I am attempting to use the Shiro JdbcRealm and SHA256 hashedcredentialsMatcher. I need to update a legacy database and assign the appropriate salt for each user (via a batch routine).
how do I get/set the salt for a given account using the Shiro framework?
With Shiro 1.2.3 all you need to do is:
Extend JdbcRealm
and set salt style.
public class JdbcSaltRealm extends JdbcRealm {
public JdbcSaltRealm() {
setSaltStyle(SaltStyle.COLUMN);
}
}
Update shiro.ini
to use extended realm and to get salt column from DB
credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
credentialsMatcher.hashAlgorithmName = SHA-256
jdbcRealm = com.mypackage.JdbcSaltRealm
jdbcRealm.authenticationQuery = SELECT password, salt FROM user WHERE username = ?
jdbcRealm.credentialsMatcher = $credentialsMatcher
Hash & salt current / new user passwords. This should be done for all existing users as well as on new user registrations.
private void saltHashPassword(String password) {
String salt = new BigInteger(250, new SecureRandom()).toString(32);
//TODO: save salt value to "salt" column in user table
Sha256Hash hash = new Sha256Hash(password,
(new SimpleByteSource(salt)).getBytes());
String saltedHashedPassword = hash.toHex();
//TODO: save saltedHashedPassword value to "password" column in user table
}
I hope my answer is clear and understandable.
Maybe a bit late:
Have a look at this tutorial.
Meri, the guy who owns the blog, describes exactly how to create an own salted JDBC Realm.
This is also an acknowledged improvement in the community for version 1.3.0 .
Hope this helpes, have Fun!