Using Shiro's PasswordMatcher with a custom realm

Question

I\'m using Apache Shiro with a custom JDBC realm to retrieve a user’s salt, password, hash algorithm name and number of hash iterations from the database which are all store

Answer 1

Took me a while to hunt down this url in one of my projects - http://meri-stuff.blogspot.com/2011/04/apache-shiro-part-2-realms-database-and.html

The article links to this file JNDIAndSaltAwareJdbcRealm

I've used that class successfully in my project to use salt in the password hash.

HTH

Answer 2

I posted a message on the Shiro mailing list and got a reply saying that the PasswordMatcher by default does not look at anything in the AuthenticationInfo other than authenticationInfo.getCredentials().

For further details, the archived message on the mailing list is available at http://shiro-user.582556.n2.nabble.com/Migrating-from-HashedCredentialMatcher-to-PasswordMatcher-td7577808.html

Answer 3

If you store the credentials created by the Shiro Command Line Hasher in Shiro1CryptFormat, then you can use the DefaultPasswordService in your realm:

        final PasswordMatcher passwordMatcher = new PasswordMatcher();
        passwordMatcher.setPasswordService(new DefaultPasswordService());
        realm.setCredentialsMatcher(passwordMatcher);