Glad to help!

--
Les Hazlewood
CTO, Stormpath | http://stormpath.com | 888.391.5282
twitter: @lhazlewood | http://twitter.com/lhazlewood
blog: http://leshazlewood.com
stormpath blog: http://www.stormpath.com/blog

On Fri, May 18, 2012 at 12:02 PM, Paulo Pires <[email protected]> wrote:
> Les,
>
> You rock!! It works. I've already pulled and pushed your changes. Thank
> you so much.
>
> PP
>
> On 18/05/12 18:52, Les Hazlewood wrote:
>> Hi Paulo,
>>
>> I made some adjustments to the project to use hashed passwords
>> correctly in the database, but I discovered that there is a bug in the
>> PasswordMatcher implementation. I created an issue for this:
>>
>> https://issues.apache.org/jira/browse/SHIRO-363
>>
>> In the meantime, I've created a JdbcRealm subclass in your project to
>> work around the issue. I'll commit the fix to Shiro shortly.
>>
>> The project with my fixes applied:
>> https://github.com/lhazlewood/simple-shiro-web-app
>>
>> I've issued a pull request to you so you can incorporate those changes
>> in your project if you like:
>> https://github.com/pires/simple-shiro-web-app/pull/1
>>
>> HTH!
>>
>> Best,
>>
>> --
>> Les Hazlewood
>> CTO, Stormpath | http://stormpath.com | 888.391.5282
>> twitter: @lhazlewood | http://twitter.com/lhazlewood
>> blog: http://leshazlewood.com
>> stormpath blog: http://www.stormpath.com/blog
>>
>> On Fri, May 18, 2012 at 10:22 AM, Paulo Pires <[email protected]> wrote:
>>> Hi Les,
>>>
>>> Thank you for taking time into helping me.
>>>
>>> I'll drop the ALTER statements. I use them for redeployments
>>> automatically but you're right, they're no good in this project.
>>>
>>> Now, regarding the hashing, I've done it before. I even cloned your
>>> trunk and built the hasher-cli.jar myself. But authentication wasn't
>>> working as well, so I got back to cleartext passwords. I got confused
>>> with 'salt' and the number of iterations as something I may have to pass
>>> in shiro.ini to the passwordMatcher (HashedCredentialsMatcher). Or is it
>>> the initial part of the value stored in the database?
>>>
>>> Isn't PasswordMatcher different from HashedCredentialsMatcher? I have it
>>> in my shiro.ini but it's commented.
>>>
>>> Cheers,
>>> PP
>>>
>>> On 18/05/12 18:10, Les Hazlewood wrote:
>>>> I just forked the project and tried to set up the DB - the pop_db.sql
>>>> script was failing for me because of the alter statements at the top
>>>> (there was nothing to alter since it was my first time creating the
>>>> DB).
>>>>
>>>> Then I looked further down the script and noticed that you were
>>>> populating the user table with raw (plaintext) password values for the
>>>> password column. This is probably why your logins always fail:
>>>>
>>>> Because you've configured a PasswordService and PasswordMatcher, Shiro
>>>> expects the passwords returned from the database to be in a recognized
>>>> hash format. Because the column values are plaintext, the credentials
>>>> comparison under the current configuration will always fail.
>>>>
>>>> You can use the Shiro command-line Hasher [1] to hash your test
>>>> passwords. Take the output from that command and use that as your
>>>> password column value.
>>>>
>>>> I know this is just a test/sample web app, but in the interest of
>>>> clarity for others that might read this in the future, I should
>>>> stress, very strongly, to never ever ever store plaintext passwords in
>>>> your data store. Ever. :)
>>>>
>>>> [1] http://shiro.apache.org/command-line-hasher.html
>>>>
>>>> HTH,
>>>>
>>>> --
>>>> Les Hazlewood
>>>> CTO, Stormpath | http://stormpath.com | 888.391.5282
>>>> twitter: @lhazlewood | http://twitter.com/lhazlewood
>>>> blog: http://leshazlewood.com
>>>> stormpath blog: http://www.stormpath.com/blog
>>>>
>>>> On Fri, May 18, 2012 at 10:02 AM, Jared Bunting
>>>> <[email protected]> wrote:
>>>>> Since those are trace messages from beanutils, and you explicitly set
>>>>> org.apache to warn in log4j.properties, I'm still thinking that your
>>>>> logging configuration isn't getting picked up. You might try Googling
>>>>> for logging in glassfish.
>>>>>
>>>>> On May 18, 2012 10:20 AM, "Paulo Pires" <[email protected]> wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> First of all, thanks to the project contributors for putting such an
>>>>>> effort in this project.
>>>>>>
>>>>>> Now, I'm struggling to get a simple Web application (just JSP 'stolen'
>>>>>> from Shiro samples code) to authenticate against a JDBC realm backed by
>>>>>> MySQL. Every time I try to log in the page just reloads again and doesn't
>>>>>> throw any kind of error.
>>>>>>
>>>>>> I've made the project source-code public, so that anyone can look at it,
>>>>>> and eventually it may become the basis for a tutorial on this. You can
>>>>>> check it at https://github.com/pires/simple-shiro-web-app
>>>>>>
>>>>>> I've tried to debug it, but somehow, my log4j configuration is not
>>>>>> working properly. I can see a 'shiro.log' file being generated and with
>>>>>> some output from commons.beanutils, but nothing about Shiro. I only get
>>>>>> error messages in Glassfish 'server.log' when some property in
>>>>>> 'shiro.ini' is wrongly configured.
>>>>>>
>>>>>> Any help will be highly appreciated.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> --
>>>>>> Paulo Pires
>>>>>>
>>> --
>>> Paulo Pires
>>>
>
> --
> Paulo Pires
>
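
The failure mode discussed in this thread (a configured PasswordService comparing a login against a plaintext column value), as an added example that is not part of the original messages or of the simple-shiro-web-app project. It assumes shiro-core is on the classpath; the class name, user names and password are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.shiro.authc.credential.DefaultPasswordService;

// Hypothetical demo class: compares one submitted password against two
// styles of stored column value, the way a PasswordService-backed
// credentials check would.
public class StoredPasswordFormatDemo {

    public static void main(String[] args) {
        DefaultPasswordService passwordService = new DefaultPasswordService();

        // Constructed sample credential, not taken from the project.
        String submitted = "constructed-test-password";

        // The formatted hash string returned here is the kind of value
        // that belongs in the password column.
        String hashedColumnValue = passwordService.encryptPassword(submitted);

        // Constructed rows standing in for the user table.
        Map<String, String> userTable = new LinkedHashMap<>();
        userTable.put("user-with-hashed-column", hashedColumnValue);
        userTable.put("user-with-plaintext-column", submitted);

        for (Map.Entry<String, String> row : userTable.entrySet()) {
            // passwordsMatch(submittedPlaintext, savedValue): the saved value
            // is treated as a formatted hash, never as a raw password.
            boolean matches = passwordService.passwordsMatch(submitted, row.getValue());
            System.out.printf("%-28s login %s%n",
                    row.getKey(), matches ? "succeeds" : "fails");
        }
        // The hashed row matches; the plaintext row does not, even though the
        // submitted password is character-for-character equal to the column.
    }
}
```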
