Posted to user@shiro.apache.org by benjamin0258 <de...@gmail.com> on 2013/02/10 04:20:32 UTC

Shiro Spring integration PasswordService

Hi Shiro team and User,

It has been a month since we decided to change our security framework to Apache
Shiro.
I am the integrator of the new framework and am facing a problem configuring the
Shiro Spring Integration Module. Everything is working perfectly except
when I try to change the encryption level by implementing DefaultPasswordService
in the applicationContext.xml. Did I miss something? I have searched everywhere
on Google and every kind of forum, but I can't find anything similar to my
problem.
Here is my configuration:

applicationContext.xml

<code>
    <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
        <property name="sessionMode" value="native" />
        <property name="realm" ref="jdbcRealm" />
        <property name="cacheManager" ref="cacheManager" />
    </bean>

    <bean id="passwordService" class="org.apache.shiro.authc.credential.DefaultPasswordService">
    </bean>

    <bean id="cacheManager" class="org.apache.shiro.cache.ehcache.EhCacheManager">
        <property name="cacheManager" ref="ehCacheManager" />
    </bean>

    <bean id="ehCacheManager"
          class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />

    <bean id="sessionDAO"
          class="org.apache.shiro.session.mgt.eis.EnterpriseCacheSessionDAO" />

    <bean id="sessionManager"
          class="org.apache.shiro.web.session.mgt.DefaultWebSessionManager">
        <property name="sessionDAO" ref="sessionDAO" />
    </bean>

    <bean id="jdbcRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm">
        <property name="credentialsMatcher">
            <bean class="org.apache.shiro.authc.credential.PasswordMatcher">
                <property name="passwordService" ref="passwordService" />
            </bean>
        </property>
        <property name="name" value="jdbcRealm" />
        <property name="dataSource" ref="dataSource" />
        <property name="authenticationQuery"
                  value="SELECT password FROM Credentials WHERE username=?" />
    </bean>

    <bean id="lifecycleBeanPostProcessor"
          class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />

    <bean id="annotationProxy"
          class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
          depends-on="lifecycleBeanPostProcessor" />

    <bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
        <property name="securityManager" ref="securityManager" />
    </bean>

    <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
        <property name="securityManager" ref="securityManager" />
    </bean>
</code>

<code>
	private String encrypt(String password)
	{
		return new Sha256Hash(password).toString();
	}

	private void login()
	{
		String username = "benji";
		String password = "benji";
		DefaultPasswordService passwordService = new DefaultPasswordService();
		UsernamePasswordToken token = new UsernamePasswordToken( username,
				passwordService.encryptPassword(password) );

		System.out.println("encrypt: "+encrypt(password));
		token.setRememberMe(true);
		System.out.println("token username: "+token.getUsername());
		System.out.println("token password:"+token.getPassword());
		// With most of Shiro, you'll always want to make sure you're working with
		// the currently executing user, referred to as the subject
		Subject currentUser = SecurityUtils.getSubject();
		System.out.println("login");
		// Authenticate the subject by passing the user name and password token
		// into the login method
		currentUser.login(token);

		try {
			currentUser.login(token);
		} catch ( UnknownAccountException uae ) {
			System.out.println(uae);
		} catch ( IncorrectCredentialsException ice ) {
			System.out.println(ice);
		} catch ( LockedAccountException lae ) {
			System.out.println(lae);
		} catch ( ExcessiveAttemptsException eae ) {
			System.out.println(eae);
		} catch ( AuthenticationException ae ) {
			System.out.println(ae);
		}
		System.out.println("finish");
	}
</code>

Every time I try to log in, I get this error:

" Caused by: org.apache.shiro.authc.IncorrectCredentialsException: Submitted
credentials for token [org.apache.shiro.authc.UsernamePasswordToken - burak,
rememberMe=true] did not match the expected credentials. "

My password column type is varchar, but I tried with binary and char array and
none of them work. Did I miss something?

Thank You very much 

Ben



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Shiro-Spring-integration-PasswordService-tp7578244.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Shiro Spring integration PasswordService

Posted by Les Hazlewood <lh...@apache.org>.
PasswordService usage is documented in the JavaDoc:

http://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/authc/credential/PasswordService.html

You _should_ use Shiro's PasswordService when creating user accounts
or setting their passwords initially.  This is covered in the above
JavaDoc in the "Account Creation or Password Reset" section.

Shiro will use the same PasswordService instance during a login
attempt for password comparison (covered in the "Login Password
Comparison" section).

In other words, the PasswordService is used twice: once by you when
you set your user's password, e.g. to store in a database column, and
once (later) by Shiro during a login attempt.

If these concepts were unclear in the PasswordService JavaDoc, please
let me know and I'll be happy to update it to clear any confusion
others might have (seriously, if it was confusing to you, it might be
others as well).

Thanks,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Thu, Feb 14, 2013 at 3:39 PM, benjamin0258 <de...@gmail.com> wrote:
>
> Hi,
>
> I manually insert some usernames and passwords to test. I am using online tools
> to encrypt the password before inserting it. The password column type is varchar.
>
> Thanks
>
> Ben
>
>
>
> -----
> Benji

Re: Shiro Spring integration PasswordService

Posted by benjamin0258 <de...@gmail.com>.
Hi,

I manually insert some usernames and passwords to test. I am using online tools
to encrypt the password before inserting it. The password column type is varchar.

Thanks

Ben



-----
Benji

Re: Shiro Spring integration PasswordService

Posted by Jared Bunting <ja...@peachjean.com>.
How are you putting the password into the db initially?
On Feb 12, 2013 6:09 PM, "benjamin0258" <de...@gmail.com> wrote:

> Hi Harald,
>
> Thank you for answering my question. Actually, it's a new project and
> everything is new; we are not using Spring Security. In the JavaDoc, the
> DefaultPasswordService default encryption is SHA-256. Even when I try
> UsernamePasswordToken token = new UsernamePasswordToken( "benji", "benji" )
> it is still not working.
> My password column is varchar type and I am using the latest version of MySQL.
> I believe something is missing in my configuration. I am reading the doc again
> but still find nothing about this problem. Can someone share a working
> configuration XML file with me so I can compare it with mine?
>
> Any Help ?
>
> Thank You everybody
>
> Ben
>
>
>
> -----
> Benji

Re: Shiro Spring integration PasswordService

Posted by benjamin0258 <de...@gmail.com>.
Hi Harald,

Thank you for answering my question. Actually, it's a new project and
everything is new; we are not using Spring Security. In the JavaDoc, the
DefaultPasswordService default encryption is SHA-256. Even when I try
UsernamePasswordToken token = new UsernamePasswordToken( "benji", "benji" )
it is still not working.
My password column is varchar type and I am using the latest version of MySQL.
I believe something is missing in my configuration. I am reading the doc again
but still find nothing about this problem. Can someone share a working
configuration XML file with me so I can compare it with mine?

Any Help ?

Thank You everybody

Ben



-----
Benji

Re: Shiro Spring integration PasswordService

Posted by Harald Wellmann <hw...@gmail.com>.
I believe you shouldn't call

  passwordService.encryptPassword(password)

in your application code. This is done internally in the login() method 
AFAIK.

Also, assuming that your Credentials table was filled with hashed 
passwords by Spring Security, you will have to make sure that Shiro uses 
exactly the same hash algorithm as Spring Security, which will require a 
custom CredentialsMatcher.

Best regards,
Harald
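
The two uses of PasswordService that Les describes, and the mismatch Harald points at, as an added example that is not part of the original thread. It assumes shiro-core 1.2.x (the version of the linked JavaDoc) on the classpath; the class name PasswordServiceRoundTrip and the sample password are constructed for illustration.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.crypto.hash.Sha256Hash;

public class PasswordServiceRoundTrip {

    public static void main(String[] args) {
        // Same defaults as the <bean id="passwordService"> in the thread's XML.
        PasswordService passwordService = new DefaultPasswordService();
        String plaintext = "benji"; // constructed sample password

        // Use 1, account creation or password reset: the returned string is
        // what gets written to the password column. It carries the algorithm,
        // iteration count and a random salt alongside the digest.
        String stored = passwordService.encryptPassword(plaintext);
        System.out.println("stored value          : " + stored);

        // Each call draws a fresh salt, so encrypting the same password twice
        // gives two different strings. Equality on encrypted values is useless.
        String again = passwordService.encryptPassword(plaintext);
        System.out.println("two encryptions differ: " + !stored.equals(again));

        // Use 2, login: PasswordMatcher passes the token's plaintext credentials
        // to passwordsMatch(), which re-hashes them with the salt and iteration
        // count read back from the stored value.
        System.out.println("plaintext token       : "
                + passwordService.passwordsMatch(plaintext, stored));

        // The login() in the first post puts encryptPassword(password) into the
        // token. Shiro then treats that encrypted string as the plaintext and
        // hashes it again, so it cannot equal the stored hash of "benji".
        System.out.println("pre-encrypted token   : "
                + passwordService.passwordsMatch(again, stored));

        // A bare, unsalted hex SHA-256 (encrypt() in the first post, or an
        // online hashing tool) is not in the format DefaultPasswordService
        // writes, so the comparison against it fails as well.
        String bareHex = new Sha256Hash(plaintext).toHex();
        System.out.println("bare SHA-256 in column: "
                + passwordService.passwordsMatch(plaintext, bareHex));
    }
}
```

The string printed as the stored value is what belongs in the `password` column of the `Credentials` table, and the login code passes the unmodified plaintext in `UsernamePasswordToken`.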