Just in case it helps anyone else in the future, I was able to solve my problem by doing exactly what I suggest below.

Basically, I first try to authenticate via Shiro. If that fails, I encrypt the password being used and compare it to the crypted version from the old system. If that matches, then I crypt the password with Shiro and update the database with the new password. If it fails, then the login fails.

Tauren

On Tue, Sep 1, 2009 at 12:33 PM, Tauren Mills<[email protected]> wrote:
> Andy,
>
> Thanks for the response. I guess what I'm thinking of doing is
> something like this pseudo code, but was wondering if anyone had
> better ideas:
>
> boolean login(String username, String password, boolean rememberMe) {
>     UsernamePasswordToken token = new UsernamePasswordToken(username, password, rememberMe);
>     try {
>         SecurityUtils.getSubject().login(token);
>         return true;
>     }
>     catch (IncorrectCredentialsException ice) {
>         boolean success = myCustomBase64Authenticate(username, password);
>         if (success) {
>             User user = dao.getUser(username);
>             user.setPassword(new Sha256Hash(password).toHex());
>             dao.save(user);
>             // Need to run SecurityUtils.getSubject().login() again here!
>             return true;
>         }
>     }
>     catch (UnknownAccountException uae) {
>         ...
>     }
>     ...
>     catch (Exception ex) {
>         ...
>     }
>     return false;
> }
>
> However, if the IncorrectCredentialsException happens, I'd still need
> to run SecurityUtils.getSubject().login(token) again so that the user
> was authenticated by Shiro. I'm reluctant to have another try/catch
> block within that catch block. It just seems like there should be a
> cleaner way of doing this. Maybe by implementing my own
> Subject.login(), but it looks like DelegatingSubject.login() defers to
> SecurityManager.login(). I'm just not sure how much I want to muck
> with overriding Shiro classes and am hoping someone has a suggestion
> on a simple approach.
>
> Note that we'd tell everyone they have to log into the new system
> within the next 7 days, or 30 days, or whatever. And then I'd yank
> the customBase64Authenticate code from the app after that time period
> is over. So whatever I build is going to be thrown away anyway, so I
> want to keep it simple.
>
>> p.s. Do you live in the foothills of Hillsbrad? :)
>
> I'm guessing that is somewhere in WoW? I don't play the game, but
> I've been told that my name is the same as some place in it. I must
> have made a great impression on the creators of that game. :)
>
> Thanks again,
> Tauren
>
>
> On Tue, Sep 1, 2009 at 10:47 AM, Andy Tripp<[email protected]> wrote:
>> I'm doing the same thing. In my case, the current system keeps
>> username/password in some database table, and the new system will keep
>> it in an LDAP directory. For now, I have my own subclass of JdbcRealm
>> which queries the existing database. Then I'll have a "transition
>> script" - a shell script which grabs the existing username/password from
>> the DB and puts it into the LDAP directory. And then I'll replace my
>> subclass of JdbcRealm with some subclass of LDAPRealm.
>>
>> I hope that answers your question, if not, ask something more specific.
>>
>> Andy
>> p.s. Do you live in the foothills of Hillsbrad? :)
>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Tauren Mills
>>> Sent: Tuesday, September 01, 2009 1:23 PM
>>> To: [email protected]
>>> Subject: Transferring passwords from old system
>>>
>>> I'm going to have to import a bunch of users from an old system into a
>>> new system based on Shiro. These passwords are encrypted in a Base64
>>> encoded SHA hash. My hope is that these existing users can start
>>> using the new system by logging in using the same username/password
>>> they used before. Before I get started, I was wondering if anyone has
>>> any pointers or ideas on a good way to go about doing this?
>>>
>>> Thanks!
>>> Tauren
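As an added illustration of the approach settled on above (example code, not from the thread or from Shiro): a Shiro CredentialsMatcher that does the legacy fallback and the hash upgrade inside Shiro's own authentication, so the second login() call the pseudo code worries about is no longer needed. The `PasswordStore` hook and the assumption that the old "Base64 encoded SHA hash" is unsalted SHA-1 are mine.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.crypto.hash.Sha1Hash;
import org.apache.shiro.crypto.hash.Sha256Hash;

/**
 * Accepts the new SHA-256 hex hash first and, during the grace period, falls back to the
 * legacy Base64 SHA hash, rewriting it in place on a match; no second login() is needed.
 */
public class MigratingCredentialsMatcher implements CredentialsMatcher {
    /** Hypothetical persistence hook standing in for the thread's DAO. */
    public interface PasswordStore {
        void updatePassword(String username, String newSha256Hex);
    }
    private final PasswordStore store;
    public MigratingCredentialsMatcher(PasswordStore store) {
        this.store = store;
    }

    @Override
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        String username = String.valueOf(token.getPrincipal());
        // UsernamePasswordToken carries the submitted password as char[].
        String password = String.valueOf((char[]) token.getCredentials());
        // JdbcRealm loads the stored hash as char[]; other realms may hand over a String.
        Object cred = info.getCredentials();
        String stored = cred instanceof char[] ? new String((char[]) cred) : String.valueOf(cred);
        // 1. Current scheme, as in the thread: unsalted SHA-256, hex encoded.
        String sha256Hex = new Sha256Hash(password).toHex();
        if (equalsConstantTime(sha256Hex, stored)) {
            return true;
        }
        // 2. Legacy scheme: Base64-encoded SHA. The thread does not name the
        //    variant; unsalted SHA-1 is assumed here.
        if (equalsConstantTime(new Sha1Hash(password).toBase64(), stored)) {
            store.updatePassword(username, sha256Hex); // upgrade, so this path runs once per user
            return true;
        }
        return false;
    }

    /** Constant-time comparison so the check does not leak timing information. */
    private static boolean equalsConstantTime(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Install it with `setCredentialsMatcher(...)` on the AuthenticatingRealm that loads the stored hash; when the grace period ends, the legacy branch is the only thing to delete.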
