Hi,

Someone had a problem upgrading from version 1.0.1 of the Grails plugin to 1.1.3 (see below). This is basically an upgrade from Shiro 1.0 to 1.1. Any idea what refactoring may have changed the behaviour of SimpleAccount with salted passwords? I ask because I may need to update the plugin and/or add a warning to the release notes.

Thanks,
Peter

---------- Forwarded message ----------
From: Goran Ehrsson <[email protected]>
Date: 9 February 2011 21:14
Subject: Re: [grails-user] Upgraded shiro plugin from 1.0.1 to 1.1.3 -> login failed - salt issue
To: [email protected]

I did not change the encryption algorithm, I have used Sha512 all the time. Both with shiro 1.0.1 plugin and now with 1.1.3.

    credentialMatcher(org.apache.shiro.authc.credential.Sha512CredentialsMatcher) {
        storedCredentialsHexEncoded = true
        hashSalted = true
        hashIterations = n
    }

/Göran

Scott Ryan wrote 2011-02-09 22:02:
>
> They changed the encryption algorithm between versions. Did you rehash all
> your passwords?
>
> Scott Ryan
> On Feb 9, 2011, at 1:07 PM, Goran Ehrsson wrote:
>
>> Hi,
>>
>> I upgraded my shiro plugin from 1.0.1 to 1.1.3 today.
>> I changed package names for SavedRequest and WebUtils as documented in
>> http://grails.org/Shiro+Release+Notes
>> Started the application and tried to log in... Invalid password!
>> I reverted back to 1.0.1 and could log in successfully again.
>> So I started to investigate (AuthController, Realm, Filters,
>> resources.groovy, etc.) but could not find any unusual differences.
>> Then just by chance I changed the constructor for SimpleAccount in my
>> DbRealm to include the salt since my password was salted. And voila! I could
>> log in.
>>
>> I'm happy but confused...
>>
>> My working 1.0.1 ShiroDbRealm.groovy:
>>
>>     def account = new SimpleAccount(username, user.passwordHash, "ShiroDbRealm")
>>
>> My working 1.1.3 ShiroDbRealm.groovy:
>>
>>     def account = new SimpleAccount(username, user.passwordHash,
>>         new org.apache.shiro.util.SimpleByteSource(salt.bytes), "ShiroDbRealm")
>>     if (!credentialMatcher.doCredentialsMatch(authToken, account)) {
>>         throw new IncorrectCredentialsException("Invalid password for user '${username}'")
>>     }
>>
>> What has changed that caused this? I'm curious.
>>
>> /Göran Ehrsson

--
Peter Ledbrook
Grails Advocate
SpringSource - A Division of VMware
