Andy,

Thanks for the response.  I guess what I'm thinking of doing is
something like this pseudocode, but was wondering if anyone had
better ideas:

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.crypto.hash.Sha256Hash;

// User, dao and myCustomBase64Authenticate are the application's own
// classes/helpers (not shown in the post).
boolean login(String username, String password, boolean rememberMe) {
  UsernamePasswordToken token = new UsernamePasswordToken(username,
      password, rememberMe);
  try {
    SecurityUtils.getSubject().login(token);
    return true;
  }
  catch (IncorrectCredentialsException ice) {
    // Shiro rejected the new-format hash; fall back to the legacy check.
    boolean success = myCustomBase64Authenticate(username, password);
    if (success) {
      // Re-hash in the new format so the legacy path is never needed again.
      User user = dao.getUser(username);
      user.setPassword(new Sha256Hash(password).toHex());
      dao.save(user);
      // Second login so that Shiro actually authenticates the Subject;
      // an AuthenticationException thrown here propagates (unchecked).
      SecurityUtils.getSubject().login(token);
      return true;
    }
  }
  catch (UnknownAccountException uae) {
    // no such user: fall through and return false
  }
  catch (Exception ex) {
    // any other failure: fall through and return false
  }
  return false;
}

However, if the IncorrectCredentialsException happens, I'd still need
to run SecurityUtils.getSubject().login(token) again so that the user
was authenticated by Shiro.  I'm reluctant to have another try/catch
block within that catch block. It just seems like there should be a
cleaner way of doing this.  Maybe by implementing my own
Subject.login(), but it looks like DelegatingSubject.login() defers to
SecurityManager.login().  I'm just not sure how much I want to muck
with overriding Shiro classes and am hoping someone has a suggestion
on a simple approach.

Note that we'd tell everyone they have to log into the new system
within the next 7 days, or 30 days, or whatever.  And then I'd yank
the customBase64Authenticate code from the app after that time period
is over.  So whatever I build is going to be thrown away anyway, so I
want to keep it simple.

> p.s. Do you live in the foothills of Hillsbrad? :)

I'm guessing that is somewhere in WoW?  I don't play the game, but
I've been told that my name is the same as some place in it.  I must
have made a great impression on the creators of that game. :)

Thanks again,
Tauren


On Tue, Sep 1, 2009 at 10:47 AM, Andy Tripp<[email protected]> wrote:
> I'm doing the same thing. In my case, the current system keeps
> username/password in some database table, and the new system will keep
> it in an LDAP directory. For now, I have my own subclass of JdbcRealm
> which queries the existing database. Then I'll have a "transition
> script" - a shell script which grabs the existing username/password from
> the DB and puts it into the LDAP directory. And then I'll replace my
> subclass of JdbcRealm with some subclass of LDAPRealm.
>
> I hope that answers your question, if not, ask something more specific.
>
> Andy
> p.s. Do you live in the foothills of Hillsbrad? :)
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of
> Tauren
>> Mills
>> Sent: Tuesday, September 01, 2009 1:23 PM
>> To: [email protected]
>> Subject: Transferring passwords from old system
>>
>> I'm going to have to import a bunch of users from an old system into a
>> new system based on Shiro.  These passwords are encrypted in a Base64-
>> encoded SHA hash.  My hope is that these existing users can start
>> using the new system by logging in using the same username/password
>> they used before.  Before I get started, I was wondering if anyone has
>> any pointers or ideas on a good way to go about doing this?
>>
>> Thanks!
>> Tauren
>
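The cleaner approach the thread is circling, shown as an added example that is not Tauren's or Andy's code and not part of Shiro itself: instead of catching IncorrectCredentialsException and re-running login(), put the legacy check inside a custom CredentialsMatcher. Shiro calls the matcher once per login(); it accepts either the new SHA-256 hex hash or the legacy hash and, when the legacy one matches, rewrites the stored credential in the new format. The caller then makes a single login() call and never needs a nested try/catch. Assumptions: the legacy format is Base64(SHA-1(password)) (the thread only says "SHA"; adjust the Hash class if it is SHA-256), the new format is the unsalted SHA-256 hex from the post, and UserStore is a hypothetical in-memory stand-in for the application's dao with constructed data.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.crypto.hash.Sha1Hash;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;

/** Hypothetical stand-in for the application's dao: username -> stored hash string. */
class UserStore {
    private final Map<String, String> hashes = new HashMap<String, String>();
    String getHash(String username) { return hashes.get(username); }
    void saveHash(String username, String hash) { hashes.put(username, hash); }
}

/** Matches the new SHA-256 hex hash first, then the legacy Base64 SHA-1 hash; upgrades on a legacy match. */
class UpgradingCredentialsMatcher implements CredentialsMatcher {
    private static final Charset ASCII = Charset.forName("US-ASCII");
    private final UserStore store;

    UpgradingCredentialsMatcher(UserStore store) { this.store = store; }

    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        UsernamePasswordToken upt = (UsernamePasswordToken) token;
        String stored = (String) info.getCredentials();
        char[] password = upt.getPassword();

        String modern = new Sha256Hash(password).toHex();
        if (constantTimeEquals(modern, stored)) {
            return true;                                  // already migrated
        }
        // Assumption: legacy rows hold Base64(SHA-1(password)).
        String legacy = new Sha1Hash(password).toBase64();
        if (constantTimeEquals(legacy, stored)) {
            store.saveHash(upt.getUsername(), modern);    // one-time upgrade to the new format
            return true;
        }
        return false;                                     // Shiro raises IncorrectCredentialsException
    }

    /** Hex and Base64 are ASCII, so byte-wise compare; MessageDigest.isEqual is constant-time on current JDKs. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(ASCII), b.getBytes(ASCII));
    }
}

/** Realm that hands the stored hash (whatever its format) to the matcher above. */
class TransitionRealm extends AuthenticatingRealm {
    private final UserStore store;

    TransitionRealm(UserStore store) {
        this.store = store;
        setCredentialsMatcher(new UpgradingCredentialsMatcher(store));
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        String stored = store.getHash(username);
        if (stored == null) {
            return null;                                  // Shiro turns null into UnknownAccountException
        }
        return new SimpleAuthenticationInfo(username, stored, getName());
    }
}

public class TransitionDemo {
    public static void main(String[] args) {
        UserStore store = new UserStore();
        // Constructed legacy row, as the old system would have written it.
        store.saveHash("alice", new Sha1Hash("correct horse").toBase64());
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new TransitionRealm(store)));

        // One login() call: legacy hash matches, row is rewritten as SHA-256 hex, Subject is authenticated.
        SecurityUtils.getSubject().login(new UsernamePasswordToken("alice", "correct horse"));
        System.out.println("authenticated: " + SecurityUtils.getSubject().isAuthenticated());
        System.out.println("upgraded: " + store.getHash("alice").equals(new Sha256Hash("correct horse").toHex()));
        SecurityUtils.getSubject().logout();

        try {                                             // wrong password still fails the normal way
            SecurityUtils.getSubject().login(new UsernamePasswordToken("alice", "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Because the matcher decides both formats in one pass, the application's login method collapses to a single try around one SecurityUtils.getSubject().login(token), and removing the legacy path later is a matter of deleting the Sha1Hash branch. Two caveats: the unsalted SHA-256 hex target format is the one from the post, and if the schema can be touched during the migration it is worth moving to a per-user salt with iterations (Shiro's HashedCredentialsMatcher supports both); and the first successful login is the only moment the plaintext is available to re-hash, so users who never log in during the cutover window will still hold legacy hashes when the branch is removed, and those accounts will need a reset.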
