Hi!
I'm trying to write a simple but secure login for a web portal, but I'm stuck because I can't get Shiro to match the password stored in the database with the password posted in the login form.
I store the user with the following code:
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.util.SimpleByteSource;

private void saveUser(final User user, final String password) {
    final DefaultHashService hashService = new DefaultHashService();
    hashService.setHashIterations(500000);
    hashService.setHashAlgorithmName("SHA-256");
    hashService.setGeneratePublicSalt(true);
    // Private salt given as a String: SimpleByteSource uses the string's own bytes
    hashService.setPrivateSalt(new SimpleByteSource("base64EncodedString"));
    final DefaultPasswordService passwordService = new DefaultPasswordService();
    passwordService.setHashService(hashService);
    // Produces the "$shiro1$..." string that is stored in the Users table
    final String encryptedPassword = passwordService.encryptPassword(password);
    // Save password to user and store user in database
}
Then, when I try to log in, this is my custom JdbcRealm:
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.util.JdbcUtils;

@Override
protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken token)
        throws AuthenticationException {
    final UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    final String username = upToken.getUsername();
    Connection conn = null;
    PreparedStatement statement = null;
    ResultSet resultSet = null;
    try {
        conn = dataSource.getConnection();
        statement = conn.prepareStatement(authenticationQuery);
        statement.setString(1, username);
        resultSet = statement.executeQuery();
        // Move to the first row; no row means no such user, and Shiro's default
        // authenticator treats a null result as an unknown account
        if (!resultSet.next()) {
            return null;
        }
        // The stored "$shiro1$..." string; the configured credentialsMatcher
        // compares it against the submitted password
        final String encryptedPassword = resultSet.getString(1);
        return new SimpleAuthenticationInfo(username, encryptedPassword, getName());
    } catch (final SQLException e) {
        throw new AuthenticationException("SQL error! : ", e);
    } finally {
        // Close ResultSet, PreparedStatement and Connection
        JdbcUtils.closeResultSet(resultSet);
        JdbcUtils.closeStatement(statement);
        JdbcUtils.closeConnection(conn);
    }
}
This is the part of shiro.ini that deals with the passwordMatcher, hashService and passwordService:
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 500000
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
# privateSalt needs to be base64-encoded in shiro.ini but not in the Java code
# (the same string as in the code above)
hashService.privateSalt = base64EncodedSalt
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher.passwordService = $passwordService
jdbcRealm = se.motoronline.login.server.realm.LoginJdbcRealm
jdbcRealm.authenticationQuery = SELECT password FROM Users WHERE username = ?
jdbcRealm.credentialsMatcher = $passwordMatcher
What am I doing wrong? The thing is, if I comment out hashService.generatePublicSalt and hashService.privateSalt in shiro.ini, everything works as it should and login succeeds, so it has to be something with the salts? Please explain what I'm doing wrong.
--
View this message in context:
http://shiro-developer.582600.n2.nabble.com/Password-doesn-t-match-hashed-and-encrypted-password-tp7578768.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
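A self-contained check for the salt question raised in the post, added here as an example and not the poster's code: it builds the post's DefaultHashService twice, once with the private salt taken as the raw bytes of the string (what `new SimpleByteSource("...")` does in the Java code) and once with the Base64-decoded bytes (what the post says shiro.ini does), and verifies a password hashed under one configuration against the other. Since the `$shiro1$` string stores the public salt but never the private salt, the verifying side must reproduce the private salt byte for byte. The salt string and password are constructed placeholders, and Shiro 1.2.x APIs are assumed.

```java
import java.util.Arrays;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.SimpleByteSource;

public class SaltMismatchCheck {

    // Constructed placeholders, not values from any real deployment.
    // SALT_STRING is the Base64 encoding of the constructed string "secret-salt-1234".
    private static final String SALT_STRING = "c2VjcmV0LXNhbHQtMTIzNA==";
    private static final String PASSWORD = "correct horse battery staple";

    /** Same settings as the post's saveUser(), differing only in how the private salt is supplied. */
    static DefaultPasswordService passwordService(ByteSource privateSalt) {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashIterations(500000);
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setGeneratePublicSalt(true);  // public salt ends up inside the $shiro1$ string
        hashService.setPrivateSalt(privateSalt);  // private salt is never stored; both sides must agree
        DefaultPasswordService ps = new DefaultPasswordService();
        ps.setHashService(hashService);
        return ps;
    }

    public static void main(String[] args) {
        // Interpretation used by the Java code: the UTF-8 bytes of the literal string itself.
        ByteSource rawStringSalt = new SimpleByteSource(SALT_STRING);
        // Interpretation the post attributes to shiro.ini: the bytes the string encodes.
        ByteSource decodedSalt = new SimpleByteSource(Base64.decode(SALT_STRING));

        System.out.println("private salt bytes identical: "
                + Arrays.equals(rawStringSalt.getBytes(), decodedSalt.getBytes()));

        // Hash as the registration code does, then verify as the realm's PasswordMatcher does.
        String stored = passwordService(rawStringSalt).encryptPassword(PASSWORD);
        System.out.println("stored credential: " + stored);

        System.out.println("verify with the other salt interpretation: "
                + passwordService(decodedSalt).passwordsMatch(PASSWORD, stored));
        System.out.println("verify with the identical private salt:   "
                + passwordService(rawStringSalt).passwordsMatch(PASSWORD, stored));
    }
}
```

Only the last check can succeed, because DefaultPasswordService re-derives the hash from the algorithm, iteration count and public salt parsed out of the stored string plus its own configured private salt; a private salt that decodes to different bytes changes the result.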