问题
I'm using Apache Shiro with a custom JDBC realm to retrieve a user’s salt, password, hash algorithm name and number of hash iterations from the database which are all stored as separate columns.
The problem is I'm unsure how I should handle the salt that has been retrieved from the database when using the PasswordMatcher to verify the user's password matches that stored in the database.
When using the HashedCredentialsMatcher the salt is set using the setCredentialsSalt method, however it seems that this isn't the case when using the PasswordMatcher instead of the HashedCredentialsMatcher.
The code I'm using in the custom JDBC realm is as follows
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
//code to retrieve user details from database removed for brevity
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(username, passwdSalt.password, getName());
info.setCredentialsSalt(new SimpleByteSource(passwdSalt.salt));
DefaultPasswordService passwordService = new DefaultPasswordService();
DefaultHashService hashService = new DefaultHashService();
PasswordMatcher passwordMatcher = new PasswordMatcher();
hashService.setHashAlgorithmName(passwdSalt.hashAlgorithmName);
hashService.setHashIterations(passwdSalt.hashIterations);
passwordService.setHashService(hashService);
passwordMatcher.setPasswordService(passwordService);
setCredentialsMatcher(passwordMatcher);
return info;
}
Having stepped through the code I've confirmed that the problem is definitely due to the salt not being used when hashing the password entered by the user in order to match it against the hashed password in the database. In DefaultPasswordService.java when the method passwordsMatch(Object submittedPlaintext, String saved) is called on line 160 the object named request contains the following
algorithmName=null
iterations=0
salt=null
source=cGFzc3dvcmQ=
The next line of code on line 161 calls computeHash(request)
In DefaultHashService.java when the method computeHash(HashRequest request) is called, on lines 155 and 157 the variables algorithmName and iterations are correctly set to SHA-256 and 1 respectively. On line 159 the method getPublicSalt(request) is called however it retuns null.
Has anyone else used Shiro's PasswordMatcher with a custom realm and if how do you tell Shiro to use the salt?
回答1:
I posted a message on the Shiro mailing list and got a reply saying that the PasswordMatcher by default does not look at anything in the AuthenticationInfo other than authenticationInfo.getCredentials().
For further details, the archived message on the mailing list is available at http://shiro-user.582556.n2.nabble.com/Migrating-from-HashedCredentialMatcher-to-PasswordMatcher-td7577808.html
回答2:
Took me a while to hunt down this url in one of my projects - http://meri-stuff.blogspot.com/2011/04/apache-shiro-part-2-realms-database-and.html
The article links to this file JNDIAndSaltAwareJdbcRealm
I've used that class successfully in my project to use salt in the password hash.
HTH
回答3:
If you store the credentials created by the Shiro Command Line Hasher in Shiro1CryptFormat, then you can use the DefaultPasswordService in your realm:
final PasswordMatcher passwordMatcher = new PasswordMatcher();
passwordMatcher.setPasswordService(new DefaultPasswordService());
realm.setCredentialsMatcher(passwordMatcher);
来源:https://stackoverflow.com/questions/12589837/using-shiros-passwordmatcher-with-a-custom-realm