Posted to user@shiro.apache.org by shoshobober <es...@msn.com> on 2012/06/20 01:22:35 UTC

Is password hashing enough?

I'm new to Shiro and have been working through the tutorials and
documentation but I'm left with a question.

I'd like to use ini configuration for my application and I see information
about configuring password hashing:

[main]
...
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
...
iniRealm.credentialsMatcher = $sha256Matcher
...

[users]
# user1 = sha256-hashed-hex-encoded password, role1, role2, ...
user1 = 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b, role1, role2, ...

I must be missing something: how can this be secure? Can't users simply edit
the ini file and add roles to their account, thus giving them unauthorized
access?

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Is-password-hashing-enough-tp7577522.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Is password hashing enough?

Posted by Jared Bunting <ja...@peachjean.com>.
drmike01 is correct: the passwordService should be favored over the 
hashedCredentialsMatcher as of Shiro 1.2.

However, you also allude to a more fundamental question: "Can't users 
simply edit the ini file and add roles to their account, thus giving 
them unauthorized access?"

The answer to this is, of course, "yes", if they have access to the ini 
file.  But to be honest, if your users have access to edit the security 
configuration, whether or not they can change their roles is the least 
of your concerns.  They can change the way that authentication is done, 
change passwords, etc.  In general, you have other protections that 
will protect your security configuration (no access to your server, 
filesystem permissions, etc).

Hope that helps,
Jared

On Tue 19 Jun 2012 07:29:08 PM CDT, drmike01 wrote:
> I think that section is a bit dated (for Shiro 1.1, I would guess).  Shiro
> 1.2 has a PasswordMatcher service that is much simpler to use.  The relevant
> bits from shiro.ini would look something like:
>
> passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
> # configure the passwordService to use the settings you desire
> passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
> passwordMatcher.passwordService = $passwordService
> # Finally, set the matcher on a realm that requires password matching for
> # account authentication:
> myRealm.credentialsMatcher = $passwordMatcher
>
> By default, this uses a random salt, multiple iterations, and SHA-256, so
> it's much more robust than what you found, and much simpler to use.
>
Re: Is password hashing enough?

Posted by drmike01 <ms...@gmail.com>.
I think that section is a bit dated (for Shiro 1.1, I would guess).  Shiro
1.2 has a PasswordMatcher service that is much simpler to use.  The relevant
bits from shiro.ini would look something like:

passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
# configure the passwordService to use the settings you desire
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
# Finally, set the matcher on a realm that requires password matching for
# account authentication:
myRealm.credentialsMatcher = $passwordMatcher

By default, this uses a random salt, multiple iterations, and SHA-256, so
it's much more robust than what you found, and much simpler to use.

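An added example (not code from the thread or from the Shiro project) showing what drmike01's PasswordMatcher setup does under the hood: the same DefaultPasswordService is built programmatically, the stored string format is shown, and verification is contrasted with the unsalted hex SHA-256 scheme from the original question. It assumes Shiro 1.2 on the classpath; the password value is constructed.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Sha256Hash;

public class PasswordServiceDemo {
    /** Explicitly configured service; these match the DefaultPasswordService defaults in Shiro 1.2. */
    static DefaultPasswordService service() {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setHashIterations(500000);        // slows brute force; tune to your hardware
        hashService.setGeneratePublicSalt(true);      // fresh random salt for every password
        DefaultPasswordService svc = new DefaultPasswordService();
        svc.setHashService(hashService);
        return svc;
    }

    public static void main(String[] args) {
        char[] password = "correct horse battery staple".toCharArray();   // constructed sample

        // The scheme from the question: one unsalted SHA-256, stored as hex. It is deterministic,
        // so two users with the same password get the same stored value and precomputed tables apply.
        String hex1 = new Sha256Hash(password).toHex();
        String hex2 = new Sha256Hash(password).toHex();
        System.out.println(hex1.equals(hex2));   // true

        // PasswordMatcher's service: the stored string carries algorithm, iterations and salt,
        // "$shiro1$SHA-256$500000$<base64 salt>$<base64 digest>", so nothing else needs storing.
        DefaultPasswordService svc = service();
        String stored1 = svc.encryptPassword(password);
        String stored2 = svc.encryptPassword(password);
        System.out.println(stored1);
        System.out.println(stored1.equals(stored2));   // false: different random salts

        // Verification parses the stored string, re-hashes the submitted password with the same
        // salt and iteration count, and compares the digests.
        System.out.println(svc.passwordsMatch(password, stored1));                        // true
        System.out.println(svc.passwordsMatch("wrong password".toCharArray(), stored1));  // false
    }
}
```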

Re: Is password hashing enough?

Posted by drmike01 <ms...@gmail.com>.
To do it that way, you'd need to store the user database in something other
than the .ini file (like LDAP or a database). In my .ini, I have
nothing in the users/roles section, and everything is managed in an attached
database. Doing that is admittedly a bit more work because then you're using
Realms, and Shiro doesn't come with an Identity and Access Mgmt system so
you'd have to build it yourself (or use something like Stormpath). Someone
could still probably put something in the .ini and have that work (not sure,
though), but like Lez said, that's bad for a lot of other reasons and you'd
have larger problems.


Re: Is password hashing enough?

Posted by shoshobober <es...@msn.com>.
Thanks for your helpful responses. I see how protecting the file is critical.
I'd like the program itself to have a user management feature where users
with the admin role could create other users and assign roles. From what
you're saying, it looks like I'm on my own to save the information in a
secure way.

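An added example (not code from the thread or from Shiro itself) that ties together drmike01's point about keeping users outside the .ini and shoshobober's admin-managed user feature: a custom AuthorizingRealm backed by a store, with PasswordMatcher verifying credentials and Shiro's own role check guarding user creation. The in-memory maps, user names and passwords are constructed stand-ins for a real database; Shiro 1.2 is assumed.

```java
import java.util.*;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.*;
import org.apache.shiro.authz.*;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

public class UserStoreRealm extends AuthorizingRealm {
    // Assumption: these maps stand in for the users and user_roles tables of a real database;
    // only the formatted hash ("$shiro1$SHA-256$...") is stored, never the plaintext.
    private final Map<String, String> passwords = new HashMap<>();
    private final Map<String, Set<String>> roles = new HashMap<>();
    private final DefaultPasswordService passwordService = new DefaultPasswordService();
    UserStoreRealm() {
        PasswordMatcher matcher = new PasswordMatcher();   // the Shiro 1.2 matcher recommended in the thread
        matcher.setPasswordService(passwordService);
        setCredentialsMatcher(matcher);
    }
    /** Admin-only "create user": enforced by Shiro's role check, not by who can edit a file. */
    void createUser(Subject actor, String username, char[] plaintext, String... userRoles) {
        actor.checkRole("admin");   // throws AuthorizationException for anyone else
        passwords.put(username, passwordService.encryptPassword(plaintext));
        roles.put(username, new HashSet<>(Arrays.asList(userRoles)));
    }
    @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
        String username = ((UsernamePasswordToken) token).getUsername();
        String stored = passwords.get(username);
        if (stored == null) throw new UnknownAccountException("no account: " + username);
        return new SimpleAuthenticationInfo(username, stored, getName());   // PasswordMatcher verifies this string
    }
    @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        Set<String> r = roles.get((String) principals.getPrimaryPrincipal());
        return new SimpleAuthorizationInfo(r == null ? new HashSet<String>() : r);
    }
    public static void main(String[] args) {
        UserStoreRealm realm = new UserStoreRealm();
        realm.passwords.put("root", realm.passwordService.encryptPassword("root-pw"));   // bootstrap admin
        realm.roles.put("root", Collections.singleton("admin"));
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(realm));
        Subject subject = SecurityUtils.getSubject();
        subject.login(new UsernamePasswordToken("root", "root-pw"));
        realm.createUser(subject, "alice", "alice-pw".toCharArray(), "user");
        subject.logout();
        subject.login(new UsernamePasswordToken("alice", "alice-pw"));
        System.out.println(subject.hasRole("user") + " " + subject.hasRole("admin"));   // true false
    }
}
```

Only the bootstrap admin is written to the store directly; every later account goes through createUser, so assigning roles requires an authenticated admin rather than write access to a configuration file.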