Answers inline: On Mon, Dec 7, 2015 at 5:57 AM, Richard Bradley < [email protected]> wrote:
> Hi, > > > > I’m writing a webapp using Shiro for authentication. > > > > > > Is there support in Shiro for users changing their password or for a > “fogot password” workflow? I can’t find one. > Typically, passwords are stored in some user store (database, LDAP/AD, SSO, etc), so when it comes to resetting passwords, that likely falls onto you. We can point you in the right direction though, what Realm(s) are you using? > > > > > If the general pattern is to roll your own, I have some specific questions: > > > > 1. How can I hash a plaintext password using Shiro’s currently configured > hashing settings? > Look at PasswordService: https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/authc/credential/PasswordService.html Or lower level you can look at: org.apache.shiro.cyrpto.hash https://github.com/apache/shiro/tree/1.2.x/core/src/main/java/org/apache/shiro/crypto/hash > The hashing is done in my Shiro Realm object by a > HashedCredentialsMatcher, but the “hashProvidedCredentials” method is > protected. Am I expected to duplicate all the hashing settings and code in > my app if I need to set a password rather than just verify it? > > > > 2. How should I update the database? The “JdbcRealm” has built in queries > for reading the user’s hashed passwords, but none for writing them. Am I > expected to duplicate the schema and Jdbc code in my app if I need to set a > password rather than just verify it? > This probably answers my question above about which Realm are you using. Depending on how you have implemented the backing DB table, depends on how you would update it. Updates are much harder to make generic, and is not really in the scope of Shiro. (For example, maybe the JDBC realm accesses a view instead of a table) I'd like to hear other thoughts on this. > > > > > Thanks, > > > > > > Rich > > > > Richard Bradley > Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575 > > softwire > Sunday Times Best Small Companies - UK top 25 five years running > Web : www.softwire.com | Follow us on Twitter : @SoftwireUK > <https://twitter.com/SoftwireUK> > Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL > Softwire Technology Limited. Registered in England no. 3824658. Registered > Office : Gallery Court, 28 Arcadia Avenue, Finchley, London. N3 2FG >
