如何获取/设置JdbcRealm的salt

Question

我试图使用Shiro JdbcRealm和SHA256 hashedcredentialsMatcher.我需要更新遗留数据库并为每个用户分配适当的盐(通过批处理例程).

如何使用Shiro框架获取/设置给定帐户的盐？

Answer 1

使用Shiro 1.2.3,您需要做的就是:

1. 扩展JdbcRealm并设置盐样式.

   public class JdbcSaltRealm extends JdbcRealm {
       public JdbcSaltRealm() {
           setSaltStyle(SaltStyle.COLUMN);
       }
   }
   

2. 更新shiro.ini以使用扩展领域并从DB获取salt列

   credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
   credentialsMatcher.hashAlgorithmName = SHA-256
   jdbcRealm = com.mypackage.JdbcSaltRealm
   jdbcRealm.authenticationQuery = SELECT password, salt FROM user WHERE username = ?
   jdbcRealm.credentialsMatcher = $credentialsMatcher
   

3. 哈希和盐当前/新用户密码.应该对所有现有用户以及新用户注册执行此操作.

   private void saltHashPassword(String password) {
   
       String salt = new BigInteger(250, new SecureRandom()).toString(32);
   
       //TODO: save salt value to "salt" column in user table
   
       Sha256Hash hash = new Sha256Hash(password, 
                             (new SimpleByteSource(salt)).getBytes());
       String saltedHashedPassword = hash.toHex();
   
       //TODO: save saltedHashedPassword value to "password" column in user table
   }
   

我希望我的回答清楚易懂.