Apache Shiro的身份验证问题
问题描述:
我是Apache Shiro的初学者。我一直在关注文档和其他许多教程,博客等,但我无法使认证工作。当我尝试使用有效的用户名和密码登录时,我总是会抛出InvalidCredentialsException
。我使用DynamoDB作为存储用户凭证的自定义领域,但我真的不认为这很重要。这显然是我存储和/或进行凭证匹配的方式,这是不正确的。这里是我的设置:Apache Shiro的身份验证问题
Shiro.ini:
[main]
myRealm = com.enki.closing.users.DynamoDBRealm
credentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 1024
myRealm.credentialsMatcher = $credentialsMatcher
创建用户帐户:
String password = ...
ByteSource passwordSalt = new SecureRandomNumberGenerator().nextBytes();
String hashedPasswordBase64 = new Sha256Hash(password, passwordSalt, 1024).toBase64();
// store the hashedPassword and salt in DynamoDB...
// I've tried storing the salt with and without base64 encoding.
密码和盐储存罚款DynamoDB,该值看起来没事。下面是认证的自定义领域:
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
UsernamePasswordToken userPass = (UsernamePasswordToken) token;
String username = userPass.getUsername();
...
// pull the matching password and salt out of DynamoDB, no problems...
ByteSource passwordSalt = ByteSource.Util.bytes(storedPasswordSalt);
return new SimpleAuthenticationInfo(username, passwordHash, passwordSalt, getName());
}
这一切几乎什么文档告诉我这样做,但有不对的东西。当我尝试登录时,它会得到InvalidCredentialsException
。
答
我想出了如何让它工作。我不得不改变这一点(在我的自定义领域IMPL):
ByteSource passwordSalt = ByteSource.Util.bytes(storedPasswordSalt);
这样:
ByteSource passwordSalt = ByteSource.Util.bytes(
Base64.decode(storedPasswordSalt));