Posted to user@shiro.apache.org by Bauke <ba...@gmail.com> on 2013/01/09 19:50:12 UTC

How to configure SHA256 password salting in shiro.ini?

I've successfully setup Shiro in a JSF2 web application with the following
INI file:

# ==========================================

[main]
# Setup form based login URL.
authc.loginUrl = /index.xhtml

# Setup JDBC realm.
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm

# Configure JDBC realm datasource.
dataSource = org.h2.jdbcx.JdbcDataSource
dataSource.URL = jdbc:h2:~/********
dataSource.user = ********
dataSource.password = ********
jdbcRealm.dataSource = $dataSource

# Configure JDBC realm SQL queries (role is TBD).
jdbcRealm.authenticationQuery = SELECT password FROM User WHERE email = ?

[urls]
/index.xhtml = authc
/app/** = authc

# ==========================================

Now, I'd like to add SHA256 password salting (with hex encoding). For the
user registration part, this is easily done using the Sha256Hash class.
However, I can't for the life of me figure out how to configure the INI file
accordingly to make use of that. I understand that I somehow have to use
SaltedAuthenticationInfo instead of AuthenticationInfo, but it isn't clear
how to change the "authc" reference in the INI file accordingly to be a
SaltedAuthenticationInfo.

The following is as far as I could get (I added the sha256Matcher block and
I edited the SQL query to select salt as well):

# ==========================================

[main]
# Setup form based login URL.
authc.loginUrl = /index.xhtml

# Setup JDBC realm.
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm

# Configure JDBC realm datasource.
dataSource = org.h2.jdbcx.JdbcDataSource
dataSource.URL = jdbc:h2:~/********
dataSource.user = ********
dataSource.password = ********
jdbcRealm.dataSource = $dataSource

# Configure JDBC realm password hashing.
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
sha256Matcher.hashIterations = 1024
jdbcRealm.credentialsMatcher = $sha256Matcher

# Configure JDBC realm SQL queries (role is TBD).
jdbcRealm.authenticationQuery = SELECT password, salt FROM User WHERE email = ?

[urls]
/index.xhtml = authc
/app/** = authc

# ==========================================

It keeps failing with IncorrectCredentialsException on programmatic login by
Subject#login(). The documentation doesn't give any clues on that. 

--
View this message in context: http://shiro-user.582556.n2.nabble.com/How-to-configure-SHA256-password-salting-in-shiro-ini-tp7578145.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: How to configure SHA256 password salting in shiro.ini?

Posted by Les Hazlewood <lh...@apache.org>.
Hi Bauke,

You'll want to use the new PasswordMatcher and PasswordService
introduced in Shiro 1.2 - this has two benefits:

1.  It is easier to use than worrying about Hash implementations yourself.
2.  Configuration changes are backwards compatible for logins.  For example:

- configure the PasswordService to use SHA-256
- use the PasswordService to hash a password for Account A and save it
in the DB.
- change the PasswordService config to now use SHA-512

A login attempt will still be possible for Account A even though new
passwords are hashed with SHA-512.  The PasswordService knows how to
perform password comparisons for older hashes that may not reflect the
current configuration.  This is important for most applications so you
don't have to force all users to upgrade their passwords in case you
wanted to configure a stronger password policy.

Usage for your app and a shiro.ini realm config example is documented
in the PasswordService JavaDoc:

http://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/authc/credential/PasswordService.html

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk
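An added example (not code from the thread or from the Shiro project) of the backwards-compatible behaviour described in the reply: a DefaultPasswordService configured for SHA-256 hashes a password at registration, the configuration is then switched to SHA-512, and the old hash still verifies because the stored string carries its own algorithm, iteration count and salt. The class name, plaintext values and iteration counts are constructed for the demo; the Shiro classes and methods are those of Shiro 1.2.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;

public class PasswordServiceDemo {

    // Build a DefaultPasswordService whose HashService uses the given
    // algorithm and iteration count. generatePublicSalt=true makes the
    // service create a random per-password salt that is stored alongside
    // the digest, so no separate "salt" column is needed in the User table.
    static DefaultPasswordService newService(String algorithm, int iterations) {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName(algorithm);
        hashService.setHashIterations(iterations);
        hashService.setGeneratePublicSalt(true);

        DefaultPasswordService service = new DefaultPasswordService();
        service.setHashService(hashService);
        return service;
    }

    public static void main(String[] args) {
        String plaintext = "correct horse battery staple"; // constructed sample

        // Registration of Account A under the SHA-256 configuration.
        DefaultPasswordService sha256 = newService("SHA-256", 1024);
        String stored = sha256.encryptPassword(plaintext);
        // The default Shiro1CryptFormat output is self-describing:
        //   $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
        // This whole string is what goes into the password column.
        System.out.println("stored credential: " + stored);

        // Later the deployment is reconfigured to SHA-512 with more iterations.
        DefaultPasswordService sha512 = newService("SHA-512", 2048);

        // passwordsMatch() parses the algorithm, iterations and salt out of the
        // stored string and recomputes with those, so Account A can still log
        // in without being forced to reset its password.
        System.out.println("old hash verifies under new config: "
                + sha512.passwordsMatch(plaintext, stored));
        System.out.println("wrong password rejected: "
                + !sha512.passwordsMatch("not the password", stored));

        // New registrations are hashed with the current (SHA-512) settings.
        String fresh = sha512.encryptPassword("another user's password");
        System.out.println("new hash uses SHA-512: "
                + fresh.startsWith("$shiro1$SHA-512$"));
    }
}
```

To wire this into the realm from the question, define `passwordService = org.apache.shiro.authc.credential.DefaultPasswordService`, `passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher`, `passwordMatcher.passwordService = $passwordService` and `jdbcRealm.credentialsMatcher = $passwordMatcher` in `[main]`, as the linked PasswordService JavaDoc shows. Since the salt is embedded in the stored string, the authentication query then selects only the password column.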