shiro-dev mailing list archives

From Les Hazlewood <>
Subject Password hashing - getting the salt from AuthenticationInfo
Date Wed, 20 Oct 2010 03:17:15 GMT
Hi folks,

I've committed a good bit of code to trunk that allows for safe
acquisition of a salt from AuthenticationInfo when hashing passwords.
I also created a nice little RandomNumberGenerator abstraction which
can be used for generating random (and secure) salts, initialization
vectors, or any other type of cryptographic seed data.  Shiro
end-users can use this in their own apps for user-account salt
creation.  This is _much_ better and safer than using any
account-related data (e.g. username or something else) as the salt.

Also, existing AuthenticationInfo implementations have been updated to
support this.

I've written a few test cases to verify that the new behavior works
and that I've retained backwards compatibility (although it is highly
recommended to use the new approach since user-submission-derived
salts are dangerous).  See the HashedCredentialsMatcherTest
'testSaltedAuthenticationInfo' test case to see a good/common example
of how the new salt support would work in a typical application.

Anyway, feedback is welcome.  If I don't hear anything, I'll resolve
the issue and consider it finished for 1.1 (issue: Here's the issue:


Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:

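The workflow described in the message (generate a random per-account salt with the RandomNumberGenerator abstraction, store it alongside the hash, hand it back through a SaltedAuthenticationInfo so HashedCredentialsMatcher can use it) as an added example. This is not code from the original message or from Shiro's own test suite; it assumes the public Shiro 1.1+ API names (SecureRandomNumberGenerator, SimpleAuthenticationInfo, HashedCredentialsMatcher, Sha256Hash, ByteSource), and the Account class, the realm name "exampleRealm" and the iteration count are constructed for the example.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.RandomNumberGenerator;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class SaltedPasswordExample {

    // Iteration count chosen for the example; a real deployment tunes this.
    private static final int ITERATIONS = 1024;

    // Hypothetical account record: the stored hash and the account's OWN random salt.
    // The salt is never derived from the username or any other user-submitted value.
    static final class Account {
        final String username;
        final String hashedPasswordBase64;
        final byte[] salt;

        Account(String username, String hashedPasswordBase64, byte[] salt) {
            this.username = username;
            this.hashedPasswordBase64 = hashedPasswordBase64;
            this.salt = salt;
        }
    }

    // Account creation: a fresh, cryptographically random salt per account.
    static Account createAccount(String username, char[] plaintextPassword) {
        RandomNumberGenerator rng = new SecureRandomNumberGenerator();
        ByteSource salt = rng.nextBytes(); // 16 random bytes by default
        String hashed = new Sha256Hash(plaintextPassword, salt, ITERATIONS).toBase64();
        return new Account(username, hashed, salt.getBytes());
    }

    // What a Realm's doGetAuthenticationInfo would return: SimpleAuthenticationInfo with
    // the stored salt, so the matcher gets it from the AuthenticationInfo rather than
    // from the submitted token.
    static AuthenticationInfo authenticationInfoFor(Account account) {
        return new SimpleAuthenticationInfo(
                account.username,
                account.hashedPasswordBase64,
                ByteSource.Util.bytes(account.salt),
                "exampleRealm");
    }

    // Matcher configured to mirror how the stored credentials were produced.
    static HashedCredentialsMatcher matcher() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(false); // we stored Base64 above
        return matcher;
    }

    static boolean login(Account account, String submittedPassword) {
        UsernamePasswordToken token = new UsernamePasswordToken(account.username, submittedPassword);
        return matcher().doCredentialsMatch(token, authenticationInfoFor(account));
    }

    public static void main(String[] args) {
        Account alice = createAccount("alice", "correct horse battery".toCharArray());
        Account alice2 = createAccount("alice", "correct horse battery".toCharArray());

        System.out.println("correct password accepted: " + login(alice, "correct horse battery"));
        System.out.println("wrong password accepted:   " + login(alice, "wrong password"));
        // Same username and password, different random salt -> different stored hash.
        System.out.println("hashes differ across accounts with same password: "
                + !alice.hashedPasswordBase64.equals(alice2.hashedPasswordBase64));
    }
}
```

The last check in main is the point of the change: because the salt comes from the account record rather than from the submitted username, two accounts with the same password do not share a hash, and nothing the client sends influences which salt is applied.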