| <HTML> |
| <BODY BGCOLOR="white"> |
| <PRE> |
| <FONT color="green">001</FONT> /*<a name="line.1"></a> |
| <FONT color="green">002</FONT> * Licensed to the Apache Software Foundation (ASF) under one<a name="line.2"></a> |
| <FONT color="green">003</FONT> * or more contributor license agreements. See the NOTICE file<a name="line.3"></a> |
| <FONT color="green">004</FONT> * distributed with this work for additional information<a name="line.4"></a> |
| <FONT color="green">005</FONT> * regarding copyright ownership. The ASF licenses this file<a name="line.5"></a> |
| <FONT color="green">006</FONT> * to you under the Apache License, Version 2.0 (the<a name="line.6"></a> |
| <FONT color="green">007</FONT> * "License"); you may not use this file except in compliance<a name="line.7"></a> |
| <FONT color="green">008</FONT> * with the License. You may obtain a copy of the License at<a name="line.8"></a> |
| <FONT color="green">009</FONT> *<a name="line.9"></a> |
| <FONT color="green">010</FONT> * http://www.apache.org/licenses/LICENSE-2.0<a name="line.10"></a> |
| <FONT color="green">011</FONT> *<a name="line.11"></a> |
| <FONT color="green">012</FONT> * Unless required by applicable law or agreed to in writing,<a name="line.12"></a> |
| <FONT color="green">013</FONT> * software distributed under the License is distributed on an<a name="line.13"></a> |
| <FONT color="green">014</FONT> * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY<a name="line.14"></a> |
| <FONT color="green">015</FONT> * KIND, either express or implied. See the License for the<a name="line.15"></a> |
| <FONT color="green">016</FONT> * specific language governing permissions and limitations<a name="line.16"></a> |
| <FONT color="green">017</FONT> * under the License.<a name="line.17"></a> |
| <FONT color="green">018</FONT> */<a name="line.18"></a> |
| <FONT color="green">019</FONT> package org.apache.shiro.authc.credential;<a name="line.19"></a> |
| <FONT color="green">020</FONT> <a name="line.20"></a> |
| <FONT color="green">021</FONT> import org.apache.shiro.authc.AuthenticationInfo;<a name="line.21"></a> |
| <FONT color="green">022</FONT> import org.apache.shiro.authc.AuthenticationToken;<a name="line.22"></a> |
| <FONT color="green">023</FONT> import org.apache.shiro.authc.SaltedAuthenticationInfo;<a name="line.23"></a> |
| <FONT color="green">024</FONT> import org.apache.shiro.codec.Base64;<a name="line.24"></a> |
| <FONT color="green">025</FONT> import org.apache.shiro.codec.Hex;<a name="line.25"></a> |
| <FONT color="green">026</FONT> import org.apache.shiro.crypto.hash.AbstractHash;<a name="line.26"></a> |
| <FONT color="green">027</FONT> import org.apache.shiro.crypto.hash.Hash;<a name="line.27"></a> |
| <FONT color="green">028</FONT> import org.apache.shiro.crypto.hash.SimpleHash;<a name="line.28"></a> |
| <FONT color="green">029</FONT> import org.apache.shiro.util.StringUtils;<a name="line.29"></a> |
| <FONT color="green">030</FONT> <a name="line.30"></a> |
| <FONT color="green">031</FONT> /**<a name="line.31"></a> |
| <FONT color="green">032</FONT> * A {@code HashedCredentialMatcher} provides support for hashing of supplied {@code AuthenticationToken} credentials<a name="line.32"></a> |
| <FONT color="green">033</FONT> * before being compared to those in the {@code AuthenticationInfo} from the data store.<a name="line.33"></a> |
| <FONT color="green">034</FONT> * <p/><a name="line.34"></a> |
| <FONT color="green">035</FONT> * Credential hashing is one of the most common security techniques when safeguarding a user's private credentials<a name="line.35"></a> |
| <FONT color="green">036</FONT> * (passwords, keys, etc). Most developers never want to store their users' credentials in plain form, viewable by<a name="line.36"></a> |
| <FONT color="green">037</FONT> * anyone, so they often hash the users' credentials before they are saved in the data store.<a name="line.37"></a> |
| <FONT color="green">038</FONT> * <p/><a name="line.38"></a> |
| <FONT color="green">039</FONT> * This class (and its subclasses) function as follows:<a name="line.39"></a> |
| <FONT color="green">040</FONT> * <ol><a name="line.40"></a> |
| <FONT color="green">041</FONT> * <li>Hash the {@code AuthenticationToken} credentials supplied by the user during their login.</li><a name="line.41"></a> |
| <FONT color="green">042</FONT> * <li>Compare this hashed value directly with the {@code AuthenticationInfo} credentials stored in the system<a name="line.42"></a> |
| <FONT color="green">043</FONT> * (the stored account credentials are expected to already be in hashed form).</li><a name="line.43"></a> |
| <FONT color="green">044</FONT> * <li>If these two values are {@link #equals(Object, Object) equal}, the submitted credentials match, otherwise<a name="line.44"></a> |
| <FONT color="green">045</FONT> * they do not.</li><a name="line.45"></a> |
| <FONT color="green">046</FONT> * </ol><a name="line.46"></a> |
| <FONT color="green">047</FONT> * <h2>Salting and Multiple Hash Iterations</h2><a name="line.47"></a> |
| <FONT color="green">048</FONT> * Because simple hashing is usually not good enough for secure applications, this class also supports 'salting'<a name="line.48"></a> |
| <FONT color="green">049</FONT> * and multiple hash iterations. Please read this excellent<a name="line.49"></a> |
| <FONT color="green">050</FONT> * <a href="http://www.owasp.org/index.php/Hashing_Java" _target="blank">Hashing Java article</a> to learn about<a name="line.50"></a> |
| <FONT color="green">051</FONT> * salting and multiple iterations and why you might want to use them. (Note of sections 5<a name="line.51"></a> |
| <FONT color="green">052</FONT> * &quot;Why add salt?&quot; and 6 "Hardening against the attacker's attack"). We should also note here that all of<a name="line.52"></a> |
| <FONT color="green">053</FONT> * Shiro's Hash implementations (for example, {@link org.apache.shiro.crypto.hash.Md5Hash Md5Hash},<a name="line.53"></a> |
| <FONT color="green">054</FONT> * {@link org.apache.shiro.crypto.hash.Sha1Hash Sha1Hash}, etc) support salting and multiple hash iterations via<a name="line.54"></a> |
| <FONT color="green">055</FONT> * overloaded constructors.<a name="line.55"></a> |
