use of org.apache.shiro.crypto.hash.format.Shiro1CryptFormat in project ANNIS by korpling.
The class AdminServiceImpl, method changePassword.
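/**
 * Replaces the stored password hash of the user named in the path.
 *
 * The request body is the new password in plain text. The caller must hold the
 * {@code admin:write:user} permission; {@code checkPermission} throws otherwise, so
 * there is no explicit forbidden branch here.
 *
 * @param newPassword the new clear-text password (request body)
 * @param userName    the user whose password is replaced
 * @return 200 with the updated user on success, 400 for a missing or empty password,
 *         404 if the user does not exist, 500 if the configuration manager or realm is
 *         unavailable or the realm rejects the update
 */
@POST
@Path("users/{userName}/password")
@Consumes("text/plain")
@Produces("application/xml")
public Response changePassword(String newPassword, @PathParam("userName") String userName) {
    Subject requestingUser = SecurityUtils.getSubject();
    requestingUser.checkPermission("admin:write:user");

    // Reject an absent or empty body before hashing: hashing null would fail inside
    // Sha256Hash and surface as an unexplained 500, and an empty password must never be stored.
    if (newPassword == null || newPassword.isEmpty()) {
        return Response.status(Response.Status.BAD_REQUEST).entity("Password must not be empty").build();
    }

    ANNISUserConfigurationManager confManager = getConfManager();
    ANNISUserRealm userRealm = getUserRealm();
    if (confManager == null || userRealm == null) {
        return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("Could not change password").build();
    }

    User user = confManager.getUser(userName);
    if (user == null) {
        return Response.status(Response.Status.NOT_FOUND).build();
    }

    // Fresh 128-bit salt per password from a CSPRNG, stored alongside the hash in Shiro1 format.
    SecureRandomNumberGenerator generator = new SecureRandomNumberGenerator();
    ByteSource salt = generator.nextBytes(128 / 8);
    // Iteration count is fixed at 1 because ANNISUserRealm.doGetAuthenticationInfo validates
    // that every parsed hash has exactly one iteration; a higher count here would lock the user out.
    // NOTE(review): a single SHA-256 round is a weak password-storage KDF; raising it requires
    // changing the realm's check in step.
    Sha256Hash hash = new Sha256Hash(newPassword, salt, 1);
    user.setPasswordHash(new Shiro1CryptFormat().format(hash));

    if (userRealm.updateUser(user)) {
        return Response.ok().entity(user).build();
    }
    return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("Could not change password").build();
}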
use of org.apache.shiro.crypto.hash.format.Shiro1CryptFormat in project ANNIS by korpling.
The class ANNISUserRealm, method doGetAuthenticationInfo.
/**
 * Looks up the stored credentials for the principal carried by {@code token}.
 *
 * Three layouts are supported: the configured anonymous user (whose password is its own
 * user name), a Shiro1-formatted salted hash (prefixed with {@code $}), and a legacy bare hex
 * digest without salt. Returns {@code null} when no user or no stored hash is found, or when
 * a {@code $}-prefixed value does not parse to a {@code SimpleHash}; Shiro treats a null
 * result as an unknown account.
 *
 * @param token the submitted token; its principal must be a {@code String}
 * @return authentication info holding the stored hash (and salt where present), or {@code null}
 * @throws AuthenticationException propagated from the Shiro realm contract
 * @throws IllegalArgumentException if the principal is not a String or a parsed hash does not
 *         use exactly one iteration
 */
@Override
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
    Validate.isInstanceOf(String.class, token.getPrincipal());
    String principal = (String) token.getPrincipal();
    String realmName = ANNISUserRealm.class.getName();

    if (principal.equals(anonymousUser)) {
        // Anonymous login: the user name doubles as the password, so that is what gets hashed.
        Sha256Hash anonymousHash = new Sha256Hash(principal);
        return new SimpleAuthenticationInfo(principal, anonymousHash.getBytes(), realmName);
    }

    User account = confManager.getUser(principal);
    if (account == null) {
        return null;
    }
    String stored = account.getPasswordHash();
    if (stored == null) {
        return null;
    }

    if (!stored.startsWith("$")) {
        // Legacy layout: unsalted hex digest compared as-is.
        return new SimpleAuthenticationInfo(token.getPrincipal(), stored, realmName);
    }

    Hash parsed = new Shiro1CryptFormat().parse(stored);
    if (!(parsed instanceof SimpleHash)) {
        return null;
    }
    SimpleHash salted = (SimpleHash) parsed;
    // The matcher side assumes a single round; refuse anything else rather than silently mis-verify.
    Validate.isTrue(salted.getIterations() == 1, "Hash iteration count must be 1 for every password hash!");
    SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(principal, salted.getBytes(), realmName);
    info.setCredentialsSalt(new SerializableByteSource(salted.getSalt()));
    return info;
}