Using the Shiro security framework in Grails

[b]Install the plugin first[/b] shiro-1.1.4

[b]Then initialize[/b] (on Windows the argument has to be wrapped in quotation marks, as below; other environments do not need them)
cd myoa
grails shiro-quick-start "--prefix=myoa."

[b]This creates or modifies the following files[/b]: answer yes to the overwrite prompts first, then merge the result by hand with IDEA's diff feature
| Environment set to development.....
> User.groovy already exists. Overwrite? [y/n] y
| Created file grails-app/domain/myoa/User.groovy
| Created file grails-app/domain/myoa/Role.groovy
| Created file grails-app/realms/myoa/DbRealm.groovy
| Created file grails-app/controllers/myoa/AuthController.groovy
| Created file grails-app/views/auth/login.gsp
> SecurityFilters.groovy already exists. Overwrite? [y/n] y
| Created file grails-app/conf/myoa/SecurityFilters.groovy

[b]The trouble with adopting it midway[/b]
Because the system had already been in development for a while, it already had a User object whose properties were named "name/password"; Shiro also generates a User object, which uses "username/passwordHash".

After weighing it up, refactoring the original User object would have been too disruptive, so I refactored the files Shiro generated instead, which turned out not to be hard:
1. login.gsp needs no changes, because a token object sits between the GSP and the User object.
2. AuthController needs no changes except one added line that stores the user object in the session, since most of my GSPs use that object: SessionTool.loginUser = User.findByName(authToken.username)
3. DbRealm.groovy: change the references to the User fields; nothing else needs to change.

[b]A small sense of achievement[/b]
It took 1 day to get a basic grip on the Shiro framework: access control can be left to the framework, but the permission model has to be designed yourself.
It took 2 days to generate the permission table for all controllers and actions automatically from the system, and then to design a UI for editing and managing it conveniently.
[img]http://dl.iteye.com/upload/attachment/0080/0830/10bbfc07-bbae-3e9c-8782-9bc55ebd2915.jpg[/img]


[b]Changing the password hashing algorithm[/b]
The default realm hashes the password supplied in the authentication token with SHA-256 and compares the result to the password hash stored in the user domain instance. If the hashes match, the user is authenticated.
The plugin documentation justifies changing this with the claim that SHA-256 has known vulnerabilities. That is not accurate: SHA-256 has no practical break. The real weakness of the default is that it is a single, unsalted round of a fast hash, so two users with the same password share a hash, and a leaked table can be cracked offline with precomputed tables or a GPU. Swapping in SHA-512 as described below keeps exactly that weakness; a per-user random salt and a high iteration count are what make the stored hashes expensive to attack. If you still want to change the algorithm the way the docs describe, you need to do two things.

First, when you create a user (for example in BootStrap) you need to hash the password with the alternative algorithm:
[color=blue]new Sha512Hash("password").toHex()[/color]

Second, you need to override the credentialMatcher bean, for example by adding the following to your grails-app/conf/spring/resources.groovy file:
[color=blue]// Sha512CredentialsMatcher is deprecated in Shiro 1.1 in favour of
// HashedCredentialsMatcher("SHA-512"), which also supports salts and iterations.
import org.apache.shiro.authc.credential.Sha512CredentialsMatcher

beans = {
    credentialMatcher(Sha512CredentialsMatcher) {
        // the hashes created with toHex() above are stored as hex strings
        storedCredentialsHexEncoded = true
    }
}[/color]
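The matcher above still checks one unsalted round, only with a longer digest. The following is an added example written for this edit, not code from the post or from the grails-shiro plugin. It puts the default scheme beside a salted, iterated one built from Shiro 1.1 classes (HashedCredentialsMatcher, SecureRandomNumberGenerator, and SimpleAccount carrying a salt), and shows the shape DbRealm.authenticate() must take so the matcher can re-apply the salt. The passwordSalt field, the iteration count and the realm name are assumptions; the post's User class has no salt column, so adding one is part of this change.

```groovy
// Added example (editor's, not from the original post or the grails-shiro plugin).
// Shows why moving from SHA-256 to SHA-512 alone does not harden stored
// passwords, and how to salt and iterate with Shiro 1.1 APIs instead.
// Assumptions: a User record with passwordHash and passwordSalt fields
// (passwordSalt is not in the post's User class); realm name "DbRealm".
import org.apache.shiro.authc.SimpleAccount
import org.apache.shiro.authc.UsernamePasswordToken
import org.apache.shiro.authc.credential.HashedCredentialsMatcher
import org.apache.shiro.codec.Base64
import org.apache.shiro.crypto.SecureRandomNumberGenerator
import org.apache.shiro.crypto.hash.Sha256Hash
import org.apache.shiro.crypto.hash.Sha512Hash
import org.apache.shiro.util.SimpleByteSource

// ---- The default scheme: one unsalted SHA-256 round --------------------------
String defaultHash(String password) {
    new Sha256Hash(password).toHex()
}
// Same password, same hash: a leaked table exposes shared passwords and is
// cracked with precomputed tables. Unsalted SHA-512 has the identical property.
assert defaultHash("password") == defaultHash("password")
assert new Sha512Hash("password").toHex() == new Sha512Hash("password").toHex()

// ---- Hardened scheme: random per-user salt, many iterations -----------------
final int ITERATIONS = 100000   // assumption: tune so one login costs ~100 ms

// Equivalent of the bean you would declare in grails-app/conf/spring/resources.groovy:
//   credentialMatcher(HashedCredentialsMatcher) {
//       hashAlgorithmName = "SHA-512"
//       hashIterations = 100000
//       storedCredentialsHexEncoded = true
//   }
def credentialMatcher = new HashedCredentialsMatcher(Sha512Hash.ALGORITHM_NAME)
credentialMatcher.hashIterations = ITERATIONS
credentialMatcher.storedCredentialsHexEncoded = true

// What BootStrap (or a registration action) stores for a new user.
Map createUser(String username, String password, int iterations) {
    def salt = new SecureRandomNumberGenerator().nextBytes()   // 16 bytes from SecureRandom
    [username    : username,
     passwordHash: new Sha512Hash(password, salt, iterations).toHex(),
     passwordSalt: salt.toBase64()]                             // stored beside the hash
}

// The core of what DbRealm.authenticate() must do: hand the matcher the stored
// salt via SimpleAccount (a SaltedAuthenticationInfo), so it re-applies salt and
// iterations to the submitted password before comparing against passwordHash.
boolean authenticate(Map user, String attempt, HashedCredentialsMatcher matcher) {
    def token = new UsernamePasswordToken(user.username, attempt)
    def salt = new SimpleByteSource(Base64.decode(user.passwordSalt))
    def account = new SimpleAccount(user.username, user.passwordHash, salt, "DbRealm")
    matcher.doCredentialsMatch(token, account)
}

def alice = createUser("alice", "correct horse", ITERATIONS)
def bob = createUser("bob", "correct horse", ITERATIONS)
assert alice.passwordHash != bob.passwordHash      // same password, different hashes
assert authenticate(alice, "correct horse", credentialMatcher)
assert !authenticate(alice, "wrong horse", credentialMatcher)
// A fresh matcher defaults to 1 iteration, so it rejects hashes made with 100000:
// the iteration count must be the same at creation and at login, so keep it in
// one place (the bean) rather than repeating the literal in BootStrap.
assert !authenticate(alice, "correct horse", new HashedCredentialsMatcher("SHA-512"))
```

Run it as a plain Groovy script with shiro-core 1.1.x on the classpath; in the Grails project the matcher settings belong in the resources.groovy bean, the createUser logic in BootStrap or the registration action, and the SimpleAccount construction in DbRealm.groovy, which also needs the stored salt read from the User row.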