I have built my custom realm which gets the authentication and the
authorization from a NoSQL database, and storing plain passwords and
authenticating against them works fine.
I'm adding salts and hashed passwords and looked at other realms'
implementations, but I'm still having a failure.
For instance, my user object has a hashedPassword field and a salt field to
store the data, and I'm storing them using the Shiro classes as follows:
    // Set the username and the plain password to be hashed
    User user = new User("jdoe", "a$eCuRep@SsWd");
    user.hash();

    public void hash() {
        RandomNumberGenerator generator = new SecureRandomNumberGenerator();
        ByteSource nextBytes = generator.nextBytes();
        setPasswordSalt(nextBytes.toBase64());
        setPassword(new Sha512Hash(getPassword(), passwordSalt, 2048).toBase64());
    }
Now here's the part of my code that performs the authorization
    protected SaltedAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        String password = String.valueOf(upToken.getPassword());
        if (username == null)
            throw new AccountException("Null usernames are not allowed by this realm.");
        SaltedAuthenticationInfo info = null;
        try {
            User user = getUserData(username);
            String dbPassword = user.getPassword();   // retrieves the password from the db
            String dbSalt = user.getPasswordSalt();   // retrieves the salt from the db
            ByteSource salt = new Sha512Hash(dbSalt);
            if (password == null) {
                throw new UnknownAccountException("No account found for user [" + username + "]");
            }
            info = buildAuthenticationInfo(username, dbPassword.toCharArray(), salt);
        } catch (Exception e) {
            final String message = "There was a database error while authenticating user ["
                    + username + "]";
            if (log.isErrorEnabled())
                log.error(message, e);
            throw new AuthenticationException(message, e);
        }
        return info;
    }

    protected SaltedAuthenticationInfo buildAuthenticationInfo(String username,
            char[] password, ByteSource salt) {
        return new SimpleAuthenticationInfo(username, password, salt, getName());
    }
My Shiro configuration, loaded through web.xml, has the following
configuration:
    <filter>
        <filter-name>ShiroFilter</filter-name>
        <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
        <init-param>
            <param-name>config</param-name>
            <param-value>
                [main]
                customRealm = org.platform.shiro.CustomRealm
                credentialsMatcher = org.apache.shiro.authc.credential.Sha512CredentialsMatcher
                credentialsMatcher.storedCredentialsHexEncoded = false
                credentialsMatcher.hashIterations = 2048
                customRealm.credentialsMatcher = $credentialsMatcher
                authc.loginUrl = /login.html
                [urls]
                /services/** = rest
            </param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>ShiroFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
Can someone help me understand why this approach is failing? I debugged the code and it
turns out that the comparison of hashes is always failing. Any hints?
Cheers,
--fady
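The salt round trip described above, as an added stand-alone example that is not part of the original post or of Shiro itself: the matcher is configured like the [main] section (SHA-512, 2048 iterations, Base64-encoded stored hash), a password is hashed with a random salt at "registration", and the same login token is then checked twice, once with the stored salt string wrapped in Sha512Hash and once with it Base64-decoded back to the original bytes. The realm name "customRealm" and the SaltRoundTrip class are assumptions for the demo; the matcher only succeeds when the salt handed to SimpleAuthenticationInfo is byte-for-byte the salt used when the hash was created.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.util.ByteSource;

public class SaltRoundTrip {
    static final int ITERATIONS = 2048;

    // Matcher configured like the [main] section: SHA-512, 2048 rounds, Base64 stored hash.
    static HashedCredentialsMatcher matcher() {
        HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha512Hash.ALGORITHM_NAME);
        m.setHashIterations(ITERATIONS);
        m.setStoredCredentialsHexEncoded(false);
        return m;
    }

    // Realm side: what doGetAuthenticationInfo should return for a DB row.
    static AuthenticationInfo infoFor(String user, String dbHash, ByteSource salt) {
        return new SimpleAuthenticationInfo(user, dbHash, salt, "customRealm"); // realm name assumed
    }

    public static void main(String[] args) {
        // "Registration": hash with the raw salt bytes, persist hash and salt as Base64 strings.
        ByteSource saltBytes = new SecureRandomNumberGenerator().nextBytes();
        String dbSalt = saltBytes.toBase64();
        String dbHash = new Sha512Hash("a$eCuRep@SsWd", saltBytes, ITERATIONS).toBase64();

        UsernamePasswordToken login = new UsernamePasswordToken("jdoe", "a$eCuRep@SsWd");

        // Wrapping the stored salt string in Sha512Hash hashes it, so the matcher
        // salts the login password with SHA-512(dbSalt) instead of the original bytes.
        ByteSource hashedSalt = new Sha512Hash(dbSalt);
        boolean viaHashedSalt = matcher().doCredentialsMatch(login, infoFor("jdoe", dbHash, hashedSalt));

        // Decoding the Base64 text restores exactly the bytes used at registration.
        ByteSource decodedSalt = ByteSource.Util.bytes(Base64.decode(dbSalt));
        boolean viaDecodedSalt = matcher().doCredentialsMatch(login, infoFor("jdoe", dbHash, decodedSalt));

        System.out.println("salt wrapped in Sha512Hash -> match = " + viaHashedSalt);
        System.out.println("salt Base64-decoded        -> match = " + viaDecodedSalt);
    }
}
```

If the hash is instead created with the Base64 string as the salt (as in the post's hash() method, where passwordSalt is a String), the realm must pass the string's bytes, ByteSource.Util.bytes(dbSalt), rather than the decoded bytes; either way, the two sides must agree.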