Posted to user@shiro.apache.org by Richard Bradley <Ri...@softwire.com> on 2015/12/07 11:57:32 UTC

Shiro change password / forgotten password

Hi,

I'm writing a webapp using Shiro for authentication.


Is there support in Shiro for users changing their password or for a "forgot password" workflow? I can't find one.


If the general pattern is to roll your own, I have some specific questions:

1. How can I hash a plaintext password using Shiro's currently configured hashing settings? The hashing is done in my Shiro Realm object by a HashedCredentialsMatcher, but the "hashProvidedCredentials" method is protected. Am I expected to duplicate all the hashing settings and code in my app if I need to set a password rather than just verify it?

2. How should I update the database? The "JdbcRealm" has built-in queries for reading the user's hashed passwords, but none for writing them. Am I expected to duplicate the schema and Jdbc code in my app if I need to set a password rather than just verify it?


Thanks,


Rich


Richard Bradley
Tel : 020 7485 7500 ext 3230 | Fax : 020 7485 7575

softwire
Sunday Times Best Small Companies - UK top 25 five years running
Web : www.softwire.com<http://www.softwire.com/> | Follow us on Twitter : @SoftwireUK<https://twitter.com/SoftwireUK>
Addr : 110 Highgate Studios, 53-79 Highgate Road, London NW5 1TL
Softwire Technology Limited. Registered in England no. 3824658. Registered Office : Gallery Court, 28 Arcadia Avenue, Finchley, London. N3 2FG

Re: Shiro change password / forgotten password

Posted by Lenny Primak <lp...@hope.nyc.ny.us>.
Stormpath has built-in workflows so you don’t have to develop them yourself.
This actually was the primary reason we started using Stormpath, and we are very happy with its other features.

> On Dec 7, 2015, at 8:56 AM, Brian Demers <br...@gmail.com> wrote:
> 
> Answers inline:
> 
> On Mon, Dec 7, 2015 at 5:57 AM, Richard Bradley <Richard.Bradley@softwire.com> wrote:
> Hi,
> 
> I’m writing a webapp using Shiro for authentication.
> 
> Is there support in Shiro for users changing their password or for a “forgot password” workflow? I can’t find one.
> 
> Typically, passwords are stored in some user store (database, LDAP/AD, SSO, etc), so when it comes to resetting passwords, that likely falls onto you. We can point you in the right direction though, what Realm(s) are you using?
> 
> If the general pattern is to roll your own, I have some specific questions:
> 
> 1. How can I hash a plaintext password using Shiro’s currently configured hashing settings?
> 
> Look at PasswordService:
> https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/authc/credential/PasswordService.html
> 
> Or lower level you can look at: org.apache.shiro.crypto.hash
> https://github.com/apache/shiro/tree/1.2.x/core/src/main/java/org/apache/shiro/crypto/hash
> 
> The hashing is done in my Shiro Realm object by a HashedCredentialsMatcher, but the “hashProvidedCredentials” method is protected. Am I expected to duplicate all the hashing settings and code in my app if I need to set a password rather than just verify it?
> 
> 2. How should I update the database? The “JdbcRealm” has built-in queries for reading the user’s hashed passwords, but none for writing them. Am I expected to duplicate the schema and Jdbc code in my app if I need to set a password rather than just verify it?
> 
> This probably answers my question above about which Realm you are using. How you would update it depends on how you have implemented the backing DB table. Updates are much harder to make generic, and are not really in the scope of Shiro. (For example, maybe the JDBC realm accesses a view instead of a table.)
> 
> I'd like to hear other thoughts on this.
> 
> Thanks,
> 
> Rich
> 


RE: Shiro change password / forgotten password

Posted by Richard Bradley <Ri...@softwire.com>.
> We can point you in the right direction though, what Realm(s) are you using?

JdbcRealm, with saltStyle COLUMN.

My realm has a Sha256CredentialsMatcher configured, with custom “hashIterations” settings.

> Typically, passwords are stored in some user store (database, LDAP/AD, SSO, etc), so when it comes to resetting passwords, that likely falls onto you. We can point you in the right direction though, what Realm(s) are you using?

OK, sounds fair enough.
I think a few simple extensions / openings would help Shiro users to do this with less code duplication (see below).

> 1. How can I hash a plaintext password using Shiro’s currently configured hashing settings?

> Look at PasswordService:
> https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/authc/credential/PasswordService.html

PasswordService doesn’t work for saltStyle COLUMN, only for saltStyle CRYPT.
Also, how would I get a correctly configured PasswordService?

I’d need to duplicate all my salt settings between my CredentialsMatcher which is attached to the Realm and the PasswordService.

I think that the “hashProvidedCredentials” method on CredentialsMatcher should be public, then I could grab the correctly configured CredentialsMatcher from my Realm and use that for hashing, and be assured that the configuration would match between user creation and user authentication.

> Is there support in Shiro for users changing their password or for a “forgot password” workflow? I can’t find one.
Are there no example apps like https://github.com/pires/simple-shiro-web-app which have something I can copy for this?
I’m fine to write my own, but if I wanted to write my own auth stuff from scratch I wouldn’t be using Shiro ☺

Best,


Rich



From: Brian Demers [mailto:brian.demers@gmail.com]
Sent: 07 December 2015 14:56
To: user@shiro.apache.org
Subject: Re: Shiro change password / forgotten password

Answers inline:

On Mon, Dec 7, 2015 at 5:57 AM, Richard Bradley <Ri...@softwire.com> wrote:
Hi,

I’m writing a webapp using Shiro for authentication.


Is there support in Shiro for users changing their password or for a “forgot password” workflow? I can’t find one.


Typically, passwords are stored in some user store (database, LDAP/AD, SSO, etc), so when it comes to resetting passwords, that likely falls onto you.   We can point you in the right direction though, what Realm(s) are you using?



If the general pattern is to roll your own, I have some specific questions:

1. How can I hash a plaintext password using Shiro’s currently configured hashing settings?

Look at PasswordService:
https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/authc/credential/PasswordService.html

Or lower level you can look at: org.apache.shiro.crypto.hash
https://github.com/apache/shiro/tree/1.2.x/core/src/main/java/org/apache/shiro/crypto/hash

The hashing is done in my Shiro Realm object by a HashedCredentialsMatcher, but the “hashProvidedCredentials” method is protected. Am I expected to duplicate all the hashing settings and code in my app if I need to set a password rather than just verify it?

2. How should I update the database? The “JdbcRealm” has built-in queries for reading the user’s hashed passwords, but none for writing them. Am I expected to duplicate the schema and Jdbc code in my app if I need to set a password rather than just verify it?

This probably answers my question above about which Realm you are using. How you would update it depends on how you have implemented the backing DB table. Updates are much harder to make generic, and are not really in the scope of Shiro. (For example, maybe the JDBC realm accesses a view instead of a table.)


I'd like to hear other thoughts on this.





Thanks,


Rich

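The following is an added example, not code from this thread or from Shiro itself, showing one way to do what Rich is asking in questions 1 and 2 for a JdbcRealm with saltStyle COLUMN: take the HashedCredentialsMatcher off the realm (AuthenticatingRealm.getCredentialsMatcher() is public) and reuse its algorithm name, iteration count and hex/base64 setting, so the value written on a password change is exactly what the matcher will recompute at login. The class name RealmPasswordUpdater, the users(username, password, password_salt) table (the columns the realm's default salted query reads) and the update statement are assumptions; the salt handling relies on the 1.2.x JdbcRealm behaviour of wrapping the salt column's string value with ByteSource.Util.bytes(String), so the text stored in the column is itself the salt bytes.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Arrays;

import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.util.ByteSource;

/**
 * Hypothetical helper (not part of Shiro): sets a user's password using the
 * same settings the realm's HashedCredentialsMatcher uses to verify it, so
 * the hashing configuration lives in one place (the realm) only.
 */
public final class RealmPasswordUpdater {

    private final HashedCredentialsMatcher matcher;

    public RealmPasswordUpdater(AuthenticatingRealm realm) {
        CredentialsMatcher cm = realm.getCredentialsMatcher();
        // Sha256CredentialsMatcher is a HashedCredentialsMatcher subclass, so this covers it.
        if (!(cm instanceof HashedCredentialsMatcher)) {
            throw new IllegalStateException("realm is not using a HashedCredentialsMatcher");
        }
        this.matcher = (HashedCredentialsMatcher) cm;
    }

    /** A fresh per-user salt, as text suitable for a salt column. */
    public static String newSalt() {
        // 16 random bytes from Shiro's SecureRandom-backed generator, base64 as column text.
        return new SecureRandomNumberGenerator().nextBytes(16).toBase64();
    }

    /**
     * Hashes the plaintext the way the matcher will at login for a JdbcRealm with
     * saltStyle COLUMN (assumed 1.2.x behaviour): the realm passes
     * ByteSource.Util.bytes(saltColumnValue) as the credentials salt, i.e. the
     * bytes of the stored string itself, not a decoded form of it.
     */
    public String hash(char[] plaintext, String saltColumnValue) {
        ByteSource salt = ByteSource.Util.bytes(saltColumnValue);
        SimpleHash h = new SimpleHash(
                matcher.getHashAlgorithmName(),   // e.g. SHA-256 for Sha256CredentialsMatcher
                plaintext,
                salt,
                matcher.getHashIterations());     // the realm's custom hashIterations
        // Store in the encoding the matcher expects to read back.
        return matcher.isStoredCredentialsHexEncoded() ? h.toHex() : h.toBase64();
    }

    /**
     * Writes the new hash and salt. Table and column names are assumptions matching
     * JdbcRealm's default salted query ("select password, password_salt from users
     * where username = ?"); adjust to your schema.
     */
    public void setPassword(Connection conn, String username, char[] newPassword) throws SQLException {
        String salt = newSalt();
        String stored;
        try {
            stored = hash(newPassword, salt);
        } finally {
            Arrays.fill(newPassword, '\0');   // don't keep the plaintext around
        }
        try (PreparedStatement ps = conn.prepareStatement(
                "update users set password = ?, password_salt = ? where username = ?")) {
            ps.setString(1, stored);
            ps.setString(2, salt);
            ps.setString(3, username);
            if (ps.executeUpdate() != 1) {
                throw new IllegalStateException("expected exactly one row for user " + username);
            }
        }
    }
}
```

Because the salt column is read back through ByteSource.Util.bytes(String), the same base64 text is both what is stored and what is hashed with, so a login after setPassword verifies with no settings duplicated outside the realm. If the matcher is ever reconfigured (algorithm, iterations, hex vs. base64), existing rows keep their old hashes and need re-hashing on next successful login; a settings mismatch shows up as every user failing authentication, which is worth a smoke test in CI.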

Re: Shiro change password / forgotten password

Posted by Brian Demers <br...@gmail.com>.
Answers inline:

On Mon, Dec 7, 2015 at 5:57 AM, Richard Bradley <Richard.Bradley@softwire.com> wrote:

> Hi,
>
> I’m writing a webapp using Shiro for authentication.
>
> Is there support in Shiro for users changing their password or for a
> “forgot password” workflow? I can’t find one.
>


Typically, passwords are stored in some user store (database, LDAP/AD, SSO,
etc), so when it comes to resetting passwords, that likely falls onto you.
  We can point you in the right direction though, what Realm(s) are you
using?


>
> If the general pattern is to roll your own, I have some specific questions:
>
> 1. How can I hash a plaintext password using Shiro’s currently configured
> hashing settings?
>

Look at PasswordService:
https://shiro.apache.org/static/1.2.2/apidocs/org/apache/shiro/authc/credential/PasswordService.html

Or lower level you can look at: org.apache.shiro.crypto.hash
https://github.com/apache/shiro/tree/1.2.x/core/src/main/java/org/apache/shiro/crypto/hash


> The hashing is done in my Shiro Realm object by a
> HashedCredentialsMatcher, but the “hashProvidedCredentials” method is
> protected. Am I expected to duplicate all the hashing settings and code in
> my app if I need to set a password rather than just verify it?
>
>
>
> 2. How should I update the database? The “JdbcRealm” has built-in queries
> for reading the user’s hashed passwords, but none for writing them. Am I
> expected to duplicate the schema and Jdbc code in my app if I need to set a
> password rather than just verify it?
>

This probably answers my question above about which Realm you are using.
How you would update it depends on how you have implemented the backing DB
table.  Updates are much harder to make generic, and are not really in the
scope of Shiro.  (For example, maybe the JDBC realm accesses a view instead
of a table.)


I'd like to hear other thoughts on this.




>
> Thanks,
>
> Rich
>
>