Posted to user@shiro.apache.org by set321go <sw...@hotmail.com> on 2011/06/02 09:23:13 UTC

Default Salt Database structure?

Hello,

I have read the documentation but it's lacking a bit when it comes to how to
set up salting. I am just trying to get a basic web app working on glassfish
using shiro. I have done some of the examples in the links that are on the
website but I am still unclear on a few things.

By default I need a users table with username and password if I am not using
salting, is there a default pattern for a database when using salting? 

If I am not using the default tables how do I tell shiro what the table and
structure is? 

thanks



Re: Default Salt Database structure?

Posted by Kalle Korhonen <ka...@gmail.com>.
Salting can have an impact on the database structure. It's up to you
whether you want to keep salt in a separate field or prepend it to the
password hash (Xnix style).

This is a Tynamo example really (using Shiro), but same difference.
For an example of Hibernate/JPA EntityRealm with per-user-salt, take a
look at:
http://svn.codehaus.org/tynamo/trunk/tynamo-federatedaccounts/src/test/java/org/tynamo/security/federatedaccounts/testapp/entities/User.java
http://svn.codehaus.org/tynamo/trunk/tynamo-federatedaccounts/src/test/java/org/tynamo/security/federatedaccounts/testapp/services/UserRealm.java
(if interested in background info on the module, see
http://tynamo.org/tynamo-federatedaccounts+guide)

Kalle


On Thu, Jun 2, 2011 at 8:25 AM, Phil Steitz <ph...@gmail.com> wrote:
> I am just getting started myself with Shiro, so please take below
> with a grain of salt (pun intended ;)
>
> On 6/2/11 12:23 AM, set321go wrote:
>> Hello,
>>
>> I have read the documentation but it's lacking a bit when it comes to how to
>> set up salting. I am just trying to get a basic web app working on glassfish
>> using shiro. I have done some of the examples in the links that are on the
>> website but I am still unclear on a few things.
>
> See Eduard's response as well as the SaltAwareJdbcRealm example in
> /samples/spring in svn.  Maybe someone can chime in with some
> guidance on a better way to generate and persist the salt than to
> use the username.
>
>> By default I need a users table with username and password if I am not using
>> salting, is there a default pattern for a database when using salting?
>
> Salting should have no impact on the database structure, just what
> is stored in the database.
>
>> If I am not using the default tables how do I tell shiro what the table and
>> structure is?
>
> Looks to me like the way to do this is to override the default
> queries used by the JdbcRealm via its query setters:
> setAuthenticationQuery, setUserRolesQuery, setPermissionsQuery.  See
> the javadoc for JdbcRealm.
>
>
> Phil
>> thanks

Re: Default Salt Database structure?

Posted by Phil Steitz <ph...@gmail.com>.
I am just getting started myself with Shiro, so please take below
with a grain of salt (pun intended ;)

On 6/2/11 12:23 AM, set321go wrote:
> Hello,
>
> I have read the documentation but it's lacking a bit when it comes to how to
> set up salting. I am just trying to get a basic web app working on glassfish
> using shiro. I have done some of the examples in the links that are on the
> website but I am still unclear on a few things.

See Eduard's response as well as the SaltAwareJdbcRealm example in
/samples/spring in svn.  Maybe someone can chime in with some
guidance on a better way to generate and persist the salt than to
use the username.

> By default I need a users table with username and password if I am not using
> salting, is there a default pattern for a database when using salting? 

Salting should have no impact on the database structure, just what
is stored in the database.

> If I am not using the default tables how do I tell shiro what the table and
> structure is? 

Looks to me like the way to do this is to override the default
queries used by the JdbcRealm via its query setters:
setAuthenticationQuery, setUserRolesQuery, setPermissionsQuery.  See
the javadoc for JdbcRealm.


Phil
> thanks


Re: Default Salt Database structure?

Posted by Les Hazlewood <lh...@apache.org>.
Hello,

I recently posted a reply to a comment on one of my blog articles that
hopefully will help:

http://www.katasoft.com/blog/2011/04/04/strong-password-hashing-apache-shiro#comment-19

The summary is that it is up to you how you store it - either as a
separate column, prepended to the digest value (ala *nix's crypt
output, as mentioned also by Kalle), or in a separate location
entirely.  It is up to you based on how secure you wish this to be
based on your chosen data storage mechanism.  The
SaltedAuthenticationInfo return value from your Realm abstracts away
the storage details.

HTH,

-- 
Les Hazlewood
Founder, Katasoft, Inc.
Application Security Products & Professional Apache Shiro Support and Training:
http://www.katasoft.com
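
The two points made in the replies above (non-default tables are declared through the JdbcRealm query setters, and the salt's storage location is hidden behind the SaltedAuthenticationInfo the realm returns), as an added example that is not code from this thread or from the SaltAwareJdbcRealm sample. It uses Shiro 1.x package names; the class name, the table and column names, SHA-256 and the iteration count are assumptions chosen for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.util.ByteSource;

// Hypothetical realm. Assumed schema: app_account(login, pw_hash, pw_salt) and
// app_account_role(login, role_name); hash and salt are NOT NULL and Base64-encoded.
public class SaltColumnJdbcRealm extends JdbcRealm {

    public SaltColumnJdbcRealm() {
        // Non-default tables are declared through the JdbcRealm query setters.
        setAuthenticationQuery("select pw_hash, pw_salt from app_account where login = ?");
        setUserRolesQuery("select role_name from app_account_role where login = ?");
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher("SHA-256");
        matcher.setHashIterations(1024);               // must equal the count used when the hash was created
        matcher.setStoredCredentialsHexEncoded(false); // pw_hash is Base64, not hex
        setCredentialsMatcher(matcher);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String login = ((UsernamePasswordToken) token).getUsername();
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(authenticationQuery)) {
            ps.setString(1, login); // bound parameter, no string concatenation
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    throw new UnknownAccountException("No account for the supplied login");
                }
                String hash = rs.getString("pw_hash");
                // Salt lives in its own column here; a prepended or external salt
                // would change only this lookup, not the matcher or the callers.
                ByteSource salt = ByteSource.Util.bytes(Base64.decode(rs.getString("pw_salt")));
                return new SimpleAuthenticationInfo(login, hash, salt, getName());
            }
        } catch (SQLException e) {
            throw new AuthenticationException("Account lookup failed", e);
        }
    }
}
```

The code that creates an account has to produce `pw_hash` with the same algorithm, salt bytes and iteration count, and should draw each user's salt from a secure random generator.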


Re: Default Salt Database structure?

Posted by Eduard Neuwirt <ed...@googlemail.com>.
Hi,

perhaps the following description will help you: 
http://eneuwirt.de/2011/05/01/saltawarejdbcrealm/

Regards
Eduard
