MD5 Salt value Encryption for Spring-shiro implementation of passwords in Java

Read a lot of tutorials on the Internet, have mentioned the configuration of spring Shiro password encryption, and even gave a custom class to implement. Are rarely solved by configuration.

The password Salt value encryption method should be very common, it can be regarded as the basis. The spring Shiro could not have been realized, let the user to realize it.

Read the source to see the various relationships, find out Shiro MD5 salt value encryption way, share (Shiro's Maven warehouse source is always a blank file, GitHub source code and no stable version, to debug very annoyed), Of course the source of reading can be directly to the GitHub, Https://github.com/apache/shiro
On the basis of Shiro use here do not paste configuration, related articles can search their own. First paste the MD5 salt value encryption related configuration:

<bean id= "Jdbcrealm" class= "Org.apache.shiro.realm.jdbc.JdbcRealm" >
<property name= "DataSource" ref= "Tbdatasource"/>
<property name= "Credentialsmatcher" ref= "Passwordmatcher"/>
<property name= "Authenticationquery"
Value= "Select U.user_password,u.salt from Auth_sys_user u where U.user_nick =? and u.status=0 "/>
<property name= "Userrolesquery"
Value= "Select r.role_id from Auth_user_role r where r.user_id = (select u.user_id from Auth_sys_user u where U.user_nick = ? and u.status=0) "/>
<property name= "Permissionsquery"
Value= "Select P.permission_code from Auth_role_permission p WHERE p.role_id =? "/>
<property name= "permissionslookupenabled" value= "true"/>
<property name= "Saltstyle" value= "COLUMN"/>
</bean>
<bean id= "Passwordmatcher" class= "Org.apache.shiro.authc.credential.HashedCredentialsMatcher" >
<property name= "Hashalgorithmname" value= "MD5"/>
<property name= "Hashiterations" value= "2"/>
</bean>

Explain:

The ①credentialsmatcher property is the way the authentication matches, and this property uses the Org.apache.shiro.authc.credential.HashedCredentialsMatcher method. Hashedcredentialsmatcher is a hash authentication matching way, reading source found that this class has 4 attributes HashAlgorithm, hashiterations, hashsalted, Storedcredentialshexencoded.
Where HashAlgorithm represents the hash algorithm name, string type, Common MD2, MD5, SHA1, SHA256, SHA384, SHA512, and so on.

Hashiterations represents the number of hash iterations, the int type, which is the number of encryption, and the default is 1 times.
Hashsalted Indicates whether the hash is salt, Boolean, this attribute has been marked as expired and is not recommended, in fact this attribute is determined in the realm configuration.
Storedcredentialshexencoded Indicates whether the hash password is stored as 16 (HEX), Boolean, default to True, or it will be encoded in base64.
②saltstyle configuration for column indicates that salt is obtained from the database field, when the corresponding authenticationquery query results, the first field is password, and the second is salt. In addition, Saltstyle also has several optional values, namely No_salt, CRYPT, EXTERNAL. Where No_salt represents no salt value; crypt indicates that the salt value exists in a UNIX encrypted file; External indicates that the salt does not exist in the database, but is obtained by invoking the Jdbcrealm.getsaltforuser (username) method. This method is actually to return to username.
Of course, the implementation of the password MD5 salt value encryption, when inserting users, modify user password, it is necessary to use the same algorithm to deal with the password, including the production of salt storage.
For an encrypted password to be generated in your program, you can refer to the following code:

Md5hash hash = new Md5hash (password,salt,2);
return hash.tostring ();

Of course, you can also use Simplehash to specify the cryptographic algorithm name (as configured in Credentialsmatcher) by using the first parameter:
Simplehash hash = new Simplehash ("MD5", password,salt,2);
return hash.tostring ();
for generating random salt, you can use the securerandomnumbergenerator generated by Shiro, as follows:
Private String Generatesalt () {
         securerandomnumbergenerator securerandom = new Securerandomnumbergenerator ();
        String hex = securerandom.nextbytes (3). Tohex ();//One byte for two bytes, The 3 bytes generated here, the string length is 6
        return hex;
}