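【Question title】: Shiro Authentication failed
【Posted】: 2015-10-17 16:01:01
【Question description】:

I am using Shiro 1.2.3 in a JSF2 + Hibernate project. I have had no luck getting users authenticated, and I can't figure out what I'm doing wrong.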

shiro.ini

[main]
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager

hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 100000
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true

passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService

customSecurityRealm = com.sapienzo.common.CustomSecurityRealm
customSecurityRealm.credentialsMatcher = $passwordMatcher
securityManager.realms = $customSecurityRealm

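ShiroUtils class (helper class that creates the salted hash)

import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Sha256Hash;

public class ShiroUtils {

    // Must match hashService.hashIterations in shiro.ini
    private static final int HASH_ITERATIONS = 100000;

    public static String createSaltedHash(String plainTextPassword) {
        // Same settings as the hashService defined in shiro.ini
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashIterations(HASH_ITERATIONS);
        hashService.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
        hashService.setGeneratePublicSalt(true);

        DefaultPasswordService passwordService = new DefaultPasswordService();
        passwordService.setHashService(hashService);
        String encryptedPassword = passwordService.encryptPassword(plainTextPassword);

        return encryptedPassword;
    }
}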

Saving the user to the database on registration (username and password taken from form fields)

...
user.setUsername(username);
user.setPassword(ShiroUtils.createSaltedHash(password));
userService.saveUser(user);
...

Login (username and password again taken from form fields)

UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), ShiroUtils.createSaltedHash(user.getPassword()));
Subject currentUser = SecurityUtils.getSubject();
currentUser.login(token);

CustomSecurityRealm.java

public class CustomSecurityRealm extends AuthorizingRealm {
    public CustomSecurityRealm() {
        setName("CustomSecurityRealm");
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
        if (token.getUsername() == null) {
            return null;
        }
        UserService userService = new UserService();
        String saltedHashPassword = userService.getPasswordByUsername(token.getUsername()); //get encrypted password from DB

        if( saltedHashPassword != null ) {
            SimpleAuthenticationInfo authn = new SimpleAuthenticationInfo(token.getUsername(), saltedHashPassword, getName());
            return authn;
        } else {
            return null;
        }
    }
    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
        return null;    
    }
}

【Comments】:

    Tags: hibernate authentication jsf-2 shiro


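    【Solution 1】:

    After digging through the code line by line, I noticed that the passwordsMatch method used for password comparison always returns false, regardless of the input.

    For example: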

    String plainTextPassword = "foo";
    DefaultPasswordService passwordService = new DefaultPasswordService();
    String encryptedPassword = passwordService.encryptPassword(plainTextPassword);
    boolean result = passwordService.passwordsMatch(plainTextPassword, encryptedPassword);
    System.out.println(result);
    

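    The output is false. Later I found this post. It turns out this is a reported bug. If your default locale is something other than English, Shiro gets confused when upper-casing (or lower-casing) letters. You should set the default locale to Locale.ENGLISH to work around this.

    【Discussion】: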
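
The failure mode described in the answer above, as an added example that is not part of the original post and is not Shiro's source code: a case-insensitive identifier lookup that relies on the JVM default locale stops matching under a locale with different case-mapping rules. The `HashFormat` enum, the lookup helpers and the choice of the Turkish locale are assumptions made for illustration.

```java
import java.util.Locale;

public class LocaleCaseDemo {

    // Hypothetical registry of hash formats keyed by upper-case name (illustration only).
    enum HashFormat { HEX, BASE64, SHIRO1 }

    // Locale-sensitive lookup: String.toUpperCase() with no argument uses the JVM default locale.
    static HashFormat lookupWithDefaultLocale(String id) {
        try {
            return HashFormat.valueOf(id.toUpperCase());
        } catch (IllegalArgumentException e) {
            return null; // identifier not recognised
        }
    }

    // Locale-independent lookup: the case mapping is pinned, so the result
    // does not change with the machine's regional settings.
    static HashFormat lookupWithFixedLocale(String id) {
        try {
            return HashFormat.valueOf(id.toUpperCase(Locale.ENGLISH));
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        try {
            // Constructed scenario: Turkish maps 'i' to dotted capital 'İ' (U+0130), not 'I'.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            String id = "shiro1"; // constructed sample identifier

            System.out.println("upper-cased under tr-TR:  " + id.toUpperCase());
            System.out.println("default-locale lookup:    " + lookupWithDefaultLocale(id));
            System.out.println("fixed-locale lookup:      " + lookupWithFixedLocale(id));

            // The workaround from the answer: make English the default locale.
            Locale.setDefault(Locale.ENGLISH);
            System.out.println("after setDefault(ENGLISH): " + lookupWithDefaultLocale(id));
        } finally {
            Locale.setDefault(original); // restore the original default locale
        }
    }
}
```

Setting the default locale affects the whole JVM, so in an application it belongs at startup, before any passwords are hashed or checked.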
