I've successfully set up Shiro in a JSF2 web application with the following INI file:

# ==========================================
[main]
# Setup form based login URL.
authc.loginUrl = /index.xhtml

# Setup JDBC realm.
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm

# Configure JDBC realm datasource.
dataSource = org.h2.jdbcx.JdbcDataSource
dataSource.URL = jdbc:h2:~/********
dataSource.user = ********
dataSource.password = ********
jdbcRealm.dataSource = $dataSource

# Configure JDBC realm SQL queries (role is TBD).
jdbcRealm.authenticationQuery = SELECT password FROM User WHERE email = ?

[urls]
/index.xhtml = authc
/app/** = authc
# ==========================================

Now, I'd like to add SHA256 password salting (with hex encoding). For the user registration part, this is easily done using the Sha256Hash class. However, I can't for the life of me figure out how to configure the INI file accordingly to make use of that. I understand that I somehow have to use SaltedAuthenticationInfo instead of AuthenticationInfo, but it isn't clear how to change the "authc" reference in the INI file accordingly to be a SaltedAuthenticationInfo.

The following is as far as I could get (I added the sha256Matcher block and I edited the SQL query to select salt as well):

# ==========================================
[main]
# Setup form based login URL.
authc.loginUrl = /index.xhtml

# Setup JDBC realm.
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm

# Configure JDBC realm datasource.
dataSource = org.h2.jdbcx.JdbcDataSource
dataSource.URL = jdbc:h2:~/********
dataSource.user = ********
dataSource.password = ********
jdbcRealm.dataSource = $dataSource

# Configure JDBC realm password hashing.
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
sha256Matcher.hashIterations = 1024
jdbcRealm.credentialsMatcher = $sha256Matcher

# Configure JDBC realm SQL queries (role is TBD).
jdbcRealm.authenticationQuery = SELECT password, salt FROM User WHERE email = ?

[urls]
/index.xhtml = authc
/app/** = authc
# ==========================================

It keeps failing with IncorrectCredentialsException on programmatic login by Subject#login(). The documentation doesn't give any clues on that.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-configure-SHA256-password-salting-in-shiro-ini-tp7578145.html
Sent from the Shiro User mailing list archive at Nabble.com.
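
The following is an added example, not part of the original post and not code from the Shiro project. It reproduces the credentials comparison outside the web application, so the three inputs that must agree between registration and login (salt, iteration count, hex encoding) can be checked in isolation. It assumes Shiro 1.x `shiro-core` on the classpath and a salt stored as a hex string whose characters are fed to the hash as-is; the class name, e-mail address and password are constructed for illustration.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class SaltedSha256Check { // hypothetical class name
    static final int ITERATIONS = 1024; // same value as sha256Matcher.hashIterations

    // Matcher equivalent to the INI block: SHA-256, N iterations, hex-encoded stored hash.
    static HashedCredentialsMatcher matcher(int iterations) {
        HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        m.setHashIterations(iterations);
        m.setStoredCredentialsHexEncoded(true);
        return m;
    }

    public static void main(String[] args) {
        // Registration side (constructed sample values): random per-user salt,
        // both columns stored as hex strings.
        String password = "correct horse battery";
        String saltColumn = new SecureRandomNumberGenerator().nextBytes().toHex();
        String passwordColumn = new Sha256Hash(password, saltColumn, ITERATIONS).toHex();

        UsernamePasswordToken token = new UsernamePasswordToken("user@example.org", password);

        // Case 1: the realm returns hash AND salt (a SaltedAuthenticationInfo).
        AuthenticationInfo salted = new SimpleAuthenticationInfo(
                token.getPrincipal(), passwordColumn,
                ByteSource.Util.bytes(saltColumn), "jdbcRealm");

        // Case 2: the realm returns only the hash, so the matcher hashes
        // the submitted password without any salt.
        AuthenticationInfo unsalted = new SimpleAuthenticationInfo(
                token.getPrincipal(), passwordColumn, "jdbcRealm");

        System.out.println("salt supplied, iterations equal:  "
                + matcher(ITERATIONS).doCredentialsMatch(token, salted));
        System.out.println("salt missing:                     "
                + matcher(ITERATIONS).doCredentialsMatch(token, unsalted));
        // Case 3: salt supplied, but the matcher's iteration count differs
        // from the one used at registration.
        System.out.println("salt supplied, iterations differ: "
                + matcher(1).doCredentialsMatch(token, salted));
    }
}
```

A `false` from `doCredentialsMatch` is what surfaces as `IncorrectCredentialsException` during `Subject#login()`. `JdbcRealm` treats the second column of the authentication query as the salt only when its salt style is `JdbcRealm.SaltStyle.COLUMN` (`setSaltStyle`).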
