Hi Les,

Thank you for taking the time to help me.

I'll drop the ALTER statements. I use them for redeployments automatically but you're right, they're no good in this project.

Now, regarding the hashing, I've done it before. I even cloned your trunk and built the hasher-cli.jar myself. But authentication wasn't working as well, so I went back to cleartext passwords. I got confused with 'salt' and the number of iterations as something I may have to pass in shiro.ini to the passwordMatcher (HashedCredentialsMatcher). Or is it the initial part of the value stored in the database?

Isn't PasswordMatcher different from HashedCredentialsMatcher? I have it in my shiro.ini but it's commented.

Cheers,
PP

On 18/05/12 18:10, Les Hazlewood wrote:
> I just forked the project and tried to set up the DB - the pop_db.sql
> script was failing for me because of the alter statements at the top
> (there was nothing to alter since it was my first time creating the
> DB).
>
> Then I looked further down the script and noticed that you were
> populating the user table with raw (plaintext) password values for the
> password column. This is probably why your logins always fail:
>
> Because you've configured a PasswordService and PasswordMatcher, Shiro
> expects the passwords returned from the database to be in a recognized
> hash format. Because the column values are plaintext, the credentials
> comparison under the current configuration will always fail.
>
> You can use the Shiro command-line Hasher [1] to hash your test
> passwords. Take the output from that command and use that as your
> password column value.
>
> I know this is just a test/sample web app, but in the interest of
> clarity for others that might read this in the future, I should
> stress, very strongly, to never ever ever store plaintext passwords in
> your data store. Ever. :)
>
> [1] http://shiro.apache.org/command-line-hasher.html
>
> HTH,
>
> --
> Les Hazlewood
> CTO, Stormpath | http://stormpath.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> blog: http://leshazlewood.com
> stormpath blog: http://www.stormpath.com/blog
>
> On Fri, May 18, 2012 at 10:02 AM, Jared Bunting
> <[email protected]> wrote:
>> Since those are trace messages from beanutils, and you explicitly set
>> org.apache to warn in log4j.properties, I'm still thinking that your logging
>> configuration isn't getting picked up. You might try Googling for logging
>> in glassfish.
>>
>> On May 18, 2012 10:20 AM, "Paulo Pires" <[email protected]> wrote:
>>> Hi all,
>>>
>>> First of all, thanks to the project contributors for putting such an
>>> effort in this project.
>>>
>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>>> from Shiro samples code) to authenticate against a JDBC realm backed by
>>> MySQL. Every time I try to log in the page just reloads again and doesn't
>>> throw any kind of error.
>>>
>>> I've made the project source-code public, so that anyone can look at it,
>>> and eventually it may become the basis for a tutorial on this. You can
>>> check it at https://github.com/pires/simple-shiro-web-app
>>>
>>> I've tried to debug it, but somehow, my log4j configuration is not
>>> working properly. I can see a 'shiro.log' file being generated and with
>>> some output from commons.beanutils, but nothing about Shiro. I only get
>>> error messages in Glassfish 'server.log' when some property in
>>> 'shiro.ini' is wrongly configured.
>>>
>>> Any help will be highly appreciated.
>>>
>>> Thanks!
>>>
>>> --
>>> Paulo Pires
>>>

--
Paulo Pires
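
The following is an added example, not part of the thread and not Shiro's own code: a JDK-only model of a self-describing stored password value, showing why a plaintext column can never pass a format-aware comparison and where the salt and iteration count live. The `$shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 hash>` layout and the salt-then-rehash digest are assumptions modeled on Shiro's default format (compare with real Hasher output); the class and method names and the sample password are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

public class StoredHashDemo {
    // Salted, iterated digest: hash(salt || password), then re-hash the result.
    static byte[] digest(String alg, byte[] salt, char[] pw, int iterations) throws Exception {
        MessageDigest md = MessageDigest.getInstance(alg);
        md.update(salt);
        byte[] h = md.digest(new String(pw).getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) h = md.digest(h); // digest() resets md each time
        return h;
    }

    // Builds the column value; algorithm, iterations and salt travel with the hash.
    static String encode(String alg, int iterations, char[] pw) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // fresh random salt per password
        Base64.Encoder b64 = Base64.getEncoder();
        return "$shiro1$" + alg + "$" + iterations + "$" + b64.encodeToString(salt)
                + "$" + b64.encodeToString(digest(alg, salt, pw, iterations));
    }

    // Re-derives the hash from the parameters embedded in the stored value.
    static boolean matches(char[] submitted, String stored) throws Exception {
        String[] p = stored.split("\\$"); // ["", "shiro1", alg, iterations, salt, hash]
        if (p.length != 6 || !p[1].equals("shiro1")) return false; // unrecognized format
        try {
            int iterations = Integer.parseInt(p[3]);
            byte[] salt = Base64.getDecoder().decode(p[4]);
            byte[] expected = Base64.getDecoder().decode(p[5]);
            // Constant-time comparison of the stored and recomputed digests.
            return MessageDigest.isEqual(expected, digest(p[2], salt, submitted, iterations));
        } catch (IllegalArgumentException e) {
            return false; // malformed iteration count or base64 field
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample password and a reduced iteration count for a quick run.
        String stored = encode("SHA-256", 50000, "s3cret".toCharArray());
        System.out.println(stored);
        System.out.println(matches("s3cret".toCharArray(), stored));   // correct password
        System.out.println(matches("wrong".toCharArray(), stored));    // wrong password
        System.out.println(matches("s3cret".toCharArray(), "s3cret")); // plaintext column value
    }
}
```

Because every parameter needed for verification is carried in the stored string, a comparison of this kind needs no salt or iteration setting of its own at check time.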
