    /**
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken authcToken) throws IncorrectCredentialsException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        System.out.println(token.getUsername());
        User user = userService.findUserByLoginName(token.getUsername());
        System.out.println(user);
        if (user != null) {
            if (new String(token.getPassword()).equals(user.getPassword())) {
                return new SimpleAuthenticationInfo(user.getName(), user.getPassword(), getName());
            } else {
                throw new IncorrectCredentialsException();
            }
        }
        return null;
    }
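I'd like to ask: what is the relationship between the password stored in the UsernamePasswordToken here and user.getPassword() in SimpleAuthenticationInfo? When the former is not encrypted and the latter is MD5-encrypted, everything works normally; but when the former is encrypted and the latter is also encrypted, I get the error: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=true] did not match the expected credentials.
Could everyone please help me analyze this? I'm waiting online. Thanks!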
Here you only fetch the data; there is no need to check whether the password matches what was entered. For details, see:
    //org.apache.shiro.realm.AuthenticatingRealm
    public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
        AuthenticationInfo info = getCachedAuthenticationInfo(token);
        if (info == null) {
            //otherwise not cached, perform the lookup:
            info = doGetAuthenticationInfo(token);
            log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
            if (token != null && info != null) {
                cacheAuthenticationInfoIfPossible(token, info);
            }
        } else {
            log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
        }
        if (info != null) {
            assertCredentialsMatch(token, info);
        } else {
            log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}]. Returning null.", token);
        }
        return info;
    }
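Whether the passwords match is decided inside the CredentialsMatcher; that way, the password obfuscation strategy does not end up appearing in multiple places.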
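The split described in the answer above, as an added example that is not part of the original thread or of Shiro's own source: the realm only looks up the stored hash, and a HashedCredentialsMatcher hashes the plaintext from the token before comparing. The class name `LookupOnlyRealm`, the in-memory map standing in for `userService`, and the password `secret` are assumptions made for illustration.

```java
import java.util.Map;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthenticatingRealm;

// Hypothetical realm for illustration; the map stands in for userService.
public class LookupOnlyRealm extends AuthenticatingRealm {
    // Constructed sample data: login name -> hex MD5 of the password, as stored.
    private final Map<String, String> storedHashes =
            Map.of("admin", new SimpleHash("MD5", "secret").toHex());

    public LookupOnlyRealm() {
        // The hashing policy is declared once, here, and nowhere else.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("MD5");
        matcher.setHashIterations(1);
        matcher.setStoredCredentialsHexEncoded(true);
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        String storedHash = storedHashes.get(token.getUsername());
        if (storedHash == null) {
            return null; // unknown account
        }
        // Lookup only: hand back the stored hash, compare nothing here.
        return new SimpleAuthenticationInfo(token.getUsername(), storedHash, getName());
    }

    public static void main(String[] args) {
        LookupOnlyRealm realm = new LookupOnlyRealm();
        // The token carries the password exactly as the user typed it.
        AuthenticationInfo info =
                realm.getAuthenticationInfo(new UsernamePasswordToken("admin", "secret"));
        System.out.println("authenticated: " + info.getPrincipals().getPrimaryPrincipal());
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken("admin", "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With this matcher configured, a token whose password was already hashed before submission gets hashed a second time and no longer equals the stored value, which produces the "did not match the expected credentials" error. MD5 appears only because the question stores MD5 hashes; unsalted single-iteration MD5 is weak for password storage, and the same matcher accepts a stronger algorithm name and a higher iteration count.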