Examples with Shiro1CryptFormat org.apache.shiro.crypto.hash.format.Shiro1CryptFormat used on opensource projects

Example 1 with Shiro1CryptFormat

use of org.apache.shiro.crypto.hash.format.Shiro1CryptFormat in project ANNIS by korpling.

the class AdminServiceImpl method changePassword.

@POST
@Path("users/{userName}/password")
@Consumes("text/plain")
@Produces("application/xml")
public Response changePassword(String newPassword, @PathParam("userName") String userName) {
    Subject requestingUser = SecurityUtils.getSubject();
    requestingUser.checkPermission("admin:write:user");
    ANNISUserConfigurationManager confManager = getConfManager();
    ANNISUserRealm userRealm = getUserRealm();
    if (confManager != null && userRealm != null) {
        User user = confManager.getUser(userName);
        if (user == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        Shiro1CryptFormat format = new Shiro1CryptFormat();
        SecureRandomNumberGenerator generator = new SecureRandomNumberGenerator();
        // 128 bit
        ByteSource salt = generator.nextBytes(128 / 8);
        Sha256Hash hash = new Sha256Hash(newPassword, salt, 1);
        user.setPasswordHash(format.format(hash));
        if (userRealm.updateUser(user)) {
            return Response.ok().entity(user).build();
        }
    }
    return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("Could not change password").build();
}

Example 2 with Shiro1CryptFormat

use of org.apache.shiro.crypto.hash.format.Shiro1CryptFormat in project ANNIS by korpling.

the class ANNISUserRealm method doGetAuthenticationInfo.

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    Validate.isInstanceOf(String.class, token.getPrincipal());
    String userName = (String) token.getPrincipal();
    if (userName.equals(anonymousUser)) {
        // for anonymous users the user name equals the Password, so hash the user name
        Sha256Hash hash = new Sha256Hash(userName);
        return new SimpleAuthenticationInfo(userName, hash.getBytes(), ANNISUserRealm.class.getName());
    }
    User user = confManager.getUser(userName);
    if (user != null) {
        String passwordHash = user.getPasswordHash();
        if (passwordHash != null) {
            if (passwordHash.startsWith("$")) {
                Shiro1CryptFormat fmt = new Shiro1CryptFormat();
                Hash hashCredentials = fmt.parse(passwordHash);
                if (hashCredentials instanceof SimpleHash) {
                    SimpleHash simpleHash = (SimpleHash) hashCredentials;
                    Validate.isTrue(simpleHash.getIterations() == 1, "Hash iteration count must be 1 for every password hash!");
                    // actually set the information from the user file
                    SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(userName, simpleHash.getBytes(), ANNISUserRealm.class.getName());
                    info.setCredentialsSalt(new SerializableByteSource(simpleHash.getSalt()));
                    return info;
                }
            } else {
                // fallback unsalted hex hash
                SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(token.getPrincipal(), passwordHash, ANNISUserRealm.class.getName());
                return info;
            }
        }
    }
    return null;
}