shiro-dev mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject Re: Password hashing - getting the salt from AuthenticationInfo
Date Thu, 21 Oct 2010 23:23:07 GMT
Not sure what is going on w/ the rememberme cookie, but as to your
hashing/base64 question, that should be covered in the realm page
(http://shiro.apache.org/realm.html).  If it's cached, you'll need to
hit refresh.

Anyway, here's how to enable that (in INI at least):

# base64 encoding, not hex in this example:
credentialsMatcher.storedCredentialsHexEncoded = false

This boolean flag is only evaluated if the credentials returned from
the AuthenticationInfo are a char[] or String.  Otherwise, it is
assumed to be 'byte source compatible' already. (aside:  I'm thinking
we should make base64 the assumed default - pretty much most of the
rest of the framework assumes that already).

Since AuthenticationInfo already returns a ByteSource for the salt,
there shouldn't be any problems there *unless* you base64-encoded your
salt before storing it in the database.  If so, you need to base64
decode it before wrapping it in a SimpleByteSource (if you put the
base64-encoded string directly in SimpleByteSource, this will only get
the string's bytes - not the original salt bytes).

Perhaps that is what was causing you problems?

The realm page will have more useful info.  If you feel
anything relevant is missing regarding salting/hashing, please let me
know and I'll be happy to update it.

Cheers,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
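The configuration and salt handling described in the message above, as an added example that is not part of the original thread or of the Shiro project's own code. It assumes the Shiro 1.1-era API (HashedCredentialsMatcher, SimpleAuthenticationInfo, SimpleByteSource, Sha256Hash, SecureRandomNumberGenerator and org.apache.shiro.codec.Base64), an in-memory user table constructed for the example in place of a database, and hypothetical method names enroll, lookupDecoded and lookupUndecoded; the realm name "example" is also made up. The matcher is set up in code exactly as the INI line `credentialsMatcher.storedCredentialsHexEncoded = false` would set it up, and the two lookup methods show the difference between base64-decoding the stored salt before wrapping it in a SimpleByteSource and wrapping the base64 string itself.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.SimpleByteSource;

import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Shiro project code): the stored password hash and the
 * stored salt are both base64 strings, and the salt must be base64-decoded
 * back to its original bytes before it is handed to the matcher.
 */
public class Base64SaltExample {

    private static final int ITERATIONS = 1024;

    // Stand-in for a user table: username -> {base64 hash, base64 salt}.
    // Constructed in memory for the example; a real realm would query a DB.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();

    // Same settings as the INI line in the message:
    //   credentialsMatcher.storedCredentialsHexEncoded = false
    static HashedCredentialsMatcher matcher() {
        HashedCredentialsMatcher m = new HashedCredentialsMatcher();
        m.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
        m.setHashIterations(ITERATIONS);
        m.setStoredCredentialsHexEncoded(false); // stored hash is base64, not hex
        return m;
    }

    // Enrollment (hypothetical helper): random salt, hash computed over the
    // raw salt bytes, hash and salt both stored base64-encoded.
    static void enroll(String username, String password) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashB64 = new Sha256Hash(password, salt, ITERATIONS).toBase64();
        String saltB64 = Base64.encodeToString(salt.getBytes());
        USERS.put(username, new String[] {hashB64, saltB64});
    }

    // Correct lookup: decode the stored salt to its original bytes, then wrap.
    // The hash stays a String; the matcher base64-decodes it itself because
    // storedCredentialsHexEncoded is false.
    static AuthenticationInfo lookupDecoded(String username) {
        String[] row = USERS.get(username);
        byte[] saltBytes = Base64.decode(row[1]);
        return new SimpleAuthenticationInfo(username, row[0],
                new SimpleByteSource(saltBytes), "example");
    }

    // Wrong lookup: wraps the base64 *string*, so the matcher hashes the
    // submitted password with the string's bytes, not the original salt bytes,
    // and a correct password does not match.
    static AuthenticationInfo lookupUndecoded(String username) {
        String[] row = USERS.get(username);
        return new SimpleAuthenticationInfo(username, row[0],
                new SimpleByteSource(row[1]), "example");
    }

    static boolean matches(String username, String password, AuthenticationInfo info) {
        return matcher().doCredentialsMatch(new UsernamePasswordToken(username, password), info);
    }

    public static void main(String[] args) {
        enroll("alice", "correct horse battery staple");
        System.out.println("decoded salt, right password:   "
                + matches("alice", "correct horse battery staple", lookupDecoded("alice")));
        System.out.println("decoded salt, wrong password:   "
                + matches("alice", "Tr0ub4dor&3", lookupDecoded("alice")));
        System.out.println("undecoded salt, right password: "
                + matches("alice", "correct horse battery staple", lookupUndecoded("alice")));
    }
}
```

Only the first of the three checks should succeed: the second fails because the password is wrong, and the third fails even though the password is right, which is the failure mode the message describes when a base64-encoded salt is wrapped directly in a SimpleByteSource. The same rule applies on the enrollment side: the hash must be computed over the raw salt bytes, so that the bytes the realm later hands to the matcher are the ones that actually went into the hash.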
