P.S. the command line hasher will allow you to specify explicit salts as well, but the randomly generated approach used by default is usually the safest approach.
--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Wed, Jan 25, 2012 at 1:05 PM, Les Hazlewood <[email protected]> wrote:
> Hi Marseld,
>
> I'm glad you asked this question after Shiro 1.2 was released :)
>
> Shiro supports this now with its command line hasher:
> http://shiro.apache.org/command-line-hasher.html
>
> For example:
>
>> java -jar shiro-tools-hasher-1.2.0-cli.jar -p
>
> (the -p option prompts for passwords - remove this option to get full
> help/instructions).
>
> Password to hash: test
> Password to hash (confirm): test
> $shiro1$SHA-256$500000$EdGJa5z9XZflLd0m24Xf4g==$JiNltdb7oNOCygJpfAfeaNpvidnLPwMyEQS9ItmoQcs=
>
> Take this last line and put it in your shiro.ini [users] section:
>
> [users]
> testUser = $shiro1$SHA-256$500000$EdGJa5z9XZflLd0m24Xf4g==$JiNltdb7oNOCygJpfAfeaNpvidnLPwMyEQS9ItmoQcs=
>
> and also configure the implicit iniRealm in [main] to use the new
> PasswordMatcher:
>
> [main]
> ...
> passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
> iniRealm.credentialsMatcher = $passwordMatcher
> ...
>
> Shiro's default settings for the password matcher (and its
> corresponding PasswordService) uses what are currently very secure
> settings: SHA-256 hash, 500,000 hash iterations, and a randomly
> generated 16-byte salt
>
> Best,
>
> --
> Les Hazlewood
> CTO, Katasoft | http://www.katasoft.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> katasoft blog: http://www.katasoft.com/blogs/lhazlewood
> personal blog: http://leshazlewood.com
>
> On Wed, Jan 25, 2012 at 2:38 AM, Marseld Dedgjonaj
> <[email protected]> wrote:
>> Hello all,
>> I am very newbie in apache shiro and sorry if this is a simple question.
>>
>> How can I configure in shiro.ini file to use a hash algorithm for
>> passwords. I will need to use salt too, if it is possible.
>>
>> Best regards,
>> Marseld
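
Added example (not part of the original thread and not Shiro's own code): a Python check that parses the `$shiro1$algorithm$iterations$salt$digest` strings in a shiro.ini [users] section and flags plaintext entries or parameters weaker than the defaults quoted in the message. The thresholds, the accepted-algorithm list and the alice/bob entries are assumptions constructed for illustration.

```python
import base64

# Floor values mirror the defaults quoted in the message (SHA-256, 500,000
# iterations, 16-byte salt); using them as a minimum is this example's assumption.
MIN_ITERATIONS = 500_000
MIN_SALT_BYTES = 16
DIGEST_BYTES = {"SHA-256": 32, "SHA-384": 48, "SHA-512": 64}

def audit_credential(value):
    """Return a list of findings for one stored credential (empty list = OK)."""
    if not value.startswith("$shiro1$"):
        return ["not a $shiro1$ hash (plaintext or another format)"]
    parts = value.split("$")  # ['', 'shiro1', algorithm, iterations, salt, digest]
    try:
        _, _, algorithm, iterations, salt_b64, digest_b64 = parts
        rounds = int(iterations)
        salt = base64.b64decode(salt_b64, validate=True)
        digest = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # wrong field count, non-numeric iterations, bad base64
        return ["malformed $shiro1$ string"]
    findings = []
    if algorithm not in DIGEST_BYTES:
        findings.append(f"algorithm {algorithm} is not on the accepted list")
    elif len(digest) != DIGEST_BYTES[algorithm]:
        findings.append(f"digest is {len(digest)} bytes, expected {DIGEST_BYTES[algorithm]}")
    if rounds < MIN_ITERATIONS:
        findings.append(f"{rounds} iterations, below {MIN_ITERATIONS}")
    if len(salt) < MIN_SALT_BYTES:
        findings.append(f"salt is {len(salt)} bytes, below {MIN_SALT_BYTES}")
    return findings

def audit_users(ini_text):
    """Map each [users] entry that has problems to its findings."""
    report, section = {}, None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "users" and "=" in line and not line.startswith("#"):
            name, _, rest = line.partition("=")
            # [users] values are "password, role1, role2"; the hash has no commas
            findings = audit_credential(rest.split(",")[0].strip())
            if findings:
                report[name.strip()] = findings
    return report

# Constructed sample: testUser carries the hash from the message; alice and bob are invented.
PAGE_HASH = "$shiro1$SHA-256$500000$EdGJa5z9XZflLd0m24Xf4g==$JiNltdb7oNOCygJpfAfeaNpvidnLPwMyEQS9ItmoQcs="
SAMPLE_INI = f"[users]\ntestUser = {PAGE_HASH}\nalice = secret, admin\nbob = $shiro1$MD5$1000$AAAAAAAAAAA=$AAAAAAAAAAAAAAAAAAAAAA==, user\n"
```

Calling `audit_users(SAMPLE_INI)` reports alice (plaintext) and bob (weak algorithm, iteration count and salt) and leaves testUser out of the report.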
