
Apache Shiro using hashed credentials cannot log in successfully


I am using Shiro, and I use a hashed credentials matcher for my credentials.

Here is my shiro.ini configuration:

credentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 1024
realmA.credentialsMatcher = $credentialsMatcher
securityManager.realms = $realmA

Below is how I generate the salt and hashed password:

import org.apache.shiro.crypto.RandomNumberGenerator;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

// random per-user salt, stored Base64-encoded next to the hash
RandomNumberGenerator rng = new SecureRandomNumberGenerator();
ByteSource salt = rng.nextBytes();
String passwordsalt = salt.toBase64();
// the iteration count must equal credentialsMatcher.hashIterations in shiro.ini
String hashedPasswordBase64 = new Sha256Hash(user.getPassword(),
        salt, 1024).toBase64();
user.setPassword(hashedPasswordBase64);
user.setByteTabSalt(passwordsalt);
dao.createUser(user);

This is the Realm I extended:

protected AuthenticationInfo doGetAuthenticationInfo(
        AuthenticationToken authToken) throws AuthenticationException {
    UsernamePasswordToken token = (UsernamePasswordToken) authToken;
    User user = dao.getForUsername(token.getUsername());
    if (user != null) {
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
                user.getEmail_account(), user.getPassword(), getName());
        ByteSource salt = new SimpleByteSource(Base64.decode(user
                .getByteTabSalt()));
        info.setCredentialsSalt(salt);
        return info;
    } else {
        return null;
    }
}

But when I use my newly generated account to log in, I never succeed. Debugging shows that I get the user object correctly. Any idea?

Thank you so much.


Solution

  • The HashedCredentialsMatcher is an older Shiro concept. Instead, I highly recommend using the PasswordService and its corresponding PasswordMatcher as documented here:

    https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/authc/credential/PasswordService.html
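For the PasswordService approach the answer recommends, here is an added example (not code from the question or from the Shiro project) of a realm that stores passwords with DefaultPasswordService and verifies them through PasswordMatcher. The in-memory map stands in for the question's DAO, and the user name and password are constructed sample values.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.realm.AuthenticatingRealm;

/** Added example realm; the map replaces the DAO from the question. */
public class PasswordServiceRealm extends AuthenticatingRealm {
    // username -> string from PasswordService.encryptPassword (algorithm, iterations, salt and hash in one value)
    private final Map<String, String> store = new ConcurrentHashMap<>();
    private final PasswordService passwordService;

    public PasswordServiceRealm(PasswordService passwordService) {
        this.passwordService = passwordService;
        // Same wiring as in shiro.ini: passwordMatcher.passwordService = $passwordService,
        // realmA.credentialsMatcher = $passwordMatcher
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);
        setCredentialsMatcher(matcher);
    }

    /** Registration: no separate salt column, the salt is embedded in the stored string. */
    public void createUser(String username, char[] plaintext) {
        store.put(username, passwordService.encryptPassword(plaintext));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authToken)
            throws AuthenticationException {
        UsernamePasswordToken token = (UsernamePasswordToken) authToken;
        String stored = store.get(token.getUsername());
        if (stored == null) {
            return null; // unknown account
        }
        // No setCredentialsSalt() call: PasswordMatcher parses the salt out of the stored string
        return new SimpleAuthenticationInfo(token.getUsername(), stored, getName());
    }

    public static void main(String[] args) {
        PasswordServiceRealm realm = new PasswordServiceRealm(new DefaultPasswordService());
        realm.createUser("alice", "correct horse".toCharArray()); // constructed sample account
        // The right password returns the info; a wrong one makes getAuthenticationInfo throw IncorrectCredentialsException
        System.out.println(realm.getAuthenticationInfo(
                new UsernamePasswordToken("alice", "correct horse")).getPrincipals());
    }
}
```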