Usage of org.apache.shiro.crypto.SecureRandomNumberGenerator in project shiro by apache:
class Hasher, method getSalt.
/**
 * Resolves the salt to use from three mutually exclusive inputs.
 * <p>
 * Exactly one of {@code saltString} (used as-is), {@code saltBytesString} (an encoded
 * byte string, Base64 by default or hex when it starts with {@code HEX_PREFIX}) or
 * {@code generateSalt} may be given; combining a literal/encoded salt with another
 * option fails with {@code SALT_MUTEX_MSG}. When none is given no salt is used.
 * <p>
 * {@code generatedSaltSize} is in bits and is converted with integer division, so a
 * size that is not a multiple of 8 loses the remainder (e.g. 7 bits yields 0 bytes);
 * callers wanting a guaranteed minimum should pass a whole number of bytes in bits.
 *
 * @param saltString        a literal salt, or {@code null}
 * @param saltBytesString   an encoded salt, or {@code null}
 * @param generateSalt      whether to draw a random salt from {@link SecureRandomNumberGenerator}
 * @param generatedSaltSize requested random salt size in bits
 * @return the resolved salt, or {@code null} when no salt option was given
 * @throws IllegalArgumentException when more than one salt option is supplied
 */
private static ByteSource getSalt(String saltString, String saltBytesString, boolean generateSalt, int generatedSaltSize) {
    boolean hasEncodedBytes = saltBytesString != null;
    if (saltString != null) {
        // A literal salt cannot be combined with encoded bytes or generation.
        if (generateSalt || hasEncodedBytes) {
            throw new IllegalArgumentException(SALT_MUTEX_MSG);
        }
        return ByteSource.Util.bytes(saltString);
    }
    if (hasEncodedBytes) {
        if (generateSalt) {
            throw new IllegalArgumentException(SALT_MUTEX_MSG);
        }
        byte[] decoded;
        if (saltBytesString.startsWith(HEX_PREFIX)) {
            // hex-encoded: strip the prefix before decoding
            decoded = Hex.decode(saltBytesString.substring(HEX_PREFIX.length()));
        } else {
            decoded = Base64.decode(saltBytesString);
        }
        return ByteSource.Util.bytes(decoded);
    }
    if (generateSalt) {
        // bits -> bytes; any remainder below a whole byte is dropped
        int saltByteCount = generatedSaltSize / 8;
        return new SecureRandomNumberGenerator().nextBytes(saltByteCount);
    }
    // no salt option given
    return null;
}
Usage of org.apache.shiro.crypto.SecureRandomNumberGenerator in project ANNIS by korpling:
class AdminServiceImpl, method changePassword.
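/**
 * Sets a new password for {@code userName}; the request body is the plaintext password.
 * <p>
 * The caller must hold the {@code admin:write:user} permission, which is checked before
 * any user data is read. The password is stored as a salted SHA-256 hash in Shiro1 crypt
 * format with a fresh 128-bit salt drawn from {@link SecureRandomNumberGenerator}.
 *
 * @param newPassword the plaintext password sent as the request body; must be non-empty
 * @param userName    the user whose password is changed
 * @return 200 with the updated user, 400 for a missing or empty password, 404 for an
 *         unknown user, 500 when the configuration manager or realm is unavailable or
 *         the update fails
 */
@POST
@Path("users/{userName}/password")
@Consumes("text/plain")
@Produces("application/xml")
public Response changePassword(String newPassword, @PathParam("userName") String userName) {
    // Authorization first: nothing below runs for a caller without the permission.
    Subject requestingUser = SecurityUtils.getSubject();
    requestingUser.checkPermission("admin:write:user");
    // A missing or empty body would otherwise reach the hash constructor with no usable
    // source instead of being rejected as a client error, and an empty password must not
    // be stored for any account.
    if (newPassword == null || newPassword.isEmpty()) {
        return Response.status(Response.Status.BAD_REQUEST).entity("Password must not be empty").build();
    }
    ANNISUserConfigurationManager confManager = getConfManager();
    ANNISUserRealm userRealm = getUserRealm();
    if (confManager != null && userRealm != null) {
        User user = confManager.getUser(userName);
        if (user == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        // 128-bit salt, freshly generated for every password change.
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(128 / 8);
        // A single SHA-256 iteration offers little brute-force resistance for password
        // storage, but the iteration count must match what the realm's credentials
        // matcher (not visible here) verifies against, so it is left unchanged.
        Sha256Hash hash = new Sha256Hash(newPassword, salt, 1);
        user.setPasswordHash(new Shiro1CryptFormat().format(hash));
        if (userRealm.updateUser(user)) {
            // NOTE(review): the response entity is the User object that now carries the
            // new hash; confirm the XML binding does not serialize passwordHash.
            return Response.ok().entity(user).build();
        }
    }
    return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("Could not change password").build();
}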
Usage of org.apache.shiro.crypto.SecureRandomNumberGenerator in project shiro by apache:
class HashedCredentialsMatcherTest, method testSaltedAuthenticationInfo.
/**
 * Verifies the Shiro 1.1 behaviour where the salt comes from the stored account
 * information rather than from the matcher itself. See
 * <a href="https://issues.apache.org/jira/browse/SHIRO-186">SHIRO-186</a>.
 */
@Test
public void testSaltedAuthenticationInfo() {
    // The matcher only knows the algorithm (SHA-1); the salt travels with the account.
    HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha1Hash.ALGORITHM_NAME);

    // Stored side: a random salt and the SHA-1 of the plaintext under that salt.
    ByteSource accountSalt = new SecureRandomNumberGenerator().nextBytes();
    Sha1Hash storedHash = new Sha1Hash("password", accountSalt);
    SimpleAuthenticationInfo account =
            new SimpleAuthenticationInfo("username", storedHash, accountSalt, "realmName");

    // Submitted side: the plaintext credentials a login attempt would carry.
    AuthenticationToken submitted = new UsernamePasswordToken("username", "password");

    // The matcher must hash the submitted password with the account's salt and match.
    assertTrue(matcher.doCredentialsMatch(submitted, account));
}