| <FONT color="green">056</FONT> * <h4>Real World Case Study</h4><a name="line.56"></a> |
| <FONT color="green">057</FONT> * In April 2010, some public Atlassian Jira and Confluence<a name="line.57"></a> |
| <FONT color="green">058</FONT> * installations (Apache Software Foundation, Codehaus, etc) were the target of account attacks and user accounts<a name="line.58"></a> |
| <FONT color="green">059</FONT> * were compromised. The reason? Jira and Confluence at the time did not salt user passwords and attackers were<a name="line.59"></a> |
| <FONT color="green">060</FONT> * able to use dictionary attacks to compromise user accounts (Atlassian has since<a name="line.60"></a> |
| <FONT color="green">061</FONT> * <a href="http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html"><a name="line.61"></a> |
| <FONT color="green">062</FONT> * fixed the problem</a> of course).<a name="line.62"></a> |
| <FONT color="green">063</FONT> * <p/><a name="line.63"></a> |
| <FONT color="green">064</FONT> * The lesson?<a name="line.64"></a> |
| <FONT color="green">065</FONT> * <p/><a name="line.65"></a> |
| <FONT color="green">066</FONT> * <b>ALWAYS, ALWAYS, ALWAYS SALT USER PASSWORDS!</b><a name="line.66"></a> |
| <FONT color="green">067</FONT> * <p/><a name="line.67"></a> |
| <FONT color="green">068</FONT> * <h3>Salting</h3><a name="line.68"></a> |
| <FONT color="green">069</FONT> * Prior to Shiro 1.1, salts could be obtained based on the end-user submitted<a name="line.69"></a> |
| <FONT color="green">070</FONT> * {@link AuthenticationToken AuthenticationToken} via the now-deprecated<a name="line.70"></a> |
| <FONT color="green">071</FONT> * {@link #getSalt(org.apache.shiro.authc.AuthenticationToken) getSalt(AuthenticationToken)} method. This however<a name="line.71"></a> |
| <FONT color="green">072</FONT> * could constitute a security hole since ideally salts should never be obtained based on what a user can submit.<a name="line.72"></a> |
| <FONT color="green">073</FONT> * User-submitted salt mechanisms are <em>much</em> more susceptible to dictionary attacks and <b>SHOULD NOT</b> be<a name="line.73"></a> |
| <FONT color="green">074</FONT> * used in secure systems. Instead salts should ideally be a secure randomly-generated number that is generated when<a name="line.74"></a> |
| <FONT color="green">075</FONT> * the user account is created. The secure number should never be disseminated to the user and always kept private<a name="line.75"></a> |
| <FONT color="green">076</FONT> * by the application.<a name="line.76"></a> |
| <FONT color="green">077</FONT> * <h4>Shiro 1.1</h4><a name="line.77"></a> |
| <FONT color="green">078</FONT> * As of Shiro 1.1, it is expected that any salt used to hash the submitted credentials will be obtained from the<a name="line.78"></a> |
| <FONT color="green">079</FONT> * stored account information (represented as an {@link AuthenticationInfo AuthenticationInfo} instance). This is much<a name="line.79"></a> |
| <FONT color="green">080</FONT> * more secure because the salt value remains private to the application (Shiro will never store this value).<a name="line.80"></a> |
| <FONT color="green">081</FONT> * <p/><a name="line.81"></a> |
| <FONT color="green">082</FONT> * To enable this, {@code Realm}s should return {@link SaltedAuthenticationInfo SaltedAuthenticationInfo} instances<a name="line.82"></a> |
| <FONT color="green">083</FONT> * during authentication. {@code HashedCredentialsMatcher} implementations will then use the provided<a name="line.83"></a> |
| <FONT color="green">084</FONT> * {@link org.apache.shiro.authc.SaltedAuthenticationInfo#getCredentialsSalt credentialsSalt} for hashing. To avoid<a name="line.84"></a> |
| <FONT color="green">085</FONT> * security risks,<a name="line.85"></a> |
| <FONT color="green">086</FONT> * <b>it is highly recommended that any existing {@code Realm} implementations that support hashed credentials are<a name="line.86"></a> |
| <FONT color="green">087</FONT> * updated to return {@link SaltedAuthenticationInfo SaltedAuthenticationInfo} instances as soon as possible</b>.<a name="line.87"></a> |
| <FONT color="green">088</FONT> * <h4>Shiro 1.0 Backwards Compatibility</h4><a name="line.88"></a> |
| <FONT color="green">089</FONT> * Because of the identified security risk, {@code Realm} implementations that support credentials hashing should<a name="line.89"></a> |
| <FONT color="green">090</FONT> * be updated to return {@link SaltedAuthenticationInfo SaltedAuthenticationInfo} instances as<a name="line.90"></a> |
| <FONT color="green">091</FONT> * soon as possible.<a name="line.91"></a> |
| <FONT color="green">092</FONT> * <p/><a name="line.92"></a> |
| <FONT color="green">093</FONT> * If this is not possible for some reason, this class will retain 1.0 backwards-compatible behavior of obtaining<a name="line.93"></a> |
| <FONT color="green">094</FONT> * the salt via the now-deprecated {@link #getSalt(AuthenticationToken) getSalt(AuthenticationToken)} method. This<a name="line.94"></a> |
| <FONT color="green">095</FONT> * method will only be invoked if a {@code Realm} <em>does not</em> return<a name="line.95"></a> |
| <FONT color="green">096</FONT> * {@link SaltedAuthenticationInfo SaltedAutenticationInfo} instances and {@link #isHashSalted() hashSalted} is<a name="line.96"></a> |
| <FONT color="green">097</FONT> * {@code true}.<a name="line.97"></a> |
| <FONT color="green">098</FONT> * But please note that the {@link #isHashSalted() hashSalted} property and the<a name="line.98"></a> |
| <FONT color="green">099</FONT> * {@link #getSalt(AuthenticationToken) getSalt(AuthenticationToken)} methods will be removed before the Shiro 2.0<a name="line.99"></a> |
| <FONT color="green">100</FONT> * release.<a name="line.100"></a> |
| <FONT color="green">101</FONT> * <h3>Multiple Hash Iterations</h3><a name="line.101"></a> |
| <FONT color="green">102</FONT> * If you hash your users' credentials multiple times before persisting to the data store, you will also need to<a name="line.102"></a> |
| <FONT color="green">103</FONT> * set this class's {@link #setHashIterations(int) hashIterations} property. See the<a name="line.103"></a> |
