Les,

You rock!! It works. I've already pulled and pushed your changes. Thank you so much.

PP

On 18/05/12 18:52, Les Hazlewood wrote:
> Hi Paulo,
>
> I made some adjustments to the project to use hashed passwords
> correctly in the database, but I discovered that there is a bug in the
> PasswordMatcher implementation. I created an issue for this:
>
> https://issues.apache.org/jira/browse/SHIRO-363
>
> In the meantime, I've created a JdbcRealm subclass in your project to
> work around the issue. I'll commit the fix to Shiro shortly.
>
> The project with my fixes applied:
> https://github.com/lhazlewood/simple-shiro-web-app
>
> I've issued a pull request to you so you can incorporate those changes
> in your project if you like:
> https://github.com/pires/simple-shiro-web-app/pull/1
>
> HTH!
>
> Best,
>
> --
> Les Hazlewood
> CTO, Stormpath | http://stormpath.com | 888.391.5282
> twitter: @lhazlewood | http://twitter.com/lhazlewood
> blog: http://leshazlewood.com
> stormpath blog: http://www.stormpath.com/blog
>
> On Fri, May 18, 2012 at 10:22 AM, Paulo Pires <[email protected]> wrote:
>> Hi Les,
>>
>> Thank you for taking time into helping me.
>>
>> I'll drop the ALTER statements. I use them for redeployments
>> automatically but you're right, they're no good in this project.
>>
>> Now, regarding the hashing, I've done it before. I even cloned your
>> trunk and built the hasher-cli.jar myself. But authentication wasn't
>> working as well, so I got back to cleartext passwords. I got confused
>> with 'salt' and the number of iterations as something I may have to pass
>> in shiro.ini to the passwordMatcher (HashedCredentialsMatcher). Or is it
>> the initial part of the value stored in the database?
>>
>> Isn't PasswordMatcher different from HashedCredentialsMatcher? I have it
>> in my shiro.ini but it's commented.
>>
>> Cheers,
>> PP
>>
>> On 18/05/12 18:10, Les Hazlewood wrote:
>>> I just forked the project and tried to set up the DB - the pop_db.sql
>>> script was failing for me because of the alter statements at the top
>>> (there was nothing to alter since it was my first time creating the
>>> DB).
>>>
>>> Then I looked further down the script and noticed that you were
>>> populating the user table with raw (plaintext) password values for the
>>> password column. This is probably why your logins always fail:
>>>
>>> Because you've configured a PasswordService and PasswordMatcher, Shiro
>>> expects the passwords returned from the database to be in a recognized
>>> hash format. Because the column values are plaintext, the credentials
>>> comparison under the current configuration will always fail.
>>>
>>> You can use the Shiro command-line Hasher [1] to hash your test
>>> passwords. Take the output from that command and use that as your
>>> password column value.
>>>
>>> I know this is just a test/sample web app, but in the interest of
>>> clarity for others that might read this in the future, I should
>>> stress, very strongly, to never ever ever store plaintext passwords in
>>> your data store. Ever. :)
>>>
>>> [1] http://shiro.apache.org/command-line-hasher.html
>>>
>>> HTH,
>>>
>>> --
>>> Les Hazlewood
>>> CTO, Stormpath | http://stormpath.com | 888.391.5282
>>> twitter: @lhazlewood | http://twitter.com/lhazlewood
>>> blog: http://leshazlewood.com
>>> stormpath blog: http://www.stormpath.com/blog
>>>
>>> On Fri, May 18, 2012 at 10:02 AM, Jared Bunting
>>> <[email protected]> wrote:
>>>> Since those are trace messages from beanutils, and you explicitly set
>>>> org.apache to warn in log4j.properties, I'm still thinking that your
>>>> logging configuration isn't getting picked up. You might try Googling
>>>> for logging in glassfish.
>>>>
>>>> On May 18, 2012 10:20 AM, "Paulo Pires" <[email protected]> wrote:
>>>>> Hi all,
>>>>>
>>>>> First of all, thanks to the project contributors for putting such an
>>>>> effort in this project.
>>>>>
>>>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>>>>> from Shiro samples code) to authenticate against a JDBC realm backed by
>>>>> MySQL. Every time I try to log-in the page just reloads again and doesn't
>>>>> throw any kind of error.
>>>>>
>>>>> I've made the project source-code public, so that anyone can look at it,
>>>>> and eventually it may become the basis for a tutorial on this. You can
>>>>> check it at https://github.com/pires/simple-shiro-web-app
>>>>>
>>>>> I've tried to debug it, but somehow, my log4j configuration is not
>>>>> working properly. I can see a 'shiro.log' file being generated and with
>>>>> some output from commons.beanutils, but nothing about Shiro. I only get
>>>>> error messages in Glassfish 'server.log' when some property in
>>>>> 'shiro.ini' is wrongly configured.
>>>>>
>>>>> Any help will be highly appreciated.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> --
>>>>> Paulo Pires
>>>>>
>> --
>> Paulo Pires
>>
--
Paulo Pires
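
Added example, not part of the thread and not Shiro's own code: a Python sketch of why a plaintext password column can never match once a hashed format is expected, and of where the salt and iteration count asked about above are kept. It assumes the "$shiro1$" string layout and the iterated salted hash described in the comments; the function names and the iteration cap are hypothetical, and the sample value is constructed at run time.

```python
import base64
import hashlib
import hmac
import os

# Assumption: stored values follow the "shiro1" Modular Crypt Format layout
#   $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
HASHLIB_NAMES = {"SHA-256": "sha256", "SHA-512": "sha512"}
MAX_ITERATIONS = 5_000_000  # assumed sanity cap, not a Shiro setting


def iterated_hash(password, salt, algorithm, iterations):
    """Assumed scheme: hash salt+password, then re-hash the digest (iterations - 1) times."""
    name = HASHLIB_NAMES[algorithm]
    digest = hashlib.new(name, salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest).digest()
    return digest


def make_stored_value(password, algorithm="SHA-256", iterations=1000):
    """Build a constructed sample column value with a fresh random salt."""
    salt = os.urandom(16)
    digest = iterated_hash(password.encode(), salt, algorithm, iterations)
    fields = [base64.b64encode(x).decode() for x in (salt, digest)]
    return "$shiro1$%s$%d$%s$%s" % (algorithm, iterations, fields[0], fields[1])


def parse_stored_value(stored):
    """Return (algorithm, iterations, salt, digest), or None if not in the format."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[:2] != ["", "shiro1"] or parts[2] not in HASHLIB_NAMES:
        return None
    try:
        iterations = int(parts[3])
        salt, digest = (base64.b64decode(p, validate=True) for p in parts[4:])
    except ValueError:  # non-numeric count or invalid base64
        return None
    if not 1 <= iterations <= MAX_ITERATIONS:
        return None
    return parts[2], iterations, salt, digest


def password_matches(submitted, stored):
    """Recompute with the salt and count embedded in the stored value."""
    parsed = parse_stored_value(stored)
    if parsed is None:  # e.g. a plaintext column value: nothing to compare against
        return False
    algorithm, iterations, salt, digest = parsed
    candidate = iterated_hash(submitted.encode(), salt, algorithm, iterations)
    return hmac.compare_digest(candidate, digest)
```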
