Example 1 with SecureRandomNumberGenerator
use of org.apache.shiro.crypto.SecureRandomNumberGenerator in project shiro by apache.
the class Hasher method getSalt.
private static ByteSource getSalt(String saltString, String saltBytesString, boolean generateSalt, int generatedSaltSize) {
if (saltString != null) {
if (generateSalt || (saltBytesString != null)) {
throw new IllegalArgumentException(SALT_MUTEX_MSG);
}
return ByteSource.Util.bytes(saltString);
}
if (saltBytesString != null) {
if (generateSalt) {
throw new IllegalArgumentException(SALT_MUTEX_MSG);
}
String value = saltBytesString;
boolean base64 = true;
if (saltBytesString.startsWith(HEX_PREFIX)) {
// hex:
base64 = false;
value = value.substring(HEX_PREFIX.length());
}
byte[] bytes;
if (base64) {
bytes = Base64.decode(value);
} else {
bytes = Hex.decode(value);
}
return ByteSource.Util.bytes(bytes);
}
if (generateSalt) {
SecureRandomNumberGenerator generator = new SecureRandomNumberGenerator();
// generatedSaltSize is in *bits* - convert to byte size:
int byteSize = generatedSaltSize / 8;
return generator.nextBytes(byteSize);
}
// no salt used:
return null;
}
Also used :
SecureRandomNumberGenerator(org.apache.shiro.crypto.SecureRandomNumberGenerator)
Example 2 with SecureRandomNumberGenerator
use of org.apache.shiro.crypto.SecureRandomNumberGenerator in project ANNIS by korpling.
the class AdminServiceImpl method changePassword.
@POST
@Path("users/{userName}/password")
@Consumes("text/plain")
@Produces("application/xml")
public Response changePassword(String newPassword, @PathParam("userName") String userName) {
Subject requestingUser = SecurityUtils.getSubject();
requestingUser.checkPermission("admin:write:user");
ANNISUserConfigurationManager confManager = getConfManager();
ANNISUserRealm userRealm = getUserRealm();
if (confManager != null && userRealm != null) {
User user = confManager.getUser(userName);
if (user == null) {
return Response.status(Response.Status.NOT_FOUND).build();
}
Shiro1CryptFormat format = new Shiro1CryptFormat();
SecureRandomNumberGenerator generator = new SecureRandomNumberGenerator();
// 128 bit
ByteSource salt = generator.nextBytes(128 / 8);
Sha256Hash hash = new Sha256Hash(newPassword, salt, 1);
user.setPasswordHash(format.format(hash));
if (userRealm.updateUser(user)) {
return Response.ok().entity(user).build();
}
}
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("Could not change password").build();
}
Also used :
User(annis.security.User)
SecureRandomNumberGenerator(org.apache.shiro.crypto.SecureRandomNumberGenerator)
Sha256Hash(org.apache.shiro.crypto.hash.Sha256Hash)
ANNISUserConfigurationManager(annis.security.ANNISUserConfigurationManager)
ByteSource(org.apache.shiro.util.ByteSource)
ANNISUserRealm(annis.security.ANNISUserRealm)
Subject(org.apache.shiro.subject.Subject)
Shiro1CryptFormat(org.apache.shiro.crypto.hash.format.Shiro1CryptFormat)
Path(javax.ws.rs.Path)
POST(javax.ws.rs.POST)
Consumes(javax.ws.rs.Consumes)
Produces(javax.ws.rs.Produces)
Example 3 with SecureRandomNumberGenerator
use of org.apache.shiro.crypto.SecureRandomNumberGenerator in project shiro by apache.
the class HashedCredentialsMatcherTest method testSaltedAuthenticationInfo.
/**
* Test new Shiro 1.1 functionality, where the salt is obtained from the stored account information, as it
* should be. See <a href="https://issues.apache.org/jira/browse/SHIRO-186">SHIRO-186</a>
*/
@Test
public void testSaltedAuthenticationInfo() {
// use SHA-1 hashing in this test:
HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha1Hash.ALGORITHM_NAME);
// simulate a user account with a SHA-1 hashed and salted password:
ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
Object hashedPassword = new Sha1Hash("password", salt);
SimpleAuthenticationInfo account = new SimpleAuthenticationInfo("username", hashedPassword, salt, "realmName");
// simulate a username/password (plaintext) token created in response to a login attempt:
AuthenticationToken token = new UsernamePasswordToken("username", "password");
// verify the hashed token matches what is in the account:
assertTrue(matcher.doCredentialsMatch(token, account));
}
Also used :
AuthenticationToken(org.apache.shiro.authc.AuthenticationToken)
SimpleAuthenticationInfo(org.apache.shiro.authc.SimpleAuthenticationInfo)
SecureRandomNumberGenerator(org.apache.shiro.crypto.SecureRandomNumberGenerator)
Sha1Hash(org.apache.shiro.crypto.hash.Sha1Hash)
ByteSource(org.apache.shiro.util.ByteSource)
UsernamePasswordToken(org.apache.shiro.authc.UsernamePasswordToken)
Test(org.junit.Test)
Aggregations
SecureRandomNumberGenerator (org.apache.shiro.crypto.SecureRandomNumberGenerator)3
ByteSource (org.apache.shiro.util.ByteSource)2
ANNISUserConfigurationManager (annis.security.ANNISUserConfigurationManager)1
ANNISUserRealm (annis.security.ANNISUserRealm)1
User (annis.security.User)1
Consumes (javax.ws.rs.Consumes)1
POST (javax.ws.rs.POST)1
Path (javax.ws.rs.Path)1
Produces (javax.ws.rs.Produces)1
AuthenticationToken (org.apache.shiro.authc.AuthenticationToken)1
SimpleAuthenticationInfo (org.apache.shiro.authc.SimpleAuthenticationInfo)1
UsernamePasswordToken (org.apache.shiro.authc.UsernamePasswordToken)1
Sha1Hash (org.apache.shiro.crypto.hash.Sha1Hash)1
Sha256Hash (org.apache.shiro.crypto.hash.Sha256Hash)1
Shiro1CryptFormat (org.apache.shiro.crypto.hash.format.Shiro1CryptFormat)1
Subject (org.apache.shiro.subject.Subject)1
Test (org.junit.Test)1