| <FONT color="green">104</FONT> * <a href="http://www.owasp.org/index.php/Hashing_Java" _target="blank">Hashing Java article</a>'s<a name="line.104"></a> |
| <FONT color="green">105</FONT> * <a href="http://www.owasp.org/index.php/Hashing_Java#Hardening_against_the_attacker.27s_attack"><a name="line.105"></a> |
| <FONT color="green">106</FONT> * &quot;Hardening against the attacker's attack&quot;</a> section to learn more about why you might want to use<a name="line.106"></a> |
| <FONT color="green">107</FONT> * multiple hash iterations.<a name="line.107"></a> |
| <FONT color="green">108</FONT> * <h2>MD5 &amp; SHA-1 Notice</h2><a name="line.108"></a> |
| <FONT color="green">109</FONT> * <a href="http://en.wikipedia.org/wiki/MD5">MD5</a> and<a name="line.109"></a> |
| <FONT color="green">110</FONT> * <a href="http://en.wikipedia.org/wiki/SHA_hash_functions">SHA-1</a> algorithms are now known to be vulnerable to<a name="line.110"></a> |
| <FONT color="green">111</FONT> * compromise and/or collisions (read the linked pages for more). While most applications are ok with either of these<a name="line.111"></a> |
| <FONT color="green">112</FONT> * two, if your application mandates high security, use the SHA-256 (or higher) hashing algorithms and their<a name="line.112"></a> |
| <FONT color="green">113</FONT> * supporting {@code CredentialsMatcher} implementations.<a name="line.113"></a> |
| <FONT color="green">114</FONT> *<a name="line.114"></a> |
| <FONT color="green">115</FONT> * @see org.apache.shiro.crypto.hash.Md5Hash<a name="line.115"></a> |
| <FONT color="green">116</FONT> * @see org.apache.shiro.crypto.hash.Sha1Hash<a name="line.116"></a> |
| <FONT color="green">117</FONT> * @see org.apache.shiro.crypto.hash.Sha256Hash<a name="line.117"></a> |
| <FONT color="green">118</FONT> * @since 0.9<a name="line.118"></a> |
| <FONT color="green">119</FONT> */<a name="line.119"></a> |
| <FONT color="green">120</FONT> public class HashedCredentialsMatcher extends SimpleCredentialsMatcher {<a name="line.120"></a> |
| <FONT color="green">121</FONT> <a name="line.121"></a> |
| <FONT color="green">122</FONT> /**<a name="line.122"></a> |
| <FONT color="green">123</FONT> * @since 1.1<a name="line.123"></a> |
| <FONT color="green">124</FONT> */<a name="line.124"></a> |
| <FONT color="green">125</FONT> private String hashAlgorithm;<a name="line.125"></a> |
| <FONT color="green">126</FONT> private int hashIterations;<a name="line.126"></a> |
| <FONT color="green">127</FONT> private boolean hashSalted;<a name="line.127"></a> |
| <FONT color="green">128</FONT> private boolean storedCredentialsHexEncoded;<a name="line.128"></a> |
| <FONT color="green">129</FONT> <a name="line.129"></a> |
| <FONT color="green">130</FONT> /**<a name="line.130"></a> |
| <FONT color="green">131</FONT> * JavaBeans-compatibile no-arg constructor intended for use in IoC/Dependency Injection environments. If you<a name="line.131"></a> |
| <FONT color="green">132</FONT> * use this constructor, you <em>MUST</em> also additionally set the<a name="line.132"></a> |
| <FONT color="green">133</FONT> * {@link #setHashAlgorithmName(String) hashAlgorithmName} property.<a name="line.133"></a> |
| <FONT color="green">134</FONT> */<a name="line.134"></a> |
| <FONT color="green">135</FONT> public HashedCredentialsMatcher() {<a name="line.135"></a> |
| <FONT color="green">136</FONT> this.hashAlgorithm = null;<a name="line.136"></a> |
| <FONT color="green">137</FONT> this.hashSalted = false;<a name="line.137"></a> |
| <FONT color="green">138</FONT> this.hashIterations = 1;<a name="line.138"></a> |
| <FONT color="green">139</FONT> this.storedCredentialsHexEncoded = true; //false means Base64-encoded<a name="line.139"></a> |
| <FONT color="green">140</FONT> }<a name="line.140"></a> |
| <FONT color="green">141</FONT> <a name="line.141"></a> |
| <FONT color="green">142</FONT> /**<a name="line.142"></a> |
| <FONT color="green">143</FONT> * Creates an instance using the specified {@link #getHashAlgorithmName() hashAlgorithmName} to hash submitted<a name="line.143"></a> |
| <FONT color="green">144</FONT> * credentials.<a name="line.144"></a> |
| <FONT color="green">145</FONT> * @param hashAlgorithmName the {@code Hash} {@link org.apache.shiro.crypto.hash.Hash#getAlgorithmName() algorithmName}<a name="line.145"></a> |
| <FONT color="green">146</FONT> * to use when performing hashes for credentials matching.<a name="line.146"></a> |
| <FONT color="green">147</FONT> * @since 1.1<a name="line.147"></a> |
| <FONT color="green">148</FONT> */<a name="line.148"></a> |
| <FONT color="green">149</FONT> public HashedCredentialsMatcher(String hashAlgorithmName) {<a name="line.149"></a> |
| <FONT color="green">150</FONT> this();<a name="line.150"></a> |
| <FONT color="green">151</FONT> if (!StringUtils.hasText(hashAlgorithmName) ) {<a name="line.151"></a> |
| <FONT color="green">152</FONT> throw new IllegalArgumentException("hashAlgorithmName cannot be null or empty.");<a name="line.152"></a> |
| <FONT color="green">153</FONT> }<a name="line.153"></a> |
| <FONT color="green">154</FONT> this.hashAlgorithm = hashAlgorithmName;<a name="line.154"></a> |
| <FONT color="green">155</FONT> }<a name="line.155"></a> |
| <FONT color="green">156</FONT> <a name="line.156"></a> |
| <FONT color="green">157</FONT> /**<a name="line.157"></a> |
| <FONT color="green">158</FONT> * Returns the {@code Hash} {@link org.apache.shiro.crypto.hash.Hash#getAlgorithmName() algorithmName} to use<a name="line.158"></a> |
| <FONT color="green">159</FONT> * when performing hashes for credentials matching.<a name="line.159"></a> |
| <FONT color="green">160</FONT> *<a name="line.160"></a> |
| <FONT color="green">161</FONT> * @return the {@code Hash} {@link org.apache.shiro.crypto.hash.Hash#getAlgorithmName() algorithmName} to use<a name="line.161"></a> |
| <FONT color="green">162</FONT> * when performing hashes for credentials matching.<a name="line.162"></a> |
| <FONT color="green">163</FONT> * @since 1.1<a name="line.163"></a> |
| <FONT color="green">164</FONT> */<a name="line.164"></a> |
| <FONT color="green">165</FONT> public String getHashAlgorithmName() {<a name="line.165"></a> |
| <FONT color="green">166</FONT> return hashAlgorithm;<a name="line.166"></a> |
| <FONT color="green">167</FONT> }<a name="line.167"></a> |
