shiro-dev mailing list archives

From "martin.pring" <mar...@martinpring.com>
Subject Password doesn't match hashed and encrypted password
Date Sun, 20 Sep 2015 19:49:30 GMT
Hi!

I am trying to write a simple yet secure login for a web portal, but I'm stuck
because I can't get Shiro to match the password stored in the database with the
password posted in the login form.

I store the user with the following code

private void saveUser(final User user, final String password) {

      final DefaultHashService hashService = new DefaultHashService();
      hashService.setHashIterations(500000);
      hashService.setHashAlgorithmName("SHA-256");
      // The generated public salt is embedded in the stored hash string
      hashService.setGeneratePublicSalt(true);
      // The private salt is NOT stored with the hash; the matcher must use the same bytes
      hashService.setPrivateSalt(new SimpleByteSource("base64EncodedString"));

      final DefaultPasswordService passwordService = new DefaultPasswordService();
      passwordService.setHashService(hashService);

      final String encryptedPassword = passwordService.encryptPassword(password);

      // Save password to user and store user in database
}

Then when I try to log in, this is my custom JdbcRealm:

@Override
protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken token)
        throws AuthenticationException {

    final UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    final String username = upToken.getUsername();

    Connection conn = null;
    PreparedStatement statement = null;
    ResultSet resultSet = null;
    try {
        conn = dataSource.getConnection();
        statement = conn.prepareStatement(authenticationQuery);
        statement.setString(1, username);
        resultSet = statement.executeQuery();

        // Move to the first row; getString() before next() throws SQLException
        if (!resultSet.next()) {
            return null; // no such account; Shiro reports UnknownAccountException
        }
        // The stored credential is the full string returned by encryptPassword()
        final String encryptedPassword = resultSet.getString(1);

        final SimpleAuthenticationInfo info =
                new SimpleAuthenticationInfo(username, encryptedPassword, getName());

        return info;
    } catch (final SQLException e) {
        throw new AuthenticationException("SQL error! : ", e);
    } finally {
        // Close Connection, PreparedStatement and ResultSet
    }
}

This is the part of shiro.ini that has to do with the passwordMatcher, hashService
and passwordService:

hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 500000
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
# privateSalt needs to be base64-encoded in shiro.ini but not in the Java code
hashService.privateSalt = base64EncodedSalt  (the same string as in the code above)

passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher.passwordService = $passwordService

jdbcRealm = se.motoronline.login.server.realm.LoginJdbcRealm
jdbcRealm.authenticationQuery = SELECT password FROM Users WHERE username = ?
jdbcRealm.credentialsMatcher = $passwordMatcher

What am I doing wrong? The thing is, if I comment out
hashService.generatePublicSalt and hashService.privateSalt in shiro.ini,
everything works as it should and login succeeds, so it has to be something
with the salts? Please explain what I'm doing wrong.



--
View this message in context: http://shiro-developer.582600.n2.nabble.com/Password-doesn-t-match-hashed-and-encrypted-password-tp7578768.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
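A self-contained check of the property the post depends on, added here as an example and not taken from the original post or from the Shiro project: DefaultPasswordService stores the public salt inside the credential string but never the private salt, so a credential hashed on the registration side verifies only if the login-side HashService is given byte-for-byte the same private salt. The code hashes a password with the private salt taken as the raw characters of a string (what new SimpleByteSource("...") does) and then verifies it twice, once with identical bytes and once with the same string base64-decoded first. The salt value and the class name are constructed for this example; it assumes Shiro 1.x on the classpath.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.SimpleByteSource;

/**
 * Added example (not from the original post): round-trip check that a password
 * hashed by one DefaultPasswordService verifies under a second instance only
 * when both were built from the same private-salt bytes.
 */
public class PrivateSaltRoundTripCheck {

    // Constructed sample value: base64 of 16 arbitrary bytes (hypothetical, not a real secret).
    private static final String SALT_BASE64 = "AAECAwQFBgcICQoLDA0ODw==";

    // Builds a password service configured the same way as the post's saveUser().
    static DefaultPasswordService passwordService(ByteSource privateSalt) {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashIterations(500000);
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setGeneratePublicSalt(true); // public salt travels inside the stored string
        hashService.setPrivateSalt(privateSalt); // private salt does not; both sides must agree
        DefaultPasswordService ps = new DefaultPasswordService();
        ps.setHashService(hashService);
        return ps;
    }

    // Registration side: produces the "$shiro1$..." credential string to store.
    static String storeCredential(ByteSource privateSalt, String plaintext) {
        return passwordService(privateSalt).encryptPassword(plaintext);
    }

    // Login side: verifies a submitted password against the stored credential.
    static boolean verify(ByteSource privateSalt, String plaintext, String stored) {
        return passwordService(privateSalt).passwordsMatch(plaintext, stored);
    }

    public static void main(String[] args) {
        String plaintext = "correct horse battery staple"; // constructed sample input

        // Variant A: the characters of the salt string used directly as bytes.
        ByteSource rawChars = new SimpleByteSource(SALT_BASE64);
        // Variant B: the salt string base64-decoded to its underlying bytes.
        ByteSource decoded = ByteSource.Util.bytes(Base64.decode(SALT_BASE64));

        String stored = storeCredential(rawChars, plaintext);
        System.out.println("stored credential: " + stored);

        // Same bytes on both sides: the match succeeds.
        System.out.println("same private-salt bytes      -> "
                + verify(rawChars, plaintext, stored));
        // Different bytes derived from the "same" configured string: the match fails
        // silently, which is exactly the symptom of a mismatched salt configuration.
        System.out.println("different private-salt bytes -> "
                + verify(decoded, plaintext, stored));
    }
}
```

Run it as a plain main class against the Shiro jars; the first verification reports a match and the second does not, with no exception in either case. Two practical consequences follow: when hashing and matching are configured in different places (Java code versus shiro.ini), feed both from one source of truth for the salt bytes, and treat the private salt as part of the credential store's schema, because changing it invalidates every stored hash at once.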
