Posted to users@tapestry.apache.org by cablepuff <ca...@gmail.com> on 2010/11/13 17:05:35 UTC

tapestry security with 1.1.0 of shiro --> unable to get sha512 login working.

So this is in my pom.xml

I have version 0.2.0 of Tynamo security, excluding Apache Shiro
1.0.0.incubating and instead using Apache Shiro 1.1.0.

My save-user code looks like this:

// begin save user
RandomNumberGenerator rng = new SecureRandomNumberGenerator();
String byteSource = rng.nextBytes().toBase64();
String hashedPasswordBase64 = new Sha512Hash(password, byteSource.getBytes(), 1024).toBase64();
RegisterUser user = new RegisterUser(username, email, hashedPasswordBase64, byteSource);
return this.userDao.createUser(user);
// end save user.


Inside my JdbcSaltedRealm, which extends JdbcRealm, I have this code:
// begin code
protected static final String DEFAULT_AUTHENTICATION_QUERY =
        "select password, passwordSalt from users where username = ?";

@Override
protected SaltedAuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
        throws AuthenticationException {

    UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    String username = upToken.getUsername();

    // Null username is invalid
    if (username == null) {
        throw new AccountException("Null usernames are not allowed by this realm.");
    }

    Connection conn = null;
    SaltedAuthenticationInfo info = null;
    try {
        conn = dataSource.getConnection();

        PasswordWithSalt pws = getPasswordForUser(conn, username);

        if (pws == null) {
            throw new UnknownAccountException("No account found for user [" + username + "]");
        }

        info = buildAuthenticationInfo(username, pws.getPassword(), pws.getSalt());

    } catch (SQLException e) {
        final String message = "There was a SQL error while authenticating user [" + username + "]";
        if (log.isErrorEnabled()) {
            log.error(message, e);
        }

        // Rethrow any SQL errors as an authentication exception
        throw new AuthenticationException(message, e);
    } finally {
        JdbcUtils.closeConnection(conn);
    }

    return info;
}

protected SaltedAuthenticationInfo buildAuthenticationInfo(String username, String password,
                                                           ByteSource passwordSalt) {
    return new SimpleAuthenticationInfo(username, password, passwordSalt, getName());
}

private PasswordWithSalt getPasswordForUser(Connection conn, String username) throws SQLException {

    PreparedStatement ps = null;
    ResultSet rs = null;
    String password = null;
    ByteSource salt = null;
    try {
        ps = conn.prepareStatement(authenticationQuery);
        ps.setString(1, username);

        // Execute query
        rs = ps.executeQuery();

        // Loop over results - although we are only expecting one result, since usernames should be unique
        boolean foundResult = false;
        while (rs.next()) {

            // Check to ensure only one row is processed
            if (foundResult) {
                throw new AuthenticationException("More than one user row found for user [" + username
                        + "]. Usernames must be unique.");
            }

            password = rs.getString(1);
            String saltString = rs.getString(2);
            salt = new SimpleByteSource(Base64.decode(saltString));

            foundResult = true;
        }
    } finally {
        JdbcUtils.closeResultSet(rs);
        JdbcUtils.closeStatement(ps);
    }

    // No row means no account; return null so the caller's UnknownAccountException check can fire
    return password == null ? null : new PasswordWithSalt(password, salt);
}
// end code


// my appmodule is like this.
public void contributeWebSecurityManager(Configuration<Realm> configuration) {
    realm = new JdbcSaltedRealm();
    realm.setDataSource(dataSource);
    realm.setAuthenticationQuery(AUTHENTICATION_QUERY);
    realm.setUserRolesQuery(USER_ROLES_QUERY);
    realm.setPermissionsQuery(PERMISSION_QUERY);
    realm.setPermissionsLookupEnabled(true);
    configuration.add(realm);
}

public void contributeApplicationDefaults(MappedConfiguration<String, String> configuration) {
    configuration.add(SecuritySymbols.SHOULD_LOAD_INI_FROM_CONFIG_PATH, "true");
}


// now my shiro.ini is like this. 
[main]
credentialsMatcher=org.apache.shiro.authc.credential.Sha512CredentialsMatcher
# base64 encoding, not hex in this example:
credentialsMatcher.storedCredentialsHexEncoded=false
credentialsMatcher.hashIterations=1024


Now whenever I log on I keep getting "wrong username and password". Is there a
guide or sample on how to get hashing to work with Tapestry/Tynamo security?
I could get it working without hashing, but I would rather add hashing to
store salted passwords.


thanks. 
-- 
View this message in context: http://tapestry.1045711.n5.nabble.com/tapestry-security-with-1-1-0-of-shiro-unable-to-get-sha512-login-working-tp3263653p3263653.html
Sent from the Tapestry - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: tapestry security with 1.1.0 of shiro --> unable to get sha512 login working.

Posted by cablepuff <ca...@gmail.com>.
Thanks. How do I test that my configuration is working correctly?

final String username = "username";
final String password = "password";
String hashedPasswordBase64 = new Sha512Hash(password).toBase64();
// ini part.
Ini ini = new Ini();
Ini.Section main = ini.addSection("main");
main.put("credentialsMatcher", "org.apache.shiro.authc.credential.Sha512CredentialsMatcher");
main.put("iniRealm.credentialsMatcher", "$credentialsMatcher");
main.put("credentialsMatcher.storedCredentialsHexEncoded", "false");

Ini.Section testUsers = ini.addSection(IniRealm.USERS_SECTION_NAME);
testUsers.put(username, hashedPasswordBase64);

IniSecurityManagerFactory factory = new IniSecurityManagerFactory(ini);
SecurityManager sm = factory.createInstance();

// try to log in:
Subject subject = new Subject.Builder(sm).buildSubject();
// ensure thread clean-up after the login method returns. Test cases only:
subject.execute(new Runnable() {
    public void run() {
        SecurityUtils.getSubject().login(new UsernamePasswordToken(username, password));
    }
});
Assert.assertEquals(subject.getPrincipal(), username);

But I have no idea how to test the salt.
-- 
View this message in context: http://tapestry.1045711.n5.nabble.com/tapestry-security-with-1-1-0-of-shiro-unable-to-get-sha512-login-working-tp3263653p3264486.html
Sent from the Tapestry - User mailing list archive at Nabble.com.



Re: tapestry security with 1.1.0 of shiro --> unable to get sha512 login working.

Posted by Kalle Korhonen <ka...@gmail.com>.
Whoa, a plain JDBC connection, that's old school :) You are pretty
close. Just as a test, you could remove the salt and see if simply
comparing the hashes works; I believe it should. Now, a couple of
notes:

1) Are you sure you are storing the salt as base64 encoded? Your read
expects that to be so. You could easily compare the salt value only in
getPasswordForUser(...) to see if you are getting back what you
expected.

2) Sha512CredentialsMatcher is deprecated (though it might be the
simplest way of configuring it if you use an ini file). Read the whole
javadoc for HashedCredentialsMatcher; it has more than you need, but
see this excerpt:
 * @deprecated since 1.1 - use the HashedCredentialsMatcher directly and set its
 *             {@link HashedCredentialsMatcher#setHashAlgorithmName(String) hashAlgorithmName} property.
 */
public class Sha512CredentialsMatcher extends HashedCredentialsMatcher {

3) Are you using T5.1.0.5? If so, use the brand new, yet unannounced
tapestry-security 0.2.1 (that depends on Shiro 1.1.0).

Agree this is important enough to have a decent example for it. I'm
waiting to have T5.2.3 release available before making the
corresponding tapestry-security release and then working out some
examples with the latest Shiro.

Kalle



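A self-contained salt round-trip check, added here as an example (it is not code from this thread, from Shiro or from tapestry-security), that answers the "how do I test the salt" question without a database and uses the non-deprecated HashedCredentialsMatcher from Kalle's note 2. It stores the salt base64-encoded as the realm expects, decodes it back the way getPasswordForUser does, and verifies a hash computed as in the posted save-user code (salt = bytes of the base64 text) next to one computed from the raw salt bytes. Assumes Shiro 1.1.0 on the classpath; the class, user name and realm name are constructed for this example.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha512Hash;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.SimpleByteSource;

public class SaltRoundTripCheck {
    // Must equal credentialsMatcher.hashIterations in shiro.ini
    static final int ITERATIONS = 1024;

    // Mirrors the realm: decode the base64 column and hand the raw bytes to Shiro as the salt.
    static AuthenticationInfo infoAsRealmBuildsIt(String user, String storedHashB64, String storedSaltB64) {
        ByteSource salt = new SimpleByteSource(Base64.decode(storedSaltB64));
        return new SimpleAuthenticationInfo(user, storedHashB64, salt, "jdbcSaltedRealm"); // realm name constructed
    }

    // Same settings as the [main] section, on HashedCredentialsMatcher instead of the deprecated subclass.
    static boolean verifies(String user, String password, String storedHashB64, String storedSaltB64) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher();
        matcher.setHashAlgorithmName(Sha512Hash.ALGORITHM_NAME); // "SHA-512"
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(false);           // column holds base64, not hex
        return matcher.doCredentialsMatch(new UsernamePasswordToken(user, password),
                infoAsRealmBuildsIt(user, storedHashB64, storedSaltB64));
    }

    public static void main(String[] args) {
        String user = "alice";                 // constructed sample account
        String password = "correct horse";     // constructed sample password
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
        String saltB64 = salt.toBase64();      // what goes into the passwordSalt column

        // As in the posted save-user code: the salt fed to the hash is the UTF-8 text of the base64 string.
        String hashAsPosted = new Sha512Hash(password, saltB64.getBytes(), ITERATIONS).toBase64();
        // Salted with the raw bytes, which is what the realm gets back from Base64.decode(saltString).
        String hashFromRawSalt = new Sha512Hash(password, salt.getBytes(), ITERATIONS).toBase64();

        System.out.println("salt = bytes of base64 text : " + verifies(user, password, hashAsPosted, saltB64));
        System.out.println("salt = raw random bytes     : " + verifies(user, password, hashFromRawSalt, saltB64));
    }
}
```

Only the second hash verifies: the realm decodes the column back to the raw bytes, while the posted save-user code salted the hash with the bytes of the base64 string itself, so the two sides never hash with the same salt. Whichever representation you pick, hash and verify must use the same bytes.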