
Example 1 with SecureRandomNumberGenerator

use of org.apache.shiro.crypto.SecureRandomNumberGenerator in project shiro by apache.

Class Hasher, method getSalt. The three salt sources (a text salt, an encoded byte salt, a generated salt) are mutually exclusive; an encoded salt is treated as base64 unless prefixed with hex:, and a generated salt size is given in bits and truncated to whole bytes by integer division.

private static ByteSource getSalt(String saltString, String saltBytesString, boolean generateSalt, int generatedSaltSize) {
    if (saltString != null) {
        if (generateSalt || (saltBytesString != null)) {
            throw new IllegalArgumentException(SALT_MUTEX_MSG);
        }
        return ByteSource.Util.bytes(saltString);
    }
    if (saltBytesString != null) {
        if (generateSalt) {
            throw new IllegalArgumentException(SALT_MUTEX_MSG);
        }
        String value = saltBytesString;
        boolean base64 = true;
        if (saltBytesString.startsWith(HEX_PREFIX)) {
            // hex:
            base64 = false;
            value = value.substring(HEX_PREFIX.length());
        }
        byte[] bytes;
        if (base64) {
            bytes = Base64.decode(value);
        } else {
            bytes = Hex.decode(value);
        }
        return ByteSource.Util.bytes(bytes);
    }
    if (generateSalt) {
        SecureRandomNumberGenerator generator = new SecureRandomNumberGenerator();
        // generatedSaltSize is in *bits* - convert to byte size:
        int byteSize = generatedSaltSize / 8;
        return generator.nextBytes(byteSize);
    }
    // no salt used:
    return null;
}
Also used : SecureRandomNumberGenerator(org.apache.shiro.crypto.SecureRandomNumberGenerator)

Example 2 with SecureRandomNumberGenerator

use of org.apache.shiro.crypto.SecureRandomNumberGenerator in project ANNIS by korpling.

Class AdminServiceImpl, method changePassword. Note that the password is hashed with a single SHA-256 iteration (the third Sha256Hash constructor argument), so the stored value is cheap to brute-force offline; Shiro1CryptFormat records the algorithm, iteration count and salt in the stored $shiro1$ string, so raising the count here needs no change on the verification side.

@POST
@Path("users/{userName}/password")
@Consumes("text/plain")
@Produces("application/xml")
public Response changePassword(String newPassword, @PathParam("userName") String userName) {
    Subject requestingUser = SecurityUtils.getSubject();
    requestingUser.checkPermission("admin:write:user");
    ANNISUserConfigurationManager confManager = getConfManager();
    ANNISUserRealm userRealm = getUserRealm();
    if (confManager != null && userRealm != null) {
        User user = confManager.getUser(userName);
        if (user == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        Shiro1CryptFormat format = new Shiro1CryptFormat();
        SecureRandomNumberGenerator generator = new SecureRandomNumberGenerator();
        // 128 bit
        ByteSource salt = generator.nextBytes(128 / 8);
        Sha256Hash hash = new Sha256Hash(newPassword, salt, 1);
        user.setPasswordHash(format.format(hash));
        if (userRealm.updateUser(user)) {
            return Response.ok().entity(user).build();
        }
    }
    return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("Could not change password").build();
}
Also used: User (annis.security.User), SecureRandomNumberGenerator (org.apache.shiro.crypto.SecureRandomNumberGenerator), Sha256Hash (org.apache.shiro.crypto.hash.Sha256Hash), ANNISUserConfigurationManager (annis.security.ANNISUserConfigurationManager), ByteSource (org.apache.shiro.util.ByteSource), ANNISUserRealm (annis.security.ANNISUserRealm), Subject (org.apache.shiro.subject.Subject), Shiro1CryptFormat (org.apache.shiro.crypto.hash.format.Shiro1CryptFormat), Path (javax.ws.rs.Path), POST (javax.ws.rs.POST), Consumes (javax.ws.rs.Consumes), Produces (javax.ws.rs.Produces)

Example 3 with SecureRandomNumberGenerator

use of org.apache.shiro.crypto.SecureRandomNumberGenerator in project shiro by apache.

Class HashedCredentialsMatcherTest, method testSaltedAuthenticationInfo. The no-argument nextBytes() call uses the generator's default size of 16 bytes; the salt is passed to SimpleAuthenticationInfo so the matcher can re-hash the submitted password with the account's own salt rather than a realm-wide one.

/**
 * Test new Shiro 1.1 functionality, where the salt is obtained from the stored account information, as it
 * should be.  See <a href="https://issues.apache.org/jira/browse/SHIRO-186">SHIRO-186</a>
 */
@Test
public void testSaltedAuthenticationInfo() {
    // use SHA-1 hashing in this test:
    HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha1Hash.ALGORITHM_NAME);
    // simulate a user account with a SHA-1 hashed and salted password:
    ByteSource salt = new SecureRandomNumberGenerator().nextBytes();
    Object hashedPassword = new Sha1Hash("password", salt);
    SimpleAuthenticationInfo account = new SimpleAuthenticationInfo("username", hashedPassword, salt, "realmName");
    // simulate a username/password (plaintext) token created in response to a login attempt:
    AuthenticationToken token = new UsernamePasswordToken("username", "password");
    // verify the hashed token matches what is in the account:
    assertTrue(matcher.doCredentialsMatch(token, account));
}
Also used: AuthenticationToken (org.apache.shiro.authc.AuthenticationToken), SimpleAuthenticationInfo (org.apache.shiro.authc.SimpleAuthenticationInfo), SecureRandomNumberGenerator (org.apache.shiro.crypto.SecureRandomNumberGenerator), Sha1Hash (org.apache.shiro.crypto.hash.Sha1Hash), ByteSource (org.apache.shiro.util.ByteSource), UsernamePasswordToken (org.apache.shiro.authc.UsernamePasswordToken), Test (org.junit.Test)
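Examples 2 and 3 together show the two halves of password storage with Shiro: producing a salted, iterated hash in $shiro1$ format, and checking a login attempt against it with HashedCredentialsMatcher. The following is an added example that is not code from either project; it assumes the Shiro 1.x package layout used above, and the class name PasswordStorageExample, the method names hashForStorage and verify, the realm name "realmName" and the iteration count of 500000 are choices made for this illustration. Unlike the ANNIS snippet it uses many iterations, and the verifier reads the algorithm, iteration count and salt back out of the stored string rather than hard-coding them.

```java
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Hash;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.crypto.hash.format.Shiro1CryptFormat;
import org.apache.shiro.util.ByteSource;

// Added example (not project code): salted, iterated SHA-256 password storage
// in Shiro's $shiro1$ format, and verification via HashedCredentialsMatcher.
public class PasswordStorageExample {

    // Iteration count chosen for this example (assumption); tune to your latency budget.
    private static final int HASH_ITERATIONS = 500_000;
    // 128-bit salt, as in the ANNIS snippet above.
    private static final int SALT_BYTES = 128 / 8;

    /** Hash a new password and return the self-describing $shiro1$ string to persist. */
    static String hashForStorage(String newPassword) {
        // Fresh random salt per password, from SecureRandomNumberGenerator (java.security.SecureRandom).
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(SALT_BYTES);
        Sha256Hash hash = new Sha256Hash(newPassword, salt, HASH_ITERATIONS);
        // Output looks like $shiro1$SHA-256$500000$<base64 salt>$<base64 digest>
        return new Shiro1CryptFormat().format(hash);
    }

    /** Verify a login attempt against a stored $shiro1$ string; false on mismatch or unparsable input. */
    static boolean verify(String storedHash, String username, String attempt) {
        Hash stored = new Shiro1CryptFormat().parse(storedHash);
        if (stored == null) {
            // parse() returns null when the string is not in $shiro1$ format.
            return false;
        }
        // Configure the matcher from what the stored value says, not from constants,
        // so old hashes keep verifying after HASH_ITERATIONS is raised for new ones.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(stored.getAlgorithmName());
        matcher.setHashIterations(stored.getIterations());

        // SaltedAuthenticationInfo carrying the per-account salt, as in Example 3.
        AuthenticationInfo account =
                new SimpleAuthenticationInfo(username, stored, stored.getSalt(), "realmName");
        AuthenticationToken token = new UsernamePasswordToken(username, attempt);
        return matcher.doCredentialsMatch(token, account);
    }

    public static void main(String[] args) {
        // Constructed sample input for the demonstration.
        String stored = hashForStorage("correct horse battery staple");
        System.out.println(stored);
        System.out.println(verify(stored, "alice", "correct horse battery staple")); // true
        System.out.println(verify(stored, "alice", "wrong password"));               // false
        System.out.println(verify("not-a-shiro1-string", "alice", "anything"));      // false
    }
}
```

The matcher re-hashes the submitted password with the salt and iteration count taken from the stored value and compares the resulting bytes with the stored digest, so the stored string is the only thing that has to be kept in sync between hashing and verification.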

Aggregations

SecureRandomNumberGenerator (org.apache.shiro.crypto.SecureRandomNumberGenerator): 3
ByteSource (org.apache.shiro.util.ByteSource): 2
ANNISUserConfigurationManager (annis.security.ANNISUserConfigurationManager): 1
ANNISUserRealm (annis.security.ANNISUserRealm): 1
User (annis.security.User): 1
Consumes (javax.ws.rs.Consumes): 1
POST (javax.ws.rs.POST): 1
Path (javax.ws.rs.Path): 1
Produces (javax.ws.rs.Produces): 1
AuthenticationToken (org.apache.shiro.authc.AuthenticationToken): 1
SimpleAuthenticationInfo (org.apache.shiro.authc.SimpleAuthenticationInfo): 1
UsernamePasswordToken (org.apache.shiro.authc.UsernamePasswordToken): 1
Sha1Hash (org.apache.shiro.crypto.hash.Sha1Hash): 1
Sha256Hash (org.apache.shiro.crypto.hash.Sha256Hash): 1
Shiro1CryptFormat (org.apache.shiro.crypto.hash.format.Shiro1CryptFormat): 1
Subject (org.apache.shiro.subject.Subject): 1
Test (org.junit.Test): 1