Posted to dev@shiro.apache.org by "martin.pring" <ma...@martinpring.com> on 2015/09/20 21:49:30 UTC

Password doesn't match hashed and encrypted password

Hi!

I'm trying to write a simple yet secure login for a web portal, but I'm stuck
because I can't get Shiro to match a password stored in the database with the
password posted in the login form.

I store the user with the following code:

private void saveUser(final User user, final String password) {

    final DefaultHashService hashService = new DefaultHashService();
    hashService.setHashIterations(500000);
    hashService.setHashAlgorithmName("SHA-256");
    hashService.setGeneratePublicSalt(true);
    hashService.setPrivateSalt(new SimpleByteSource("base64EncodedString"));

    final DefaultPasswordService passwordService = new DefaultPasswordService();
    passwordService.setHashService(hashService);

    final String encryptedPassword = passwordService.encryptPassword(password);

    // Save password to user and store user in the database
}

Then, when I try to log in, this is my custom jdbcRealm:

@Override
protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken token)
        throws AuthenticationException {

    final UsernamePasswordToken upToken = (UsernamePasswordToken) token;
    final String username = upToken.getUsername();

    Connection conn = null;
    PreparedStatement statement = null;
    ResultSet resultSet = null;
    try {
        conn = dataSource.getConnection();
        statement = conn.prepareStatement(authenticationQuery);
        statement.setString(1, username);
        resultSet = statement.executeQuery();

        final String encryptedPassword = resultSet.getString(1);

        final SimpleAuthenticationInfo info =
                new SimpleAuthenticationInfo(username, encryptedPassword, getName());

        return info;
    } catch (final SQLException e) {
        throw new AuthenticationException("SQL error! : ", e);
    } finally {
        // Close Connection, PreparedStatement and ResultSet
    }
}

This is the part of shiro.ini that has to do with the passwordMatcher, hashService
and passwordService:

hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 500000
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
# privateSalt needs to be base64-encoded in shiro.ini but not in the Java code
# (the same string as in the code above)
hashService.privateSalt = base64EncodedSalt

passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService = $hashService
passwordMatcher.passwordService = $passwordService

jdbcRealm = se.motoronline.login.server.realm.LoginJdbcRealm
jdbcRealm.authenticationQuery = SELECT password FROM Users WHERE username = ?
jdbcRealm.credentialsMatcher = $passwordMatcher

What am I doing wrong? The thing is, if I comment out
hashService.generatePublicSalt and hashService.privateSalt in shiro.ini,
everything works as it should and login succeeds, so it has to be something
with the salts? Please explain what I'm doing wrong.



--
View this message in context: http://shiro-developer.582600.n2.nabble.com/Password-doesn-t-match-hashed-and-encrypted-password-tp7578768.html
Sent from the Shiro Developer mailing list archive at Nabble.com.
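The post's ini comment says the privateSalt is Base64-encoded in shiro.ini but not in the Java code; the Java side, however, hands the literal to `new SimpleByteSource(String)`, which uses the string's UTF-8 bytes as the salt. The following is an added example (not from the thread or the Shiro project; it assumes Shiro 1.x imports as in the post's code, and the salt string and password are constructed sample values) that hashes with one private-salt derivation and verifies with the other, showing why both sides must build byte-identical private salts: the saved Shiro1 hash string carries the public salt, never the private one.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.SimpleByteSource;

public class PrivateSaltCheck {
    // Constructed sample value standing in for the Base64 salt string in the post.
    static final String SALT_B64 = "c29tZS1wcml2YXRlLXNhbHQtYnl0ZXM=";

    // Same wiring as the post's saveUser(), parameterised on the private salt bytes.
    static DefaultPasswordService service(ByteSource privateSalt) {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-256");
        hashService.setHashIterations(500000);
        hashService.setGeneratePublicSalt(true);
        hashService.setPrivateSalt(privateSalt);
        DefaultPasswordService passwordService = new DefaultPasswordService();
        passwordService.setHashService(hashService);
        return passwordService;
    }

    // What the post's Java code does: the UTF-8 bytes of the literal itself.
    static ByteSource literalBytes() {
        return new SimpleByteSource(SALT_B64);
    }

    // What a Base64-decoding configuration layer produces from the same string.
    static ByteSource decodedBytes() {
        return ByteSource.Util.bytes(Base64.decode(SALT_B64));
    }

    // Hash with the "store" service, verify with the "login" service. The saved
    // string has the form $shiro1$SHA-256$500000$<publicSalt>$<hash>: the public
    // salt travels with the hash, the private salt does not.
    static boolean roundTrip(DefaultPasswordService store,
                             DefaultPasswordService login, String password) {
        String saved = store.encryptPassword(password);
        return login.passwordsMatch(password, saved);
    }

    public static void main(String[] args) {
        String password = "constructed-sample-password";
        System.out.println("decoded on both sides: "
                + roundTrip(service(decodedBytes()), service(decodedBytes()), password));
        System.out.println("literal bytes vs decoded bytes: "
                + roundTrip(service(literalBytes()), service(decodedBytes()), password));
    }
}
```

The first check succeeds and the second fails even though every other setting is identical, which is the symptom described in the post: only the private salt differs between the two sides.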

Re: Password doesn't match hashed and encrypted password

Posted by Jim Manico <ji...@owasp.org>.
Using anything other than bcrypt, scrypt or PBKDF2 for password storage is usually a poor choice. This advice from cryptographers is years old as well; this is not new advice.

New password advice says to avoid common password topologies... 

So Shiro's current password system hangs on advice that was bad even 5 years ago or so.

--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!
