Hi,

I hope this is a very straightforward question to answer.  I am using the
following code to create and store my users' passwords:


            ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
            SimpleHash hashedSaltedPassword = new SimpleHash("SHA-256", password, salt);

            Properties props = new Properties();
            mRealm.addAccount(mUsername, hashedSaltedPassword.toString(), "user");
            props.setProperty("user."+username, hashedSaltedPassword+","+salt+","+roles);
            //write out the properties file....

I am then using a subclass of PropertyRealm to read these
username/password/salt/roles lines in using the following code:

            String[] passwordSaltAndRolesArray = StringUtils.split(value);

            final String hashedSaltedPassword = passwordSaltAndRolesArray[0];
            final String salt = passwordSaltAndRolesArray[1];
            final ByteSource saltSrc = new SimpleByteSource(salt.getBytes());

            add(new SimpleAccount(username, hashedSaltedPassword, saltSrc, getName()));

My Realm has a HashCredentialsMatcher("SHA-256") injected into it, but I
cannot authenticate any users. What am I doing wrong here?
In the realm, should I just use a SimpleCredentialsMatcher and create
Sha256Hash instances for the credentials for it to match? However, my
understanding is that the Sha256CredentialsMatcher will encode and add the
user's salt to any offered up UsernamePasswordToken?
Is part of my problem that I'm not storing the salted hashed passwords or
salts as base64/hex?

Many thanks,

-James
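
The store-and-read-back round trip from the message above, reduced to JDK classes, as an added example that is not part of the original post and is not Shiro's code. It assumes the salt lands in the properties value as Base64 text, the hash as hex, and a single SHA-256 pass with the salt fed before the password; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class SaltRoundTrip {
    // Assumed scheme: one SHA-256 pass, salt fed to the digest before the password, hex output.
    static String sha256Hex(byte[] salt, String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Compare two hex strings without short-circuiting on the first differing byte.
    static boolean sameHash(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.US_ASCII),
                                     b.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        String password = "example-password";   // constructed sample value
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Write side: "hash,salt,roles" with the salt rendered as Base64 text (assumption).
        String value = sha256Hex(salt, password) + ","
                + Base64.getEncoder().encodeToString(salt) + ",user";

        // Read side: split the stored value back into its fields.
        String[] fields = value.split(",");
        String storedHash = fields[0];
        byte[] saltViaGetBytes = fields[1].getBytes(StandardCharsets.UTF_8); // bytes of the text
        byte[] saltDecoded = Base64.getDecoder().decode(fields[1]);          // original salt bytes

        System.out.println("original salt length:   " + salt.length);
        System.out.println("getBytes() salt length: " + saltViaGetBytes.length);
        System.out.println("decoded salt length:    " + saltDecoded.length);
        System.out.println("match using getBytes(): "
                + sameHash(storedHash, sha256Hex(saltViaGetBytes, password)));
        System.out.println("match using decode():   "
                + sameHash(storedHash, sha256Hex(saltDecoded, password)));
    }
}
```

Hashing with the text bytes of the encoded salt gives a different digest than hashing with the decoded salt, so only the decoded form reproduces the stored hash.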





