Hi Paulo,

I made some adjustments to the project to use hashed passwords correctly in the database, but I discovered that there is a bug in the PasswordMatcher implementation. I created an issue for this:
https://issues.apache.org/jira/browse/SHIRO-363

In the meantime, I've created a JdbcRealm subclass in your project to work around the issue. I'll commit the fix to Shiro shortly.

The project with my fixes applied: https://github.com/lhazlewood/simple-shiro-web-app

I've issued a pull request to you so you can incorporate those changes in your project if you like: https://github.com/pires/simple-shiro-web-app/pull/1

HTH!

Best,

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog

On Fri, May 18, 2012 at 10:22 AM, Paulo Pires <[email protected]> wrote:
> Hi Les,
>
> Thank you for taking the time to help me.
>
> I'll drop the ALTER statements. I use them for redeployments automatically, but you're right, they're no good in this project.
>
> Now, regarding the hashing, I've done it before. I even cloned your trunk and built the hasher-cli.jar myself. But authentication wasn't working either, so I went back to cleartext passwords. I got confused with 'salt' and the number of iterations as something I may have to pass in shiro.ini to the passwordMatcher (HashedCredentialsMatcher). Or is it the initial part of the value stored in the database?
>
> Isn't PasswordMatcher different from HashedCredentialsMatcher? I have it in my shiro.ini but it's commented out.
>
> Cheers,
> PP
>
> On 18/05/12 18:10, Les Hazlewood wrote:
>> I just forked the project and tried to set up the DB - the pop_db.sql script was failing for me because of the alter statements at the top (there was nothing to alter since it was my first time creating the DB).
>>
>> Then I looked further down the script and noticed that you were populating the user table with raw (plaintext) password values for the password column. This is probably why your logins always fail:
>>
>> Because you've configured a PasswordService and PasswordMatcher, Shiro expects the passwords returned from the database to be in a recognized hash format. Because the column values are plaintext, the credentials comparison under the current configuration will always fail.
>>
>> You can use the Shiro command-line Hasher [1] to hash your test passwords. Take the output from that command and use that as your password column value.
>>
>> I know this is just a test/sample web app, but in the interest of clarity for others that might read this in the future, I should stress, very strongly, to never ever ever store plaintext passwords in your data store. Ever. :)
>>
>> [1] http://shiro.apache.org/command-line-hasher.html
>>
>> HTH,
>>
>> --
>> Les Hazlewood
>>
>> On Fri, May 18, 2012 at 10:02 AM, Jared Bunting <[email protected]> wrote:
>>> Since those are trace messages from beanutils, and you explicitly set org.apache to warn in log4j.properties, I'm still thinking that your logging configuration isn't getting picked up. You might try Googling for logging in glassfish.
>>>
>>> On May 18, 2012 10:20 AM, "Paulo Pires" <[email protected]> wrote:
>>>> Hi all,
>>>>
>>>> First of all, thanks to the project contributors for putting such an effort into this project.
>>>>
>>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen' from Shiro samples code) to authenticate against a JDBC realm backed by MySQL. Every time I try to log in the page just reloads again and doesn't throw any kind of error.
>>>>
>>>> I've made the project source-code public, so that anyone can look at it, and eventually it may become the basis for a tutorial on this. You can check it at https://github.com/pires/simple-shiro-web-app
>>>>
>>>> I've tried to debug it, but somehow, my log4j configuration is not working properly. I can see a 'shiro.log' file being generated and with some output from commons.beanutils, but nothing about Shiro. I only get error messages in Glassfish 'server.log' when some property in 'shiro.ini' is wrongly configured.
>>>>
>>>> Any help will be highly appreciated.
>>>>
>>>> Thanks!
>>>>
>>>> --
>>>> Paulo Pires
>>>>
>
> --
> Paulo Pires
>
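The failure Les describes (a PasswordMatcher that expects a recognized hash format while the `password` column holds plaintext) can be made concrete with a small Python model of the `$shiro1$` storage format. This is an added example written for this page, not code from the thread, from Shiro, or from the simple-shiro-web-app project. The layout it implements (`$shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>`, with the digest computed as H(salt || password) and then re-hashed iterations-1 times) is my understanding of what Shiro's DefaultPasswordService and the command-line hasher produce; the function names, the 16-byte salt, the constructed sample rows and the 1000-iteration demo value are assumptions for illustration.

```python
"""Model of the $shiro1$ stored-password format: hashing and matching.

Added example, not Shiro's code. It shows why a matcher that parses the
stored value rejects a plaintext column: "secret" has no prefix, no salt
and no iteration count, so there is nothing to compare against.
"""
import base64
import hashlib
import hmac
import secrets

PREFIX = "shiro1"                 # marker that identifies the format


def _hashlib_name(algorithm):
    # Assumption: Shiro's algorithm names map to hashlib names ("SHA-256" -> "sha256").
    return algorithm.replace("-", "").lower()


def _iterated_digest(algorithm, salt, password, iterations):
    """H(salt || password), then re-hash the digest (iterations - 1) more times."""
    name = _hashlib_name(algorithm)
    h = hashlib.new(name)
    h.update(salt)
    h.update(password.encode("utf-8"))
    digest = h.digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest).digest()
    return digest


def hash_password(password, algorithm="SHA-256", iterations=500000, salt=None):
    """Produce the value that belongs in the password column.

    A fresh 16-byte random salt is generated per password unless one is
    supplied (supplying one is only useful for reproducible tests).
    """
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = _iterated_digest(algorithm, salt, password, iterations)
    return "$".join([
        "", PREFIX, algorithm, str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def parse_stored(stored):
    """Return (algorithm, iterations, salt, digest), or None if the value
    is not in the recognized format (e.g. a plaintext password)."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != PREFIX:
        return None
    try:
        iterations = int(parts[3])
        salt = base64.b64decode(parts[4], validate=True)
        digest = base64.b64decode(parts[5], validate=True)
    except ValueError:            # bad integer or bad base64 (binascii.Error is a ValueError)
        return None
    if iterations < 1 or not salt or not digest:
        return None
    return parts[2], iterations, salt, digest


def passwords_match(submitted, stored):
    """What a PasswordMatcher does at login: parse the stored value, re-derive
    the digest with the stored salt and iteration count, compare in constant time."""
    parsed = parse_stored(stored)
    if parsed is None:
        return False              # unrecognized column value: every login fails
    algorithm, iterations, salt, expected = parsed
    actual = _iterated_digest(algorithm, salt, submitted, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample rows, standing in for the user table in pop_db.sql.
    plaintext_row = {"username": "alice", "password": "secret"}
    hashed_row = {"username": "bob", "password": hash_password("secret", iterations=1000)}

    for row in (plaintext_row, hashed_row):
        ok = passwords_match("secret", row["password"])
        print(f"{row['username']}: stored={row['password'][:32]}... login_ok={ok}")
```

Running the script shows the plaintext row failing and the hashed row succeeding for the same submitted password, which is exactly the symptom from the thread (the login page reloading without an error). In shiro.ini the equivalent wiring is a PasswordService instance assigned to the PasswordMatcher's `passwordService` property, and the matcher assigned to the realm's `credentialsMatcher`; the salt and iteration count are read from the stored value itself, which is why they are not passed to the matcher when this format is used.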