| <FONT color="green">168</FONT> <a name="line.168"></a> |
| <FONT color="green">169</FONT> /**<a name="line.169"></a> |
| <FONT color="green">170</FONT> * Sets the {@code Hash} {@link org.apache.shiro.crypto.hash.Hash#getAlgorithmName() algorithmName} to use<a name="line.170"></a> |
| <FONT color="green">171</FONT> * when performing hashes for credentials matching.<a name="line.171"></a> |
| <FONT color="green">172</FONT> *<a name="line.172"></a> |
| <FONT color="green">173</FONT> * @param hashAlgorithmName the {@code Hash} {@link org.apache.shiro.crypto.hash.Hash#getAlgorithmName() algorithmName}<a name="line.173"></a> |
| <FONT color="green">174</FONT> * to use when performing hashes for credentials matching.<a name="line.174"></a> |
| <FONT color="green">175</FONT> * @since 1.1<a name="line.175"></a> |
| <FONT color="green">176</FONT> */<a name="line.176"></a> |
| <FONT color="green">177</FONT> public void setHashAlgorithmName(String hashAlgorithmName) {<a name="line.177"></a> |
| <FONT color="green">178</FONT> this.hashAlgorithm = hashAlgorithmName;<a name="line.178"></a> |
| <FONT color="green">179</FONT> }<a name="line.179"></a> |
| <FONT color="green">180</FONT> <a name="line.180"></a> |
| <FONT color="green">181</FONT> /**<a name="line.181"></a> |
| <FONT color="green">182</FONT> * Returns {@code true} if the system's stored credential hash is Hex encoded, {@code false} if it<a name="line.182"></a> |
| <FONT color="green">183</FONT> * is Base64 encoded.<a name="line.183"></a> |
| <FONT color="green">184</FONT> * <p/><a name="line.184"></a> |
| <FONT color="green">185</FONT> * Default value is {@code true} for convenience - all of Shiro's {@link Hash Hash#toString()}<a name="line.185"></a> |
| <FONT color="green">186</FONT> * implementations return Hex encoded values by default, making this class's use with those implementations<a name="line.186"></a> |
| <FONT color="green">187</FONT> * easier.<a name="line.187"></a> |
| <FONT color="green">188</FONT> *<a name="line.188"></a> |
| <FONT color="green">189</FONT> * @return {@code true} if the system's stored credential hash is Hex encoded, {@code false} if it<a name="line.189"></a> |
| <FONT color="green">190</FONT> * is Base64 encoded. Default is {@code true}<a name="line.190"></a> |
| <FONT color="green">191</FONT> */<a name="line.191"></a> |
| <FONT color="green">192</FONT> public boolean isStoredCredentialsHexEncoded() {<a name="line.192"></a> |
| <FONT color="green">193</FONT> return storedCredentialsHexEncoded;<a name="line.193"></a> |
| <FONT color="green">194</FONT> }<a name="line.194"></a> |
| <FONT color="green">195</FONT> <a name="line.195"></a> |
| <FONT color="green">196</FONT> /**<a name="line.196"></a> |
| <FONT color="green">197</FONT> * Sets the indicator if this system's stored credential hash is Hex encoded or not.<a name="line.197"></a> |
| <FONT color="green">198</FONT> * <p/><a name="line.198"></a> |
| <FONT color="green">199</FONT> * A value of {@code true} will cause this class to decode the system credential from Hex, a<a name="line.199"></a> |
| <FONT color="green">200</FONT> * value of {@code false} will cause this class to decode the system credential from Base64.<a name="line.200"></a> |
| <FONT color="green">201</FONT> * <p/><a name="line.201"></a> |
| <FONT color="green">202</FONT> * Unless overridden via this method, the default value is {@code true} for convenience - all of Shiro's<a name="line.202"></a> |
| <FONT color="green">203</FONT> * {@link Hash Hash#toString()} implementations return Hex encoded values by default, making this class's use with<a name="line.203"></a> |
| <FONT color="green">204</FONT> * those implementations easier.<a name="line.204"></a> |
| <FONT color="green">205</FONT> *<a name="line.205"></a> |
| <FONT color="green">206</FONT> * @param storedCredentialsHexEncoded the indicator if this system's stored credential hash is Hex<a name="line.206"></a> |
| <FONT color="green">207</FONT> * encoded or not ('not' automatically implying it is Base64 encoded).<a name="line.207"></a> |
| <FONT color="green">208</FONT> */<a name="line.208"></a> |
| <FONT color="green">209</FONT> public void setStoredCredentialsHexEncoded(boolean storedCredentialsHexEncoded) {<a name="line.209"></a> |
| <FONT color="green">210</FONT> this.storedCredentialsHexEncoded = storedCredentialsHexEncoded;<a name="line.210"></a> |
| <FONT color="green">211</FONT> }<a name="line.211"></a> |
| <FONT color="green">212</FONT> <a name="line.212"></a> |
| <FONT color="green">213</FONT> /**<a name="line.213"></a> |
| <FONT color="green">214</FONT> * Returns {@code true} if a submitted {@code AuthenticationToken}'s credentials should be salted when hashing,<a name="line.214"></a> |
| <FONT color="green">215</FONT> * {@code false} if it should not be salted.<a name="line.215"></a> |
| <FONT color="green">216</FONT> * <p/><a name="line.216"></a> |
| <FONT color="green">217</FONT> * If enabled, the salt used will be obtained via the {@link #getSalt(AuthenticationToken) getSalt} method.<a name="line.217"></a> |
| <FONT color="green">218</FONT> * <p/><a name="line.218"></a> |
| <FONT color="green">219</FONT> * The default value is {@code false}.<a name="line.219"></a> |
| <FONT color="green">220</FONT> *<a name="line.220"></a> |
| <FONT color="green">221</FONT> * @return {@code true} if a submitted {@code AuthenticationToken}'s credentials should be salted when hashing,<a name="line.221"></a> |
| <FONT color="green">222</FONT> * {@code false} if it should not be salted.<a name="line.222"></a> |
| <FONT color="green">223</FONT> * @deprecated since Shiro 1.1. Hash salting is now expected to be based on if the {@link AuthenticationInfo}<a name="line.223"></a> |
| <FONT color="green">224</FONT> * returned from the {@code Realm} is a {@link SaltedAuthenticationInfo} instance and its<a name="line.224"></a> |
| <FONT color="green">225</FONT> * {@link org.apache.shiro.authc.SaltedAuthenticationInfo#getCredentialsSalt() getCredentialsSalt()} method returns a non-null value.<a name="line.225"></a> |
| <FONT color="green">226</FONT> * This method and the 1.0 behavior still exists for backwards compatibility if the {@code Realm} does not return<a name="line.226"></a> |
