I've done some further investigation and have stepped through the code several times and I'm sure the problem is due to the salt not being used when hashing the password entered by the user.
Whilst stepping through the code I've spotted the following.

In DefaultPasswordService.java, when the method passwordsMatch(Object submittedPlaintext, String saved) is called on line 160, the object named request contains the following:

algorithmName=null
iterations=0
salt=null
source=cGFzc3dvcmQ=

The next line of code, on line 161, calls computeHash(request).

In DefaultHashService.java, when the method computeHash(HashRequest request) is called, on lines 155 and 157 the variables algorithmName and iterations are correctly set to "SHA-256" and 1 respectively. On line 159 the method getPublicSalt(request) is called; however, it returns null.

What I still don't understand is whether the object named request should already contain the algorithmName, iterations and salt and, if so, when/where they should be set.

Could someone please help by pointing me in the right direction or suggest how the salt should be set.

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Migrating-from-HashedCredentialMatcher-to-PasswordMatcher-tp7577808p7577809.html
Sent from the Shiro User mailing list archive at Nabble.com.
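The failure described in the post, as an added illustration that is not Shiro's code and not from the poster: a stored credential carries its algorithm, iteration count and salt alongside the digest, the matcher rebuilds the hash request from that stored value, and a request whose salt is left null recomputes a different digest and never matches. The iterated-digest scheme, the "$shiro1$" style layout and all sample values are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed for this example; kept small so the demo runs quickly.
ITERATIONS = 1024


def iterated_hash(source: bytes, salt: Optional[bytes], iterations: int, algorithm: str) -> bytes:
    """Salted, iterated digest (assumed scheme): digest(salt + source),
    then re-digest the result iterations-1 more times."""
    name = algorithm.replace("-", "").lower()  # "SHA-256" -> "sha256" for hashlib
    h = hashlib.new(name)
    if salt:
        h.update(salt)
    h.update(source)
    digest = h.digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest).digest()
    return digest


def store_password(plaintext: str, salt: Optional[bytes] = None) -> str:
    """Self-describing stored value: algorithm, iterations, salt and digest in one
    string, so the matcher can rebuild the request without out-of-band state."""
    salt = salt or os.urandom(16)
    digest = iterated_hash(plaintext.encode(), salt, ITERATIONS, "SHA-256")
    return "$shiro1$SHA-256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def parse_stored(saved: str) -> dict:
    _, _, algorithm, iterations, salt, digest = saved.split("$")
    return {"algorithm": algorithm, "iterations": int(iterations),
            "salt": base64.b64decode(salt), "digest": base64.b64decode(digest)}


def passwords_match(submitted: str, saved: str, use_stored_salt: bool = True) -> bool:
    """Rebuild the request from the stored value and compare in constant time.
    use_stored_salt=False reproduces the post's symptom: salt=null in the request."""
    f = parse_stored(saved)
    salt = f["salt"] if use_stored_salt else None
    recomputed = iterated_hash(submitted.encode(), salt, f["iterations"], f["algorithm"])
    return hmac.compare_digest(recomputed, f["digest"])


if __name__ == "__main__":
    saved = store_password("password")
    print(passwords_match("password", saved))                         # True
    print(passwords_match("password", saved, use_stored_salt=False))  # False: salt never reached the request
```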
