🚔 优化密码加盐处理

Author: springboot-plus

src/main/java/io/geekidea/springbootplus/shiro/service/impl/LoginServiceImpl.java

@@ -115,11 +115,11 @@ public LoginSysUserTokenVo login(LoginParam loginParam) throws Exception {
         }
 
         // 实际项目中，前端传过来的密码应先加密
-        // 原始密码：123456
-        // 加密规则：sha256(666666+123456) = 751ade2f90ceb660cb2460f12cc6fe08268e628e4607bdb88a00605b3d66973c
-        String encryptPassword = PasswordUtil.encrypt(loginParam.getPassword());
+        // 原始密码明文：123456
+        // 原始密码前端加密：sha256(123456)
+        // 后台加密规则：sha256(sha256(123456) + salt)
+        String encryptPassword = PasswordUtil.encrypt(loginParam.getPassword(), sysUser.getSalt());
         if (!encryptPassword.equals(sysUser.getPassword())) {
-            log.error("用户名或密码错误");
             throw new AuthenticationException("用户名或密码错误");
         }
 

src/main/java/io/geekidea/springbootplus/system/controller/SysPermissionController.java

@@ -104,8 +104,8 @@ public ApiResult<Paging<SysPermissionQueryVo>> getSysPermissionPageList(@Valid @
      * 获取所有菜单列表
      */
     @PostMapping("/getAllMenuList")
-    @ApiOperation(value = "获取所有菜单列表", notes = "获取所有菜单列表", response = SysPermissionTreeVo.class)
-    public ApiResult<SysPermissionTreeVo> getAllMenuList() throws Exception {
+    @ApiOperation(value = "获取所有菜单列表", notes = "获取所有菜单列表", response = SysPermission.class)
+    public ApiResult<SysPermission> getAllMenuList() throws Exception {
         List<SysPermission> list = sysPermissionService.getAllMenuList();
         return ApiResult.ok(list);
     }
@@ -125,8 +125,8 @@ public ApiResult<SysPermissionTreeVo> getAllMenuTree() throws Exception {
      * 根据用户id获取菜单列表
      */
     @PostMapping("/getMenuListByUserId/{userId}")
-    @ApiOperation(value = "根据用户id获取菜单列表", notes = "根据用户id获取菜单列表", response = SysPermissionTreeVo.class)
-    public ApiResult<SysPermissionTreeVo> getMenuListByUserId(@PathVariable("userId") Long userId) throws Exception {
+    @ApiOperation(value = "根据用户id获取菜单列表", notes = "根据用户id获取菜单列表", response = SysPermission.class)
+    public ApiResult<SysPermission> getMenuListByUserId(@PathVariable("userId") Long userId) throws Exception {
         List<SysPermission> list = sysPermissionService.getMenuListByUserId(userId);
         return ApiResult.ok(list);
     }

src/main/java/io/geekidea/springbootplus/system/service/impl/SysUserServiceImpl.java

@@ -77,11 +77,12 @@ public boolean saveSysUser(SysUser sysUser) throws Exception {
         // 校验部门和角色
         checkDepartmentAndRole(sysUser.getDepartmentId(), sysUser.getRoleId());
         // 生成盐值
-        sysUser.setSalt(SaltUtil.generateSalt());
+        String salt = SaltUtil.generateSalt();
+        sysUser.setSalt(salt);
         sysUser.setId(null);
 
         // 密码加密
-        String newPassword = PasswordUtil.encrypt(sysUser.getPassword());
+        String newPassword = PasswordUtil.encrypt(sysUser.getPassword(), salt);
         sysUser.setPassword(newPassword);
 
         // 保存系统用户
@@ -178,12 +179,13 @@ public boolean updatePassword(UpdatePasswordParam updatePasswordParam) throws Ex
             throw new BusinessException("用户已禁用");
         }
         // 密码加密处理
-        String encryptOldPassword = PasswordUtil.encrypt(oldPassword);
+        String salt = sysUser.getSalt();
+        String encryptOldPassword = PasswordUtil.encrypt(oldPassword, salt);
         if (!sysUser.getPassword().equals(encryptOldPassword)) {
             throw new BusinessException("原密码错误");
         }
         // 新密码加密
-        String encryptNewPassword = PasswordUtil.encrypt(newPassword);
+        String encryptNewPassword = PasswordUtil.encrypt(newPassword, salt);
 
         // 修改密码
         sysUser.setPassword(encryptNewPassword)
@@ -196,6 +198,6 @@ public boolean updateSysUserHead(Long id, String headPath) throws Exception {
         SysUser sysUser = new SysUser()
                 .setId(id)
                 .setHead(headPath);
-         return updateById(sysUser);
+        return updateById(sysUser);
     }
 }

src/main/java/io/geekidea/springbootplus/util/PasswordUtil.java

@@ -28,13 +28,22 @@
  */
 @Slf4j
 public class PasswordUtil {
-    private static final String KEY = "666666";
 
-    public static String encrypt(String pwd) {
+    /**
+     * 密码加盐，再加密
+     *
+     * @param pwd
+     * @param salt
+     * @return
+     */
+    public static String encrypt(String pwd, String salt) {
         if (StringUtils.isBlank(pwd)) {
-            return null;
+            throw new IllegalArgumentException("密码不能为空");
         }
-        return DigestUtils.sha256Hex(KEY + pwd);
+        if (StringUtils.isBlank(salt)) {
+            throw new IllegalArgumentException("盐值不能为空");
+        }
+        return DigestUtils.sha256Hex(pwd + salt);
     }
 
 }

src/test/java/io/geekidea/springbootplus/test/PasswordUtilTest.java

@@ -17,17 +17,21 @@
 package io.geekidea.springbootplus.test;
 
 import io.geekidea.springbootplus.util.PasswordUtil;
+import org.junit.Assert;
 
 /**
  * 密码工具测试类
+ *
  * @author geekidea
  * @date 2019-10-05
  **/
 public class PasswordUtilTest {
     public static void main(String[] args) {
         String password = "123456";
-        String encryptPassword = PasswordUtil.encrypt(password);
+        String salt = "666";
+        String encryptPassword = PasswordUtil.encrypt(password, salt);
         System.out.println(encryptPassword);
         System.out.println(encryptPassword.length());
+        Assert.assertEquals(encryptPassword, "3108d080e3d39b4b8ad567405fa878c7dc9a31768b37a8a2c7ec72f511bb66cb");
     }
 }