Apache Shiro cannot check MD5 password with PasswordMatcher - shiro

I am using shiro 1.4.0.
My password is MD5. If I use HashedCredentialsMatcher, then I can log in successfully:
[main]
shiro.loginUrl = /login.jsp
shiro.successUrl = /home.jsp
passwordMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher
passwordMatcher.hashAlgorithmName=MD5
passwordMatcher.storedCredentialsHexEncoded=true
ds = com.mchange.v2.c3p0.ComboPooledDataSource
ds.driverClass = com.mysql.jdbc.Driver
ds.jdbcUrl = jdbc:mysql://localhost:3306/simple_shiro_web_app
ds.user = test
ds.password = 123456
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
jdbcRealm.authenticationQuery = SELECT password FROM USERS WHERE username = ?
jdbcRealm.userRolesQuery = SELECT role_name FROM USERS_ROLES WHERE username = ?
jdbcRealm.permissionsQuery = SELECT permission_name FROM ROLES_PERMISSIONS WHERE role_name = ?
jdbcRealm.credentialsMatcher = $passwordMatcher
jdbcRealm.dataSource=$ds
securityManager.realm = $jdbcRealm
But if I use PasswordMatcher (there is no error message at Tomcat startup), then my login fails:
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
passwordService.hashService.hashAlgorithmName=MD5
passwordMatcher.passwordService = $passwordService
It seems that it still uses the default SHA-256. Why?
Also, in 1.4, there are classes with the same name and package (e.g. org.apache.shiro.crypto.hash.DefaultHashService.class) in both shiro-core.jar and shiro-crypto-hash.jar. What is the difference, and why?
-------------- UPDATED -------------------------
There is one log message:
TRACE ClassUtils.forName - Unable to load class named [e10adc3949ba59abbe56e057f20f] from the current ClassLoader. Trying the system/application ClassLoader...
where e10adc3949ba59abbe56e057f20f is my MD5 password.

Any warnings in your logs? If not LdapRealm.doGetAuthenticationInfo() and see if you are getting the password you are expecting.
In 1.4, some of the code has been moved into other modules (though they will resolve the same way as pre-1.4).

Through debugging, I found that DefaultPasswordService uses a base64 hash format.
After I changed the hash format to hex, it works.
<bean id="hexFormat" class="org.apache.shiro.crypto.hash.format.HexFormat">
</bean>
<bean id="passwordService" class="org.apache.shiro.authc.credential.DefaultPasswordService">
<property name="hashService" ref="hashService" />
<property name="hashFormat" ref="hexFormat" />
</bean>
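The same wiring in plain Java, as an added example (not the poster's or Shiro's code): a DefaultPasswordService with an MD5 DefaultHashService and HexFormat, checked against a constructed legacy hex value, next to the default Shiro1CryptFormat that produced the behaviour in the question. It assumes Shiro 1.4 and that the unshown hashService bean uses one iteration and no public salt, which an unsalted MD5 column requires.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Md5Hash;
import org.apache.shiro.crypto.hash.format.HexFormat;

public class LegacyMd5Matching {

    // Constructed legacy credential: what the USERS.password column holds when
    // passwords were stored as unsalted, single-iteration MD5 in hex encoding.
    static final String STORED_HEX = new Md5Hash("123456").toHex();

    // Builds in code what the Spring beans above wire up (hashService bean assumed):
    // an MD5 DefaultHashService plus HexFormat, so computed hashes format as bare hex.
    static DefaultPasswordService hexMd5PasswordService() {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("MD5");
        // The legacy column has no salt and one iteration. DefaultPasswordService's own
        // default hash service uses a random public salt and 500000 iterations, which
        // is why setting only hashService.hashAlgorithmName=MD5 in the ini is not enough.
        hashService.setHashIterations(1);
        hashService.setGeneratePublicSalt(false);

        DefaultPasswordService ps = new DefaultPasswordService();
        ps.setHashService(hashService);
        ps.setHashFormat(new HexFormat());   // replaces the default Shiro1CryptFormat
        return ps;
    }

    public static void main(String[] args) {
        DefaultPasswordService hex = hexMd5PasswordService();
        // passwordsMatch first tries to recognise the stored string as a parsable hash
        // format ($shiro1$... or a HashFormat class name, the source of the TRACE line in
        // the question). Bare hex is neither, so Shiro hashes the submitted password with
        // the configured HashService, formats it, and compares the two strings.
        System.out.println("HexFormat, right password: " + hex.passwordsMatch("123456", STORED_HEX));
        System.out.println("HexFormat, wrong password: " + hex.passwordsMatch("wrong", STORED_HEX));

        // Same hash service with the default format: the string to compare becomes
        // "$shiro1$MD5$1$$<base64>", which can never equal the hex column value.
        DefaultPasswordService crypt = new DefaultPasswordService();
        crypt.setHashService(hex.getHashService());
        System.out.println("Shiro1CryptFormat:         " + crypt.passwordsMatch("123456", STORED_HEX));
    }
}
```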

Related

Latest shiro release broke my webapp [ shiro-all-1.5.1.jar ]

I upgraded my webapp with the latest shiro release 1.5.1 and suddenly it doesn't work anymore. Here is the log error:
GRAVE: Shiro environment initialization failed
java.lang.NoClassDefFoundError: org/apache/shiro/cache/CacheManagerAware
and here's my shiro.ini that seems to be the culprit:
[main]
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = true
ds = com.mysql.cj.jdbc.MysqlDataSource
ps = org.apache.shiro.authc.credential.DefaultPasswordService
pm = org.apache.shiro.authc.credential.PasswordMatcher
jdbcRealmCredentialsMatcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
ds.serverName = localhost
ds.serverTimezone=Europe/Berlin
ds.databaseName = ******
ds.user = *******
ds.password = ********
jdbcRealm.credentialsMatcher = $jdbcRealmCredentialsMatcher
jdbcRealm.dataSource = $ds
pm.passwordService = $ps
jdbcRealm.credentialsMatcher = $pm
shiro.loginUrl = /login.jsp
shiro.postOnlyLogout = true
securityManager.realms = $jdbcRealm
securityManager.rememberMeManager.cipherKey = kPH+bIxk5D2deZiIxcaaaA==
When I go back to the shiro-all-1.4.2.jar version everything is working fine again.
I have even tried to add these 2 lines to my shiro.ini main section, but they didn't fix the problem:
cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager
securityManager.cacheManager = $cacheManager
I can confirm the issue; this should be fixed in the next release.
https://issues.apache.org/jira/browse/SHIRO-749
In addition, the "all" module will likely be deprecated in the future. I'd strongly advise against using it; instead, use just the modules you need (for example, maybe you just need shiro-web).
The temporary fix is:
a.) also add a dependency to shiro-cache
b.) remove the usage of shiro-all by using the module you need (shiro-web, shiro-guice, etc.)
Either way, thanks for the report, we will get this fixed soon!

Apache shiro ini file for mongodb

I was able to configure shiro.ini for MariaDB. How shall I configure shiro.ini for MongoDB?
I have tried configuring it for MariaDB, which is working fine.
jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.permissionsLookupEnabled = false
jdbcRealm.authenticationQuery = SELECT Password FROM User WHERE Name = ?
ds = org.mariadb.jdbc.MariaDbDataSource
ds.serverName = localhost
ds.user = xxxx
ds.password = xxxx
ds.databaseName = xxxx
jdbcRealm.dataSource = $ds
securityManager.realms = $jdbcRealm
securityManager.sessionManager.globalSessionTimeout = 6000
Unable to get a datasource and realm for MongoDB.
You would either need to use a Mongo JDBC lib, or create a custom realm with a Mongo client. There are also a few Shiro Mongo Realms in the community.
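A sketch of the custom-realm route the answer mentions, added here as an example (not the answerer's code or a Shiro class): an AuthenticatingRealm that looks the user up with the MongoDB Java driver and hands the stored password to whatever credentialsMatcher shiro.ini assigns. It assumes mongodb-driver-sync 3.7 or later and a User collection with Name and Password fields, mirroring the MariaDB query above; the class name, property names and ini keys are this example's own.

```java
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import com.mongodb.client.MongoCollection;
import com.mongodb.client.model.Filters;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.bson.Document;

// Assumed shiro.ini wiring for this realm (names are this example's, not Shiro's):
//   mongoRealm = com.example.MongoRealm
//   mongoRealm.mongoUri = mongodb://localhost:27017
//   mongoRealm.databaseName = xxxx
//   mongoRealm.credentialsMatcher = $credentialsMatcher
//   securityManager.realms = $mongoRealm
public class MongoRealm extends AuthenticatingRealm {
    private String mongoUri = "mongodb://localhost:27017";
    private String databaseName = "xxxx";
    private MongoClient client;   // created on first use, after the ini setters have run

    public void setMongoUri(String mongoUri) { this.mongoUri = mongoUri; }
    public void setDatabaseName(String databaseName) { this.databaseName = databaseName; }

    // "User" collection with "Name" and "Password" fields: the same shape the MariaDB
    // authenticationQuery above reads (SELECT Password FROM User WHERE Name = ?).
    private MongoCollection<Document> users() {
        if (client == null) {
            client = MongoClients.create(mongoUri);
        }
        return client.getDatabase(databaseName).getCollection("User");
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        Document user = users().find(Filters.eq("Name", username)).first();
        if (user == null) {
            throw new UnknownAccountException("No account found for " + username);
        }
        // The stored Password is returned untouched; the realm's credentialsMatcher
        // compares it with the submitted password, just as JdbcRealm does with its column.
        return new SimpleAuthenticationInfo(username, user.getString("Password"), getName());
    }
}
```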

Can't access Interpreter settings in Zeppelin

I'm using Zeppelin in my Hortonworks Data Platform 2.5 cluster.
Since I set zeppelin.anonymous.allowed=false, I'm not able to open my interpreter settings anymore: the interpreter screen is empty, see this screenshot:
My shiro_ini_content contains the following [users], [roles] and [urls] settings:
[users]
admin = passw0rd, administrator
[main]
shiro.loginUrl = /api/login
[roles]
administrator = *
[urls]
/api/version = anon
#/** = anon
/** = authc
/api/interpreter/** = authc, roles[administrator]
/api/configurations/** = authc, roles[administrator]
/api/credential/** = authc, roles[administrator]
I made the settings based on the following manual: https://shiro.apache.org/configuration.html#Configuration-%5Croles%5C
Why am I still unable to access the Interpreter settings?
It also needs sessionManager settings in your [main] section, like below.
[main]
shiro.loginUrl = /api/login
sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
securityManager.sessionManager = $sessionManager
# 86,400,000 milliseconds = 24 hour
securityManager.sessionManager.globalSessionTimeout = 86400000
Could you try?

How to Hash Submitted passwords using JdbcRealm in Shiro?

I've created an application and been using Shiro for the authentication.
I've followed most of the guides and also some of the posted questions here regarding shiro and Jdbc Realm.
Here is my shiro.ini file:
[main]
authc.loginUrl=/jsp/loginForm.jsp
authc.successUrl=/test/successUrl.jsp
authc.rememberMeParam = login-remember-me
logout.redirectUrl=/index.jsp
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 500000
hashService.hashAlgorithmName = SHA-256
hashService.generatePublicSalt = true
hashService.privateSalt = someBase64EncodedSaltValue
realm = org.apache.shiro.realm.jdbc.JdbcRealm
realm.permissionsLookupEnabled = false
realm.authenticationQuery = SELECT password FROM userTable WHERE username = ?
ps = org.apache.shiro.authc.credential.DefaultPasswordService
ps.hashService = $hashService
pm = org.apache.shiro.authc.credential.PasswordMatcher
pm.passwordService = $ps
jof = org.apache.shiro.jndi.JndiObjectFactory
jof.resourceName = java:comp/env/jdbc/theResourceName
jof.requiredType = javax.sql.DataSource
jof.resourceRef = true
realm.dataSource = $jof
realm.credentialsMatcher = $pm
securityManager.realms = $realm
and I'm using the following code in Java to save the password in the database:
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.util.SimpleByteSource;
// ... inside the method that persists the user:
DefaultHashService hashService = new DefaultHashService();
hashService.setHashIterations(500000);
hashService.setHashAlgorithmName(Sha256Hash.ALGORITHM_NAME);
hashService.setPrivateSalt(new SimpleByteSource(
"someBase64EncodedSaltValue")); // Same salt as in shiro.ini, but NOT
// base64-encoded.
hashService.setGeneratePublicSalt(true);
DefaultPasswordService pwService = new DefaultPasswordService();
pwService.setHashService(hashService);
this.password = pwService.encryptPassword(password); // stored as a $shiro1$ formatted string
Everything looks good and is saving as expected but the problem is when I am logging in. I've traced the execution to JdbcRealm.class and I've seen that the value compared is the "raw string password" and the encrypted password from the database.
Did I miss any step configuring?
To use salting, it's better to have a separate salt for every user. So store that salt in the database. SEE
Now,
Extend org.apache.shiro.realm.jdbc.JdbcRealm like:
package common.shiro;
import org.apache.shiro.realm.jdbc.JdbcRealm;
public class JDBCSaltedRealm extends JdbcRealm {
public JDBCSaltedRealm() {
setSaltStyle(SaltStyle.COLUMN);
}
}
In shiro.ini:
credentialsMatcher = org.apache.shiro.authc.credential.HashedCredentialsMatcher
credentialsMatcher.hashAlgorithmName=SHA-256
credentialsMatcher.storedCredentialsHexEncoded = false
credentialsMatcher.hashIterations = 500000
credentialsMatcher.hashSalted = true
realm = common.shiro.JDBCSaltedRealm
realm.permissionsLookupEnabled = true
realm.authenticationQuery = SELECT password,salt FROM userTable WHERE username = ?
realm.dataSource = $jof
realm.credentialsMatcher = $credentialsMatcher
securityManager.realm = $realm
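The round trip that this answer's setup implies, written as an added example (not the answerer's code): hashing a password with a per-user salt for the password and salt columns, then checking it through HashedCredentialsMatcher exactly the way JDBCSaltedRealm would at login. It assumes Shiro 1.4 and the hashing parameters from the ini above; the username, sample password and realm name are constructed.

```java
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.SimpleHash;
import org.apache.shiro.util.ByteSource;

public class SaltedCredentialStore {
    // Must agree with the credentialsMatcher settings in the shiro.ini above.
    static final String ALGORITHM = "SHA-256";
    static final int ITERATIONS = 500000;

    /** Produces {hash, salt} for the password and salt columns that
     *  "SELECT password,salt FROM userTable WHERE username = ?" returns. */
    static String[] hashForStorage(String plaintext) {
        // JdbcRealm with SaltStyle.COLUMN hands the salt column to the matcher as the
        // bytes of its string value (ByteSource.Util.bytes(salt)), so hash with exactly
        // those bytes. Storing the random salt as hex keeps the column plain text.
        String salt = new SecureRandomNumberGenerator().nextBytes().toHex();
        String hash = new SimpleHash(ALGORITHM, plaintext,
                ByteSource.Util.bytes(salt), ITERATIONS).toBase64();
        return new String[] { hash, salt };   // base64: storedCredentialsHexEncoded = false
    }

    /** Replays the login-time check of JDBCSaltedRealm + HashedCredentialsMatcher
     *  without a database: the realm builds exactly this AuthenticationInfo. */
    static boolean loginWouldSucceed(String username, String submitted,
                                     String storedHash, String storedSalt) {
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(ALGORITHM);
        matcher.setHashIterations(ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(false);
        SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(
                username, storedHash, ByteSource.Util.bytes(storedSalt), "JDBCSaltedRealm");
        return matcher.doCredentialsMatch(new UsernamePasswordToken(username, submitted), info);
    }

    public static void main(String[] args) {
        String[] stored = hashForStorage("s3cret");   // constructed sample password
        System.out.println("password column: " + stored[0]);
        System.out.println("salt column:     " + stored[1]);
        System.out.println("correct password accepted: "
                + loginWouldSucceed("alice", "s3cret", stored[0], stored[1]));
        System.out.println("wrong password rejected:   "
                + !loginWouldSucceed("alice", "nope", stored[0], stored[1]));
    }
}
```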

How to pass SMTP username and password in Pylons config?

I'd like to configure a Pylons app, so that I get email on unhandled exceptions.
So far I can't find the way to pass username and password for SMTP connection.
production.ini file:
..
[DEFAULT]
email_to = my_email#gmail.com
smtp_server = smtp.webfaction.com
error_email_from = info#mydomain.com # this'd be a working email on webfaction
..
Please help.
If you want to access them in pylons.config then you want to put them in the [app:main] section of the configuration.
I've used turbomail, and then you can put them in [DEFAULT]. This is what my config looked like.
[DEFAULT]
mail.on = true
email_to = toaddress#domain.com
mail.manager = immediate
mail.transport = smtp
mail.provider = smtp
mail.smtp.server = smtp.domain.com
mail.smtp.username = username#domain.com
mail.smtp.password = passwordhere
error_email_from = paste#localhost