I have a custom JDBC realm that is used to retrieve the user’s salt,
password, hash algorithm name and number of hash iterations from the
database, which are all stored as separate columns.
I have this working correctly with the HashedCredentialsMatcher, but I would
like to now use the PasswordMatcher instead. The problem is that when using the
PasswordMatcher, the passwords no longer match. Having stepped through the
code a few times, I think the problem is that the salt isn’t being used to hash
the password entered by the user, but I’m not 100% sure.
The following code uses the HashedCredentialsMatcher and works correctly.
    // imports the fragment relies on
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
    import org.apache.shiro.util.SimpleByteSource;

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        ...
        // The stored hash is the credential; the per-user salt is attached separately
        // so HashedCredentialsMatcher can feed it into its own hash of the submitted password.
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(username,
                passwdSalt.password, getName());
        info.setCredentialsSalt(new SimpleByteSource(passwdSalt.salt));
        // Algorithm and iteration count come from the same row as the hash.
        HashedCredentialsMatcher hcm = new HashedCredentialsMatcher();
        hcm.setHashAlgorithmName(passwdSalt.hashAlgorithmName);
        hcm.setHashIterations(passwdSalt.hashIterations);
        // stored hash string is Base64-encoded, not hex
        hcm.setStoredCredentialsHexEncoded(false);
        setCredentialsMatcher(hcm);
        return info;
    }
The following code uses the PasswordMatcher and is what I intend to replace
the above code with; however, it doesn’t work.
    // imports the fragment relies on
    import org.apache.shiro.authc.AuthenticationException;
    import org.apache.shiro.authc.AuthenticationInfo;
    import org.apache.shiro.authc.AuthenticationToken;
    import org.apache.shiro.authc.SimpleAuthenticationInfo;
    import org.apache.shiro.authc.credential.DefaultPasswordService;
    import org.apache.shiro.authc.credential.PasswordMatcher;
    import org.apache.shiro.crypto.hash.DefaultHashService;
    import org.apache.shiro.util.SimpleByteSource;

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        ...
        // Same credential and salt as in the HashedCredentialsMatcher version.
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(username,
                passwdSalt.password, getName());
        info.setCredentialsSalt(new SimpleByteSource(passwdSalt.salt));
        // Hash service configured from the row, then wired into the password service
        // that the PasswordMatcher delegates to.
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName(passwdSalt.hashAlgorithmName);
        hashService.setHashIterations(passwdSalt.hashIterations);
        DefaultPasswordService passwordService = new DefaultPasswordService();
        passwordService.setHashService(hashService);
        PasswordMatcher passwordMatcher = new PasswordMatcher();
        passwordMatcher.setPasswordService(passwordService);
        setCredentialsMatcher(passwordMatcher);
        return info;
    }
I seem to recall reading somewhere that info.setCredentialsSalt is only used
with the HashedCredentialsMatcher, but I’m unsure if this is true and, if so,
what should be used as a replacement when using the PasswordMatcher.
Any help on this would be much appreciated.
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Migrating-from-HashedCredentialMatcher-to-PasswordMatcher-tp7577808.html
Sent from the Shiro User mailing list archive at Nabble.com.
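Added example (not part of the original post and not Shiro project code) showing one way to keep the four separate columns while switching to PasswordMatcher. PasswordMatcher does not consult the salt set with setCredentialsSalt; it hands info.getCredentials() to the PasswordService, and when that credential is a Hash object, DefaultPasswordService.passwordsMatch(Object, Hash) takes the salt, algorithm name and iteration count from the Hash itself. The example therefore reconstitutes a SimpleHash from the row and uses that as the credential. It assumes Shiro 1.2 or later, that the password and salt columns are Base64-encoded (which is what setStoredCredentialsHexEncoded(false) implies in the working version), and that no private salt is configured on the hash service; PasswdSalt, createRow, toStoredHash, buildInfo, matches and the realm name "jdbcRealm" are constructed for this example.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class SeparateColumnsPasswordMatcherExample {

    // Constructed stand-in for the four database columns described in the post
    // (hypothetical class; the real realm would read these over JDBC).
    static final class PasswdSalt {
        final String password;          // hash, Base64-encoded (setStoredCredentialsHexEncoded(false))
        final String salt;              // per-user salt, Base64-encoded
        final String hashAlgorithmName; // e.g. "SHA-256"
        final int hashIterations;

        PasswdSalt(String password, String salt, String hashAlgorithmName, int hashIterations) {
            this.password = password;
            this.salt = salt;
            this.hashAlgorithmName = hashAlgorithmName;
            this.hashIterations = hashIterations;
        }
    }

    // Produce a row the same way the working HashedCredentialsMatcher setup stores it:
    // SimpleHash(algorithm, plaintext, salt, iterations), with salt and hash Base64-encoded.
    static PasswdSalt createRow(String plaintext, String algorithm, int iterations) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16);
        SimpleHash hash = new SimpleHash(algorithm, plaintext, salt, iterations);
        return new PasswdSalt(hash.toBase64(), salt.toBase64(), algorithm, iterations);
    }

    // Reconstitute a Hash that carries its own salt, algorithm name and iteration count.
    // PasswordMatcher passes this object to HashingPasswordService.passwordsMatch(Object, Hash),
    // which takes all three values from the Hash rather than from credentialsSalt.
    static SimpleHash toStoredHash(PasswdSalt row) {
        SimpleHash stored = new SimpleHash(row.hashAlgorithmName);
        stored.setBytes(Base64.decode(row.password));
        stored.setSalt(ByteSource.Util.bytes(Base64.decode(row.salt)));
        stored.setIterations(row.hashIterations);
        return stored;
    }

    // What doGetAuthenticationInfo would return: the Hash object is the credential,
    // so no setCredentialsSalt call is needed.
    static AuthenticationInfo buildInfo(String username, PasswdSalt row) {
        return new SimpleAuthenticationInfo(username, toStoredHash(row), "jdbcRealm");
    }

    // DefaultPasswordService's own DefaultHashService is used; its configured algorithm and
    // iteration count are overridden per request by the values carried in the stored Hash.
    static boolean matches(PasswdSalt row, String username, String submittedPassword) {
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(new DefaultPasswordService());
        UsernamePasswordToken token = new UsernamePasswordToken(username, submittedPassword);
        return matcher.doCredentialsMatch(token, buildInfo(username, row));
    }

    public static void main(String[] args) {
        PasswdSalt row = createRow("correct horse battery staple", "SHA-256", 1024);
        System.out.println("correct password matches: "
                + matches(row, "alice", "correct horse battery staple"));
        System.out.println("wrong password matches:   "
                + matches(row, "alice", "not the password"));
    }
}
```

Because the Hash carries its own parameters, rows written with an older algorithm or iteration count keep verifying after the defaults change for new rows. If the stored hash is passed as a plain String instead, DefaultPasswordService first tries to parse it as a formatted string such as Shiro1CryptFormat and, when that fails, hashes the submitted password with the hash service's own configuration and compares the formatted result, so it never sees the separately stored salt.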