mdgomes opened a new issue, #2421: URL: https://github.com/apache/shiro/issues/2421
### Search before asking - [x] I had searched in the [issues, **including closed issues**](https://github.com/apache/shiro/issues?q=is%3Aissue) and found no similar issues. ### Environment Java 21, shiro-core, plain java ### Shiro version 2.0.6 ### What was the actual outcome? Failure to match password ### What was the expected outcome? Password was matched correctly ### How to reproduce Hi, I'm having issues migrating from Shiro 1 to 2, and before anyone suggests, reseting passwords and asking users to create new ones is not a valid suggestion for my use case, I can't seem to figure out how to actually make Shiro2 work with private salts. Take a Shiro1 hashed password generated with the 1.x version (i.e. 1.13), take the plainText password and use the passwordsMatch(String,String) method to validate the passwords. Example saved password (`String storedPassword`): `$shiro1$SHA-256$500000$qP2nXnatLnmrr+LQeZxnQg==$ABXgt5ZDlgCRRyaxXORR/QFrpZMW77didcJ8P7AYs/M=` Associated plain text (`String plainText`): "admin" Setup: ```Java PasswordService passwordService = new DefaultPasswordService(); DefaultHashService hashService = new DefaultHashService(); hashService.setDefaultAlgorithmName("SHA-256"); passwordService.setHashService(hashService); Shiro1CryptFormat hashFormat = new Shiro1CryptFormat(); passwordService.setHashFormat(hashFormat); // Assert true: passwordService.passwordsMatch(plainText, storedPassword) fails ``` Our saved password was created using a private salt. And previously (i.e. 1.13) the passwordsMatch method was successful because of this the passwordsMatch(plainText, savedHash) did this: ```Java public boolean passwordsMatch(Object plaintext, Hash saved) { ByteSource plaintextBytes = createByteSource(plaintext); if (saved == null || saved.isEmpty()) { return plaintextBytes == null || plaintextBytes.isEmpty(); } else { if (plaintextBytes == null || plaintextBytes.isEmpty()) { return false; } } HashRequest request = buildHashRequest(plaintextBytes, saved); Hash computed = this.hashService.computeHash(request); return constantEquals(saved.toString(), computed.toString()); } ``` Specifically the `computeHash` call, which combines the private and public salts. The current 2.x method flow for the `passwordsMatch(Object plainText, Hash saved)` never calls `computeHash` so the passwords never match. So either I'm missing how Shiro 2.x handles the Shiro 1 format or the way to handle stored passwords is to override the DefaultPasswordService with support for using private salts. Can you help? ### Debug logs _No response_ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
