Posted to user@shiro.apache.org by Les Hazlewood <lh...@apache.org> on 2014/10/01 22:05:14 UTC

Re: Has anyone tried the Shiro 2.0 branch?

I think HMAC would be pretty easy - the constructor just needs to accept a
key.

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Sun, Sep 28, 2014 at 11:18 AM, Konrad Zuse <th...@hotmail.com>
wrote:

> From what I've been reading HMACs are preferred, so this does seem
> exciting.  It might take some issues finding the exact ways to do it, but
> there are definitely ways to do everything we need!
>
> I would love to help out if I can, but I'm not sure how much of a help I
> could be with this field of study.
>
> ------------------------------
> Date: Fri, 26 Sep 2014 10:44:54 -0700
>
> Subject: Re: Has anyone tried the Shiro 2.0 branch?
> From: lhazlewood@apache.org
> To: user@shiro.apache.org
>
> BCrypt is definitely going to be supported and maybe SCrypt if we can find
> a Java-based solution for it (however, I suspect it might need JNI or JNA
> to do it 'right').  That being said PBKDF2 is a good alternative and should
> absolutely be included in Shiro.  BCrypt and PBKDF2 are both easy enough to
> support such that I don't see why they shouldn't be included, as well as
> all HMAC algorithms.
>
> Cheers,
>
> --
> Les Hazlewood | @lhazlewood
> CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
>
> On Wed, Sep 17, 2014 at 11:08 PM, Dominic Farr <do...@gmail.com>
> wrote:
>
> sure....I wasn't being specific to you on paranoia, it was meant as a
> light hearted view on the world of hacking.
>
> Think of it this way. MD5 and SHA 1 are done for security, they still have
> uses, but not for password. SHA 2 is limited for password protection, but
> with a good long random salt, it's still pretty good. If you want to
> protect a new online cat database you could be happy with SHA 2 + salt.
> If you are protecting more sensitive or more prized data then move on to
> bcrypt.
>
> good luck
> -d
>
>
>
> On 18 September 2014 00:04, Konrad Zuse <th...@hotmail.com> wrote:
>
> It's not paranoia more so than what I have been reading, where people say
> that SHA should never be used for passwords.......  As I said I'm new to
> cryptography, so I'm just trying to get my facts straight is all.
>
> I will most likely go with the defaults for now, but a port for Shiro
> would be nice.
>
> ------------------------------
> Date: Wed, 17 Sep 2014 22:56:38 +0100
> Subject: RE: Has anyone tried the Shiro 2.0 branch?
> From: dominicfarr@gmail.com
> To: user@shiro.apache.org
>
>
> How good is sha 256? How paranoid are you? If not much, it is great, if a
> lot, move to bcrypt. But sha 256 is good enough for most. If financial data
> is involved, or other sensitive data, look to bcrypt
> As for using spring security bcrypt, it was meant as an example of simple
> abstraction. You could use bcrypt directly. Or port it to a Shiro
> abstraction.
> d
> On 17 Sep 2014 22:33, "Konrad Zuse" <th...@hotmail.com> wrote:
>
> I was curious if we will be getting better hashing algorithms?  I'm new to
> Cryptography and such, but I was reading something last night saying that
> SHA isn't really secure for passing and we should be using either bcrypt,
> scrypt, or PK2BK?
>
> Someone made a post about spring security and bcrypt, but I'd rather not mix
> it with Shiro if possible... Would be nice to have these features.  From
> the documentation it's shown to use SHA-256 for passwords and a password
> matcher, but how secure is it?
>
> I would love to help out with improving the library, but I don't know if I
> will be of any help as a semi-noobie :(.
>
> Thanks for everything Lez!
>
> > Date: Wed, 17 Sep 2014 13:14:11 -0700
> > Subject: Re: Has anyone tried the Shiro 2.0 branch?
> > From: lhazlewood@apache.org
> > To: user@shiro.apache.org
> >
> > Hi Paul,
> >
> > I'm not sure if they'll still work or not, as I haven't tested. I'd
> > *like* to ensure that they still work, or better yet, include the JEE
> > interceptor support directly in Shiro. If anyone would like to help
> > with this effort, I'm sure the dev team would appreciate it!
> >
> > Les
> >
> >
> > On Sun, Sep 14, 2014 at 2:42 AM, Paul Holding <pa...@pholding.co.uk> wrote:
> > > Hi Les
> > >
> > > Looking through the release notes I didn't see any mention of CDI, JSF, or
> > > Java EE Interceptors so I was wondering whether some of the existing
> > > enhancements that have been created by the community are likely to still
> > > work with Shiro 2.0.
> > >
> > > For CDI and JSF I'm using Pax Shiro (
> > > https://github.com/ops4j/org.ops4j.pax.shiro ).
> > >
> > > For Java EE Interceptors I'm using some code from BalusC's blog (
> > > http://balusc.blogspot.co.uk/2013/01/apache-shiro-is-it-ready-for-java-ee-6.html#DeclarativeRestrictionInBeanMethods
> > > )
> > >
> > > Do you think these are likely to still work in Shiro 2.0?
> > >
> > > Kind Regards
> > >
> > > Paul
> > >
> > >
> > >
>
>
>
>