Use JDBC realm to authenticate Shiro
I'm trying to use Shiro to verify the servlet running in Tomcat 6.
I have the following Shiro INI file:
    [main]
    ps = org.apache.shiro.authc.credential.DefaultPasswordService
    pm = org.apache.shiro.authc.credential.PasswordMatcher
    pm.passwordService = $ps
    aa = org.apache.shiro.authc.credential.AllowAllCredentialsMatcher
    sm = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
    jof = org.apache.shiro.jndi.JndiObjectFactory
    jof.resourceName = jdbc/UserDB
    jof.requiredType = javax.sql.DataSource
    jof.resourceRef = true
    realm = org.apache.shiro.realm.jdbc.JdbcRealm
    realm.permissionsLookupEnabled = true
    realm.credentialsMatcher = $pm
    ; Note factories are automatically invoked via getInstance(),
    ; see org.apache.shiro.authc.config.ReflectionBuilder::resolveReference
    realm.dataSource = $jof
    securityManager.realms = $realm

    [urls]
    /rest/** = authcBasic
    /prot/** = authcBasic
The following are in my database:
    mysql> select * from users;
    +----------+------------------+----------+----------------------------------------------+--------------------------+
    | username | email            | verified | password                                     | password_salt            |
    +----------+------------------+----------+----------------------------------------------+--------------------------+
    | admin    | a.muys@********* |        1 | ojSiTecNwRF0MunGRvz3DRSgP7sMF9EAR77Ol/2IAY8= | eHp9XedrIUa5sECfOb+KOA== |
    +----------+------------------+----------+----------------------------------------------+--------------------------+
    1 row in set (0.00 sec)
If I use the SimpleCredentialsMatcher, it authenticates against the plaintext password in the users table. Trying to use the PasswordMatcher is very frustrating.
The password and password_salt were obtained through the shiro-tools Hasher utility.
When I tried to authenticate using the basic HelloWorld servlet I use for testing (path = rest/Hello, context = /ws), I got the following in the log:
    15:35:38.667 [http-8080-2] TRACE org.apache.shiro.util.ClassUtils - Unable to load clazz named [ojSiTecNwRF0MunGRvz3DRSgP7sMF9EAR77Ol/2IAY8=] from class loader [WebappClassLoader
      context: /ws
      delegate: false
      repositories:
        /WEB-INF/classes/
    ----------> Parent Classloader:
    org.apache.catalina.loader.StandardClassLoader@79ddd026
    ]

(Full log: https://gist.github.com/recurse/5915693)
It seems to be trying to load my hashed password as a class name. Is this a bug or a configuration error? If this is a bug, how can I solve it? If this is a configuration error, what am I missing?
Solution
First of all, thank you for providing a lot of information about this question, which makes it easy to provide a very simple answer.
Looking at the row in your sample database, it does not appear to contain the output that the PasswordService expects when performing a hashed password comparison. For example:
    $ java -jar ~/.m2/repository/org/apache/shiro/tools/shiro-tools-hasher/1.2.2/shiro-tools-hasher-1.2.2-cli.jar -p
    Password to hash:
    Password to hash (confirm):
    $shiro1$SHA-256$500000$uxaA2ngfdxdXpvSWzpuFdg==$hOJZc+3+bFYYRgVn5wkbQL+m/FseeqDtoM5mOiwAR3E=
The string beginning with $shiro1$ is what you would save to the password column in the database. There is no need for a separate salt column because all the information Shiro needs is in the $shiro1$... string.
The DefaultPasswordService uses the same default configuration parameters (SHA-256, 500,000 iterations, etc.), so if you use the Hasher CLI tool as shown above (with no additional hash algorithm configuration), you do not need to customize the DefaultPasswordService POJO. However, if you change the hash parameters on the CLI, you need to ensure that the same parameters are configured on the DefaultPasswordService bean (and/or its internal HashingService).
If you are still testing and can change your database schema, I recommend using a single password field to store the $shiro1$... string now. Then, you use the PasswordService as follows:
http://shiro.apache.org/static/current/apidocs/org/apache/shiro/authc/credential/PasswordService.html
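
As an added illustration (not part of the original answer and not Shiro's own code), the Python sketch below parses a $shiro1$ string to show that the algorithm, iteration count and salt all travel inside the single column value, and rejects a bare Base64 value like the one in the asker's password column. The digest step assumes the iterated scheme of Shiro 1.x (hash of salt followed by password, then the digest re-hashed); all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os
from typing import NamedTuple, Optional

# Values copied from the page: the hasher output and the asker's password column.
PAGE_SHIRO1 = "$shiro1$SHA-256$500000$uxaA2ngfdxdXpvSWzpuFdg==$hOJZc+3+bFYYRgVn5wkbQL+m/FseeqDtoM5mOiwAR3E="
PAGE_DB_ROW = "ojSiTecNwRF0MunGRvz3DRSgP7sMF9EAR77Ol/2IAY8="

class Shiro1Hash(NamedTuple):
    algorithm: str
    iterations: int
    salt: bytes
    digest: bytes

def parse_shiro1(stored: str) -> Optional[Shiro1Hash]:
    """Parse "$shiro1$ALG$ITER$SALT$DIGEST"; return None for any other shape."""
    parts = stored.split("$")  # Base64 never contains "$", so this is unambiguous
    if len(parts) != 6 or parts[:2] != ["", "shiro1"]:
        return None
    try:
        parsed = Shiro1Hash(parts[2], int(parts[3]),
                            base64.b64decode(parts[4], validate=True),
                            base64.b64decode(parts[5], validate=True))
    except ValueError:  # non-numeric iteration count or malformed Base64
        return None
    return parsed if parsed.iterations >= 1 else None

def shiro1_digest(password: str, salt: bytes, algorithm: str, iterations: int) -> bytes:
    # Assumed scheme: H(salt || password), then the digest re-hashed iterations-1 times.
    name = algorithm.replace("-", "").lower()  # "SHA-256" -> "sha256"
    hashed = hashlib.new(name, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        hashed = hashlib.new(name, hashed).digest()
    return hashed

def make_shiro1(password: str, iterations: int = 500000) -> str:
    """Build a constructed sample value with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    digest = shiro1_digest(password, salt, "SHA-256", iterations)
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"$shiro1$SHA-256${iterations}${enc(salt)}${enc(digest)}"

def verify(password: str, stored: str) -> bool:
    parsed = parse_shiro1(stored)
    if parsed is None:  # e.g. a bare digest whose salt lives in another column
        return False
    candidate = shiro1_digest(password, parsed.salt, parsed.algorithm, parsed.iterations)
    return hmac.compare_digest(candidate, parsed.digest)
```

Running `parse_shiro1` over every value in the password column is a quick way to find rows that were written in some other format before switching the realm to the PasswordMatcher.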