| <FONT color="green">227</FONT> * {@code SaltedAuthenticationInfo} instances, but <b>it is highly recommended that {@code Realm} implementations<a name="line.227"></a> |
| <FONT color="green">228</FONT> * that support hashed credentials start returning {@link SaltedAuthenticationInfo SaltedAuthenticationInfo}<a name="line.228"></a> |
| <FONT color="green">229</FONT> * instances as soon as possible</b>.<a name="line.229"></a> |
| <FONT color="green">230</FONT> * <p/><a name="line.230"></a> |
| <FONT color="green">231</FONT> * This is because salts should always be obtained from the stored account information and<a name="line.231"></a> |
| <FONT color="green">232</FONT> * never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for<a name="line.232"></a> |
| <FONT color="green">233</FONT> * attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user<a name="line.233"></a> |
| <FONT color="green">234</FONT> * are almost impossible to break. This method will be removed in Shiro 2.0.<a name="line.234"></a> |
| <FONT color="green">235</FONT> */<a name="line.235"></a> |
| <FONT color="green">236</FONT> @Deprecated<a name="line.236"></a> |
| <FONT color="green">237</FONT> public boolean isHashSalted() {<a name="line.237"></a> |
| <FONT color="green">238</FONT> return hashSalted;<a name="line.238"></a> |
| <FONT color="green">239</FONT> }<a name="line.239"></a> |
| <FONT color="green">240</FONT> <a name="line.240"></a> |
| <FONT color="green">241</FONT> /**<a name="line.241"></a> |
| <FONT color="green">242</FONT> * Sets whether or not to salt a submitted {@code AuthenticationToken}'s credentials when hashing.<a name="line.242"></a> |
| <FONT color="green">243</FONT> * <p/><a name="line.243"></a> |
| <FONT color="green">244</FONT> * If enabled, the salt used will be obtained via the {@link #getSalt(org.apache.shiro.authc.AuthenticationToken) getCredentialsSalt} method.<a name="line.244"></a> |
| <FONT color="green">245</FONT> * </p><a name="line.245"></a> |
| <FONT color="green">246</FONT> * The default value is {@code false}.<a name="line.246"></a> |
| <FONT color="green">247</FONT> *<a name="line.247"></a> |
| <FONT color="green">248</FONT> * @param hashSalted whether or not to salt a submitted {@code AuthenticationToken}'s credentials when hashing.<a name="line.248"></a> |
| <FONT color="green">249</FONT> * @deprecated since Shiro 1.1. Hash salting is now expected to be based on if the {@link AuthenticationInfo}<a name="line.249"></a> |
| <FONT color="green">250</FONT> * returned from the {@code Realm} is a {@link SaltedAuthenticationInfo} instance and its<a name="line.250"></a> |
| <FONT color="green">251</FONT> * {@link org.apache.shiro.authc.SaltedAuthenticationInfo#getCredentialsSalt() getCredentialsSalt()} method returns a non-null value.<a name="line.251"></a> |
| <FONT color="green">252</FONT> * This method and the 1.0 behavior still exists for backwards compatibility if the {@code Realm} does not return<a name="line.252"></a> |
| <FONT color="green">253</FONT> * {@code SaltedAuthenticationInfo} instances, but <b>it is highly recommended that {@code Realm} implementations<a name="line.253"></a> |
| <FONT color="green">254</FONT> * that support hashed credentials start returning {@link SaltedAuthenticationInfo SaltedAuthenticationInfo}<a name="line.254"></a> |
| <FONT color="green">255</FONT> * instances as soon as possible</b>.<a name="line.255"></a> |
| <FONT color="green">256</FONT> * <p/><a name="line.256"></a> |
| <FONT color="green">257</FONT> * This is because salts should always be obtained from the stored account information and<a name="line.257"></a> |
| <FONT color="green">258</FONT> * never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for<a name="line.258"></a> |
| <FONT color="green">259</FONT> * attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user<a name="line.259"></a> |
| <FONT color="green">260</FONT> * are almost impossible to break. This method will be removed in Shiro 2.0.<a name="line.260"></a> |
| <FONT color="green">261</FONT> */<a name="line.261"></a> |
| <FONT color="green">262</FONT> @Deprecated<a name="line.262"></a> |
| <FONT color="green">263</FONT> public void setHashSalted(boolean hashSalted) {<a name="line.263"></a> |
| <FONT color="green">264</FONT> this.hashSalted = hashSalted;<a name="line.264"></a> |
| <FONT color="green">265</FONT> }<a name="line.265"></a> |
| <FONT color="green">266</FONT> <a name="line.266"></a> |
| <FONT color="green">267</FONT> /**<a name="line.267"></a> |
| <FONT color="green">268</FONT> * Returns the number of times a submitted {@code AuthenticationToken}'s credentials will be hashed before<a name="line.268"></a> |
| <FONT color="green">269</FONT> * comparing to the credentials stored in the system.<a name="line.269"></a> |
| <FONT color="green">270</FONT> * <p/><a name="line.270"></a> |
| <FONT color="green">271</FONT> * Unless overridden, the default value is {@code 1}, meaning a normal hash execution will occur.<a name="line.271"></a> |
| <FONT color="green">272</FONT> *<a name="line.272"></a> |
| <FONT color="green">273</FONT> * @return the number of times a submitted {@code AuthenticationToken}'s credentials will be hashed before<a name="line.273"></a> |
| <FONT color="green">274</FONT> * comparing to the credentials stored in the system.<a name="line.274"></a> |
| <FONT color="green">275</FONT> */<a name="line.275"></a> |
| <FONT color="green">276</FONT> public int getHashIterations() {<a name="line.276"></a> |
| <FONT color="green">277</FONT> return hashIterations;<a name="line.277"></a> |
| <FONT color="green">278</FONT> }<a name="line.278"></a> |
| <FONT color="green">279</FONT> <a name="line.279"></a> |
| <FONT color="green">280</FONT> /**<a name="line.280"></a> |
| <FONT color="green">281</FONT> * Sets the number of times a submitted {@code AuthenticationToken}'s credentials will be hashed before comparing<a name="line.281"></a> |
| <FONT color="green">282</FONT> * to the credentials stored in the system.<a name="line.282"></a> |
| <FONT color="green">283</FONT> * <p/><a name="line.283"></a> |
| <FONT color="green">284</FONT> * Unless overridden, the default value is {@code 1}, meaning a normal single hash execution will occur.<a name="line.284"></a> |
