Thanks Les,

I've implemented the new PasswordService and that works perfectly.

(NOTE: If anybody else finds they are getting a persistence error when they
try to write the encrypted password to their db, make sure your password
field accepts enough characters!)

However, for some reason I'm still having problems with PasswordMatcher!

This is my shiro.ini file:



[main]
# JDBC Database connection used for authentication
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = SELECT password FROM users WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role_name FROM user_roles WHERE username = ?
jdbcRealm.permissionsQuery = SELECT role_permission FROM roles_permissions WHERE role_name = ?

ds = com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource
ds.url=jdbc:mysql://***********
ds.user = **********
ds.password = **********
jdbcRealm.dataSource=$ds

# Using default form based security filter
authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /login.jsf

# redirect to an access denied page if user does not have access rights
roles.unauthorizedUrl = /accessDenied.jsf

# PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
jdbcRealm.credentialsMatcher = $passwordMatcher

[urls]
/admin/** = authc
/login.jsf = ssl[8181],authc



Just for the sake of completeness, this is the login bean that I'm using with
the jsf page:



    public void login() {

        if (!SecurityUtils.getSubject().isAuthenticated()) {
            try {
                UsernamePasswordToken userToken = new UsernamePasswordToken(name, password);
                userToken.setRememberMe(rememberMe);
                SecurityUtils.getSubject().login(userToken);
            } catch (AuthenticationException ae) {
                // TODO
            } catch (Exception ex) {
                // TODO
            }
        }
    }



There is a statement in the link you sent me that says:
"Ensure the AuthenticationInfo instance supplied by your Realm returns the
encrypted password string from its getCredentials() implementation."

I'm only storing the encrypted password, so wouldn't it return the encrypted
string by default?

Thanks



--
View this message in context: 
http://shiro-user.582556.n2.nabble.com/Reading-salted-password-with-SaltedAuthenticationInfo-tp7456785p7459095.html
Sent from the Shiro User mailing list archive at Nabble.com.
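
Added example (not part of the original message and not Shiro's own code): a stand-alone check of the hash-then-match path that the shiro.ini above wires up. It prints the length of the string DefaultPasswordService produces, for comparison against the password column width, and runs PasswordMatcher against an AuthenticationInfo whose getCredentials() returns that string. The class name, user name, passwords and realm name are constructed sample values, and shiro-core is assumed to be on the classpath.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;

// Hypothetical class name; constructed sample values throughout.
public class PasswordMatcherCheck {

    // Mirrors what a realm hands to the matcher: the stored string becomes
    // the value returned by AuthenticationInfo.getCredentials().
    static boolean matches(PasswordMatcher matcher, String stored, String submitted) {
        AuthenticationInfo info =
                new SimpleAuthenticationInfo("sampleUser", stored, "jdbcRealm");
        UsernamePasswordToken token =
                new UsernamePasswordToken("sampleUser", submitted);
        return matcher.doCredentialsMatch(token, info);
    }

    public static void main(String[] args) {
        DefaultPasswordService passwordService = new DefaultPasswordService();

        // Registration side: this is the value written to users.password.
        // It is a self-describing string (algorithm, iterations, salt, digest),
        // so it is much longer than a bare hex digest.
        String stored = passwordService.encryptPassword("constructed-sample-password");
        System.out.println("stored value : " + stored);
        System.out.println("stored length: " + stored.length()
                + " (the password column must hold at least this many characters)");

        // Login side: same wiring as passwordMatcher.passwordService in shiro.ini.
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);

        System.out.println("correct password matches: "
                + matches(matcher, stored, "constructed-sample-password"));
        System.out.println("wrong password matches  : "
                + matches(matcher, stored, "constructed-wrong-password"));

        // The value read back from the database has to be character-for-character
        // identical to 'stored'; a quick equality check after a round trip through
        // the users table shows whether the column altered it.
    }
}
```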
