Not sure what is going on w/ the rememberme cookie, but as to your hashing/base64 question, that should be covered in the realm page (http://shiro.apache.org/realm.html). If it's cached, you'll need to hit refresh.
Anyway, here's how to enable that (in INI at least):

# base64 encoding, not hex in this example:
credentialsMatcher.storedCredentialsHexEncoded = false

This boolean flag is only evaluated if the credentials returned from the AuthenticationInfo is a char[] or String. Otherwise, it is assumed to be 'byte source compatible' already. (aside: I'm thinking we should make base64 the assumed default - pretty much most of the rest of the framework assumes that already).

Since AuthenticationInfo already returns a ByteSource for the salt, there shouldn't be any problems there *unless* you base64-encoded your salt before storing it in the database. If so, you need to base64 decode it before wrapping it in a SimpleByteSource (if you put the base64-encoded string directly in SimpleByteSource, this will only get the string's bytes - not the original salt bytes). Perhaps that is what was causing you problems?

The realm page will have more additional useful info. If you feel anything relevant is missing regarding salting/hashing, please let me know and I'll be happy to update it.

Cheers,

--
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
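The salt mismatch described in the message above, as an added example that is not part of the original post and not Shiro's own code. It assumes Shiro 1.x package names with shiro-core on the classpath, SHA-256 with 1024 iterations, and a constructed user name, password and realm name.

```java
import java.nio.charset.StandardCharsets;

import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.SimpleByteSource;

public class SaltDecodingExample {
    private static final int ITERATIONS = 1024;          // assumed value
    private static final String REALM = "exampleRealm";  // hypothetical realm name

    public static void main(String[] args) {
        // Account creation: random salt and salted hash, both stored as base64
        // text, the way they would sit in two database columns (constructed data).
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String storedSalt = salt.toBase64();
        String storedHash = new Sha256Hash("s3cret-sample", salt, ITERATIONS).toBase64();

        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        // Same setting as the INI line: the stored hash String is base64, not hex.
        matcher.setStoredCredentialsHexEncoded(false);

        UsernamePasswordToken token = new UsernamePasswordToken("alice", "s3cret-sample");

        // Wrong: wraps the bytes of the base64 *text*, not the original salt bytes,
        // so the matcher hashes the password with a different salt.
        ByteSource textSalt = new SimpleByteSource(storedSalt.getBytes(StandardCharsets.UTF_8));
        boolean wrong = matcher.doCredentialsMatch(token,
                new SimpleAuthenticationInfo("alice", storedHash, textSalt, REALM));

        // Right: base64-decode the stored salt first, then wrap the raw bytes.
        ByteSource rawSalt = new SimpleByteSource(Base64.decode(storedSalt));
        boolean right = matcher.doCredentialsMatch(token,
                new SimpleAuthenticationInfo("alice", storedHash, rawSalt, REALM));

        System.out.println("salt wrapped as base64 text: match=" + wrong);
        System.out.println("salt decoded before wrapping: match=" + right);
    }
}
```

In a realm, the decode step belongs where doGetAuthenticationInfo builds the SimpleAuthenticationInfo from the stored row.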
