Having problems with Apache Shiro SaltedAuthenticationInfo / hashProvidedCredentials: not the expected hash

This is the second time I have used Apache Shiro in a project, but the first time I am salting passwords. This time I am using Apache Shiro 1.2.0. I use Shiro in a web application built with JSP, Spring and JPA (spring-data-jpa), and use SHA256 for encryption, then Base64, before saving to the database. I have a SaltedJPARealm and a Sha256CredentialMatcher that implements HashedCredentialMatcher. This is how I do it.

Creating the user in my controller:

    RandomNumberGenerator rng = new SecureRandomNumberGenerator();
    ByteSource salt = rng.nextBytes(10);
    String hashedPasswordBase64 = new Sha256Hash(signupForm.getPassword(), salt).toBase64();
    userService.createUser(signupForm.getFullName(), signupForm.getEmail(), hashedPasswordBase64, salt.toBase64());

So my password is password1234 and the generated salt is /ZFfGOcSxYhy+g== , so in my database I have the password whb+0AihIGJ4n8QwULj1tR6qSwCrA+1BUvnoe4q4Cy4= and the same salt in the salt field.

In my configuration in spring there is:

    <!--....-->
    <bean id="saltedJPARealm" class="bla.bla.webapp.security.SaltedJPARealm">
        <constructor-arg ref="credMatcher"/>
    </bean>
    <bean id="credMatcher" class="bla.bla.webapp.security.Sha256CredentialMatcher">
        <property name="storedCredentialsHexEncoded" value="false" />
        <property name="hashAlgorithmName" value="SHA-256" />
        <!--<property name="hashIterations" value="1024" />-->
    </bean>
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager" depends-on="userRepository">
        <property name="realm" ref="saltedJPARealm" />
    </bean>
    <!--....-->

Logging in the user:

    Subject currentUser = SecurityUtils.getSubject();
    if (!currentUser.isAuthenticated()) {
        UsernamePasswordToken token = new UsernamePasswordToken(loginForm.getEmail(), loginForm.getPassword(), loginForm.isRememberMe());
        SecurityUtils.getSubject().login(token);
    }

SaltedJPARealm's doGetAuthenticationInfo(AuthenticationToken at) returns a SaltedAuthenticationInfo after fetching the user from the database:

    ByteSource salt = ByteSource.Util.bytes(user.getSalt());
    return new SimpleAuthenticationInfo(user, user.getPassword().toCharArray(), salt, this.getName());

doCredentialsMatch in Sha256CredentialMatcher looks like this:

    Object tokenfromSubmition = hashProvidedCredentials(token.getCredentials(), ((SaltedAuthenticationInfo) info).getCredentialsSalt(), 0);
    Object passwordFromStorage = this.getCredentials(info);
    Boolean match = equals(tokenfromSubmition, passwordFromStorage);
    return match;

The full code is available here on pastie; authentication fails with this. But when I change the code so as not to salt the password (when creating the account) and return an AuthenticationInfo instead of a SaltedAuthenticationInfo, it works with the same class. I wonder what exactly I am doing wrong?

1 answer

PasswordService is a POJO (with nested properties), and its nested properties can also be configured using Spring:

    <bean id="passwordService" class="org.apache.shiro.authc.credential.DefaultPasswordService">
        <property name="hashService.hashAlgorithmName" value="SHA-512"/>
        <property name="hashService.hashIterations" value="500000"/>
    </bean>
    <bean id="myRealm" class="...">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.PasswordMatcher">
                <property name="passwordService" ref="passwordService"/>
            </bean>
        </property>
    </bean>

This allows the myRealm instance to use the PasswordService to verify credentials during a login attempt.

To use the PasswordService to encrypt passwords when the end user sets their password (i.e., during account registration or a password reset), you can inject the PasswordService bean and then use it:

    String encryptedPassword = passwordService.encryptPassword(signupForm.getPassword());
    userService.createUser(signupForm.getFullName(), signupForm.getEmail(), encryptedPassword);

I think you will find this a more convenient and more efficient use of Spring and of your code than the lower-level random number generator and HashService + Hash APIs.

HTH!

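Added example (not code from the question, the answer, or Apache Shiro; written for this page with plain JDK 8+ classes so it compiles without Shiro on the classpath). It puts the two schemes discussed on this page side by side: the question's "hash column plus separate base64 salt column", where the realm rebuilds the salt with ByteSource.Util.bytes(String) and therefore hashes with the UTF-8 bytes of the base64 text rather than the original random bytes; and the answer's PasswordService approach, where salt, algorithm and iteration count travel inside one stored string so verification cannot rebuild them differently from registration. The class name SaltRoundTrip, the method names, and the `$demo$...` storage layout are my own (the layout is only modelled on the self-describing string Shiro's DefaultPasswordService writes, not a copy of it). The digest order (salt first, then password, then re-digesting the result iterations-1 times) follows Shiro's SimpleHash.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration for this page; not the question's, the answer's or Shiro's code.
public class SaltRoundTrip {

    // digest(salt || password), then re-digest the result (iterations - 1) times,
    // mirroring the order Shiro's SimpleHash uses.
    static byte[] hash(String algorithm, byte[] salt, String password, int iterations) throws Exception {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        byte[] out = md.digest(password.getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) {
            md.reset();
            out = md.digest(out);
        }
        return out;
    }

    // ---- Scheme 1 (the question): SHA-256, 10 random salt bytes, two base64 columns ----

    // Returns { hashBase64, saltBase64 }, i.e. what the registration code stores.
    static String[] register(String password) throws Exception {
        byte[] salt = new byte[10];
        new SecureRandom().nextBytes(salt);
        byte[] h = hash("SHA-256", salt, password, 1);
        return new String[] {
            Base64.getEncoder().encodeToString(h),
            Base64.getEncoder().encodeToString(salt)
        };
    }

    // decodeSalt = false mimics ByteSource.Util.bytes(String) on the base64 column:
    // the 16 UTF-8 bytes of the base64 *text* become the salt, not the 10 bytes
    // that were used at registration. decodeSalt = true base64-decodes the column
    // first and so recovers the original salt.
    static boolean login(String password, String hashB64, String saltB64, boolean decodeSalt) throws Exception {
        byte[] salt = decodeSalt
                ? Base64.getDecoder().decode(saltB64)
                : saltB64.getBytes(StandardCharsets.UTF_8);
        byte[] expected = Base64.getDecoder().decode(hashB64);
        // constant-time comparison of the two digests
        return MessageDigest.isEqual(expected, hash("SHA-256", salt, password, 1));
    }

    // ---- Scheme 2 (the answer): one self-describing string per user ----
    // Hypothetical layout used here: $demo$<algorithm>$<iterations>$<saltBase64>$<hashBase64>

    static String encryptPassword(String password, String algorithm, int iterations) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] h = hash(algorithm, salt, password, iterations);
        return "$demo$" + algorithm + "$" + iterations + "$"
                + Base64.getEncoder().encodeToString(salt) + "$"
                + Base64.getEncoder().encodeToString(h);
    }

    // Verification reads algorithm, iteration count and salt back out of the stored
    // string, so registration and login can never disagree about any of them.
    static boolean passwordsMatch(String password, String stored) throws Exception {
        String[] p = stored.split("\\$");           // base64 never contains '$'
        if (p.length != 6 || !"demo".equals(p[1])) return false;
        byte[] salt = Base64.getDecoder().decode(p[4]);
        byte[] expected = Base64.getDecoder().decode(p[5]);
        return MessageDigest.isEqual(expected, hash(p[2], salt, password, Integer.parseInt(p[3])));
    }

    public static void main(String[] args) throws Exception {
        String[] row = register("password1234");
        System.out.println("salt column used as raw text: " + login("password1234", row[0], row[1], false));
        System.out.println("salt column base64-decoded:   " + login("password1234", row[0], row[1], true));

        String stored = encryptPassword("password1234", "SHA-512", 500000);
        System.out.println(stored);
        System.out.println("correct password: " + passwordsMatch("password1234", stored));
        System.out.println("wrong password:   " + passwordsMatch("Password1234", stored));
    }
}
```

Running main shows the first login call failing and the second succeeding for the same row: the only difference between them is whether the salt column is decoded before hashing. The second scheme avoids that class of mistake by construction, which is the practical reason the answer steers towards PasswordService; the 500000 SHA-512 iterations it configures also make each guess correspondingly more expensive than a single unsalted or once-salted SHA-256.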

Source: https://habr.com/ru/post/925044/
