From "martin.pring" <>
Subject Password doesn't match hashed and encrypted password
Date Sun, 20 Sep 2015 19:49:30 GMT

I'm trying to write a simple but secure login for a web portal, but I'm stuck
because I can't get Shiro to match the password stored in the database with the
password posted in the login form.

I store the user with the following code:

private void saveUser(final User user, final String password) {

    final DefaultHashService hashService = new DefaultHashService();
    // hashService configuration (private salt etc.) is not shown in the original message

    final DefaultPasswordService passwordService = new DefaultPasswordService();
    passwordService.setHashService(hashService);

    final String encryptedPassword = passwordService.encryptPassword(password);

    // Save password to user and store user in database
}

Then when I try to log in, this is my custom JdbcRealm:

protected AuthenticationInfo doGetAuthenticationInfo(final
AuthenticationToken token) throws AuthenticationException {

    final UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    final String username = upToken.getUsername();

    Connection conn = null;
    PreparedStatement statement = null;
    ResultSet resultSet = null;
    try {
        conn = dataSource.getConnection();
        statement = conn.prepareStatement(authenticationQuery);
        statement.setString(1, username);
        resultSet = statement.executeQuery();

        // The cursor must be advanced before reading a column
        if (!resultSet.next()) {
            throw new UnknownAccountException("No account found for user [" + username + "]");
        }
        final String encryptedPassword = resultSet.getString(1);

        final SimpleAuthenticationInfo info = new
SimpleAuthenticationInfo(username, encryptedPassword, getName());

        return info;
    } catch (final SQLException e) {
        throw new AuthenticationException("SQL error! : ", e);
    } finally {
        // Close Connection, PreparedStatement and ResultSet
        JdbcUtils.closeResultSet(resultSet);
        JdbcUtils.closeStatement(statement);
        JdbcUtils.closeConnection(conn);
    }
}

This is the part of shiro.ini that has to do with the passwordMatcher,
hashService and passwordService:

hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 500000
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
# privateSalt needs to be base64-encoded in shiro.ini but not in the Java
# (the same string as in the code)
hashService.privateSalt = base64EncodedSalt

passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher.passwordService = $passwordService

jdbcRealm = se.motoronline.login.server.realm.LoginJdbcRealm
jdbcRealm.authenticationQuery = SELECT password FROM Users WHERE username =
jdbcRealm.credentialsMatcher = $passwordMatcher

What am I doing wrong? The thing is, if I comment out
hashService.generatePublicSalt and hashService.privateSalt in shiro.ini,
everything works as it should and login succeeds, so it has to be something
with the salts? Please explain what I'm doing wrong.
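Added example (not part of the post above, and not code from the Shiro project): a stand-alone Java program that builds the same DefaultHashService/DefaultPasswordService pair twice, once for the registration side and once for the login side, and checks a password against the stored `$shiro1$...` string. It assumes shiro-core 1.x on the classpath; the salt values are constructed placeholders. The point it isolates is that `passwordsMatch` reads the algorithm, iteration count and public salt back out of the stored string, but takes the private salt only from the hash service it is given, so a private salt that differs between the code that stored the password and the shiro.ini that verifies it is the one mismatch the stored string cannot reveal.

```java
import java.nio.charset.StandardCharsets;

import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.util.ByteSource;

public class SaltConsistencyDemo {

    // Constructed placeholder. A real deployment generates a random private salt
    // once, keeps it out of the database, and uses the identical bytes on both sides.
    private static final byte[] PRIVATE_SALT =
            "PLACEHOLDER-PRIVATE-SALT".getBytes(StandardCharsets.UTF_8);

    // A second, deliberately different placeholder to show the failure mode.
    private static final byte[] OTHER_PRIVATE_SALT =
            "PLACEHOLDER-PRIVATE-SALT-2".getBytes(StandardCharsets.UTF_8);

    // Mirrors the shiro.ini settings from the post: SHA-256, 500000 iterations,
    // a random public salt per password, and a configured private salt.
    static DefaultPasswordService newPasswordService(byte[] privateSalt) {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setHashIterations(500000);
        hashService.setGeneratePublicSalt(true);
        hashService.setPrivateSalt(ByteSource.Util.bytes(privateSalt));

        DefaultPasswordService passwordService = new DefaultPasswordService();
        passwordService.setHashService(hashService);
        return passwordService;
    }

    // Registration side: what saveUser() would write to the Users table.
    static String storePassword(String plaintext, byte[] privateSalt) {
        return newPasswordService(privateSalt).encryptPassword(plaintext);
    }

    // Login side: what PasswordMatcher does with the value the realm loaded.
    static boolean verifyPassword(String submitted, String stored, byte[] privateSalt) {
        return newPasswordService(privateSalt).passwordsMatch(submitted, stored);
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple";

        String stored = storePassword(password, PRIVATE_SALT);
        // The stored value carries algorithm, iterations and the public salt,
        // e.g. $shiro1$SHA-256$500000$<base64 public salt>$<base64 digest>,
        // but never the private salt.
        System.out.println("stored: " + stored);

        // Same private salt on both sides: the configuration shiro.ini must reproduce.
        System.out.println("same private salt      -> "
                + verifyPassword(password, stored, PRIVATE_SALT));

        // Private salt that differs from the one used at registration.
        System.out.println("different private salt -> "
                + verifyPassword(password, stored, OTHER_PRIVATE_SALT));

        // Wrong password with the correct private salt, for comparison.
        System.out.println("wrong password         -> "
                + verifyPassword("not the password", stored, PRIVATE_SALT));
    }
}
```

Running it shows the first check succeeding and the other two failing, which is the same symptom the post describes when the salts are enabled. When diagnosing, compare the raw private-salt bytes that `DefaultHashService.getPrivateSalt().getBytes()` returns in the registration code and in the realm's configured hash service; if the two byte arrays differ, for example because one side was given a base64 string and the other its decoded bytes, every login will fail even though the stored string parses correctly.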
