Shulou(Shulou.com)06/01 Report--

This article mainly introduces the method of "Spring Boot integrates Shiro and uses SHA-256 to encrypt passwords". In daily operation, I believe that many people have doubts about the method of Spring Boot integrating Shiro and using SHA-256 to encrypt passwords. Xiaobian consulted all kinds of materials and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the doubts of "Spring Boot integrates Shiro and uses SHA-256 to encrypt passwords". Next, please follow the editor to study!

We cannot store the user's password in clear text, otherwise if our own database is hacked, the user's account on other sites may also be stolen.

Born into ciphertext at the time of registration

Shiro provides a SimpleHash class that makes it easy to encrypt strings and encrypts passwords with just one line of code.

String hashPassword = new SimpleHash (SHA-256, password, username+ "reg", 1024). ToString ()

Its first parameter is the encryption algorithm, the second is the content to be encrypted, the third is salt (this parameter is whatever you want), and the fourth is the desired number of times.

With the encrypted password, you can store the entire User object in the database and query it later through Realm when you log in.

/ * *

* injection for storing user objects

, /

@ Autowired

Private UserService userService

@ GetMapping ("reg")

Public Object reg (@ RequestParam (name = "username") String username

@ RequestParam (name = "password") String password) {

String hashPassword = new SimpleHash (SHA-256, password, username+ "reg", 1024). ToString ()

User user = new User ()

User.setUsername (username)

User.setPassword (hashPassword)

User.setSalt (username + "reg")

UserService.addUser (user)

Return "registered successfully"

}

Realm

The last article talked about how to log in, but the password was not encrypted at the time.

How to write the encrypted Realm?

Shiro gives people the impression that I have all the basic things ready, so you can add whatever you want.

So you just need to rewrite its setCredentialsMatcher interface in the custom Realm and specify the type of algorithm and the desired number of times.

@ Override

Public void setCredentialsMatcher (CredentialsMatcher credentialsMatcher) {

HashedCredentialsMatcher matcher = new HashedCredentialsMatcher ()

Matcher.setHashAlgorithmName ("SHA-256")

Matcher.setHashIterations (1024)

Super.setCredentialsMatcher (matcher)

}

This is basically the same as at the time of registration, but there seems to be no specified salt?

Salt is used in encryption, and it is necessary to verify it, but it is not written here, after all, the salt of each user may be inconsistent (salt is set according to your own ideas).

But remember that the doGetAuthenticationInfo method returns an authentication information object for Shiro authentication, and after using salt, just pass the salt in when you create the object.

Note: because what you need now is not only a password, but also salt. So when you simulate querying the database, you can't just return a string, but you should return an object, and then extract the password and salt from the object.

/ * *

* injection for storing user objects

, /

@ Autowired

Private UserService userService

@ Override

Protected AuthenticationInfo doGetAuthenticationInfo (AuthenticationToken token) throws AuthenticationException {

String username = token.getPrincipal () .toString ()

User user = userService.getUserByUsername (username)

If (user! = null) {

String password = user.getPassword ()

AuthenticationInfo authenticationInfo = new SimpleAuthenticationInfo (

Username

Password

/ / incoming salt

ByteSource.Util.bytes (user.getSalt ())

GetName ()

Return authenticationInfo

}

Return null

}

Analog access User object

It's all for simplicity.

@ Service

Public class UserService {

Private HashMap users = new HashMap ()

Public void addUser (User user) {

Users.put (user.getUsername (), user)

}

Public User getUserByUsername (String username) {

Return users.get (username)

}

}

At this point, the study on "Spring Boot integrates Shiro and uses SHA-256 to encrypt passwords" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.