
Shiro - how to login with hashed password


I am using Shiro to secure my application, and now the problem is how do I log in with a hashed password for the following scenarios:

1. Automatically log in the user after they click on the activation email.

2. Login via Facebook: find the user by facebookId in the database and try to log them in, but all I have is the hashed password. Do we have any way to decrypt a hashed password?

This is how I encrypt my password stored in the database:

new Sha256Hash(password).toHex()

Below is my login code.

Subject currentUser = SecurityUtils.getSubject();
if (!currentUser.isAuthenticated()) {
    UsernamePasswordToken token = new UsernamePasswordToken(email, password, rememberMe);
    currentUser.login(token);
}

Bear with me if this question is weird, and thanks in advance.


Solution

  • The purpose of a hash function is to be undecryptable. So no, it cannot be decrypted. To achieve both goals you can configure additional realms: one for email activation, the other for OAuth login.

    For email activation you can create a temporary account, create some random activation token and send an email. Then the user clicks the activation link and the application tries to authenticate the user with the token provided in the HTTP request:

    // ActivationToken is a custom AuthenticationToken implementation that carries the one-time token
    String token = request.getParameter("token"); // get from request (parameter name assumed)
    subject.login(new ActivationToken(token));    // Subject#login, since Subject has no authenticate() method
    

    The activation realm checks whether this token is valid. If valid, it removes the token from the account and authenticates it.

    As for the Facebook realm, you can use the secret obtained in the OAuth authentication step to get user info and, if there are no errors, authenticate the user.
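The activation realm the answer describes, written out as an added example (not code from the question or the answer): a custom `AuthenticationToken` plus an `AuthenticatingRealm` that only accepts that token type, resolves it against a store, and deletes it on use so the link cannot be replayed. The class names `ActivationRealm`, `ActivationToken` and `issueToken`, and the in-memory map standing in for the database, are assumptions of this example.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.credential.AllowAllCredentialsMatcher;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.codec.Hex;
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class ActivationRealm extends AuthenticatingRealm {
    /** One-time token carried from the email link into the realm (hypothetical class). */
    public static final class ActivationToken implements AuthenticationToken {
        private final String token;
        public ActivationToken(String token) { this.token = token; }
        @Override public Object getPrincipal() { return null; } // the realm resolves the account
        @Override public Object getCredentials() { return token; }
    }

    // Constructed stand-in for the database table: activation token -> account email.
    private final Map<String, String> pending = new ConcurrentHashMap<>();

    public ActivationRealm() {
        // The lookup in doGetAuthenticationInfo is the whole check; there is no password to compare.
        setCredentialsMatcher(new AllowAllCredentialsMatcher());
    }

    /** Creates a 256-bit random token and records it; this is the value to put in the link. */
    public String issueToken(String email) {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        String token = Hex.encodeToString(raw);
        pending.put(token, email);
        return token;
    }

    @Override
    public boolean supports(AuthenticationToken t) {
        return t instanceof ActivationToken; // UsernamePasswordToken stays with the password realm
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t) {
        // remove() makes the token single-use; a replayed link fails with an exception.
        String email = pending.remove((String) t.getCredentials());
        if (email == null) throw new AuthenticationException("unknown or already used activation token");
        return new SimpleAuthenticationInfo(email, t.getCredentials(), getName());
    }
}
```

Login then becomes `SecurityUtils.getSubject().login(new ActivationRealm.ActivationToken(tokenFromRequest))`, with this realm registered beside the password realm (for example `securityManager.realms = $passwordRealm, $activationRealm` in shiro.ini). The password realm keeps matching the stored `new Sha256Hash(password).toHex()` values by using a `HashedCredentialsMatcher` configured for SHA-256 with hex encoding.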