主要绕过密码匹配,代码如下
```java
@Component
public class MyHashedCredentialsMatcher extends HashedCredentialsMatcher {

    /**
     * Decides whether the submitted credentials match the stored ones.
     *
     * <p>For a {@code MobileSmsCodeToken} (or any subclass of it) this matcher
     * answers {@code true} without examining the token or the stored credentials,
     * so no hash comparison takes place for SMS logins. Every other token type is
     * handed to the inherited hashed-password comparison.
     *
     * <p>NOTE(review): the SMS path never inspects {@code smsCode}; the realm that
     * returns {@code AuthenticationInfo} for an SMS token must therefore have
     * verified the code itself before this matcher runs. That check is not visible
     * in this class — confirm it exists in the realm.
     *
     * @param token the credentials submitted by the caller; a {@code null} token
     *              throws {@code NullPointerException} when its class is read
     * @param info  the account data loaded by the realm
     * @return {@code true} for SMS-code tokens, otherwise the result of the
     *         inherited hashed comparison
     */
    @Override
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        Class<?> tokenType = token.getClass();
        boolean smsLogin = MobileSmsCodeToken.class.isAssignableFrom(tokenType);
        // Short-circuit: an SMS token never reaches the hash comparison.
        return smsLogin || super.doCredentialsMatch(token, info);
    }
}
public class MobileRealm extends AuthorizingRealm {
/**
 * Installs this realm's credentials matcher once the bean has been constructed.
 *
 * <p>The {@code MyHashedCredentialsMatcher} is created with {@code new} here rather
 * than injected, so any Spring-managed instance of that class is not the one this
 * realm uses. Its hash algorithm name and iteration count are copied from
 * {@code ShiroUtils} — presumably the same values used when passwords are hashed;
 * verify against the hashing side, since a mismatch would reject every password.
 */
@PostConstruct
public void initCredentialsMatcher() {
    MyHashedCredentialsMatcher matcher = new MyHashedCredentialsMatcher();
    // Configure hashing parameters before handing the matcher to the realm.
    matcher.setHashAlgorithmName(ShiroUtils.hashAlgorithmName);
    matcher.setHashIterations(ShiroUtils.hashIterations);
    setCredentialsMatcher(matcher);
}
...省略
}
/**
 * Authentication token for SMS-based login, carrying the phone number and the
 * verification code submitted by the user.
 *
 * <p>Only the two fields appear in this excerpt; the {@code AuthenticationToken}
 * methods and any accessors are not shown here — presumably elided or generated,
 * verify in the full source. {@code MyHashedCredentialsMatcher} accepts this token
 * type without comparing {@code smsCode}, so the code has to be validated
 * elsewhere before the login is treated as authenticated.
 */
public class MobileSmsCodeToken implements AuthenticationToken {

    /** Phone number. */
    private String mobile;

    /** SMS verification code. */
    private String smsCode;
}
```