Shiro 1.2新功能DefaultPasswordService解惑

最开始学习shiro的时候需要自己保存User的salt, 最近系统升级，使用了Shiro1.3发现在1.2的时候Shiro提供了新的DefaultPasswordService来简化Password encode/match工作。很好奇为啥不在需要自己保存User的salt，查看了defaultpasswordservice的源代码，发现了其中的奥秘，具体看Shiro的代码(关注*部分)，主要是重新构建Hash，然后从Hash中获取salt来做提交密码的hash，比较计算出来的hash和存储hash是否一致。

      public boolean More ...passwordsMatch(Object submittedPlaintext, String saved) {
          ByteSource plaintextBytes = createByteSource(submittedPlaintext);

          if (saved == null || saved.length() == 0) {
              return plaintextBytes == null || plaintextBytes.isEmpty();
          } else {
              if (plaintextBytes == null || plaintextBytes.isEmpty()) {
                  return false;
              }
          }

          //First check to see if we can ***reconstitute the original hash*** - this allows us to
          //perform password hash comparisons even for previously saved passwords that don‘t
          //match the current HashService configuration values.  This is a very nice feature
          //for password comparisons because it ensures backwards compatibility even after
          //configuration changes.
          ***HashFormat discoveredFormat = this.hashFormatFactory.getInstance(saved);***

          <strong>if (discoveredFormat != null && discoveredFormat instanceof ParsableHashFormat) {

              ParsableHashFormat parsableHashFormat = (ParsableHashFormat)discoveredFormat;
              **Hash savedHash = parsableHashFormat.parse(saved);**

              return ***passwordsMatch(submittedPlaintext, savedHash)***;
          }</strong>

          //If we‘re at this point in the method‘s execution, We couldn‘t reconstitute the original hash.
          //So, we need to ***hash the submittedPlaintext using current HashService configuration and then
          //compare the formatted output with the saved string.  This will correctly compare passwords***,
          //***but does not allow changing the HashService configuration without breaking previously saved
          //passwords***:

          //The saved text value can‘t be reconstituted into a Hash instance.  We need to format the
          //submittedPlaintext and then compare this formatted value with the saved value:
          HashRequest request = createHashRequest(plaintextBytes);
          Hash computed = this.hashService.computeHash(request);
          String formatted = this.hashFormat.format(computed);

          return saved.equals(formatted);
      }
public boolean passwordsMatch(Object plaintext, Hash saved) { 
        ByteSource plaintextBytes = createByteSource(plaintext); 

        if (saved == null || saved.isEmpty()) { 
            return plaintextBytes == null || plaintextBytes.isEmpty(); 
        } else { 
            if (plaintextBytes == null || plaintextBytes.isEmpty()) { 
                return false; 
            } 
        } 

        HashRequest request = ***buildHashRequest(plaintextBytes, saved);*** 

        Hash computed = this.hashService.computeHash(request); 

        return saved.equals(computed); 
    }
    protected HashRequest buildHashRequest(ByteSource plaintext, Hash saved) { 
        //keep everything from the saved hash except for the source: 
        return new HashRequest.Builder().setSource(plaintext) 
                //now use the existing saved data: 
                .setAlgorithmName(saved.getAlgorithmName()) 
                .***setSalt(saved.getSalt())*** 
                .setIterations(saved.getIterations()) 
                .build(); 
    } 

要使用defaultpasswordService非常简单就是简单的spring bean，当然你可以通过注入改变迭代次数和加密算法。

<bean name="passwordService" class="org.apache.shiro.authc.credential.DefaultPasswordService" />