-        return subject.isAuthenticated();
+        Subject subject = SecurityUtils.getSubject();
+        return subject.isAuthenticated();
     }
-
+
     public void init() {
-        Daos.createTablesInPackage(dao, User.class, false);
-        dao.insert(newUser("admin", "123456"));
-        dao.insert(newUser("wendal", "123123"));
+        Daos.createTablesInPackage(dao, User.class, false);
+        dao.insert(newUser("admin", "123456"));
+        dao.insert(newUser("wendal", "123123"));
     }
-
+
     protected static User newUser(String name, String password) {
-        User user = new User();
-        user.setName(name);
-        user.setSalt(R.UU32());
-        user.setPassword(new Sha256Hash(password, user.getSalt()).toHex());
-        user.setCreateTime(new Date());
-        return user;
+        User user = new User();
+        user.setName(name);
+        RandomNumberGenerator rng = new SecureRandomNumberGenerator();
+        String salt = rng.nextBytes().toBase64();
+        user.setSalt(salt);
+        String hashedPasswordBase64 = new Sha256Hash(password, salt, 1024).toBase64();
+        user.setPassword(hashedPasswordBase64);
+        user.setCreateTime(new Date());
+        return user;
     }
     public static void main(String[] args) throws Exception {
-        new NbApp().setPrintProcDoc(true).run();
+        new NbApp().setPrintProcDoc(true).run();
     }
 }
diff --git a/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/module/UserModule.java b/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/module/UserModule.java
index f1ec3ab7..62a09797 100644
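Review bot: The algorithm, the iteration count `1024` and the base64 output chosen in `newUser` are a contract with the `HashedCredentialsMatcher` configured in SimpleAuthorizingRealm (SHA-256, 1024 iterations, hex disabled), and both sides spell them out as literals, so changing one silently breaks every login. Use `Sha256Hash.ALGORITHM_NAME` and one shared `HASH_ITERATIONS` constant on both sides. Note also that `user.getSalt()` stores the base64 text and the hash here, like `ByteSource.Util.bytes(user.getSalt())` in the realm, salts with the UTF-8 bytes of that text rather than the decoded random bytes; that is consistent and works, but deserves a comment such as `// salt is used as its base64 text on both sides; keep in step with the realm` so nobody "fixes" only one side. `new SecureRandomNumberGenerator()` per user could be a `private static final` field, and 1024 iterations of SHA-256 is demo-grade; Shiro's `DefaultPasswordService` with `PasswordMatcher` gives a purpose-built password hash.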
--- a/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/module/UserModule.java
+++ b/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/module/UserModule.java
@@ -39,12 +39,9 @@ public class UserModule {
         User user = dao.fetch(User.class, username);
         if (user == null) return false;
-        Sha256Hash hash = new Sha256Hash(password, user.getSalt());
-        if (!hash.toHex().equals(user.getPassword())) {
-            return false;
-        }
         Subject subject = SecurityUtils.getSubject();
-        subject.login(new SimpleShiroToken(user.getId()));
+        ThreadContext.bind(subject);
+        subject.login(new UsernamePasswordToken(username,password,false));
         return true;
     }
diff --git a/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/shiro/SimpleAuthorizingRealm.java b/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/shiro/SimpleAuthorizingRealm.java
index 4ab0b00e..4a059715 100644
--- a/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/shiro/SimpleAuthorizingRealm.java
+++ b/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-mvc-shiro/src/main/java/io/nutz/demo/simple/shiro/SimpleAuthorizingRealm.java
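Review bot: A wrong password is no longer reported by the removed `return false` path but by `subject.login(...)` throwing `AuthenticationException` (an `IncorrectCredentialsException` from the realm's matcher), so unless the caller handles it the exception escapes the controller; the enclosing method starts outside this hunk, so I cannot see whether it is caught. Wrap the call: `try { subject.login(new UsernamePasswordToken(username, password, false)); } catch (AuthenticationException e) { return false; }`. `SecurityUtils.getSubject()` already binds the subject it creates to the `ThreadContext`, so the added `ThreadContext.bind(subject)` is redundant and can be dropped together with its import. With the local hash check gone, the `Sha256Hash` and `SimpleShiroToken` imports are presumably unused now; confirm and remove them.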
@@ -1,25 +1,29 @@
 package io.nutz.demo.simple.shiro;
-import org.apache.shiro.authc.AuthenticationException;
-import org.apache.shiro.authc.AuthenticationInfo;
-import org.apache.shiro.authc.AuthenticationToken;
-import org.apache.shiro.authc.SimpleAccount;
+import org.apache.shiro.authc.*;
 import org.apache.shiro.authc.credential.CredentialsMatcher;
+import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
 import org.apache.shiro.authz.AuthorizationException;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.authz.SimpleAuthorizationInfo;
 import org.apache.shiro.cache.CacheManager;
+import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.util.ByteSource;
+import org.nutz.dao.Dao;
 import org.nutz.integration.shiro.AbstractSimpleAuthorizingRealm;
 import org.nutz.integration.shiro.SimpleShiroToken;
+import org.nutz.ioc.loader.annotation.Inject;
 import org.nutz.ioc.loader.annotation.IocBean;
 import io.nutz.demo.simple.bean.User;
-@IocBean(name="shiroRealm", fields="dao")
-public class SimpleAuthorizingRealm extends AbstractSimpleAuthorizingRealm {
-
-
+@IocBean(name="shiroRealm")
+public class SimpleAuthorizingRealm extends AuthorizingRealm {
+
+    @Inject
+    Dao dao;
+
     @Override
     protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
         // null usernames are invalid
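Review bot: The wildcard `import org.apache.shiro.authc.*;` replaces four explicit imports, while the imports of `AbstractSimpleAuthorizingRealm` and `SimpleShiroToken` are kept as context even though the class now extends `AuthorizingRealm` and the later hunks remove the last uses of `SimpleShiroToken`. Restore explicit imports — `AuthenticationException`, `AuthenticationInfo`, `AuthenticationToken`, `SimpleAuthenticationInfo`, `UsernamePasswordToken` — and delete the two stale ones so the dependency on the nutz Shiro integration is visibly gone. The injected `Dao dao;` field is package-private; `private Dao dao;` (or `protected`, as MainLauncher does) keeps the data access object from being reachable from other classes in the package.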
@@ -27,23 +31,28 @@ public class SimpleAuthorizingRealm extends AbstractSimpleAuthorizingRealm {
             throw new AuthorizationException("PrincipalCollection method argument cannot be null.");
         }
         long userId = ((Number) principals.getPrimaryPrincipal()).longValue();
-        User user = dao().fetch(User.class, userId);
+        User user = dao.fetch(User.class, userId);
         if (user == null) return null;
         SimpleAuthorizationInfo auth = new SimpleAuthorizationInfo();
         auth.addRole(user.getName());
         auth.addStringPermission("user:list");
-        return auth;
+        return auth;
     }
     @Override
     protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
-        SimpleShiroToken upToken = (SimpleShiroToken) token;
+        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
-        User user = dao().fetch(User.class, (Long)upToken.getPrincipal());
-        if (user == null)
+        User user = dao.fetch(User.class, upToken.getUsername());
+        if (user == null) {
             return null;
-        return new SimpleAccount(user.getId(), user.getPassword(), getName());
+        }
+        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user,
+                user.getPassword().toCharArray(), ByteSource.Util.bytes(user.getSalt()), getName());
+        info.setCredentialsSalt(ByteSource.Util.bytes(user.getSalt()));
+// info.
+        return info;
     }
     public SimpleAuthorizingRealm() {
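Review bot: `doGetAuthenticationInfo` now publishes the whole `User` object as the principal, but `doGetAuthorizationInfo` in the same hunk still does `((Number) principals.getPrimaryPrincipal()).longValue()`, so the first role or permission check after a successful login will fail with a `ClassCastException`; before this change the principal was `user.getId()`. Keeping the id as principal fixes that and also keeps the stored password hash and salt out of the session-bound principal collection: `SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(user.getId(), user.getPassword().toCharArray(), ByteSource.Util.bytes(user.getSalt()), getName());`. The following `info.setCredentialsSalt(...)` repeats what that four-argument constructor already sets, and `// info.` is commented-out residue; both lines can go.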
@@ -52,7 +61,14 @@ public class SimpleAuthorizingRealm extends AbstractSimpleAuthorizingRealm {
     public SimpleAuthorizingRealm(CacheManager cacheManager, CredentialsMatcher matcher) {
         super(cacheManager, matcher);
-        setAuthenticationTokenClass(SimpleShiroToken.class);
+        HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();
+        hashedCredentialsMatcher.setHashAlgorithmName("SHA-256");
+        hashedCredentialsMatcher.setHashIterations(1024);
+        // 这一行决定hex还是base64
+        hashedCredentialsMatcher.setStoredCredentialsHexEncoded(false);
+        // 设置token类型是关键!!!
+        setCredentialsMatcher(hashedCredentialsMatcher);
+        setAuthenticationTokenClass(UsernamePasswordToken.class);
     }
     public SimpleAuthorizingRealm(CacheManager cacheManager) {
@@ -62,5 +78,5 @@ public class SimpleAuthorizingRealm extends AbstractSimpleAuthorizingRealm {
     public SimpleAuthorizingRealm(CredentialsMatcher matcher) {
         this(null, matcher);
     }
-
+
 }
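Review bot: The `matcher` parameter is passed to `super(cacheManager, matcher)` and then overwritten on the next lines by `setCredentialsMatcher(hashedCredentialsMatcher)`, so callers of this constructor and of the `SimpleAuthorizingRealm(CredentialsMatcher)` overload below get a matcher they did not ask for without any error. Either install the SHA-256 matcher only when `matcher == null`, or remove the parameter from the public constructors so the configuration cannot be silently ignored. The `"SHA-256"` / `1024` / base64 settings are a contract with `newUser` in MainLauncher; `Sha256Hash.ALGORITHM_NAME` and one shared iteration constant would keep the two in step. The two Chinese comments should be in English, and the second one describes `setAuthenticationTokenClass`, not the line it sits above: `// stored credentials are base64, not hex` and `// the token class must match what UserModule submits`.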