Authenticating plain text passwords against md5 hash in DB using Apache Shiro


Here is my shiro.ini.

[main]

ds = org.apache.shiro.jndi.JndiObjectFactory   
ds.requiredType = javax.sql.DataSource  
ds.resourceName = java:/comp/env/jdbc/at

credentialsMatcher=org.apache.shiro.authc.credential.HashedCredentialsMatcher
credentialsMatcher.hashAlgorithmName=MD5

credentialsMatcher.hashIterations=1024

credentialsMatcher.storedCredentialsHexEncoded=true

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm

jdbcRealm.permissionsLookupEnabled = true 

jdbcRealm.dataSource = $ds

jdbcRealm.authenticationQuery = SELECT password FROM accounts.users WHERE username = ?

jdbcRealm.userRolesQuery = SELECT role_id FROM accounts.org_user_roles WHERE user_id = (SELECT id FROM accounts.users WHERE username = ?)

jdbcRealm.permissionsQuery = SELECT feature_id FROM accounts.role_features WHERE role_id = ?

jdbcRealm.credentialsMatcher = $credentialsMatcher


shiro.loginUrl = /at/login.htm

authc = org.apache.shiro.web.filter.authc.FormAuthenticationFilter

authc.loginUrl = /at/login.htm

logout.redirectUrl = /at/login.htm

[urls]

/at/login.htm = authc

/at/forgotpw.htm  = anon

/at/resources/** = authc

/at/tss/** = authc

/at/tde/** = authc

/at/lcs/** = authc

/at/cdt/** = authc

/at/tp/** = authc

/at/ip/** = authc

/at/dashboard/** = authc

/at/logout.htm = logout

When I go to login page and type in my username and password I get an exception:

org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - root, rememberMe=false] did not match the expected credentials.

My DB contains MD5 hash of the password. It seems the validation isn't working. I can't understand why.


There is 1 answer

saibharath On

Removing the below property made this work. I think for an MD5 hash we need not specify the below property.

credentialsMatcher.hashIterations=1024
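
Why the exception appears with hashIterations=1024 and goes away without it, as an added example that is not part of the original posts and is not Shiro's own code: it uses only the JDK and mirrors an iterated digest (hash the password once, then re-hash the raw digest bytes for the remaining rounds), which is the scheme HashedCredentialsMatcher applies when hashIterations is greater than 1. The class name, the sample password, the UTF-8 encoding and the premise that the database column holds a plain unsalted MD5 of the password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration (hypothetical class name); JDK only, not Shiro's own code.
public class Md5IterationMismatch {

    // Iterated digest: hash the password bytes once, then re-hash the raw
    // digest bytes (not the hex text) for the remaining iterations - 1 rounds.
    static byte[] iteratedMd5(String password, int iterations) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] hashed = md.digest(password.getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) {
            md.reset();
            hashed = md.digest(hashed);
        }
        return hashed;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String submitted = "password"; // constructed sample credential

        // Assumption: the accounts.users row holds a plain, unsalted MD5(password).
        byte[] storedInDb = iteratedMd5(submitted, 1);

        // Digest of the submitted password under hashIterations=1024 ...
        byte[] with1024 = iteratedMd5(submitted, 1024);
        // ... and under a single iteration (the property removed).
        byte[] with1 = iteratedMd5(submitted, 1);

        System.out.println("stored in DB     : " + hex(storedInDb));
        System.out.println("1024 iterations  : " + hex(with1024)
                + "  match=" + MessageDigest.isEqual(storedInDb, with1024));
        System.out.println("1 iteration      : " + hex(with1)
                + "  match=" + MessageDigest.isEqual(storedInDb, with1));
    }
}
```

The matcher settings have to describe how the stored values were actually produced, so removing the property only works because the rows were written as single-round MD5. That leaves unsalted, single-round MD5 in the table; moving to a salted, iterated scheme means re-hashing each password at the user's next successful login or forcing a reset.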