
Shiro 1.2.2: authentication error in a custom Realm

    /**
     * Authentication callback, invoked at login.
     */
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
            throws IncorrectCredentialsException {
        UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
        System.out.println(token.getUsername());
        User user = userService.findUserByLoginName(token.getUsername());
        System.out.println(user);
        if (user != null) {
            // compares the submitted password directly with the stored value inside the realm
            if (new String(token.getPassword()).equals(user.getPassword())) {
                return new SimpleAuthenticationInfo(user.getName(), user.getPassword(), getName());
            } else {
                throw new IncorrectCredentialsException();
            }
        }
        return null;
    }
I would like to ask what the relationship is between the password held in UsernamePasswordToken and user.getPassword() in SimpleAuthenticationInfo. When the former is not encrypted and the latter is MD5-encrypted, it works fine; but when the former is encrypted and the latter uses the encrypted value, it reports: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - admin, rememberMe=true] did not match the expected credentials.
Could someone help me analyse this? Waiting online. Thanks!

kun坤 2020-06-03 09:41:49
1 answer
    Here you only fetch the data; there is no need to check whether the password matches the input. For details see:

    // org.apache.shiro.realm.AuthenticatingRealm
    public final AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {

        AuthenticationInfo info = getCachedAuthenticationInfo(token);
        if (info == null) {
            //otherwise not cached, perform the lookup:
            info = doGetAuthenticationInfo(token);
            log.debug("Looked up AuthenticationInfo [{}] from doGetAuthenticationInfo", info);
            if (token != null && info != null) {
                cacheAuthenticationInfoIfPossible(token, info);
            }
        } else {
            log.debug("Using cached authentication info [{}] to perform credentials matching.", info);
        }

        if (info != null) {
            assertCredentialsMatch(token, info);
        } else {
            log.debug("No AuthenticationInfo found for submitted AuthenticationToken [{}].  Returning null.", token);
        }

        return info;
    }

    Whether the password matches is checked inside CredentialsMatcher; that way the password-hashing strategy does not have to appear in several places.

    Quoting the answer from "魏涛" (the same text and Shiro source as above).

    Could the poster above paste a more complete example?

    What I pasted is Shiro's official source code; the location is marked by the comment on the first line. This method shows the behaviour: checking the password is not done inside doGetAuthenticationInfo, that is all. Read the source for the details.
    2020-06-03 09:41:55
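To make the answer concrete, here is an added example (not from this page or the Shiro project) of a realm that returns the stored MD5 hash plus its salt and leaves the comparison to HashedCredentialsMatcher: the token carries the plaintext, the store carries the hash, and the realm never compares the two. The account, salt and password are constructed sample values.

```java
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.util.ByteSource;

public class HashedRealmExample {
    // Constructed sample account. The stored value is hex(MD5(salt + password)),
    // built with SimpleHash exactly as HashedCredentialsMatcher will recompute it.
    static final String USER = "admin";
    static final String SALT = "constructed-salt"; // use a random per-user salt in practice
    static final String STORED_HASH = new SimpleHash("MD5", "secret123", ByteSource.Util.bytes(SALT), 1).toHex();

    /** Realm that only looks the account up; it never compares passwords itself. */
    static class DemoRealm extends AuthenticatingRealm {
        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken) {
            UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
            if (!USER.equals(token.getUsername())) {
                throw new UnknownAccountException("no account: " + token.getUsername());
            }
            // Hand back principal, stored hash, salt and realm name. The matcher hashes the
            // plaintext from the token with this salt and compares; the realm does not.
            return new SimpleAuthenticationInfo(USER, STORED_HASH, ByteSource.Util.bytes(SALT), getName());
        }
    }

    static boolean login(String user, String password) {
        try {
            SecurityUtils.getSubject().login(new UsernamePasswordToken(user, password));
            SecurityUtils.getSubject().logout();
            return true;
        } catch (AuthenticationException e) { // IncorrectCredentialsException on a wrong password
            return false;
        }
    }

    public static void main(String[] args) {
        DemoRealm realm = new DemoRealm();
        // MD5 only because the question uses it; SHA-256 with many iterations is the better choice.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("MD5");
        matcher.setHashIterations(1);
        matcher.setStoredCredentialsHexEncoded(true); // STORED_HASH is toHex(), not base64
        realm.setCredentialsMatcher(matcher);
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        System.out.println(login("admin", "secret123")); // true: plaintext token, hashed store
        System.out.println(login("admin", "wrong"));     // false
    }
}
```

If the client were to send an already-hashed password instead, the matcher would hash it a second time and the comparison would fail with exactly the "did not match the expected credentials" message from the question.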