Posted to user@shiro.apache.org by set321go <sw...@hotmail.com> on 2011/06/18 18:16:04 UTC

Suggested way of adding new user?

Hello,

Thank you for the input to my last question about salting.

I am building a web-based system and I would like to add a new user. Once I
have the user's login credentials, how should I use Shiro to populate the data
source? I did notice a buildAuthenticationInfo method in the JDBC realm. I
was reading this thread
http://shiro-user.582556.n2.nabble.com/Password-Salting-one-salt-per-password-td5490030.html#none
but it didn't answer my question about adding users.

Thanks for the help
Alex


Re: Suggested way of adding new user?

Posted by Les Hazlewood <lh...@apache.org>.
You won't use Shiro to populate the data source - you can write the
data into your data source (RDBMS, NoSQL system, whatever) however you
like.

How you store the credentials in your data source is entirely up to
you, but you should never ever store the password as plain text.

You can store the credentials hash as a single column and store the
salt as a separate column, or store them in one column, or even break
it up into multiple data sources for higher security.

These two articles explain this a bit more in detail:

http://www.katasoft.com/blog/2011/04/04/strong-password-hashing-apache-shiro
http://www.katasoft.com/blog/2011/06/07/strong-password-hashing-part-2

Also, the Realm documentation's "Credentials Matching" section
provides an example of how this might be done in an application:

http://shiro.apache.org/realm.html

This demonstrates one example, but there are a few ways to store this
information.  However you store it, the most important point is to
return a SaltedAuthenticationInfo back to Shiro in your Realm
implementation's getAuthenticationInfo method (see the
'SaltedAuthenticationInfo' section in the Realm documentation).

HTH,

-- 
Les Hazlewood
CTO, Katasoft | http://www.katasoft.com | 888.391.5282
twitter: http://twitter.com/lhazlewood
katasoft blog: http://www.katasoft.com/blogs/lhazlewood
personal blog: http://leshazlewood.com
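
An added example, not part of the original thread and not Shiro's own code: one way to do what the reply describes, with the application writing a per-user salt and salted hash at registration and the Realm handing both back to Shiro as a SaltedAuthenticationInfo. It assumes the Shiro 1.x package layout; the class name, the in-memory map standing in for the data source, the iteration count and the Base64 storage encoding are all assumptions made for illustration.

```java
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class SaltedUserRealm extends AuthorizingRealm {
    static final int ITERATIONS = 1024; // assumed value; must match at write and verify time
    // Hypothetical stand-in for the data source: username -> {hash, salt}, both Base64.
    private final Map<String, String[]> users = new ConcurrentHashMap<>();
    private final SecureRandomNumberGenerator rng = new SecureRandomNumberGenerator();

    public SaltedUserRealm() {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(false); // stored hashes are Base64, not hex
        setCredentialsMatcher(matcher);
    }

    // Application-side registration: Shiro supplies only the hashing utilities.
    public void register(String username, char[] password) {
        ByteSource salt = rng.nextBytes(); // fresh random salt for this user
        String hash = new Sha256Hash(password, salt, ITERATIONS).toBase64();
        if (users.putIfAbsent(username, new String[] {hash, salt.toBase64()}) != null) {
            throw new IllegalArgumentException("username already taken");
        }
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        String[] row = users.get(username);
        if (row == null) throw new UnknownAccountException();
        ByteSource salt = ByteSource.Util.bytes(Base64.getDecoder().decode(row[1]));
        // SimpleAuthenticationInfo implements SaltedAuthenticationInfo.
        return new SimpleAuthenticationInfo(username, row[0], salt, getName());
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        return new SimpleAuthorizationInfo(); // no roles or permissions in this sketch
    }
}
```

The matcher's algorithm, iteration count and encoding have to agree with what `register` wrote, otherwise every login fails even with the correct password.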