Thanks! Can you put this in a github pull request and add test ? (using github isn't required, but it makes chatting about the patch easier)
On Thu, Mar 24, 2016 at 11:52 PM, Andreas Reichel < [email protected]> wrote: > Dear All, > > we would like to adopt Shiro and to use the JDBC Realm. > Our database schema however uses the CRYPT like password hash with no > separate SALT column. We found SaltStyle.CRYPT unimplemented, so please > find a small patch attached. > > > Any issues, please let us know. > Cheers > Andreas > > From 3cbc5b40c095872b80f52323c2585ea46e58067e Mon Sep 17 00:00:00 2001 > From: Andreas Reichel <[email protected]> > Date: Mar 25, 2016 10:48:43 AM > > Implement SaltStyle.CRYPT > > diff --git > a/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java > b/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java > index 646875c..c34a5fe 100644 > --- a/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java > +++ b/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java > @@ -38,6 +38,11 @@ > import java.util.Collection; > import java.util.LinkedHashSet; > import java.util.Set; > +import org.apache.shiro.authc.credential.CredentialsMatcher; > +import org.apache.shiro.authc.credential.HashedCredentialsMatcher; > +import org.apache.shiro.crypto.hash.Md5Hash; > +import org.apache.shiro.crypto.hash.Sha256Hash; > +import org.apache.shiro.crypto.hash.Sha512Hash; > > > /** > @@ -221,9 +226,50 @@ > password = getPasswordForUser(conn, username)[0]; > break; > case CRYPT: > - // TODO: separate password and hash from > getPasswordForUser[0] > - throw new ConfigurationException("Not implemented > yet"); > - //break; > + /* > + http://www.slashroot.in/how-are-passwords-stored-linux > -understanding-hashing-shadow-utils > + > + Example: $1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1 > + > + The above shown encoded hash value can be further > classified into three different fields as below. > + 1. The first field is a numerical number that tell's > you the hashing algorithm that's being used. > + > + $1 = MD5 hashing algorithm. > + $2 =Blowfish Algorithm is in use. > + $2a=eksblowfish Algorithm > + $5 =SHA-256 Algorithm > + $6 =SHA-512 Algorithm > + > + 2. The second field is the salt value > + Salt value is nothing but a random data that's > generated to combine with the original password, inorder to increase > the strength of the hash.. > + > + 3.The last field is the hash value of salt+user > password (we will be discussing this shortly). > + > + */ > + > + String[] crypt=getPasswordForUser(conn, > username)[0].split("\\$"); > + String hashAlgorithm=crypt[0]; > + > + //@todo: set the credential matcher hash algorithm?! > + CredentialsMatcher credentialsMatcher = > getCredentialsMatcher(); > + if (credentialsMatcher instanceof > HashedCredentialsMatcher) { > + HashedCredentialsMatcher > hashedCredentialsMatcher=(HashedCredentialsMatcher) credentialsMatcher; > + if (hashAlgorithm.equals("$6")) > + hashedCredentialsMatcher.setHashAlgorithmName( > Sha512Hash.ALGORITHM_NAME); > + else if (hashAlgorithm.equals("$5")) > + hashedCredentialsMatcher.setHashAlgorithmName( > Sha256Hash.ALGORITHM_NAME); > + else if (hashAlgorithm.equals("$1")) > + hashedCredentialsMatcher.setHashAlgorithmName( > Md5Hash.ALGORITHM_NAME); > + else if (hashAlgorithm.equals("$2")) > + throw new AuthenticationException("Requested > 'Blowfish' algorithm is not supported. Can not validate the token."); > + else if (hashAlgorithm.equals("$2a")) > + throw new AuthenticationException("Requested > 'eksblowfish' algorithm is not supported. Can not validate the > token."); > + } > + > + salt=crypt[1]; > + password=crypt[2]; > + > + break; > case COLUMN: > String[] queryResults = getPasswordForUser(conn, > username); > password = queryResults[0]; > @@ -265,7 +311,6 @@ > boolean returningSeparatedSalt = false; > switch (saltStyle) { > case NO_SALT: > - case CRYPT: > case EXTERNAL: > result = new String[1]; > break;
