You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shiro.apache.org by Brian Demers <br...@gmail.com> on 2016/03/25 22:00:06 UTC

Re: Implementation of SaltStyle.CRYPT

Thanks!

Can you put this in a github pull request and add test ?
(using github isn't required, but it makes chatting about the patch easier)

On Thu, Mar 24, 2016 at 11:52 PM, Andreas Reichel <
andreas@manticore-projects.com> wrote:

> Dear All,
>
> we would like to adopt Shiro and to use the JDBC Realm.
> Our database schema however uses the CRYPT like password hash with no
> separate SALT column. We found SaltStyle.CRYPT unimplemented, so please
> find a small patch attached.
>
>
> Any issues, please let us know.
> Cheers
> Andreas
>
> From 3cbc5b40c095872b80f52323c2585ea46e58067e Mon Sep 17 00:00:00 2001
> From: Andreas Reichel <an...@manticore-projects.com>
> Date: Mar 25, 2016 10:48:43 AM
>
> Implement SaltStyle.CRYPT
>
> diff --git
> a/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java
> b/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java
> index 646875c..c34a5fe 100644
> --- a/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java
> +++ b/core/src/main/java/org/apache/shiro/realm/jdbc/JdbcRealm.java
> @@ -38,6 +38,11 @@
>  import java.util.Collection;
>  import java.util.LinkedHashSet;
>  import java.util.Set;
> +import org.apache.shiro.authc.credential.CredentialsMatcher;
> +import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
> +import org.apache.shiro.crypto.hash.Md5Hash;
> +import org.apache.shiro.crypto.hash.Sha256Hash;
> +import org.apache.shiro.crypto.hash.Sha512Hash;
>
>
>  /**
> @@ -221,9 +226,50 @@
>                  password = getPasswordForUser(conn, username)[0];
>                  break;
>              case CRYPT:
> -                // TODO: separate password and hash from
> getPasswordForUser[0]
> -                throw new ConfigurationException("Not implemented
> yet");
> -                //break;
> +                /*
> +                http://www.slashroot.in/how-are-passwords-stored-linux
> -understanding-hashing-shadow-utils
> +
> +                Example: $1$Etg2ExUZ$F9NTP7omafhKIlqaBMqng1
> +
> +                The above shown encoded hash value can be further
> classified into three different fields as below.
> +                1. The first field is a numerical number that tell's
> you the hashing algorithm that's being used.
> +
> +                $1 = MD5 hashing algorithm.
> +                $2 =Blowfish Algorithm is in use.
> +                $2a=eksblowfish Algorithm
> +                $5 =SHA-256 Algorithm
> +                $6 =SHA-512 Algorithm
> +
> +                2. The second field is the salt value
> +                Salt value is nothing but a random data that's
> generated to combine with the original password, inorder to increase
> the strength of the hash..
> +
> +                3.The last field is the hash value of salt+user
> password (we will be discussing this shortly).
> +
> +                */
> +
> +                String[] crypt=getPasswordForUser(conn,
> username)[0].split("\\$");
> +                String hashAlgorithm=crypt[0];
> +
> +                //@todo: set the credential matcher hash algorithm?!
> +                CredentialsMatcher credentialsMatcher =
> getCredentialsMatcher();
> +                if (credentialsMatcher instanceof
> HashedCredentialsMatcher) {
> +                    HashedCredentialsMatcher
> hashedCredentialsMatcher=(HashedCredentialsMatcher) credentialsMatcher;
> +                    if (hashAlgorithm.equals("$6"))
> +                        hashedCredentialsMatcher.setHashAlgorithmName(
> Sha512Hash.ALGORITHM_NAME);
> +                    else if (hashAlgorithm.equals("$5"))
> +                        hashedCredentialsMatcher.setHashAlgorithmName(
> Sha256Hash.ALGORITHM_NAME);
> +                    else if (hashAlgorithm.equals("$1"))
> +                        hashedCredentialsMatcher.setHashAlgorithmName(
> Md5Hash.ALGORITHM_NAME);
> +                    else if (hashAlgorithm.equals("$2"))
> +                        throw new AuthenticationException("Requested
> 'Blowfish' algorithm is not supported. Can not validate the token.");
> +                    else if (hashAlgorithm.equals("$2a"))
> +                        throw new AuthenticationException("Requested
> 'eksblowfish' algorithm is not supported. Can not validate the
> token.");
> +                }
> +
> +                salt=crypt[1];
> +                password=crypt[2];
> +
> +                break;
>              case COLUMN:
>                  String[] queryResults = getPasswordForUser(conn,
> username);
>                  password = queryResults[0];
> @@ -265,7 +311,6 @@
>          boolean returningSeparatedSalt = false;
>          switch (saltStyle) {
>          case NO_SALT:
> -        case CRYPT:
>          case EXTERNAL:
>              result = new String[1];
>              break;