I would like to ask if someone could post an example of a Shiro configuration implementing hashed password authentication without extending/implementing any custom Realm or SaltedAuthenticationInfo?
Is this possible? I haven't found any complete example. In my project I have a MySQL database and I would like to implement authentication using hashed passwords saved in the database.
My shiro.ini is the following:
[main]
ds = com.mysql.cj.jdbc.MysqlDataSource
ds.serverName = 127.0.0.1
ds.port = 3306
ds.user = histopathUser
ds.password = h1s+0p@+h
ds.databaseName = histopath.gr
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $ds
jdbcRealm.authenticationQuery = "SELECT password, salt FROM User WHERE email = ? AND activated = 0"
jdbcRealm.userRolesQuery = "SELECT roleName FROM UserRole WHERE email = ?"
# jdbcRealm.permissionsQuery = "SELECT permission FROM RolesPermissions WHERE roleName = ?"
authc.usernameParam = email
authc.passwordParam = password
authc.failureKeyAttribute = shiroLoginFailure
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 1024
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = false
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
jdbcRealm.credentialsMatcher = $passwordMatcher
# credentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
# credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
# credentialsMatcher.hashAlgorithmName = SHA-256
# credentialsMatcher.hashIterations = 1024
# credentialsMatcher.storedCredentialsHexEncoded = false
# jdbcRealm.credentialsMatcher = $credentialsMatcher
jdbcRealm.permissionsLookupEnabled = false
shiro.loginUrl = /authentication/login
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
securityManager.sessionManager.sessionIdCookieEnabled = false
# ssl.enabled = false
securityManager.realms = $jdbcRealm
[users]
[roles]
[urls]
/authentication/login = authc
/authentication/logout = logout
/doctors/* = authc
/users/new = anon
/users/details/* = anon
/users/* = authc
/* = anon
My authentication login function is:
@POST
@Path("login")
@Produces(MediaType.TEXT_PLAIN)
public boolean login(Authentication authData) {
    // Debug output; note that this writes the submitted plaintext password to stdout
    System.out.println("Param email: " + authData.getEmail());
    System.out.println("Param password: " + authData.getPassword());
    if (!subject.isAuthenticated()) {
        UsernamePasswordToken token = new UsernamePasswordToken(authData.getEmail(), authData.getPassword());
        try {
            System.out.println("Trying to authenticate with token");
            subject.login(token);
            System.out.println("User [" + subject.getPrincipal().toString() + "] logged in successfully.");
            return true;
        } catch (UnknownAccountException uae) {
            log.error("Username Not Found!", uae);
            System.out.println("Username Not Found!");
            uae.printStackTrace();
        } catch (IncorrectCredentialsException ice) {
            log.error("Invalid Credentials!", ice);
            System.out.println("Invalid Credentials!");
            ice.printStackTrace();
        } catch (LockedAccountException lae) {
            log.error("Your Account is Locked!", lae);
            System.out.println("Your Account is Locked!");
            lae.printStackTrace();
        } catch (AuthenticationException ae) {
            // Any other Shiro authentication failure, including realm-level SQL errors
            log.error("Unexpected Error!", ae);
            System.err.println("Unexpected Error!");
            ae.printStackTrace();
        } catch (Exception ex) {
            System.out.println(ex.getMessage());
            ex.printStackTrace();
        }
    } else {
        return true;
    }
    return false;
}
My registration function:
@POST
@Path("new")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public String create(User requestBody) {
    System.err.println("NEW User");
    // System.out.println("WTF ==== " + requestBody.getBirthday());
    // System.out.println("lalala: " + requestBody.getPermition());
    User user = new User();
    user.setFirstName(requestBody.getFirstName());
    user.setLastName(requestBody.getLastName());
    user.setEmail(requestBody.getEmail());
    // user.setPassword(requestBody.getPassword());
    // Do something with per-user random salt generation or something like it
    //================================================================================================================
    // Random per-user salt, Base64-encoded, stored in its own column
    RandomNumberGenerator rng = new SecureRandomNumberGenerator();
    String salt = rng.nextBytes().toBase64();
    // 1024 iterations of SHA-256 over password + salt, stored Base64-encoded
    String hashedPasswordBase64 = new Sha256Hash(requestBody.getPassword(), salt, 1024).toBase64();
    user.setSalt(salt);
    user.setPassword(hashedPasswordBase64);
    user.setActivated(false);
    boolean result = userDAO.persist(user);
    userDAO.closeEntityManager();
    if (result) {
        return ReturnResults.results(new ArrayList<User>(asList(user)));
    }
    return "{}";
}
However, in the login function, at subject.login(token), I get this error:
Unexpected Error!
org.apache.shiro.authc.AuthenticationException: There was a SQL error while authenticating user [[email protected]]
	at org.apache.shiro.realm.jdbc.JdbcRealm.doGetAuthenticationInfo(JdbcRealm.java:260)
	at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:571)
	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:180)
	at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:267)
	at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
	at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
	at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:274)
	at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:260)
	at gr.histopath.platform.controllers.authentication.AuthenticationController.login(AuthenticationController.java:45)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory.lambda$static$0(ResourceMethodInvocationHandlerFactory.java:76)
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:148)
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:191)
	at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$TypeOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:243)
	at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:103)
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:493)
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:415)
	at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:104)
	at org.glassfish.jersey.server.ServerRuntime$1.run(ServerRuntime.java:277)
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:272)
	at org.glassfish.jersey.internal.Errors$1.call(Errors.java:268)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:316)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:298)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:268)
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:289)
	at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:256)
	at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:703)
	at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:416)
	at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:370)
	at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:389)
	at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:342)
	at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:229)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:61)
	at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
	at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
	at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
	at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
	at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
	at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:764)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1388)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.sql.SQLException: Parameter index out of range (1 > number of parameters, which is 0).
	at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:545)
	at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:513)
	at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:505)
	at com.mysql.cj.jdbc.exceptions.SQLError.createSQLException(SQLError.java:479)
	at com.mysql.cj.jdbc.PreparedStatement.checkBounds(PreparedStatement.java:3246)
	at com.mysql.cj.jdbc.PreparedStatement.setInternal(PreparedStatement.java:3230)
	at com.mysql.cj.jdbc.PreparedStatement.setString(PreparedStatement.java:4025)
	at org.apache.shiro.realm.jdbc.JdbcRealm.getPasswordForUser(JdbcRealm.java:287)
	at org.apache.shiro.realm.jdbc.JdbcRealm.doGetAuthenticationInfo(JdbcRealm.java:227)
	... 70 more
What am I doing wrong? Please help.
Is it possible to set up hashed password authentication in Shiro without implementing custom classes of Realm and SaltedAuthenticationInfo?
--
Sent from: http://shiro-user.582556.n2.nabble.com/
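The post stores Sha256Hash(password, salt, 1024).toBase64() in one column and the Base64 salt in another, but verifies through PasswordMatcher/DefaultPasswordService, and the two sides of a hashed-password scheme have to agree on the stored format. The Java below is an added example, not code from the original post; it assumes Shiro 1.x on the classpath, uses a placeholder e-mail address and realm name, and turns generatePublicSalt on (a deliberate change from the posted config) so the salt travels inside the stored string. It verifies the post's hash+salt pair with HashedCredentialsMatcher, fed the salt the way JdbcRealm does when saltStyle = COLUMN, and contrasts that with the self-describing $shiro1$ string that DefaultPasswordService produces and expects.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.ByteSource;

public class MatcherPairingDemo {
    static final String EMAIL = "user@example.invalid";   // placeholder principal, not from the post

    // Scheme A: raw Base64 hash in one column, Base64 salt in another (the post's registration code).
    // HashedCredentialsMatcher gets the salt via SaltedAuthenticationInfo, as JdbcRealm does for saltStyle = COLUMN.
    static boolean matchesWithSaltColumn(String submitted, String storedHashB64, String storedSaltB64) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
        matcher.setHashIterations(1024);
        matcher.setStoredCredentialsHexEncoded(false);   // stored value is Base64, not hex
        // Salt as the String bytes of the column: the same bytes Sha256Hash consumed at registration
        AuthenticationInfo info = new SimpleAuthenticationInfo(
                EMAIL, storedHashB64, ByteSource.Util.bytes(storedSaltB64), "jdbcRealm");
        return matcher.doCredentialsMatch(new UsernamePasswordToken(EMAIL, submitted), info);
    }

    // Scheme B: DefaultPasswordService (what PasswordMatcher delegates to). It emits and parses a
    // self-describing "$shiro1$..." string carrying algorithm, iterations and salt, so it never reads a
    // separate salt column; a bare Base64 hash from scheme A is recomputed without that salt and cannot match.
    static DefaultPasswordService passwordService() {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setHashIterations(1024);
        hashService.setGeneratePublicSalt(true);   // per-user random salt, embedded in the stored string
        DefaultPasswordService service = new DefaultPasswordService();
        service.setHashService(hashService);
        return service;
    }

    public static void main(String[] args) {
        String plaintext = "correct horse battery staple";   // constructed sample credential
        // Registration exactly as in the post: random salt, 1024 iterations of SHA-256, Base64 output
        String salt = new SecureRandomNumberGenerator().nextBytes().toBase64();
        String hashB64 = new Sha256Hash(plaintext, salt, 1024).toBase64();
        System.out.println("scheme A, correct password: " + matchesWithSaltColumn(plaintext, hashB64, salt));
        System.out.println("scheme A, wrong password:   " + matchesWithSaltColumn("not-it", hashB64, salt));
        DefaultPasswordService service = passwordService();
        System.out.println("scheme B on scheme A's stored hash: " + service.passwordsMatch(plaintext, hashB64));
        String shiro1 = service.encryptPassword(plaintext);   // store this one string instead of hash + salt columns
        System.out.println("scheme B on its own format:         " + service.passwordsMatch(plaintext, shiro1));
    }
}
```

Whichever scheme is kept, the registration code and the configured credentialsMatcher must use the same one; mixing Sha256Hash-plus-salt-column storage with PasswordMatcher verification fails for every user even after the SQL error is resolved.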