Posted to user@shiro.apache.org by Jakub Herkel <jh...@gmail.com> on 2023/10/11 09:48:13 UTC

Access to BCryptHash from BCryptProvider (shiro 2 alpha)

Hello,

I would like to ask if there is a way to decode hash parameters
from a hash string, for example for bcrypt. I know that I can use
BCryptProvider and there is a method fromString that returns a
BCryptHash class. But BCryptHash isn't a public class. Also,
BCryptProvider changes the signature of the method
Hash fromString(String string);
to
 public BCryptHash generate(HashRequest hashRequest)

So it exports a non-accessible class via a public method, and for example
this code cannot be compiled:
        BCryptProvider fff = new BCryptProvider();
        var hash2 = fff.fromString("aaa");
        System.out.println(hash2.toString());

Is there any technical reason why the BCryptHash class isn't
accessible from anywhere?

best regards

Jakub Herkel

Re: Access to BCryptHash from BCryptProvider (shiro 2 alpha)

Posted by Jakub Herkel <jh...@gmail.com>.
Hi,

Thanks for the response, I understand now. I'll try to describe what I
want to do:
I'm trying to use the new Shiro 2.0, but we want to make it possible
for an admin to change the hash algorithm and the parameters for this
algorithm.
Migration between different algorithms will be done by hashing the old
hash from the DB with the new hash algorithm and setting a migration
flag in the DB so that the system will be able to recognize that this
password needs to be migrated. For example, when the user tries to log
in, the system checks if the migration flag is set and uses the old
hash algorithm and then the new one. If the login is successful, we
will upgrade the hash in the DB and also clear the migration flag.
I have now implemented a lot of the necessary steps, but there is one
last step that needs to be done. I'm not sure how I can set the default
algorithm and parameters for PasswordService, so that when I call
passwordService.encryptPassword(..) the password will be encrypted with
the hash provider defined in some configuration file. Right now all
passwords are hashed via the argon algorithm. Is there any way to set
up a default hash provider and parameters for PasswordService?
Or is it, as in my first email, that I want to use PasswordService in
a "wrong" way?

with best regards

Jakub


On Mon, Oct 16, 2023 at 8:54 PM Benjamin Marwell <bm...@gmail.com> wrote:
>
> Hi Jakub,
>
> they should not be accessible from anywhere. It possibly slipped
> through reviews.
> The new hash dependencies are thought to be runtime dependencies. You
> should never ever need them in your classpath while compiling, only
> while testing and running the actual application.
>
> Does that help?
>
> - Ben
>
> On Thu, Oct 12, 2023 at 6:57 PM Jakub Herkel <jh...@gmail.com> wrote:
> >
> > One correction, I meant a signature of method fromString was changed from
> > Hash fromString(String string);
> > to
> >  public BCryptHash fromString(String string);
> >
> > Jakub
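
The migration flow described in the message above (wrap the stored old hash with the new algorithm, flag the row, upgrade on the next successful login), as an added example that is not part of the thread and does not use Shiro's API. Assumptions: the JDK's PBKDF2 variants stand in for the configured old and new algorithms, and `Row`, `wrap` and `login` are hypothetical names; it needs Java 17 or later.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Optional;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class WrappedHashMigration {
    // One DB row (hypothetical layout): both salts, the stored hash, the migration flag.
    record Row(byte[] oldSalt, byte[] newSalt, byte[] hash, boolean migrate) {}

    static byte[] kdf(String alg, int iter, char[] secret, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(secret, salt, iter, 256);
        return SecretKeyFactory.getInstance(alg).generateSecret(spec).getEncoded();
    }
    // Stand-ins (assumption) for the old and new algorithms an admin configured.
    static byte[] oldHash(char[] pw, byte[] salt) throws Exception {
        return kdf("PBKDF2WithHmacSHA1", 10_000, pw, salt);
    }
    static byte[] newHash(char[] input, byte[] salt) throws Exception {
        return kdf("PBKDF2WithHmacSHA256", 210_000, input, salt);
    }
    static byte[] salt() { byte[] s = new byte[16]; new SecureRandom().nextBytes(s); return s; }
    static char[] hex(byte[] b) { return HexFormat.of().formatHex(b).toCharArray(); }

    // Offline step: hash the old hash with the new algorithm and set the flag.
    static Row wrap(Row legacy) throws Exception {
        byte[] ns = salt();
        return new Row(legacy.oldSalt(), ns, newHash(hex(legacy.hash()), ns), true);
    }

    // Login: the row to persist on success (upgraded if it was flagged), empty on failure.
    static Optional<Row> login(char[] pw, Row row) throws Exception {
        char[] input = row.migrate() ? hex(oldHash(pw, row.oldSalt())) : pw;
        if (!MessageDigest.isEqual(newHash(input, row.newSalt()), row.hash())) return Optional.empty();
        if (!row.migrate()) return Optional.of(row);
        byte[] ns = salt(); // hash the plaintext with the new algorithm only, clear the flag
        return Optional.of(new Row(null, ns, newHash(pw, ns), false));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray(); // constructed sample password
        byte[] os = salt();
        Row wrapped = wrap(new Row(os, null, oldHash(pw, os), false));
        Row upgraded = login(pw, wrapped).orElseThrow();
        System.out.println("flag before/after login: " + wrapped.migrate() + "/" + upgraded.migrate());
        System.out.println("wrong password accepted: " + login("wrong".toCharArray(), wrapped).isPresent());
        System.out.println("login after upgrade: " + login(pw, upgraded).isPresent());
    }
}
```

The old salt and parameters have to stay in the row until the flag is cleared, because the wrapped check must recompute the old hash before applying the new algorithm.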

Re: Access to BCryptHash from BCryptProvider (shiro 2 alpha)

Posted by Benjamin Marwell <bm...@gmail.com>.
Hi Jakub,

they should not be accessible from anywhere. It possibly slipped
through reviews.
The new hash dependencies are thought to be runtime dependencies. You
should never ever need them in your classpath while compiling, only
while testing and running the actual application.

Does that help?

- Ben

On Thu, Oct 12, 2023 at 6:57 PM Jakub Herkel <jh...@gmail.com> wrote:
>
> One correction, I meant a signature of method fromString was changed from
> Hash fromString(String string);
> to
>  public BCryptHash fromString(String string);
>
> Jakub

Re: Access to BCryptHash from BCryptProvider (shiro 2 alpha)

Posted by Jakub Herkel <jh...@gmail.com>.
One correction, I meant a signature of method fromString was changed from
Hash fromString(String string);
to
 public BCryptHash fromString(String string);

Jakub
