
Example 1 with Shiro1CryptFormat

Use of org.apache.shiro.crypto.hash.format.Shiro1CryptFormat in project ANNIS by korpling, in the class AdminServiceImpl, method changePassword.

@POST
@Path("users/{userName}/password")
@Consumes("text/plain")
@Produces("application/xml")
public Response changePassword(String newPassword, @PathParam("userName") String userName) {
    Subject requestingUser = SecurityUtils.getSubject();
    requestingUser.checkPermission("admin:write:user");
    ANNISUserConfigurationManager confManager = getConfManager();
    ANNISUserRealm userRealm = getUserRealm();
    if (confManager != null && userRealm != null) {
        User user = confManager.getUser(userName);
        if (user == null) {
            return Response.status(Response.Status.NOT_FOUND).build();
        }
        Shiro1CryptFormat format = new Shiro1CryptFormat();
        SecureRandomNumberGenerator generator = new SecureRandomNumberGenerator();
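        // 128-bit random salt
        ByteSource salt = generator.nextBytes(128 / 8);
        // salted SHA-256 with a single hash iteration
        Sha256Hash hash = new Sha256Hash(newPassword, salt, 1);
        // serialize as a Shiro1 crypt string: $shiro1$SHA-256$1$<base64 salt>$<base64 digest>
        user.setPasswordHash(format.format(hash));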
        if (userRealm.updateUser(user)) {
            return Response.ok().entity(user).build();
        }
    }
    return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("Could not change password").build();
}
Also used: User (annis.security.User), SecureRandomNumberGenerator (org.apache.shiro.crypto.SecureRandomNumberGenerator), Sha256Hash (org.apache.shiro.crypto.hash.Sha256Hash), ANNISUserConfigurationManager (annis.security.ANNISUserConfigurationManager), ByteSource (org.apache.shiro.util.ByteSource), ANNISUserRealm (annis.security.ANNISUserRealm), Subject (org.apache.shiro.subject.Subject), Shiro1CryptFormat (org.apache.shiro.crypto.hash.format.Shiro1CryptFormat), Path (javax.ws.rs.Path), POST (javax.ws.rs.POST), Consumes (javax.ws.rs.Consumes), Produces (javax.ws.rs.Produces)

Example 2 with Shiro1CryptFormat

Use of org.apache.shiro.crypto.hash.format.Shiro1CryptFormat in project ANNIS by korpling, in the class ANNISUserRealm, method doGetAuthenticationInfo.

@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    Validate.isInstanceOf(String.class, token.getPrincipal());
    String userName = (String) token.getPrincipal();
    if (userName.equals(anonymousUser)) {
        // for anonymous users the user name equals the password, so hash the user name
        Sha256Hash hash = new Sha256Hash(userName);
        return new SimpleAuthenticationInfo(userName, hash.getBytes(), ANNISUserRealm.class.getName());
    }
    User user = confManager.getUser(userName);
    if (user != null) {
        String passwordHash = user.getPasswordHash();
        if (passwordHash != null) {
            if (passwordHash.startsWith("$")) {
                Shiro1CryptFormat fmt = new Shiro1CryptFormat();
                Hash hashCredentials = fmt.parse(passwordHash);
                if (hashCredentials instanceof SimpleHash) {
                    SimpleHash simpleHash = (SimpleHash) hashCredentials;
                    Validate.isTrue(simpleHash.getIterations() == 1, "Hash iteration count must be 1 for every password hash!");
                    // actually set the information from the user file
                    SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(userName, simpleHash.getBytes(), ANNISUserRealm.class.getName());
                    info.setCredentialsSalt(new SerializableByteSource(simpleHash.getSalt()));
                    return info;
                }
            } else {
                // fallback unsalted hex hash
                SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(token.getPrincipal(), passwordHash, ANNISUserRealm.class.getName());
                return info;
            }
        }
    }
    return null;
}
Also used: SimpleAuthenticationInfo (org.apache.shiro.authc.SimpleAuthenticationInfo), Sha256Hash (org.apache.shiro.crypto.hash.Sha256Hash), SimpleHash (org.apache.shiro.crypto.hash.SimpleHash), Hash (org.apache.shiro.crypto.hash.Hash), Shiro1CryptFormat (org.apache.shiro.crypto.hash.format.Shiro1CryptFormat)