| <FONT color="green">285</FONT> * <p/><a name="line.285"></a> |
| <FONT color="green">286</FONT> * If this argument is less than 1 (i.e. 0 or negative), the default value of 1 is applied. There must always be<a name="line.286"></a> |
| <FONT color="green">287</FONT> * at least 1 hash iteration (otherwise there would be no hash).<a name="line.287"></a> |
| <FONT color="green">288</FONT> *<a name="line.288"></a> |
| <FONT color="green">289</FONT> * @param hashIterations the number of times to hash a submitted {@code AuthenticationToken}'s credentials.<a name="line.289"></a> |
| <FONT color="green">290</FONT> */<a name="line.290"></a> |
| <FONT color="green">291</FONT> public void setHashIterations(int hashIterations) {<a name="line.291"></a> |
| <FONT color="green">292</FONT> if (hashIterations < 1) {<a name="line.292"></a> |
| <FONT color="green">293</FONT> this.hashIterations = 1;<a name="line.293"></a> |
| <FONT color="green">294</FONT> } else {<a name="line.294"></a> |
| <FONT color="green">295</FONT> this.hashIterations = hashIterations;<a name="line.295"></a> |
| <FONT color="green">296</FONT> }<a name="line.296"></a> |
| <FONT color="green">297</FONT> }<a name="line.297"></a> |
| <FONT color="green">298</FONT> <a name="line.298"></a> |
| <FONT color="green">299</FONT> /**<a name="line.299"></a> |
| <FONT color="green">300</FONT> * Returns a salt value used to hash the token's credentials.<a name="line.300"></a> |
| <FONT color="green">301</FONT> * <p/><a name="line.301"></a> |
| <FONT color="green">302</FONT> * This default implementation merely returns {@code token.getPrincipal()}, effectively using the user's<a name="line.302"></a> |
| <FONT color="green">303</FONT> * identity (username, user id, etc) as the salt, a most common technique. If you wish to provide the<a name="line.303"></a> |
| <FONT color="green">304</FONT> * authentication token's salt another way, you may override this method.<a name="line.304"></a> |
| <FONT color="green">305</FONT> *<a name="line.305"></a> |
| <FONT color="green">306</FONT> * @param token the AuthenticationToken submitted during the authentication attempt.<a name="line.306"></a> |
| <FONT color="green">307</FONT> * @return a salt value to use to hash the authentication token's credentials.<a name="line.307"></a> |
| <FONT color="green">308</FONT> * @deprecated since Shiro 1.1. Hash salting is now expected to be based on if the {@link AuthenticationInfo}<a name="line.308"></a> |
| <FONT color="green">309</FONT> * returned from the {@code Realm} is a {@link SaltedAuthenticationInfo} instance and its<a name="line.309"></a> |
| <FONT color="green">310</FONT> * {@link org.apache.shiro.authc.SaltedAuthenticationInfo#getCredentialsSalt() getCredentialsSalt()} method returns a non-null value.<a name="line.310"></a> |
| <FONT color="green">311</FONT> * This method and the 1.0 behavior still exists for backwards compatibility if the {@code Realm} does not return<a name="line.311"></a> |
| <FONT color="green">312</FONT> * {@code SaltedAuthenticationInfo} instances, but <b>it is highly recommended that {@code Realm} implementations<a name="line.312"></a> |
| <FONT color="green">313</FONT> * that support hashed credentials start returning {@link SaltedAuthenticationInfo SaltedAuthenticationInfo}<a name="line.313"></a> |
| <FONT color="green">314</FONT> * instances as soon as possible</b>.<p/><a name="line.314"></a> |
| <FONT color="green">315</FONT> * This is because salts should always be obtained from the stored account information and<a name="line.315"></a> |
| <FONT color="green">316</FONT> * never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for<a name="line.316"></a> |
| <FONT color="green">317</FONT> * attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user<a name="line.317"></a> |
| <FONT color="green">318</FONT> * are almost impossible to break. This method will be removed in Shiro 2.0.<a name="line.318"></a> |
| <FONT color="green">319</FONT> */<a name="line.319"></a> |
| <FONT color="green">320</FONT> @Deprecated<a name="line.320"></a> |
| <FONT color="green">321</FONT> protected Object getSalt(AuthenticationToken token) {<a name="line.321"></a> |
| <FONT color="green">322</FONT> return token.getPrincipal();<a name="line.322"></a> |
| <FONT color="green">323</FONT> }<a name="line.323"></a> |
| <FONT color="green">324</FONT> <a name="line.324"></a> |
| <FONT color="green">325</FONT> /**<a name="line.325"></a> |
| <FONT color="green">326</FONT> * Returns a {@link Hash Hash} instance representing the already-hashed AuthenticationInfo credentials stored in the system.<a name="line.326"></a> |
| <FONT color="green">327</FONT> * <p/><a name="line.327"></a> |
| <FONT color="green">328</FONT> * This method reconstructs a {@link Hash Hash} instance based on a {@code info.getCredentials} call,<a name="line.328"></a> |
| <FONT color="green">329</FONT> * but it does <em>not</em> hash that value - it is expected that method call will return an already-hashed value.<a name="line.329"></a> |
| <FONT color="green">330</FONT> * <p/><a name="line.330"></a> |
| <FONT color="green">331</FONT> * This implementation's reconstruction effort functions as follows:<a name="line.331"></a> |
| <FONT color="green">332</FONT> * <ol><a name="line.332"></a> |
| <FONT color="green">333</FONT> * <li>Convert {@code account.getCredentials()} to a byte array via the {@link #toBytes toBytes} method.<a name="line.333"></a> |
| <FONT color="green">334</FONT> * <li>If {@code account.getCredentials()} was originally a String or char[] before {@code toBytes} was<a name="line.334"></a> |
| <FONT color="green">335</FONT> * called, check for encoding:<a name="line.335"></a> |
| <FONT color="green">336</FONT> * <li>If {@link #storedCredentialsHexEncoded storedCredentialsHexEncoded}, Hex decode that byte array, otherwise<a name="line.336"></a> |
| <FONT color="green">337</FONT> * Base64 decode the byte array</li><a name="line.337"></a> |
| <FONT color="green">338</FONT> * <li>Set the byte[] array directly on the {@code Hash} implementation and return it.</li><a name="line.338"></a> |
| <FONT color="green">339</FONT> * </ol><a name="line.339"></a> |
| <FONT color="green">340</FONT> *<a name="line.340"></a> |
