本文共 4911 字，大约阅读时间需要 16 分钟。

一、Shiro配置添加：

package com.how2java.tmall.config; import org.apache.shiro.authc.credential.HashedCredentialsMatcher;import org.apache.shiro.mgt.SecurityManager;import org.apache.shiro.spring.LifecycleBeanPostProcessor;import org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor;import org.apache.shiro.spring.web.ShiroFilterFactoryBean;import org.apache.shiro.web.mgt.DefaultWebSecurityManager;import org.springframework.context.annotation.Bean;import org.springframework.context.annotation.Configuration; import com.how2java.tmall.realm.JPARealm; @Configurationpublic class ShiroConfiguration {
       @Bean    public ShiroFilterFactoryBean shirFilter(SecurityManager securityManager){
           ShiroFilterFactoryBean shiroFilterFactoryBean  = new ShiroFilterFactoryBean();        shiroFilterFactoryBean.setSecurityManager(securityManager);        return shiroFilterFactoryBean;    }         @Bean    public SecurityManager securityManager(){
           DefaultWebSecurityManager securityManager =  new DefaultWebSecurityManager();        securityManager.setRealm(getJPARealm());        return securityManager;    }     @Bean    public JPARealm getJPARealm(){
           JPARealm myShiroRealm = new JPARealm();        myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher());        return myShiroRealm;    }        //密码加密后的匹配机制设置， 若不设置， 则无法解析加密后的密码了    @Bean    public HashedCredentialsMatcher hashedCredentialsMatcher(){
           HashedCredentialsMatcher hashedCredentialsMatcher = new HashedCredentialsMatcher();        //加密方式 采取 md5 方式        hashedCredentialsMatcher.setHashAlgorithmName("md5");        //加密次数 加密2次        hashedCredentialsMatcher.setHashIterations(2);        return hashedCredentialsMatcher;    }}

注：不仅要添加解析密码加密的配置类， 还要在 JPARealm 对象 myShiroRealm 中设置 ：myShiroRealm.setCredentialsMatcher(hashedCredentialsMatcher());

二、 登陆调用验证方法时加上盐值（否则缺少盐值则无法解析加密密码了）：

package com.how2java.tmall.realm;import org.apache.shiro.authc.AuthenticationException;import org.apache.shiro.authc.AuthenticationInfo;import org.apache.shiro.authc.AuthenticationToken;import org.apache.shiro.authc.SimpleAuthenticationInfo;import org.apache.shiro.authc.UsernamePasswordToken;import org.apache.shiro.authz.AuthorizationInfo;import org.apache.shiro.authz.SimpleAuthorizationInfo;import org.apache.shiro.realm.AuthorizingRealm;import org.apache.shiro.subject.PrincipalCollection;import org.apache.shiro.util.ByteSource;import org.springframework.beans.factory.annotation.Autowired;import com.how2java.tmall.pojo.User;import com.how2java.tmall.service.UserService;public class JPARealm extends AuthorizingRealm{
   		@Autowired	private UserService userService;		//授权	@Override	protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
   		SimpleAuthorizationInfo s = new SimpleAuthorizationInfo();		return s;	}		//验证	@Override	protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
   		UsernamePasswordToken upt = (UsernamePasswordToken) token;		String userName = upt.getUsername();		User user = userService.getByName(userName);		String dBpassword = user.getPassword();		String salt = user.getSalt();				return new SimpleAuthenticationInfo(userName/*携带的信息*/, dBpassword/*数据库中的密码， 会自动与登录的密码比较*/, ByteSource.Util.bytes(salt)/*盐值*/, getName());	}}

三、登陆时，将账号与密码生成令牌调用shiro函数：

public Result login(@RequestBody User bean, HttpServletSession session){		System.out.println("bean.getAccount()" + bean.getAccount());		System.out.println("bean.getPassword()" + bean.getPassword());				String account = bean.getAccount();		account = HtmlUtils.htmlEscape(account);				//获取subject		Subject subject = SecurityUtils.getSubject();		//将前端账号和密码包装成令牌		UsernamePasswordToken token = new UsernamePasswordToken(account, bean.getPassword());				try{			/**			 * 传入令牌，令牌中有前端输入的账号密码，调用shiro的配置函数与数据库的账号密码比对			 * 如果比对错误将抛出异常， 正确则继续执行			 */			subject.login(token);			User _user = userService.checkLogin(bean);			//设置session			session.setAttribute("user", _user);			return Result.success();		}		catch(AuthenticationException e){			String msg = "账号或密码错误";			return Result.fail(msg);		}	}

三、 注册时的密码加密：

@PostMapping("foreregister")	public Object register(@RequestBody User user){
   		String name = user.getName();		String password = user.getPassword();		//对用户注册的昵称进行转义，避免SQL注入攻击		name = HtmlUtils.htmlEscape(name);		user.setName(name);				boolean exit = userService.IsExit(name);		if(exit){
   			String message = "用户名已存在，请使用其他用户名";			return Result.fail(message);		}				//盐值		String salt = new SecureRandomNumberGenerator().nextBytes().toString();		//加密次数		int times = 2;		//加密方式		String algorithmName = "md5";		//初始化加密密码		String encodedPassword = new SimpleHash(algorithmName/*加密方式*/, password, salt, times).toString();			user.setSalt(salt);		user.setPassword(encodedPassword);		userService.add(user);				return Result.success();	}

转载地址：http://xyern.baihongyu.com/