Whoa, a plain jdbc connection, that's old school :) You are pretty
close - just as a test, you could remove the salt and see if simply
comparing the hashes works - I believe it should. Now, a couple of
notes:

1) Are you sure you are storing the salt as base64 encoded? Your read
expects that to be so. You could easily compare the salt value only in
getPasswordForUser(...) to see if you are getting back what you
expected.

2) Sha512CredentialsMatcher is deprecated (though it might be the
simplest way of configuring if you use an ini file). Read the whole
javadoc for HashedCredentialsMatcher, it has more than you need but
see this excerpt:
 * @deprecated since 1.1 - use the HashedCredentialsMatcher directly and set its
 *             {@link HashedCredentialsMatcher#setHashAlgorithmName(String) hashAlgorithmName} property.
 */
public class Sha512CredentialsMatcher extends HashedCredentialsMatcher {

3) Are you using T5.1.0.5? If so, use the brand new, yet unannounced
tapestry-security 0.2.1 (that depends on Shiro 1.1.0).

Agree this is important enough to have a decent example for it. I'm
waiting to have T5.2.3 release available before making the
corresponding tapestry-security release and then working out some
examples with the latest Shiro.

Kalle


On Sat, Nov 13, 2010 at 8:05 AM, cablepuff <cablep...@gmail.com> wrote:
>
> So this is in my pom.xml
>
> I have 0.2.0 version of tynamo security excluding apache shiro
> 1.0.0.incubating and instead using 1.1.0 of apache shiro.
>
> my save user looks like this..
>
> // begin save user
>                RandomNumberGenerator rng = new SecureRandomNumberGenerator();
>                String byteSource = rng.nextBytes().toBase64();
>                String hashedPasswordBase64 = new Sha512Hash(password,
>                                byteSource.getBytes(), 1024).toBase64();
>                RegisterUser user  = new RegisterUser(username, email,
> hashedPasswordBase64,
>                                byteSource);
>                return this.userDao.createUser(user);
> // end save user.
>
>
> Inside my jdbcSaltedRealm, which extends JdbcRealm, it has this code.
> // begin code
> protected static final String DEFAULT_AUTHENTICATION_QUERY = "select password, passwordSalt from users where username = ?";
>
>    @Override
>    protected SaltedAuthenticationInfo
> doGetAuthenticationInfo(AuthenticationToken token) throws
> AuthenticationException {
>
>        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
>        String username = upToken.getUsername();
>
>        // Null username is invalid
>        if (username == null) {
>            throw new AccountException("Null usernames are not allowed by this realm.");
>        }
>
>        Connection conn = null;
>        SaltedAuthenticationInfo info = null;
>        try {
>            conn = dataSource.getConnection();
>
>            PasswordWithSalt pws = getPasswordForUser(conn, username);
>
>            if (pws == null) {
>                throw new UnknownAccountException("No account found for user [" + username + "]");
>            }
>
>            info = buildAuthenticationInfo(username, pws.getPassword(),
> pws.getSalt());
>
>        } catch (SQLException e) {
>            final String message = "There was a SQL error while authenticating user [" + username + "]";
>            if (log.isErrorEnabled()) {
>                log.error(message, e);
>            }
>
>            // Rethrow any SQL errors as an authentication exception
>            throw new AuthenticationException(message, e);
>        } finally {
>            JdbcUtils.closeConnection(conn);
>        }
>
>        return info;
>    }
>
>    protected SaltedAuthenticationInfo buildAuthenticationInfo(String
> username, String password, ByteSource passwordSalt) {
>        return new SimpleAuthenticationInfo(username, password,
> passwordSalt, getName());
>    }
>
>
>    private PasswordWithSalt getPasswordForUser(Connection conn, String
> username) throws SQLException {
>
>        PreparedStatement ps = null;
>        ResultSet rs = null;
>        String password = null;
>        ByteSource salt = null;
>        try {
>            ps = conn.prepareStatement(authenticationQuery);
>            ps.setString(1, username);
>
>            // Execute query
>            rs = ps.executeQuery();
>
>            // Loop over results - although we are only expecting one result, since usernames should be unique
>            boolean foundResult = false;
>            while (rs.next()) {
>
>                // Check to ensure only one row is processed
>                if (foundResult) {
>                    throw new AuthenticationException("More than one user row found for user [" + username + "]. Usernames must be unique.");
>                }
>
>                password = rs.getString(1);
>                String saltString = rs.getString(2);
>                salt = new SimpleByteSource(Base64.decode(saltString));
>
>                foundResult = true;
>            }
>        } finally {
>            JdbcUtils.closeResultSet(rs);
>            JdbcUtils.closeStatement(ps);
>        }
>
>        return new PasswordWithSalt(password, salt);
>    }
>
>
> // my appmodule is like this.
> public void contributeWebSecurityManager(Configuration<Realm> configuration)
> {
>                realm = new JdbcSaltedRealm();
>                realm.setDataSource(dataSource);
>                realm.setAuthenticationQuery(AUTHENTICATION_QUERY);
>                realm.setUserRolesQuery(USER_ROLES_QUERY);
>                realm.setPermissionsQuery(PERMISSION_QUERY);
>                realm.setPermissionsLookupEnabled(true);
>                configuration.add(realm);
>        }
>
>        public void contributeApplicationDefaults(MappedConfiguration<String,
> String> configuration) {
>                // 1 MB max file size, 5 MB request upload size.
>                
> configuration.add(SecuritySymbols.SHOULD_LOAD_INI_FROM_CONFIG_PATH,
> "true");
>       }
>
>
> // now my shiro.ini is like this.
> [main]
> credentialsMatcher=org.apache.shiro.authc.credential.Sha512CredentialsMatcher
> # base64 encoding, not hex in this example:
> credentialsMatcher.storedCredentialsHexEncoded=false
> credentialsMatcher.hashIterations=1024
>
>
> Now whenever I log on I keep getting wrong username and password. Is there a
> guide or sample on how to get hashing to work with tapestry tynamo security?
> I could get it working without hashing, but I'd rather add hashing to store
> salted password.
>
>
> thanks.
> --
> View this message in context: 
> http://tapestry.1045711.n5.nabble.com/tapestry-security-with-1-1-0-of-shiro-unable-to-get-sha512-login-working-tp3263653p3263653.html
> Sent from the Tapestry - User mailing list archive at Nabble.com.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>
>
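
Added example (not part of either message, and not tapestry-security or Shiro project code): a stand-alone check of the salt round trip raised in note 1, using a HashedCredentialsMatcher configured as in note 2. The posted save path hashes with the character bytes of the base64 salt text, while the realm's read path base64-decodes the stored column before matching, so the first check below is expected to fail and the second to succeed. The class name, user name, realm name and sample password are constructed for illustration; it assumes Shiro 1.1.0 on the classpath.

```java
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.SimpleByteSource;

public class SaltRoundTripCheck {

    // Same value as credentialsMatcher.hashIterations in the posted shiro.ini.
    static final int ITERATIONS = 1024;

    // Mirrors the realm's read path: base64-decode the stored salt column,
    // wrap it in an AuthenticationInfo and let the matcher compare.
    static boolean matches(HashedCredentialsMatcher matcher, String typedPassword,
                           String storedHashB64, String storedSaltB64) {
        ByteSource salt = new SimpleByteSource(Base64.decode(storedSaltB64));
        SimpleAuthenticationInfo info =
                new SimpleAuthenticationInfo("alice", storedHashB64, salt, "demoRealm");
        return matcher.doCredentialsMatch(
                new UsernamePasswordToken("alice", typedPassword), info);
    }

    public static void main(String[] args) {
        String password = "correct horse";      // constructed sample value
        ByteSource rawSalt = new SecureRandomNumberGenerator().nextBytes();
        String saltB64 = rawSalt.toBase64();    // what goes into the passwordSalt column

        // Save path as posted: salt = character bytes of the base64 text.
        String hashOverText =
                new Sha512Hash(password, saltB64.getBytes(), ITERATIONS).toBase64();
        // Save path consistent with the read path: salt = the raw random bytes.
        String hashOverRaw =
                new Sha512Hash(password, rawSalt.getBytes(), ITERATIONS).toBase64();

        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName("SHA-512");
        matcher.setStoredCredentialsHexEncoded(false);  // stored hash is base64
        matcher.setHashIterations(ITERATIONS);

        System.out.println("salted with base64 text: "
                + matches(matcher, password, hashOverText, saltB64));
        System.out.println("salted with raw bytes:   "
                + matches(matcher, password, hashOverRaw, saltB64));
    }
}
```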