| <FONT color="green">341</FONT> * @param info the AuthenticationInfo from which to retrieve the credentials which assumed to be in already-hashed form.<a name="line.341"></a> |
| <FONT color="green">342</FONT> * @return a {@link Hash Hash} instance representing the given AuthenticationInfo's stored credentials.<a name="line.342"></a> |
| <FONT color="green">343</FONT> */<a name="line.343"></a> |
| <FONT color="green">344</FONT> protected Object getCredentials(AuthenticationInfo info) {<a name="line.344"></a> |
| <FONT color="green">345</FONT> Object credentials = info.getCredentials();<a name="line.345"></a> |
| <FONT color="green">346</FONT> <a name="line.346"></a> |
| <FONT color="green">347</FONT> byte[] storedBytes = toBytes(credentials);<a name="line.347"></a> |
| <FONT color="green">348</FONT> <a name="line.348"></a> |
| <FONT color="green">349</FONT> if (credentials instanceof String || credentials instanceof char[]) {<a name="line.349"></a> |
| <FONT color="green">350</FONT> //account.credentials were a char[] or String, so<a name="line.350"></a> |
| <FONT color="green">351</FONT> //we need to do text decoding first:<a name="line.351"></a> |
| <FONT color="green">352</FONT> if (isStoredCredentialsHexEncoded()) {<a name="line.352"></a> |
| <FONT color="green">353</FONT> storedBytes = Hex.decode(storedBytes);<a name="line.353"></a> |
| <FONT color="green">354</FONT> } else {<a name="line.354"></a> |
| <FONT color="green">355</FONT> storedBytes = Base64.decode(storedBytes);<a name="line.355"></a> |
| <FONT color="green">356</FONT> }<a name="line.356"></a> |
| <FONT color="green">357</FONT> }<a name="line.357"></a> |
| <FONT color="green">358</FONT> AbstractHash hash = newHashInstance();<a name="line.358"></a> |
| <FONT color="green">359</FONT> hash.setBytes(storedBytes);<a name="line.359"></a> |
| <FONT color="green">360</FONT> return hash;<a name="line.360"></a> |
| <FONT color="green">361</FONT> }<a name="line.361"></a> |
| <FONT color="green">362</FONT> <a name="line.362"></a> |
| <FONT color="green">363</FONT> /**<a name="line.363"></a> |
| <FONT color="green">364</FONT> * This implementation first hashes the {@code token}'s credentials, potentially using a<a name="line.364"></a> |
| <FONT color="green">365</FONT> * {@code salt} if the {@code info} argument is a<a name="line.365"></a> |
| <FONT color="green">366</FONT> * {@link org.apache.shiro.authc.SaltedAuthenticationInfo SaltedAuthenticationInfo}. It then compares the hash<a name="line.366"></a> |
| <FONT color="green">367</FONT> * against the {@code AuthenticationInfo}'s<a name="line.367"></a> |
| <FONT color="green">368</FONT> * {@link #getCredentials(org.apache.shiro.authc.AuthenticationInfo) already-hashed credentials}. This method<a name="line.368"></a> |
| <FONT color="green">369</FONT> * returns {@code true} if those two values are {@link #equals(Object, Object) equal}, {@code false} otherwise.<a name="line.369"></a> |
| <FONT color="green">370</FONT> *<a name="line.370"></a> |
| <FONT color="green">371</FONT> * @param token the {@code AuthenticationToken} submitted during the authentication attempt.<a name="line.371"></a> |
| <FONT color="green">372</FONT> * @param info the {@code AuthenticationInfo} stored in the system matching the token principal<a name="line.372"></a> |
| <FONT color="green">373</FONT> * @return {@code true} if the provided token credentials hash match to the stored account credentials hash,<a name="line.373"></a> |
| <FONT color="green">374</FONT> * {@code false} otherwise<a name="line.374"></a> |
| <FONT color="green">375</FONT> * @since 1.1<a name="line.375"></a> |
| <FONT color="green">376</FONT> */<a name="line.376"></a> |
| <FONT color="green">377</FONT> @Override<a name="line.377"></a> |
| <FONT color="green">378</FONT> public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {<a name="line.378"></a> |
| <FONT color="green">379</FONT> Object tokenHashedCredentials = hashProvidedCredentials(token, info);<a name="line.379"></a> |
| <FONT color="green">380</FONT> Object accountCredentials = getCredentials(info);<a name="line.380"></a> |
| <FONT color="green">381</FONT> return equals(tokenHashedCredentials, accountCredentials);<a name="line.381"></a> |
| <FONT color="green">382</FONT> }<a name="line.382"></a> |
| <FONT color="green">383</FONT> <a name="line.383"></a> |
| <FONT color="green">384</FONT> /**<a name="line.384"></a> |
| <FONT color="green">385</FONT> * Hash the provided {@code token}'s credentials using the salt stored with the account if the<a name="line.385"></a> |
| <FONT color="green">386</FONT> * {@code info} instance is an {@code instanceof} {@link SaltedAuthenticationInfo SaltedAuthenticationInfo} (see<a name="line.386"></a> |
| <FONT color="green">387</FONT> * the class-level JavaDoc for why this is the preferred approach).<a name="line.387"></a> |
| <FONT color="green">388</FONT> * <p/><a name="line.388"></a> |
| <FONT color="green">389</FONT> * If the {@code info} instance is <em>not</em><a name="line.389"></a> |
| <FONT color="green">390</FONT> * an {@code instanceof} {@code SaltedAuthenticationInfo}, the logic will fall back to Shiro 1.0<a name="line.390"></a> |
| <FONT color="green">391</FONT> * backwards-compatible logic: it will first check to see {@link #isHashSalted() isHashSalted} and if so, will try<a name="line.391"></a> |
| <FONT color="green">392</FONT> * to acquire the salt from {@link #getSalt(AuthenticationToken) getSalt(AuthenticationToken)}. See the class-level<a name="line.392"></a> |
| <FONT color="green">393</FONT> * JavaDoc for why this is not recommended. This 'fallback' logic exists only for backwards-compatibility.<a name="line.393"></a> |
| <FONT color="green">394</FONT> * {@code Realm}s should be updated as soon as possible to return {@code SaltedAuthenticationInfo} instances<a name="line.394"></a> |
| <FONT color="green">395</FONT> * if account credentials salting is enabled (highly recommended for password-based systems).<a name="line.395"></a> |
| <FONT color="green">396</FONT> *<a name="line.396"></a> |
| <FONT color="green">397</FONT> * @param token the submitted authentication token from which its credentials will be hashed<a name="line.397"></a> |
