Hi Marseld,

I'm glad you asked this question after Shiro 1.2 was released :)

Shiro supports this now with its command line hasher:
http://shiro.apache.org/command-line-hasher.html

For example:

    > java -jar shiro-tools-hasher-1.2.0-cli.jar -p

(the -p option prompts for passwords - remove this option to get full
help/instructions).

    Password to hash: test
    Password to hash (confirm): test
    $shiro1$SHA-256$500000$EdGJa5z9XZflLd0m24Xf4g==$JiNltdb7oNOCygJpfAfeaNpvidnLPwMyEQS9ItmoQcs=

Take this last line and put it in your shiro.ini [users] section:

    [users]
    testUser = $shiro1$SHA-256$500000$EdGJa5z9XZflLd0m24Xf4g==$JiNltdb7oNOCygJpfAfeaNpvidnLPwMyEQS9ItmoQcs=

and also configure the implicit iniRealm in [main] to use the new
PasswordMatcher:

    [main]
    ...
    passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
    iniRealm.credentialsMatcher = $passwordMatcher
    ...

Shiro's default settings for the password matcher (and its corresponding
PasswordService) use what are currently very secure settings: SHA-256
hash, 500,000 hash iterations, and a randomly generated 16-byte salt.

Best,

--
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com

On Wed, Jan 25, 2012 at 2:38 AM, Marseld Dedgjonaj <[email protected]> wrote:
> Hello all,
> I am very newbie in apache shiro and sorry if this is a simple question.
>
> How can I configure in shiro.ini file to use a hash algorithm for
> passwords. I will need to use salt too, if it is possible.
>
> Best regards,
> Marseld
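
Added example, not part of the original thread and not Shiro's own code: a Python sketch that parses the $shiro1$ format shown in the reply and audits a shiro.ini [users] section against the defaults the reply names (SHA-256, 500,000 iterations, 16-byte salt). The function names are hypothetical, and the digest routine assumes Shiro 1.x hashes salt+password once and then re-hashes the result for the remaining iterations.

```python
import base64
import hashlib
import hmac

# Assumption: Shiro 1.x SimpleHash digests salt+password once, then re-hashes
# the previous digest (iterations - 1) more times. Function names are hypothetical.
ALGOS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}

def parse_shiro1(value):
    """Split '$shiro1$algo$iterations$b64salt$b64digest' into its fields."""
    parts = value.split("$")
    if len(parts) != 6 or parts[:2] != ["", "shiro1"]:
        raise ValueError("not a $shiro1$ formatted hash")
    return parts[2], int(parts[3]), base64.b64decode(parts[4]), base64.b64decode(parts[5])

def shiro1_digest(password, algorithm, iterations, salt):
    h = hashlib.new(ALGOS[algorithm], salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        h = hashlib.new(ALGOS[algorithm], h).digest()
    return h

def verify(password, stored):
    algorithm, iterations, salt, digest = parse_shiro1(stored)
    return hmac.compare_digest(shiro1_digest(password, algorithm, iterations, salt), digest)

def audit_users(ini_text, min_iterations=500000, min_salt_bytes=16):
    """Return {user: finding} for weak [users] credentials in a shiro.ini."""
    findings, in_users = {}, False
    for line in (l.strip() for l in ini_text.splitlines()):
        if line.startswith("["):
            in_users = line == "[users]"
        elif in_users and "=" in line and not line.startswith(("#", ";")):
            user, _, rest = line.partition("=")
            try:  # roles may follow the credential after a comma
                algo, iters, salt, _ = parse_shiro1(rest.split(",")[0].strip())
            except ValueError:
                findings[user.strip()] = "not a $shiro1$ hash (plaintext or legacy format)"
                continue
            if algo in ("MD5", "SHA-1") or iters < min_iterations or len(salt) < min_salt_bytes:
                findings[user.strip()] = f"weak: {algo}, {iters} iterations, {len(salt)}-byte salt"
    return findings

# Constructed sample: testUser is the entry from the thread; alice and bob are made up.
SAMPLE_INI = """[users]
testUser = $shiro1$SHA-256$500000$EdGJa5z9XZflLd0m24Xf4g==$JiNltdb7oNOCygJpfAfeaNpvidnLPwMyEQS9ItmoQcs=
alice = secret, admin
bob = $shiro1$SHA-1$1000$AAAAAAAAAAA=$AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""
```

Running audit_users(SAMPLE_INI) flags alice (plaintext credential) and bob (SHA-1, low iteration count, short salt) and leaves testUser alone.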
