Reading salted password with SaltedAuthenticationInfo


Reading salted password with SaltedAuthenticationInfo

tarka
Hi Shiro Users,

I'm a newbie with Shiro so my apologies if this is a really basic question.  I have been reading through the documentation to try to get Shiro to read a salted password from a database. I've followed the reference at http://shiro.apache.org/realm.html however I'm confused with regards to the 'SaltedAuthenticationInfo'.

Do I need to create a custom realm class that extends JdbcRealm? Presumably if that's the case I would then need to edit my shiro.ini jdbcRealm to reference my custom realm:

from: jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
to: jdbcRealm = my.package.SaltedAuthenticationInfo

Any help would be very welcome.

Thanks in advance.

Re: Reading salted password with SaltedAuthenticationInfo

Les Hazlewood
Administrator
Hi Tarka,

This isn't really necessary anymore if you're using passwords.  You
can use Shiro 1.2's PasswordService:

http://shiro.apache.org/static/current/apidocs/org/apache/shiro/authc/credential/PasswordService.html
and
http://www.stormpath.com/blog/2012/03/12/whats-new-in-apache-shiro-12.html
(see the 'PasswordService' section)

HTH,

Les

On Wed, Apr 11, 2012 at 10:12 AM, tarka <[hidden email]> wrote:

> Hi Shiro Users,
>
> I'm a newbie with Shiro so my apologies if this is a really basic question.
> I have been reading through the documentation to try to get Shiro to read a
> salted password from a database. I've followed the reference at
> http://shiro.apache.org/realm.html however I'm confused with regards to the
> 'SaltedAuthenticationInfo'.
>
> Do I need to create a custom realm class that extends JdbcRealm? Presumably
> if that's the case I would then need to edit my shiro.ini jdbcRealm to
> reference my custom realm:
>
> from: jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
> to: jdbcRealm = my.package.SaltedAuthenticationInfo
>
> Any help would be very welcome.
>
> Thanks in advance.
>

Re: Reading salted password with SaltedAuthenticationInfo

tarka
Thanks Les,

I've implemented the new PasswordService and that works perfectly.

(NOTE: If anybody else finds they are getting a persistence error when they try to write the encrypted password to their db make sure your password field accepts enough characters!).

However for some reason I'm still having problems with PasswordMatcher!

This is my shiro.ini file:
[main]
# JDBC Database connection used for authentication
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = SELECT password FROM users WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role_name FROM user_roles WHERE username = ?
jdbcRealm.permissionsQuery = SELECT role_permission FROM roles_permissions WHERE role_name = ?

ds = com.mysql.jdbc.jdbc2.optional.MysqlConnectionPoolDataSource
ds.url=jdbc:mysql://***********
ds.user = **********
ds.password = **********
jdbcRealm.dataSource=$ds

# Using default form based security filter org.apache.shiro.web.filter.authc.FormAuthenticationFilter
authc.loginUrl = /login.jsf

# redirect to an access denied page if user does not have access rights
roles.unauthorizedUrl = /accessDenied.jsf

# PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
jdbcRealm.credentialsMatcher = $passwordMatcher

[urls]
/admin/** = authc
/login.jsf = ssl[8181],authc
Just for the sake of completeness this is the login bean that I'm using with the jsf page:

    // Login action called from the JSF page; name, password and rememberMe are bean properties.
    public void login() {

        if (!SecurityUtils.getSubject().isAuthenticated()) {
            try {
                UsernamePasswordToken userToken = new UsernamePasswordToken(name, password);
                userToken.setRememberMe(rememberMe);
                SecurityUtils.getSubject().login(userToken);
            } catch (AuthenticationException ae) {
                // TODO: report the failed login (bad credentials, locked account, ...) to the user
            } catch (Exception ex) {
                // TODO: handle unexpected errors
            }
        }
    }

There is a statement in the link you sent me that says:
"Ensure the AuthenticationInfo instance supplied by your Realm returns the encrypted password string from its getCredentials() implementation."

I'm only storing the encrypted password so wouldn't it return the encrypted string by default?

Thanks


Re: Reading salted password with SaltedAuthenticationInfo

Nesher
tarka wrote:

> I've implemented the new PasswordService and that works perfectly.
>
> [...]
>
> However for some reason I'm still having problems with PasswordMatcher!
>
> [...]
>
> There is a statement in the link you sent me that says:
> "Ensure the AuthenticationInfo instance supplied by your Realm returns the encrypted password string from its getCredentials() implementation."
>
> I'm only storing the encrypted password so wouldn't it return the encrypted string by default?

Hi Tarka!  I'm also just using Shiro for the first time, and I encountered a similar problem with the PasswordMatcher.  After some investigation in the debugger, I found that the problem was that the PasswordMatcher expects getCredentials() to return either a String or a Hash, but the jdbcRealm (and I think all the default implementations of AuthenticatingRealm) stores the hashed password as a char[].  I believe the intent of the statement you quoted above was to address this point, but it seems rather inconvenient to have to subclass the Realm and the AuthenticationInfo just in order to use the PasswordMatcher.

My solution to this was to override the PasswordMatcher as follows:

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.credential.PasswordMatcher;

public class PasswordMatcherEx extends PasswordMatcher {
	@Override
	protected Object getStoredPassword( AuthenticationInfo storedAccountInfo ) {
		Object stored = super.getStoredPassword( storedAccountInfo );
		
		// JdbcRealm hands over the formatted hash as a char[]; PasswordMatcher only accepts a String or a Hash.
		if ( stored instanceof char[] ) {
			stored = String.valueOf( (char[])stored );
		}
		
		return stored;
	}
}

And I then used my PasswordMatcherEx in the shiro.ini.
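To see the type mismatch Nesher describes end to end, here is a small stand-alone program (an added example, not code from the thread or from Shiro itself) that hashes a constructed sample password with DefaultPasswordService and then hands PasswordMatcher the same stored value once as a char[], as JdbcRealm supplies it, and once as a String. The user name, password and realm name are made up.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;

public class PasswordMatcherDemo {

    public static void main(String[] args) {
        // Constructed sample credential; in the thread this value comes from the users table.
        String plaintext = "correct-horse-battery-staple";

        // Same bean the shiro.ini above wires as $passwordService: salted, iterated hash,
        // returned as a formatted String that embeds algorithm, iterations and salt.
        DefaultPasswordService service = new DefaultPasswordService();
        String stored = service.encryptPassword(plaintext);
        System.out.println("stored = " + stored);

        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(service);

        UsernamePasswordToken token = new UsernamePasswordToken("tarka", plaintext);

        // 1. What JdbcRealm hands the matcher: credentials as char[].
        AuthenticationInfo asCharArray =
                new SimpleAuthenticationInfo("tarka", stored.toCharArray(), "jdbcRealm");
        try {
            matcher.doCredentialsMatch(token, asCharArray);
        } catch (IllegalArgumentException e) {
            // PasswordMatcher rejects anything that is not a formatted hash String or a Hash.
            System.out.println("char[] credentials rejected: " + e.getMessage());
        }

        // 2. Same account with the credentials as a String: the hash is parsed and compared.
        AuthenticationInfo asString =
                new SimpleAuthenticationInfo("tarka", stored, "jdbcRealm");
        System.out.println("String credentials, right password: "
                + matcher.doCredentialsMatch(token, asString));

        // 3. A wrong password is a plain false, not an exception.
        UsernamePasswordToken wrong = new UsernamePasswordToken("tarka", "wrong-password");
        System.out.println("String credentials, wrong password: "
                + matcher.doCredentialsMatch(wrong, asString));
    }
}
```

Compile against shiro-core 1.2: the char[] case fails before any comparison takes place, which is the path Nesher found in the debugger, while the String case returns true or false as expected.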