我正在使用 JBCrypt 对密码“密码”进行哈希处理
public User addUser(User newUser) {
String passwordHash = BCrypt.hashpw(newUser.getPassword(), BCrypt.gensalt());
newUser.setPassword(passwordHash);
Object<User> user = new ObjectImpl<User>();
return user.addObject(User.class, newUser);
}
在上面,newUser是通过 JAX-RS Restful Web 服务交付的。
在ContextRequestFilter我正在尝试对用户进行身份验证,如下所示:
public class AuthenticationFilter implements ContainerRequestFilter {
private static final String AUTHORIZATION_HEADER = "Authorization";
private static final String AUTHENTICATION_SCHEME = "Basic ";
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
List<String> authorizationHeader = requestContext.getHeaders().get(AUTHORIZATION_HEADER);
if (authorizationHeader != null) {
String authorizationToken = authorizationHeader.get(0);
authorizationToken = authorizationToken.replaceFirst(AUTHENTICATION_SCHEME, "");
String decodedString = Base64.decodeAsString(authorizationToken);
StringTokenizer tokenizer = new StringTokenizer(decodedString, ":");
try {
String username = tokenizer.nextToken();
String password = tokenizer.nextToken();
Object<User> userObject = new ObjectImpl<User>();
User user = userObject.getObjectByNamedQuery("User.byEmail", username);
String hashedPassword = user.getPassword();
if (BCrypt.checkpw(password, hashedPassword)) {
return;
}
} catch (NoSuchElementException e) {
abortRequest(requestContext);
} catch (NullPointerException e) {
abortRequest(requestContext);
}
}
abortRequest(requestContext);
}
在这里,当我将密码作为“密码”发送时,该abortRequest方法仍然会触发。我看到它BCrypt.checkpw(password, hashedPassword)正在返回false。