> We can point you in the right direction though, what Realm(s) are you using?

JdbcRealm, with saltStyle COLUMN. My realm has a Sha256CredentialsMatcher configured, with custom “hashIterations” settings.

> Typically, passwords are stored in some user store (database, LDAP/AD, SSO, etc), so when it comes to resetting passwords, that likely falls onto you. We can point you in the right direction though, what Realm(s) are you using?

OK, sounds fair enough. I think a few simple extensions / openings would help Shiro users to do this with less code duplication (see below).

>> 1. How can I hash a plaintext password using Shiro’s currently configured hashing settings?
>
> Look at PasswordService: https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/authc/credential/PasswordService.html

PasswordService doesn’t work for saltStyle COLUMN, only for saltStyle CRYPT. Also, how would I get a correctly configured PasswordService? I’d need to duplicate all my salt settings between my CredentialsMatcher which is attached to the Realm and the PasswordService.

I think that the “hashProvidedCredentials” method on CredentialsMatcher should be public, then I could grab the correctly configured CredentialsMatcher from my Realm and use that for hashing, and be assured that the configuration would match between user creation and user authentication.

>> Is there support in Shiro for users changing their password or for a “forgot password” workflow? I can’t find one.

Are there no example apps like https://github.com/pires/simple-shiro-web-app which have something I can copy for this? I’m fine to write my own, but if I wanted to write my own auth stuff from scratch I wouldn’t be using Shiro ☺

Best,
Rich

From: Brian Demers [mailto:[email protected]]
Sent: 07 December 2015 14:56
To: [email protected]
Subject: Re: Shiro change password / forgotten password

Answers inline:

On Mon, Dec 7, 2015 at 5:57 AM, Richard Bradley <[email protected]> wrote:

> Hi,
>
> I’m writing a webapp using Shiro for authentication.
>
> Is there support in Shiro for users changing their password or for a “forgot password” workflow? I can’t find one.

Typically, passwords are stored in some user store (database, LDAP/AD, SSO, etc), so when it comes to resetting passwords, that likely falls onto you. We can point you in the right direction though, what Realm(s) are you using?

> If the general pattern is to roll your own, I have some specific questions:
>
> 1. How can I hash a plaintext password using Shiro’s currently configured hashing settings?

Look at PasswordService: https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/authc/credential/PasswordService.html

Or lower level you can look at: org.apache.shiro.crypto.hash
https://github.com/apache/shiro/tree/1.2.x/core/src/main/java/org/apache/shiro/crypto/hash

> The hashing is done in my Shiro Realm object by a HashedCredentialsMatcher, but the “hashProvidedCredentials” method is protected. Am I expected to duplicate all the hashing settings and code in my app if I need to set a password rather than just verify it?
>
> 2. How should I update the database? The “JdbcRealm” has built in queries for reading the user’s hashed passwords, but none for writing them. Am I expected to duplicate the schema and Jdbc code in my app if I need to set a password rather than just verify it?

This probably answers my question above about which Realm are you using. Depending on how you have implemented the backing DB table, depends on how you would update it. Updates are much harder to make generic, and are not really in the scope of Shiro. (For example, maybe the JDBC realm accesses a view instead of a table)

I'd like to hear other thoughts on this.

> Thanks,
> Rich
>
> Richard Bradley
> Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575
> softwire
> Sunday Times Best Small Companies - UK top 25 five years running
> Web : www.softwire.com<http://www.softwire.com/> | Follow us on Twitter : @SoftwireUK<https://twitter.com/SoftwireUK>
> Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
> Softwire Technology Limited. Registered in England no. 3824658. Registered Office : Gallery Court, 28 Arcadia Avenue, Finchley, London. N3 2FG
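The duplication Rich is worried about can be avoided without making hashProvidedCredentials public: the HashedCredentialsMatcher already exposes its algorithm name, iteration count and encoding through public getters, so a password-setting routine can read them from the realm's matcher and then run the matcher itself to prove the stored values verify. The following is an added example written for this thread, not code from the mailing list or from the Shiro project; it assumes the Shiro 1.2.x API shown and assumes that JdbcRealm with saltStyle COLUMN passes the salt column's text to the matcher as ByteSource.Util.bytes(saltColumnValue).

```java
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;
// Hashes a new password with exactly the settings the realm's HashedCredentialsMatcher
// uses, read through its public getters (hashProvidedCredentials itself is protected),
// then proves the stored values verify through that same matcher.
public class PasswordSetter {
    private final HashedCredentialsMatcher matcher;
    public PasswordSetter(HashedCredentialsMatcher matcher) {
        this.matcher = matcher;
    }

    // Returns {passwordHash, salt}: the two values to write to the JdbcRealm's
    // password and salt columns for this user.
    public String[] hashForStorage(char[] plaintext) {
        // Fresh random salt per user, stored as hex text in the salt column.
        String saltText = new SecureRandomNumberGenerator().nextBytes(16).toHex();
        // Assumption: with saltStyle COLUMN the realm passes the matcher
        // ByteSource.Util.bytes(saltColumnValue), i.e. the bytes of the stored text,
        // so the same bytes are used as the salt here.
        ByteSource salt = ByteSource.Util.bytes(saltText);
        SimpleHash hash = new SimpleHash(matcher.getHashAlgorithmName(),
                plaintext, salt, matcher.getHashIterations());
        String encoded = matcher.isStoredCredentialsHexEncoded() ? hash.toHex() : hash.toBase64();
        return new String[] { encoded, saltText };
    }

    // Runs the realm's own matcher against the stored values, exactly as login would.
    public boolean verifies(String username, char[] attempt, String[] stored) {
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
                username, stored[0], ByteSource.Util.bytes(stored[1]), "jdbcRealm");
        return matcher.doCredentialsMatch(new UsernamePasswordToken(username, attempt), info);
    }

    public static void main(String[] args) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(5000);            // the realm's custom hashIterations value
        matcher.setStoredCredentialsHexEncoded(true);
        PasswordSetter setter = new PasswordSetter(matcher);
        String[] stored = setter.hashForStorage("correct horse".toCharArray());
        System.out.println("correct: " + setter.verifies("rich", "correct horse".toCharArray(), stored)
                + ", wrong: " + setter.verifies("rich", "wrong".toCharArray(), stored));
    }
}
```

In a running application the matcher would be obtained from the realm (getCredentialsMatcher(), cast to HashedCredentialsMatcher) rather than constructed here, so creation and authentication can never drift apart.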