| <FONT color="green">398</FONT> * @param info the stored account data, potentially used to acquire a salt<a name="line.398"></a> |
| <FONT color="green">399</FONT> * @return the token credentials hash<a name="line.399"></a> |
| <FONT color="green">400</FONT> * @since 1.1<a name="line.400"></a> |
| <FONT color="green">401</FONT> */<a name="line.401"></a> |
| <FONT color="green">402</FONT> protected Object hashProvidedCredentials(AuthenticationToken token, AuthenticationInfo info) {<a name="line.402"></a> |
| <FONT color="green">403</FONT> Object salt = null;<a name="line.403"></a> |
| <FONT color="green">404</FONT> if (info instanceof SaltedAuthenticationInfo) {<a name="line.404"></a> |
| <FONT color="green">405</FONT> salt = ((SaltedAuthenticationInfo) info).getCredentialsSalt();<a name="line.405"></a> |
| <FONT color="green">406</FONT> } else {<a name="line.406"></a> |
| <FONT color="green">407</FONT> //retain 1.0 backwards compatibility:<a name="line.407"></a> |
| <FONT color="green">408</FONT> if (isHashSalted()) {<a name="line.408"></a> |
| <FONT color="green">409</FONT> salt = getSalt(token);<a name="line.409"></a> |
| <FONT color="green">410</FONT> }<a name="line.410"></a> |
| <FONT color="green">411</FONT> }<a name="line.411"></a> |
| <FONT color="green">412</FONT> return hashProvidedCredentials(token.getCredentials(), salt, getHashIterations());<a name="line.412"></a> |
| <FONT color="green">413</FONT> }<a name="line.413"></a> |
| <FONT color="green">414</FONT> <a name="line.414"></a> |
| <FONT color="green">415</FONT> /**<a name="line.415"></a> |
| <FONT color="green">416</FONT> * Returns the {@link #getHashAlgorithmName() hashAlgorithmName} property, but will throw an<a name="line.416"></a> |
| <FONT color="green">417</FONT> * {@link IllegalStateException} if it has not been set.<a name="line.417"></a> |
| <FONT color="green">418</FONT> *<a name="line.418"></a> |
| <FONT color="green">419</FONT> * @return the required {@link #getHashAlgorithmName() hashAlgorithmName} property<a name="line.419"></a> |
| <FONT color="green">420</FONT> * @throws IllegalStateException if the property has not been set prior to calling this method.<a name="line.420"></a> |
| <FONT color="green">421</FONT> * @since 1.1<a name="line.421"></a> |
| <FONT color="green">422</FONT> */<a name="line.422"></a> |
| <FONT color="green">423</FONT> private String assertHashAlgorithmName() throws IllegalStateException {<a name="line.423"></a> |
| <FONT color="green">424</FONT> String hashAlgorithmName = getHashAlgorithmName();<a name="line.424"></a> |
| <FONT color="green">425</FONT> if (hashAlgorithmName == null) {<a name="line.425"></a> |
| <FONT color="green">426</FONT> String msg = "Required 'hashAlgorithmName' property has not been set. This is required to execute " +<a name="line.426"></a> |
| <FONT color="green">427</FONT> "the hashing algorithm.";<a name="line.427"></a> |
| <FONT color="green">428</FONT> throw new IllegalStateException(msg);<a name="line.428"></a> |
| <FONT color="green">429</FONT> }<a name="line.429"></a> |
| <FONT color="green">430</FONT> return hashAlgorithmName;<a name="line.430"></a> |
| <FONT color="green">431</FONT> }<a name="line.431"></a> |
| <FONT color="green">432</FONT> <a name="line.432"></a> |
| <FONT color="green">433</FONT> /**<a name="line.433"></a> |
| <FONT color="green">434</FONT> * Hashes the provided credentials a total of {@code hashIterations} times, using the given salt. The hash<a name="line.434"></a> |
| <FONT color="green">435</FONT> * implementation/algorithm used is based on the {@link #getHashAlgorithmName() hashAlgorithmName} property.<a name="line.435"></a> |
| <FONT color="green">436</FONT> *<a name="line.436"></a> |
| <FONT color="green">437</FONT> * @param credentials the submitted authentication token's credentials to hash<a name="line.437"></a> |
| <FONT color="green">438</FONT> * @param salt the value to salt the hash, or {@code null} if a salt will not be used.<a name="line.438"></a> |
| <FONT color="green">439</FONT> * @param hashIterations the number of times to hash the credentials. At least one hash will always occur though,<a name="line.439"></a> |
| <FONT color="green">440</FONT> * even if this argument is 0 or negative.<a name="line.440"></a> |
| <FONT color="green">441</FONT> * @return the hashed value of the provided credentials, according to the specified salt and hash iterations.<a name="line.441"></a> |
| <FONT color="green">442</FONT> */<a name="line.442"></a> |
| <FONT color="green">443</FONT> protected Hash hashProvidedCredentials(Object credentials, Object salt, int hashIterations) {<a name="line.443"></a> |
| <FONT color="green">444</FONT> String hashAlgorithmName = assertHashAlgorithmName();<a name="line.444"></a> |
| <FONT color="green">445</FONT> return new SimpleHash(hashAlgorithmName, credentials, salt, hashIterations);<a name="line.445"></a> |
| <FONT color="green">446</FONT> }<a name="line.446"></a> |
| <FONT color="green">447</FONT> <a name="line.447"></a> |
| <FONT color="green">448</FONT> /**<a name="line.448"></a> |
| <FONT color="green">449</FONT> * Returns a new, <em>uninitialized</em> instance, without its byte array set. Used as a utility method in the<a name="line.449"></a> |
| <FONT color="green">450</FONT> * {@link SimpleCredentialsMatcher#getCredentials(org.apache.shiro.authc.AuthenticationInfo) getCredentials(AuthenticationInfo)} implementation.<a name="line.450"></a> |
| <FONT color="green">451</FONT> *<a name="line.451"></a> |
| <FONT color="green">452</FONT> * @return a new, <em>uninitialized</em> instance, without its byte array set.<a name="line.452"></a> |
| <FONT color="green">453</FONT> */<a name="line.453"></a> |
| <FONT color="green">454</FONT> protected AbstractHash newHashInstance() {<a name="line.454"></a> |
| <FONT color="green">455</FONT> String hashAlgorithmName = assertHashAlgorithmName();<a name="line.455"></a> |
| <FONT color="green">456</FONT> return new SimpleHash(hashAlgorithmName);<a name="line.456"></a> |
| <FONT color="green">457</FONT> }<a name="line.457"></a> |
| <FONT color="green">458</FONT> <a name="line.458"></a> |
| <FONT color="green">459</FONT> }<a name="line.459"></a> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| </PRE> |
| </BODY> |
| </HTML> |
