Hi Fady,

You did:

    info = buildAuthenticationInfo(username, dbPassword.toCharArray(), salt);

Try with:

    info = buildAuthenticationInfo(username, Base64.decode(dbPassword).toCharArray(), Base64.decode(salt));

Regards,
Thibault

2012/1/12 Fady Matar <[email protected]>

> I have built my custom realm which gets the authentication and the
> authorization from a nosql database, and storing plain passwords and
> authenticating against them works fine.
>
> I'm adding salts and hashed passwords and looked at other realms'
> implementations, but I'm still having a failure.
>
> For instance, my user object has a hashedPassword field and a salt field to
> store the data, and I'm storing them using the shiro classes as follows:
>
>     User user = new User("jdoe", "a$eCuRep@SsWd"); // Set the username and the plain password to be hashed
>     user.hash();
>
>     public void hash() {
>         RandomNumberGenerator generator = new SecureRandomNumberGenerator();
>         ByteSource nextBytes = generator.nextBytes();
>         setPasswordSalt(nextBytes.toBase64());
>         setPassword(new Sha512Hash(getPassword(), passwordSalt, 2048).toBase64());
>     }
>
> Now here's the part of my code that performs the authorization:
>
>     protected SaltedAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
>             throws AuthenticationException {
>         UsernamePasswordToken upToken = (UsernamePasswordToken) token;
>         String username = upToken.getUsername();
>         String password = String.valueOf(upToken.getPassword());
>         if (username == null)
>             throw new AccountException("Null usernames are not allowed by this realm.");
>         SaltedAuthenticationInfo info = null;
>         try {
>             User user = getUserData(username);
>             String dbPassword = user.getPassword();  // Retrieves the password from db
>             String dbSalt = user.getPasswordSalt(); // Retrieves the salt from the db
>             ByteSource salt = new Sha512Hash(dbSalt);
>             if (password == null) {
>                 throw new UnknownAccountException("No account found for user [" + username + "]");
>             }
>             info = buildAuthenticationInfo(username, dbPassword.toCharArray(), salt);
>         } catch (Exception e) {
>             final String message = "There was a database error while authenticating user [" + username + "]";
>             if (log.isErrorEnabled())
>                 log.error(message, e);
>             throw new AuthenticationException(message, e);
>         }
>         return info;
>     }
>
>     protected SaltedAuthenticationInfo buildAuthenticationInfo(String username, char[] password, ByteSource salt) {
>         return new SimpleAuthenticationInfo(username, password, salt, getName());
>     }
>
> My shiro configuration loaded through web.xml has the following
> configuration:
>
>     <filter>
>         <filter-name>ShiroFilter</filter-name>
>         <filter-class>org.apache.shiro.web.servlet.IniShiroFilter</filter-class>
>         <init-param>
>             <param-name>config</param-name>
>             <param-value>
>                 [main]
>                 customRealm = org.platform.shiro.CustomRealm
>                 credentialsMatcher = org.apache.shiro.authc.credential.Sha512CredentialsMatcher
>                 credentialsMatcher.storedCredentialsHexEncoded = false
>                 credentialsMatcher.hashIterations = 2048
>                 customRealm.credentialsMatcher = $credentialsMatcher
>                 authc.loginUrl = /login.html
>                 [urls]
>                 /services/** = rest
>             </param-value>
>         </init-param>
>     </filter>
>     <filter-mapping>
>         <filter-name>ShiroFilter</filter-name>
>         <url-pattern>/*</url-pattern>
>     </filter-mapping>
>
> Can someone assist why this approach is failing? I debugged the code and
> it turns out that the comparison of hashes is always failing. Any hints?
>
> Cheers,
> --fady
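The following is an added, self-contained example written for this thread; it is not code from either message and not part of Shiro itself. It isolates the salt round trip the quoted realm gets wrong: the realm feeds `new Sha512Hash(dbSalt)` (a SHA-512 digest of the Base64 text) to the credentials matcher as the salt, so the matcher re-hashes the login password with different salt bytes than the ones used at registration and the comparison always fails. The example registers a user by hashing with the raw salt bytes and storing the salt as Base64, then runs Shiro's own `HashedCredentialsMatcher`, configured like the `[main]` section in the thread, once with the salt decoded back from Base64 and once with the digest-as-salt variant. It assumes Shiro 1.1 or later on the classpath; the class name `SaltRoundTrip`, the `StoredUser` holder and the realm name `"customRealm"` are placeholders chosen here.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.SimpleByteSource;

public class SaltRoundTrip {

    // Same iteration count as credentialsMatcher.hashIterations in the thread.
    static final int ITERATIONS = 2048;

    // Stand-in for the persisted user record: both fields are Base64 text (assumption).
    static class StoredUser {
        final String username;
        final String passwordHashB64;
        final String saltB64;

        StoredUser(String username, String passwordHashB64, String saltB64) {
            this.username = username;
            this.passwordHashB64 = passwordHashB64;
            this.saltB64 = saltB64;
        }
    }

    // Registration: hash with the raw salt bytes, persist hash and salt as Base64.
    static StoredUser register(String username, String plainPassword) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String hashB64 = new Sha512Hash(plainPassword, salt, ITERATIONS).toBase64();
        return new StoredUser(username, hashB64, salt.toBase64());
    }

    // Matcher configured exactly like the [main] section in the thread:
    // SHA-512, Base64-encoded stored credentials, 2048 iterations.
    static HashedCredentialsMatcher matcher() {
        HashedCredentialsMatcher m = new HashedCredentialsMatcher(Sha512Hash.ALGORITHM_NAME);
        m.setStoredCredentialsHexEncoded(false);
        m.setHashIterations(ITERATIONS);
        return m;
    }

    // Runs the matcher against the given salt; this is what the realm's
    // SimpleAuthenticationInfo hands to the matcher in the thread.
    static boolean login(StoredUser u, String attempt, ByteSource salt) {
        AuthenticationInfo info = new SimpleAuthenticationInfo(
                u.username, u.passwordHashB64.toCharArray(), salt, "customRealm");
        return matcher().doCredentialsMatch(new UsernamePasswordToken(u.username, attempt), info);
    }

    // Correct realm behaviour: decode the stored Base64 salt back to the original bytes.
    static boolean loginWithDecodedSalt(StoredUser u, String attempt) {
        return login(u, attempt, new SimpleByteSource(Base64.decode(u.saltB64)));
    }

    // The failing variant from the thread: a SHA-512 digest of the Base64
    // text is used as the salt, which never equals the registration salt.
    static boolean loginWithHashedSalt(StoredUser u, String attempt) {
        return login(u, attempt, new Sha512Hash(u.saltB64));
    }

    public static void main(String[] args) {
        StoredUser u = register("jdoe", "a$eCuRep@SsWd");
        System.out.println("decoded salt, right password: " + loginWithDecodedSalt(u, "a$eCuRep@SsWd"));
        System.out.println("decoded salt, wrong password: " + loginWithDecodedSalt(u, "not-the-password"));
        System.out.println("hashed salt,  right password: " + loginWithHashedSalt(u, "a$eCuRep@SsWd"));
    }
}
```

Running it prints `true`, `false`, `false` in that order: the matcher accepts the correct password only when the salt it receives is byte-for-byte the salt used at registration. Two details decide that. First, `register` passes the `ByteSource` itself as the salt, not its Base64 text, so the stored salt string is purely an encoding of the bytes; the quoted `hash()` method instead passes `passwordSalt` (the Base64 string), which makes the UTF-8 bytes of that text the effective salt and has to be undone the same way on the realm side. Second, the stored hash stays a Base64 `char[]` because `storedCredentialsHexEncoded = false` tells the matcher to Base64-decode it itself; only the salt needs explicit decoding in the realm.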
