Using bcrypt with Shiro
Yes, I know Shiro is supposed to be just fine for security with SHA256 and multiple iterations, but there's really no good excuse for it not supporting bcrypt. Anyway, I had a legacy app which stored many passwords in bcrypt, which I couldn't (obviously) read or port to SHA, so I really needed bcrypt. Fortunately, it was more or less trivial to plug in my own CredentialsMatcher:
package ca.uhnresearch.pughlab.tracker.security;

import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;
import org.mindrot.jbcrypt.BCrypt;

/** Verifies a submitted password against a stored bcrypt hash (the "$2a$..." string jBCrypt produces). */
public class BcryptPasswordMatcher implements CredentialsMatcher {
    @Override
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        // Only a username/password login carries a plaintext password to check.
        if (!(token instanceof UsernamePasswordToken)) {
            return false;
        }
        char[] submitted = ((UsernamePasswordToken) token).getPassword();
        // JdbcRealm returns the password column as char[]; other realms may return a String.
        Object stored = info.getCredentials();
        if (submitted == null || stored == null) {
            return false;
        }
        String hashed = stored instanceof char[] ? new String((char[]) stored) : stored.toString();
        try {
            return BCrypt.checkpw(new String(submitted), hashed);
        } catch (IllegalArgumentException e) {
            // Stored value is not a well-formed bcrypt hash: fail the login instead of throwing.
            return false;
        }
    }
}
This injects fine into the credentialsMatcher property of, e.g., JdbcRealm.
Now I can just move over the database with hashes and all existing users remain happy.
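To show the other half of the picture, here is an added example (not from the original tip, and not part of Shiro or jBCrypt) of how new passwords get hashed so they are compatible with the matcher above, how the matcher is attached to a JdbcRealm in code rather than via configuration, and what happens when the password column holds something that is not a bcrypt string. The class name BcryptMatcherDemo, the work factor of 12, the realm name "jdbcRealm" and the sample users and passwords are all made up for the demonstration.

```java
package ca.uhnresearch.pughlab.tracker.security;

import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.mindrot.jbcrypt.BCrypt;

/**
 * Added example, not from the original tip: hashing new passwords for storage,
 * wiring BcryptPasswordMatcher into a JdbcRealm, and exercising the matcher on
 * good, bad and malformed input.
 */
public class BcryptMatcherDemo {

    /** Work factor 2^12 (assumed value). Raise it over time; old hashes carry their own cost in the string. */
    private static final int LOG_ROUNDS = 12;

    /** What the registration / password-change path should write to the password column. */
    static String hashForStorage(char[] password) {
        // gensalt() generates a fresh random 128-bit salt per password, so equal passwords get different hashes.
        return BCrypt.hashpw(new String(password), BCrypt.gensalt(LOG_ROUNDS));
    }

    public static void main(String[] args) {
        BcryptPasswordMatcher matcher = new BcryptPasswordMatcher();

        // Constructed sample: a freshly registered user (name and password are made up).
        String storedHash = hashForStorage("correct horse battery staple".toCharArray());
        // JdbcRealm hands the column to the matcher as char[], so mimic that here.
        SimpleAuthenticationInfo info =
                new SimpleAuthenticationInfo("alice", storedHash.toCharArray(), "jdbcRealm");

        boolean ok = matcher.doCredentialsMatch(
                new UsernamePasswordToken("alice", "correct horse battery staple"), info);
        boolean wrong = matcher.doCredentialsMatch(
                new UsernamePasswordToken("alice", "Tr0ub4dor&3"), info);
        System.out.println("right password -> " + ok);
        System.out.println("wrong password -> " + wrong);

        // A row whose password column is not a bcrypt string (constructed: a leftover from some
        // other scheme) must be a failed login, never a successful one.
        SimpleAuthenticationInfo legacy =
                new SimpleAuthenticationInfo("bob", "not-a-bcrypt-hash".toCharArray(), "jdbcRealm");
        try {
            boolean r = matcher.doCredentialsMatch(new UsernamePasswordToken("bob", "password"), legacy);
            System.out.println("non-bcrypt column -> " + r);
        } catch (IllegalArgumentException e) {
            // jBCrypt rejects anything that is not "$2a$NN$..."; a matcher that does not catch this
            // turns one bad row into an exception on the login page instead of a failed login.
            System.out.println("non-bcrypt column -> rejected: " + e.getMessage());
        }

        // Programmatic equivalent of setting the credentialsMatcher property on a JdbcRealm.
        JdbcRealm realm = new JdbcRealm();
        realm.setCredentialsMatcher(matcher);
        // realm.setDataSource(...) would then point at the migrated users table.
    }
}
```

Two things worth checking before migrating: the imported hashes should all start with a bcrypt prefix such as "$2a$", since anything else will be rejected rather than matched, and the cost factor used for new hashes should be chosen by measuring login latency on the production hardware rather than copied from an example.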
Written by Stuart Watt