I use shiro 1.2.3 in a JSF2+Hibernate project. No luck to get a user authenticated. Can't figure out what i'm doing wrong.
shiro.ini
[main]
cacheManager = org.apache.shiro.cache.ehcache.EhCacheManager
securityManager.cacheManager = $cacheManager
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 100000
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
customSecurityRealm = com.sapienzo.common.CustomSecurityRealm
customSecurityRealm.credentialsMatcher = $passwordMatcher
securityManager.realms = $customSecurityRealm
ShiroUtils class (helper class to create salted hash)
public class ShiroUtils {
private static int HASH_ITERATIONS = 100000;
public static String createSaltedHash(String plainTextPassword) {
DefaultHashService hashService = new DefaultHashService();
hashService.setHashIterations(HASH_ITERATIONS);
hashService.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
hashService.setGeneratePublicSalt(true);
DefaultPasswordService passwordService = new DefaultPasswordService();
passwordService.setHashService(hashService);
String encryptedPassword = passwordService.encryptPassword(plainTextPassword);
return encryptedPassword;
}
}
saving a user to database while registration (getting username and password from form fields)
...
user.setUsername(username);
user.setPassword(ShiroUtils.createSaltedHash(password);
userService.saveUser(user);
...
login (again username and password from form fields)
UsernamePasswordToken token = new UsernamePasswordToken(user.getUsername(), ShiroUtils.createSaltedHash(user.getPassword()));
Subject currentUser = SecurityUtils.getSubject();
currentUser.login(token);
CustomSecurityRealm.java
public class CustomSecurityRealm extends AuthorizingRealm {
public CustomSecurityRealm() {
setName("CustomSecurityRealm");
}
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authenticationToken;
if (token.getUsername() == null) {
return null;
}
UserService userService = new UserService();
String saltedHashPassword = userService.getPasswordByUsername(token.getUsername()); //get encrypted password from DB
if( saltedHashPassword != null ) {
SimpleAuthenticationInfo authn = new SimpleAuthenticationInfo(token.getUsername(), saltedHashPassword, getName());
return authn;
} else {
return null;
}
}
@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
return null;
}
}
After digging out the code line by line, i noticed that passwordsMatch method which is used for password comparison always returns false regardless of the inputs.
For example:
String plainTextPassword = "foo";
DefaultPasswordService passwordService = new DefaultPasswordService();
String encryptedPassword = passwordService.encryptPassword(plainTextPassword);
boolean result = passwordService.passwordsMatch(plainTextPassword, encryptedPassword);
System.out.println(result);
Output is false. Found this post later. Causing this is a reported bug. If your default locale is different than English shiro gets confused when (un)capitalizing letters. You should set your default locale to Locale.ENGLISH to fix this.