| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
| <!-- NewPage --> |
| <html lang="en"> |
| <head> |
| <!-- Generated by javadoc (version 1.7.0_25) on Wed May 25 23:25:54 EDT 2016 --> |
| <meta http-equiv="Content-Type" content="text/html" charset="UTF-8"> |
| <title>HashedCredentialsMatcher (Apache Shiro 1.2.5 API)</title> |
| <meta name="date" content="2016-05-25"> |
| <link rel="stylesheet" type="text/css" href="../../../../../stylesheet.css" title="Style"> |
| </head> |
| <body> |
| <!-- ======== START OF CLASS DATA ======== --> |
| <div class="header"> |
| <div class="subTitle">org.apache.shiro.authc.credential</div> |
| <h2 title="Class HashedCredentialsMatcher" class="title">Class HashedCredentialsMatcher</h2> |
| </div> |
| <div class="contentContainer"> |
| <ul class="inheritance"> |
| <li><a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">java.lang.Object</a></li> |
| <li> |
| <ul class="inheritance"> |
| <li><a href="../../../../../org/apache/shiro/codec/CodecSupport.html" title="class in org.apache.shiro.codec">org.apache.shiro.codec.CodecSupport</a></li> |
| <li> |
| <ul class="inheritance"> |
| <li><a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">org.apache.shiro.authc.credential.SimpleCredentialsMatcher</a></li> |
| <li> |
| <ul class="inheritance"> |
| <li>org.apache.shiro.authc.credential.HashedCredentialsMatcher</li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| <div class="description"> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <dl> |
| <dt>All Implemented Interfaces:</dt> |
| <dd><a href="../../../../../org/apache/shiro/authc/credential/CredentialsMatcher.html" title="interface in org.apache.shiro.authc.credential">CredentialsMatcher</a></dd> |
| </dl> |
| <dl> |
| <dt>Direct Known Subclasses:</dt> |
| <dd><a href="../../../../../org/apache/shiro/authc/credential/Md2CredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">Md2CredentialsMatcher</a>, <a href="../../../../../org/apache/shiro/authc/credential/Md5CredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">Md5CredentialsMatcher</a>, <a href="../../../../../org/apache/shiro/authc/credential/Sha1CredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">Sha1CredentialsMatcher</a>, <a href="../../../../../org/apache/shiro/authc/credential/Sha256CredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">Sha256CredentialsMatcher</a>, <a href="../../../../../org/apache/shiro/authc/credential/Sha384CredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">Sha384CredentialsMatcher</a>, <a href="../../../../../org/apache/shiro/authc/credential/Sha512CredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">Sha512CredentialsMatcher</a></dd> |
| </dl> |
| <hr> |
| <br> |
| <pre>public class <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.120">HashedCredentialsMatcher</a> |
| extends <a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">SimpleCredentialsMatcher</a></pre> |
| <div class="block">A <code>HashedCredentialsMatcher</code> provides support for hashing the supplied <code>AuthenticationToken</code> credentials |
| before they are compared to those in the <code>AuthenticationInfo</code> from the data store. |
| <p/> |
| Credential hashing is one of the most common security techniques when safeguarding a user's private credentials |
| (passwords, keys, etc). Most developers never want to store their users' credentials in plain form, viewable by |
| anyone, so they often hash the users' credentials before they are saved in the data store. |
| <p/> |
| This class (and its subclasses) function as follows: |
| <ol> |
| <li>Hash the <code>AuthenticationToken</code> credentials supplied by the user during their login.</li> |
| <li>Compare this hashed value directly with the <code>AuthenticationInfo</code> credentials stored in the system |
| (the stored account credentials are expected to already be in hashed form).</li> |
| <li>If these two values are <a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html#equals(java.lang.Object, java.lang.Object)"><code>equal</code></a>, the submitted credentials match, otherwise |
| they do not.</li> |
| </ol> |
| <h2>Salting and Multiple Hash Iterations</h2> |
| Because simple hashing is usually not good enough for secure applications, this class also supports 'salting' |
| and multiple hash iterations. Please read this excellent |
| <a href="http://www.owasp.org/index.php/Hashing_Java" target="_blank" rel="noopener noreferrer">Hashing Java article</a> to learn about |
| salting and multiple iterations and why you might want to use them. (Take particular note of sections 5 |
| "Why add salt?" and 6 "Hardening against the attacker's attack"). We should also note here that all of |
| Shiro's Hash implementations (for example, <a href="../../../../../org/apache/shiro/crypto/hash/Md5Hash.html" title="class in org.apache.shiro.crypto.hash"><code>Md5Hash</code></a>, |
| <a href="../../../../../org/apache/shiro/crypto/hash/Sha1Hash.html" title="class in org.apache.shiro.crypto.hash"><code>Sha1Hash</code></a>, etc) support salting and multiple hash iterations via |
| overloaded constructors. |
| <h4>Real World Case Study</h4> |
| In April 2010, some public Atlassian Jira and Confluence |
| installations (Apache Software Foundation, Codehaus, etc) were the target of account attacks and user accounts |
| were compromised. The reason? Jira and Confluence at the time did not salt user passwords and attackers were |
| able to use dictionary attacks to compromise user accounts (Atlassian has since |
| <a href="http://blogs.atlassian.com/news/2010/04/oh_man_what_a_day_an_update_on_our_security_breach.html"> |
| fixed the problem</a> of course). |
| <p/> |
| The lesson? |
| <p/> |
| <b>ALWAYS, ALWAYS, ALWAYS SALT USER PASSWORDS!</b> |
| <p/> |
| <h3>Salting</h3> |
| Prior to Shiro 1.1, salts could be obtained based on the end-user submitted |
| <a href="../../../../../org/apache/shiro/authc/AuthenticationToken.html" title="interface in org.apache.shiro.authc"><code>AuthenticationToken</code></a> via the now-deprecated |
| <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getSalt(org.apache.shiro.authc.AuthenticationToken)"><code>getSalt(AuthenticationToken)</code></a> method. This however |
| could constitute a security hole since ideally salts should never be obtained based on what a user can submit. |
| User-submitted salt mechanisms are <em>much</em> more susceptible to dictionary attacks and <b>SHOULD NOT</b> be |
| used in secure systems. Instead salts should ideally be a secure randomly-generated number that is generated when |
| the user account is created. The secure number should never be disseminated to the user and always kept private |
| by the application. |
| <h4>Shiro 1.1</h4> |
| As of Shiro 1.1, it is expected that any salt used to hash the submitted credentials will be obtained from the |
| stored account information (represented as an <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>AuthenticationInfo</code></a> instance). This is much |
| more secure because the salt value remains private to the application (Shiro will never store this value). |
| <p/> |
| To enable this, <code>Realm</code>s should return <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> instances |
| during authentication. <code>HashedCredentialsMatcher</code> implementations will then use the provided |
| <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html#getCredentialsSalt()"><code>credentialsSalt</code></a> for hashing. To avoid |
| security risks, |
| <b>it is highly recommended that any existing <code>Realm</code> implementations that support hashed credentials are |
| updated to return <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> instances as soon as possible</b>. |
| <h4>Shiro 1.0 Backwards Compatibility</h4> |
| Because of the identified security risk, <code>Realm</code> implementations that support credentials hashing should |
| be updated to return <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> instances as |
| soon as possible. |
| <p/> |
| If this is not possible for some reason, this class will retain 1.0 backwards-compatible behavior of obtaining |
| the salt via the now-deprecated <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getSalt(org.apache.shiro.authc.AuthenticationToken)"><code>getSalt(AuthenticationToken)</code></a> method. This |
| method will only be invoked if a <code>Realm</code> <em>does not</em> return |
| <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> instances and <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#isHashSalted()"><code>hashSalted</code></a> is |
| <code>true</code>. |
| But please note that the <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#isHashSalted()"><code>hashSalted</code></a> property and the |
| <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getSalt(org.apache.shiro.authc.AuthenticationToken)"><code>getSalt(AuthenticationToken)</code></a> methods will be removed before the Shiro 2.0 |
| release. |
| <h3>Multiple Hash Iterations</h3> |
| If you hash your users' credentials multiple times before persisting to the data store, you will also need to |
| set this class's <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#setHashIterations(int)"><code>hashIterations</code></a> property to that same number, so that |
| submitted credentials are hashed the same number of times before they are compared with the stored hash. See the |
| <a href="http://www.owasp.org/index.php/Hashing_Java" target="_blank" rel="noopener noreferrer">Hashing Java article</a>'s |
| <a href="http://www.owasp.org/index.php/Hashing_Java#Hardening_against_the_attacker.27s_attack"> |
| "Hardening against the attacker's attack"</a> section to learn more about why you might want to use |
| multiple hash iterations. |
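| <h2>MD5 &amp; SHA-1 Notice</h2> |
| <a href="http://en.wikipedia.org/wiki/MD5">MD5</a> and |
| <a href="http://en.wikipedia.org/wiki/SHA_hash_functions">SHA-1</a> algorithms are now known to be vulnerable to |
| compromise and/or collisions (read the linked pages for more). While most applications are ok with either of these |
| two, if your application mandates high security, use the SHA-256 (or higher) hashing algorithms and their |
| supporting <code>CredentialsMatcher</code> implementations. Whichever algorithm is chosen, all of these digests are |
| fast to compute, so resistance to offline password guessing still depends on a per-account salt and a sufficiently large |
| <code>hashIterations</code> value, as described in the sections above.</div> |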
| <dl><dt><span class="strong">Since:</span></dt> |
| <dd>0.9</dd> |
| <dt><span class="strong">See Also:</span></dt><dd><a href="../../../../../org/apache/shiro/crypto/hash/Md5Hash.html" title="class in org.apache.shiro.crypto.hash"><code>Md5Hash</code></a>, |
| <a href="../../../../../org/apache/shiro/crypto/hash/Sha1Hash.html" title="class in org.apache.shiro.crypto.hash"><code>Sha1Hash</code></a>, |
| <a href="../../../../../org/apache/shiro/crypto/hash/Sha256Hash.html" title="class in org.apache.shiro.crypto.hash"><code>Sha256Hash</code></a></dd></dl> |
| </li> |
| </ul> |
| </div> |
| <div class="summary"> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <!-- =========== FIELD SUMMARY =========== --> |
| <ul class="blockList"> |
| <li class="blockList"><a name="field_summary"> |
| <!-- --> |
| </a> |
| <h3>Field Summary</h3> |
| <ul class="blockList"> |
| <li class="blockList"><a name="fields_inherited_from_class_org.apache.shiro.codec.CodecSupport"> |
| <!-- --> |
| </a> |
| <h3>Fields inherited from class org.apache.shiro.codec.<a href="../../../../../org/apache/shiro/codec/CodecSupport.html" title="class in org.apache.shiro.codec">CodecSupport</a></h3> |
| <code><a href="../../../../../org/apache/shiro/codec/CodecSupport.html#PREFERRED_ENCODING">PREFERRED_ENCODING</a></code></li> |
| </ul> |
| </li> |
| </ul> |
| <!-- ======== CONSTRUCTOR SUMMARY ======== --> |
| <ul class="blockList"> |
| <li class="blockList"><a name="constructor_summary"> |
| <!-- --> |
| </a> |
| <h3>Constructor Summary</h3> |
| <table class="overviewSummary" border="0" cellpadding="3" cellspacing="0" summary="Constructor Summary table, listing constructors, and an explanation"> |
| <caption><span>Constructors</span><span class="tabEnd"> </span></caption> |
| <tr> |
| <th class="colOne" scope="col">Constructor and Description</th> |
| </tr> |
| <tr class="altColor"> |
| <td class="colOne"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#HashedCredentialsMatcher()">HashedCredentialsMatcher</a></strong>()</code> |
| <div class="block">JavaBeans-compatible no-arg constructor intended for use in IoC/Dependency Injection environments.</div> |
| </td> |
| </tr> |
| <tr class="rowColor"> |
| <td class="colOne"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#HashedCredentialsMatcher(java.lang.String)">HashedCredentialsMatcher</a></strong>(<a href="http://java.sun.com/javase/6/docs/api/java/lang/String.html?is-external=true" title="class or interface in java.lang">String</a> hashAlgorithmName)</code> |
| <div class="block">Creates an instance using the specified <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getHashAlgorithmName()"><code>hashAlgorithmName</code></a> to hash submitted |
| credentials.</div> |
| </td> |
| </tr> |
| </table> |
| </li> |
| </ul> |
| <!-- ========== METHOD SUMMARY =========== --> |
| <ul class="blockList"> |
| <li class="blockList"><a name="method_summary"> |
| <!-- --> |
| </a> |
| <h3>Method Summary</h3> |
| <table class="overviewSummary" border="0" cellpadding="3" cellspacing="0" summary="Method Summary table, listing methods, and an explanation"> |
| <caption><span>Methods</span><span class="tabEnd"> </span></caption> |
| <tr> |
| <th class="colFirst" scope="col">Modifier and Type</th> |
| <th class="colLast" scope="col">Method and Description</th> |
| </tr> |
| <tr class="altColor"> |
| <td class="colFirst"><code>boolean</code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#doCredentialsMatch(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo)">doCredentialsMatch</a></strong>(<a href="../../../../../org/apache/shiro/authc/AuthenticationToken.html" title="interface in org.apache.shiro.authc">AuthenticationToken</a> token, |
| <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc">AuthenticationInfo</a> info)</code> |
| <div class="block">This implementation first hashes the <code>token</code>'s credentials, potentially using a |
| <code>salt</code> if the <code>info</code> argument is a |
| <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a>.</div> |
| </td> |
| </tr> |
| <tr class="rowColor"> |
| <td class="colFirst"><code>protected <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a></code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getCredentials(org.apache.shiro.authc.AuthenticationInfo)">getCredentials</a></strong>(<a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc">AuthenticationInfo</a> info)</code> |
| <div class="block">Returns a <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html" title="interface in org.apache.shiro.crypto.hash"><code>Hash</code></a> instance representing the already-hashed AuthenticationInfo credentials stored in the system.</div> |
| </td> |
| </tr> |
| <tr class="altColor"> |
| <td class="colFirst"><code><a href="http://java.sun.com/javase/6/docs/api/java/lang/String.html?is-external=true" title="class or interface in java.lang">String</a></code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getHashAlgorithmName()">getHashAlgorithmName</a></strong>()</code> |
| <div class="block">Returns the <code>Hash</code> <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html#getAlgorithmName()"><code>algorithmName</code></a> to use |
| when performing hashes for credentials matching.</div> |
| </td> |
| </tr> |
| <tr class="rowColor"> |
| <td class="colFirst"><code>int</code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getHashIterations()">getHashIterations</a></strong>()</code> |
| <div class="block">Returns the number of times a submitted <code>AuthenticationToken</code>'s credentials will be hashed before |
| comparing to the credentials stored in the system.</div> |
| </td> |
| </tr> |
| <tr class="altColor"> |
| <td class="colFirst"><code>protected <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a></code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getSalt(org.apache.shiro.authc.AuthenticationToken)">getSalt</a></strong>(<a href="../../../../../org/apache/shiro/authc/AuthenticationToken.html" title="interface in org.apache.shiro.authc">AuthenticationToken</a> token)</code> |
| <div class="block"><strong>Deprecated.</strong> |
| <div class="block"><i>since Shiro 1.1. Hash salting is now expected to be based on if the <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>AuthenticationInfo</code></a> |
| returned from the <code>Realm</code> is a <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> instance and its |
| <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html#getCredentialsSalt()"><code>getCredentialsSalt()</code></a> method returns a non-null value. |
| This method and the 1.0 behavior still exist for backwards compatibility if the <code>Realm</code> does not return |
| <code>SaltedAuthenticationInfo</code> instances, but <b>it is highly recommended that <code>Realm</code> implementations |
| that support hashed credentials start returning <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> |
| instances as soon as possible</b>.<p/> |
| This is because salts should always be obtained from the stored account information and |
| never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for |
| attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user |
| are almost impossible to break. This method will be removed in Shiro 2.0.</i></div> |
| </div> |
| </td> |
| </tr> |
| <tr class="rowColor"> |
| <td class="colFirst"><code>protected <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a></code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#hashProvidedCredentials(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo)">hashProvidedCredentials</a></strong>(<a href="../../../../../org/apache/shiro/authc/AuthenticationToken.html" title="interface in org.apache.shiro.authc">AuthenticationToken</a> token, |
| <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc">AuthenticationInfo</a> info)</code> |
| <div class="block">Hash the provided <code>token</code>'s credentials using the salt stored with the account if the |
| <code>info</code> instance is an <code>instanceof</code> <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> (see |
| the class-level JavaDoc for why this is the preferred approach).</div> |
| </td> |
| </tr> |
| <tr class="altColor"> |
| <td class="colFirst"><code>protected <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html" title="interface in org.apache.shiro.crypto.hash">Hash</a></code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#hashProvidedCredentials(java.lang.Object, java.lang.Object, int)">hashProvidedCredentials</a></strong>(<a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a> credentials, |
| <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a> salt, |
| int hashIterations)</code> |
| <div class="block">Hashes the provided credentials a total of <code>hashIterations</code> times, using the given salt.</div> |
| </td> |
| </tr> |
| <tr class="rowColor"> |
| <td class="colFirst"><code>boolean</code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#isHashSalted()">isHashSalted</a></strong>()</code> |
| <div class="block"><strong>Deprecated.</strong> |
| <div class="block"><i>since Shiro 1.1. Hash salting is now expected to be based on if the <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>AuthenticationInfo</code></a> |
| returned from the <code>Realm</code> is a <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> instance and its |
| <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html#getCredentialsSalt()"><code>getCredentialsSalt()</code></a> method returns a non-null value. |
| This method and the 1.0 behavior still exist for backwards compatibility if the <code>Realm</code> does not return |
| <code>SaltedAuthenticationInfo</code> instances, but <b>it is highly recommended that <code>Realm</code> implementations |
| that support hashed credentials start returning <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> |
| instances as soon as possible</b>. |
| <p/> |
| This is because salts should always be obtained from the stored account information and |
| never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for |
| attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user |
| are almost impossible to break. This method will be removed in Shiro 2.0.</i></div> |
| </div> |
| </td> |
| </tr> |
| <tr class="altColor"> |
| <td class="colFirst"><code>boolean</code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#isStoredCredentialsHexEncoded()">isStoredCredentialsHexEncoded</a></strong>()</code> |
| <div class="block">Returns <code>true</code> if the system's stored credential hash is Hex encoded, <code>false</code> if it |
| is Base64 encoded.</div> |
| </td> |
| </tr> |
| <tr class="rowColor"> |
| <td class="colFirst"><code>protected <a href="../../../../../org/apache/shiro/crypto/hash/AbstractHash.html" title="class in org.apache.shiro.crypto.hash">AbstractHash</a></code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#newHashInstance()">newHashInstance</a></strong>()</code> |
| <div class="block">Returns a new, <em>uninitialized</em> instance, without its byte array set.</div> |
| </td> |
| </tr> |
| <tr class="altColor"> |
| <td class="colFirst"><code>void</code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#setHashAlgorithmName(java.lang.String)">setHashAlgorithmName</a></strong>(<a href="http://java.sun.com/javase/6/docs/api/java/lang/String.html?is-external=true" title="class or interface in java.lang">String</a> hashAlgorithmName)</code> |
| <div class="block">Sets the <code>Hash</code> <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html#getAlgorithmName()"><code>algorithmName</code></a> to use |
| when performing hashes for credentials matching.</div> |
| </td> |
| </tr> |
| <tr class="rowColor"> |
| <td class="colFirst"><code>void</code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#setHashIterations(int)">setHashIterations</a></strong>(int hashIterations)</code> |
| <div class="block">Sets the number of times a submitted <code>AuthenticationToken</code>'s credentials will be hashed before comparing |
| to the credentials stored in the system.</div> |
| </td> |
| </tr> |
| <tr class="altColor"> |
| <td class="colFirst"><code>void</code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#setHashSalted(boolean)">setHashSalted</a></strong>(boolean hashSalted)</code> |
| <div class="block"><strong>Deprecated.</strong> |
| <div class="block"><i>since Shiro 1.1. Hash salting is now expected to be based on if the <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>AuthenticationInfo</code></a> |
| returned from the <code>Realm</code> is a <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> instance and its |
| <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html#getCredentialsSalt()"><code>getCredentialsSalt()</code></a> method returns a non-null value. |
| This method and the 1.0 behavior still exist for backwards compatibility if the <code>Realm</code> does not return |
| <code>SaltedAuthenticationInfo</code> instances, but <b>it is highly recommended that <code>Realm</code> implementations |
| that support hashed credentials start returning <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> |
| instances as soon as possible</b>. |
| <p/> |
| This is because salts should always be obtained from the stored account information and |
| never be interpreted based on user/Subject-entered data. User-entered data is easier to compromise for |
| attackers, whereas account-unique (and secure randomly-generated) salts never disseminated to the end-user |
| are almost impossible to break. This method will be removed in Shiro 2.0.</i></div> |
| </div> |
| </td> |
| </tr> |
| <tr class="rowColor"> |
| <td class="colFirst"><code>void</code></td> |
| <td class="colLast"><code><strong><a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#setStoredCredentialsHexEncoded(boolean)">setStoredCredentialsHexEncoded</a></strong>(boolean storedCredentialsHexEncoded)</code> |
| <div class="block">Sets the indicator if this system's stored credential hash is Hex encoded or not.</div> |
| </td> |
| </tr> |
| </table> |
| <ul class="blockList"> |
| <li class="blockList"><a name="methods_inherited_from_class_org.apache.shiro.authc.credential.SimpleCredentialsMatcher"> |
| <!-- --> |
| </a> |
| <h3>Methods inherited from class org.apache.shiro.authc.credential.<a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">SimpleCredentialsMatcher</a></h3> |
| <code><a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html#equals(java.lang.Object, java.lang.Object)">equals</a>, <a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html#getCredentials(org.apache.shiro.authc.AuthenticationToken)">getCredentials</a></code></li> |
| </ul> |
| <ul class="blockList"> |
| <li class="blockList"><a name="methods_inherited_from_class_org.apache.shiro.codec.CodecSupport"> |
| <!-- --> |
| </a> |
| <h3>Methods inherited from class org.apache.shiro.codec.<a href="../../../../../org/apache/shiro/codec/CodecSupport.html" title="class in org.apache.shiro.codec">CodecSupport</a></h3> |
| <code><a href="../../../../../org/apache/shiro/codec/CodecSupport.html#isByteSource(java.lang.Object)">isByteSource</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#objectToBytes(java.lang.Object)">objectToBytes</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#objectToString(java.lang.Object)">objectToString</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toBytes(char[])">toBytes</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toBytes(char[], java.lang.String)">toBytes</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toBytes(java.io.File)">toBytes</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toBytes(java.io.InputStream)">toBytes</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toBytes(java.lang.Object)">toBytes</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toBytes(java.lang.String)">toBytes</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toBytes(java.lang.String, java.lang.String)">toBytes</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toChars(byte[])">toChars</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toChars(byte[], java.lang.String)">toChars</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toString(byte[])">toString</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toString(byte[], java.lang.String)">toString</a>, <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toString(java.lang.Object)">toString</a></code></li> |
| </ul> |
| <ul class="blockList"> |
| <li class="blockList"><a name="methods_inherited_from_class_java.lang.Object"> |
| <!-- --> |
| </a> |
| <h3>Methods inherited from class java.lang.<a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a></h3> |
| <code><a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#clone()" title="class or interface in java.lang">clone</a>, <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#equals(java.lang.Object)" title="class or interface in java.lang">equals</a>, <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#finalize()" title="class or interface in java.lang">finalize</a>, <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#getClass()" title="class or interface in java.lang">getClass</a>, <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#hashCode()" title="class or interface in java.lang">hashCode</a>, <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#notify()" title="class or interface in java.lang">notify</a>, <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#notifyAll()" title="class or interface in java.lang">notifyAll</a>, <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#toString()" title="class or interface in java.lang">toString</a>, <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#wait()" title="class or interface in java.lang">wait</a>, <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#wait(long)" title="class or interface in java.lang">wait</a>, <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true#wait(long, int)" title="class or interface in java.lang">wait</a></code></li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| </div> |
| <div class="details"> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <!-- ========= CONSTRUCTOR DETAIL ======== --> |
| <ul class="blockList"> |
| <li class="blockList"><a name="constructor_detail"> |
| <!-- --> |
| </a> |
| <h3>Constructor Detail</h3> |
| <a name="HashedCredentialsMatcher()"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>HashedCredentialsMatcher</h4> |
| <pre>public <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.135">HashedCredentialsMatcher</a>()</pre> |
| <div class="block">JavaBeans-compatible no-arg constructor intended for use in IoC/Dependency Injection environments. If you |
| use this constructor, you <em>MUST</em> also set the |
| <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#setHashAlgorithmName(java.lang.String)"><code>hashAlgorithmName</code></a> property, which determines the hash algorithm used for credentials matching.</div> |
| </li> |
| </ul> |
| <a name="HashedCredentialsMatcher(java.lang.String)"> |
| <!-- --> |
| </a> |
| <ul class="blockListLast"> |
| <li class="blockList"> |
| <h4>HashedCredentialsMatcher</h4> |
| <pre>public <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.149">HashedCredentialsMatcher</a>(<a href="http://java.sun.com/javase/6/docs/api/java/lang/String.html?is-external=true" title="class or interface in java.lang">String</a> hashAlgorithmName)</pre> |
| <div class="block">Creates an instance using the specified <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getHashAlgorithmName()"><code>hashAlgorithmName</code></a> to hash submitted |
| credentials.</div> |
| <dl><dt><span class="strong">Parameters:</span></dt><dd><code>hashAlgorithmName</code> - the <code>Hash</code> <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html#getAlgorithmName()"><code>algorithmName</code></a> |
| to use when performing hashes for credentials matching.</dd><dt><span class="strong">Since:</span></dt> |
| <dd>1.1</dd></dl> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| <!-- ============ METHOD DETAIL ========== --> |
| <ul class="blockList"> |
| <li class="blockList"><a name="method_detail"> |
| <!-- --> |
| </a> |
| <h3>Method Detail</h3> |
| <a name="getHashAlgorithmName()"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>getHashAlgorithmName</h4> |
| <pre>public <a href="http://java.sun.com/javase/6/docs/api/java/lang/String.html?is-external=true" title="class or interface in java.lang">String</a> <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.165">getHashAlgorithmName</a>()</pre> |
| <div class="block">Returns the <code>Hash</code> <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html#getAlgorithmName()"><code>algorithmName</code></a> to use |
| when performing hashes for credentials matching.</div> |
| <dl><dt><span class="strong">Returns:</span></dt><dd>the <code>Hash</code> <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html#getAlgorithmName()"><code>algorithmName</code></a> to use |
| when performing hashes for credentials matching.</dd><dt><span class="strong">Since:</span></dt> |
| <dd>1.1</dd></dl> |
| </li> |
| </ul> |
| <a name="setHashAlgorithmName(java.lang.String)"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>setHashAlgorithmName</h4> |
| <pre>public void <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.177">setHashAlgorithmName</a>(<a href="http://java.sun.com/javase/6/docs/api/java/lang/String.html?is-external=true" title="class or interface in java.lang">String</a> hashAlgorithmName)</pre> |
| <div class="block">Sets the <code>Hash</code> <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html#getAlgorithmName()"><code>algorithmName</code></a> to use |
| when performing hashes for credentials matching.</div> |
| <dl><dt><span class="strong">Parameters:</span></dt><dd><code>hashAlgorithmName</code> - the <code>Hash</code> <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html#getAlgorithmName()"><code>algorithmName</code></a> |
| to use when performing hashes for credentials matching.</dd><dt><span class="strong">Since:</span></dt> |
| <dd>1.1</dd></dl> |
| </li> |
| </ul> |
| <a name="isStoredCredentialsHexEncoded()"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>isStoredCredentialsHexEncoded</h4> |
| <pre>public boolean <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.192">isStoredCredentialsHexEncoded</a>()</pre> |
| <div class="block">Returns <code>true</code> if the system's stored credential hash is Hex encoded, <code>false</code> if it |
| is Base64 encoded. |
| <p/> |
| Default value is <code>true</code> for convenience - all of Shiro's <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html" title="interface in org.apache.shiro.crypto.hash"><code>Hash#toString()</code></a> |
| implementations return Hex encoded values by default, making this class's use with those implementations |
| easier.</div> |
| <dl><dt><span class="strong">Returns:</span></dt><dd><code>true</code> if the system's stored credential hash is Hex encoded, <code>false</code> if it |
| is Base64 encoded. Default is <code>true</code></dd></dl> |
| </li> |
| </ul> |
| <a name="setStoredCredentialsHexEncoded(boolean)"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>setStoredCredentialsHexEncoded</h4> |
| <pre>public void <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.209">setStoredCredentialsHexEncoded</a>(boolean storedCredentialsHexEncoded)</pre> |
| <div class="block">Sets the indicator if this system's stored credential hash is Hex encoded or not. |
| <p/> |
| A value of <code>true</code> will cause this class to decode the system credential from Hex, a |
| value of <code>false</code> will cause this class to decode the system credential from Base64. |
| <p/> |
| Unless overridden via this method, the default value is <code>true</code> for convenience - all of Shiro's |
| <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html" title="interface in org.apache.shiro.crypto.hash"><code>Hash#toString()</code></a> implementations return Hex encoded values by default, making this class's use with |
| those implementations easier.</div> |
| <dl><dt><span class="strong">Parameters:</span></dt><dd><code>storedCredentialsHexEncoded</code> - the indicator if this system's stored credential hash is Hex |
| encoded or not ('not' automatically implying it is Base64 encoded).</dd></dl> |
| </li> |
| </ul> |
| <a name="isHashSalted()"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>isHashSalted</h4> |
| <pre><a href="http://java.sun.com/javase/6/docs/api/java/lang/Deprecated.html?is-external=true" title="class or interface in java.lang">@Deprecated</a> |
| public boolean <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.237">isHashSalted</a>()</pre> |
| <div class="block"><span class="strong">Deprecated.</span> <i>since Shiro 1.1. Hash salting is now expected to be based on if the <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>AuthenticationInfo</code></a> |
| returned from the <code>Realm</code> is a <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> instance and its |
| <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html#getCredentialsSalt()"><code>getCredentialsSalt()</code></a> method returns a non-null value. |
| This method and the 1.0 behavior still exists for backwards compatibility if the <code>Realm</code> does not return |
| <code>SaltedAuthenticationInfo</code> instances, but <b>it is highly recommended that <code>Realm</code> implementations |
| that support hashed credentials start returning <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> |
| instances as soon as possible</b>. |
| <p/> |
| This is because salts should always be obtained from the stored account information and |
| never be derived from user/Subject-entered data. User-entered data is easier for attackers to |
| compromise, whereas account-unique (and securely randomly generated) salts that are never disseminated to the |
| end-user are almost impossible to break. This method will be removed in Shiro 2.0.</i></div> |
| <div class="block">Returns <code>true</code> if a submitted <code>AuthenticationToken</code>'s credentials should be salted when hashing, |
| <code>false</code> if it should not be salted. |
| <p/> |
| If enabled, the salt used will be obtained via the <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getSalt(org.apache.shiro.authc.AuthenticationToken)"><code>getSalt</code></a> method. |
| <p/> |
| The default value is <code>false</code>.</div> |
| <dl><dt><span class="strong">Returns:</span></dt><dd><code>true</code> if a submitted <code>AuthenticationToken</code>'s credentials should be salted when hashing, |
| <code>false</code> if it should not be salted.</dd></dl> |
| </li> |
| </ul> |
| <a name="setHashSalted(boolean)"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>setHashSalted</h4> |
| <pre><a href="http://java.sun.com/javase/6/docs/api/java/lang/Deprecated.html?is-external=true" title="class or interface in java.lang">@Deprecated</a> |
| public void <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.263">setHashSalted</a>(boolean hashSalted)</pre> |
| <div class="block"><span class="strong">Deprecated.</span> <i>since Shiro 1.1. Hash salting is now expected to be based on if the <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>AuthenticationInfo</code></a> |
| returned from the <code>Realm</code> is a <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> instance and its |
| <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html#getCredentialsSalt()"><code>getCredentialsSalt()</code></a> method returns a non-null value. |
| This method and the 1.0 behavior still exists for backwards compatibility if the <code>Realm</code> does not return |
| <code>SaltedAuthenticationInfo</code> instances, but <b>it is highly recommended that <code>Realm</code> implementations |
| that support hashed credentials start returning <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> |
| instances as soon as possible</b>. |
| <p/> |
| This is because salts should always be obtained from the stored account information and |
| never be derived from user/Subject-entered data. User-entered data is easier for attackers to |
| compromise, whereas account-unique (and securely randomly generated) salts that are never disseminated to the |
| end-user are almost impossible to break. This method will be removed in Shiro 2.0.</i></div> |
| <div class="block">Sets whether or not to salt a submitted <code>AuthenticationToken</code>'s credentials when hashing. |
| <p/> |
| If enabled, the salt used will be obtained via the <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getSalt(org.apache.shiro.authc.AuthenticationToken)"><code>getSalt</code></a> method. |
| <p/> |
| The default value is <code>false</code>.</div> |
| <dl><dt><span class="strong">Parameters:</span></dt><dd><code>hashSalted</code> - whether or not to salt a submitted <code>AuthenticationToken</code>'s credentials when hashing.</dd></dl> |
| </li> |
| </ul> |
| <a name="getHashIterations()"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>getHashIterations</h4> |
| <pre>public int <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.276">getHashIterations</a>()</pre> |
| <div class="block">Returns the number of times a submitted <code>AuthenticationToken</code>'s credentials will be hashed before |
| comparing to the credentials stored in the system. |
| <p/> |
| Unless overridden, the default value is <code>1</code>, meaning a normal hash execution will occur.</div> |
| <dl><dt><span class="strong">Returns:</span></dt><dd>the number of times a submitted <code>AuthenticationToken</code>'s credentials will be hashed before |
| comparing to the credentials stored in the system.</dd></dl> |
| </li> |
| </ul> |
| <a name="setHashIterations(int)"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>setHashIterations</h4> |
| <pre>public void <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.291">setHashIterations</a>(int hashIterations)</pre> |
| <div class="block">Sets the number of times a submitted <code>AuthenticationToken</code>'s credentials will be hashed before comparing |
| to the credentials stored in the system. |
| <p/> |
| Unless overridden, the default value is <code>1</code>, meaning a normal single hash execution will occur. |
| <p/> |
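| If this argument is less than 1 (i.e. 0 or negative), the default value of 1 is applied. There must always be |
| at least 1 hash iteration (otherwise there would be no hash). |
| <p/> |
| A single iteration adds no extra work for an attacker guessing passwords offline against disclosed hashes, so |
| password-based systems should configure a higher count. The value must equal the iteration count that was used |
| when the stored credentials were hashed, otherwise valid credentials will not match.</div> |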
| <dl><dt><span class="strong">Parameters:</span></dt><dd><code>hashIterations</code> - the number of times to hash a submitted <code>AuthenticationToken</code>'s credentials.</dd></dl> |
| </li> |
| </ul> |
| <a name="getSalt(org.apache.shiro.authc.AuthenticationToken)"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>getSalt</h4> |
| <pre><a href="http://java.sun.com/javase/6/docs/api/java/lang/Deprecated.html?is-external=true" title="class or interface in java.lang">@Deprecated</a> |
| protected <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a> <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.321">getSalt</a>(<a href="../../../../../org/apache/shiro/authc/AuthenticationToken.html" title="interface in org.apache.shiro.authc">AuthenticationToken</a> token)</pre> |
| <div class="block"><span class="strong">Deprecated.</span> <i>since Shiro 1.1. Hash salting is now expected to be based on if the <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>AuthenticationInfo</code></a> |
| returned from the <code>Realm</code> is a <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> instance and its |
| <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html#getCredentialsSalt()"><code>getCredentialsSalt()</code></a> method returns a non-null value. |
| This method and the 1.0 behavior still exists for backwards compatibility if the <code>Realm</code> does not return |
| <code>SaltedAuthenticationInfo</code> instances, but <b>it is highly recommended that <code>Realm</code> implementations |
| that support hashed credentials start returning <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> |
| instances as soon as possible</b>.<p/> |
| This is because salts should always be obtained from the stored account information and |
| never be derived from user/Subject-entered data. User-entered data is easier for attackers to |
| compromise, whereas account-unique (and securely randomly generated) salts that are never disseminated to the |
| end-user are almost impossible to break. This method will be removed in Shiro 2.0.</i></div> |
| <div class="block">Returns a salt value used to hash the token's credentials. |
| <p/> |
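| This default implementation merely returns <code>token.getPrincipal()</code>, effectively using the user's |
| identity (username, user id, etc) as the salt, a most common technique. Note that this salt comes from the |
| submitted token rather than from the stored account data, which is what the deprecation notice above advises |
| against. If you wish to provide the authentication token's salt another way, you may override this method.</div> |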
| <dl><dt><span class="strong">Parameters:</span></dt><dd><code>token</code> - the AuthenticationToken submitted during the authentication attempt.</dd> |
| <dt><span class="strong">Returns:</span></dt><dd>a salt value to use to hash the authentication token's credentials.</dd></dl> |
| </li> |
| </ul> |
| <a name="getCredentials(org.apache.shiro.authc.AuthenticationInfo)"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>getCredentials</h4> |
| <pre>protected <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a> <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.344">getCredentials</a>(<a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc">AuthenticationInfo</a> info)</pre> |
| <div class="block">Returns a <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html" title="interface in org.apache.shiro.crypto.hash"><code>Hash</code></a> instance representing the already-hashed AuthenticationInfo credentials stored in the system. |
| <p/> |
| This method reconstructs a <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html" title="interface in org.apache.shiro.crypto.hash"><code>Hash</code></a> instance based on a <code>info.getCredentials</code> call, |
| but it does <em>not</em> hash that value - it is expected that method call will return an already-hashed value. |
| <p/> |
| This implementation's reconstruction effort functions as follows: |
| <ol> |
| <li>Convert <code>info.getCredentials()</code> to a byte array via the <a href="../../../../../org/apache/shiro/codec/CodecSupport.html#toBytes(char[])"><code>toBytes</code></a> method.</li> |
| <li>If <code>info.getCredentials()</code> was originally a String or char[] before <code>toBytes</code> was |
| called, check for encoding: |
| <ul> |
| <li>If <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#storedCredentialsHexEncoded"><code>storedCredentialsHexEncoded</code></a>, Hex decode that byte array, otherwise |
| Base64 decode the byte array</li> |
| </ul></li> |
| <li>Set the byte[] array directly on the <code>Hash</code> implementation and return it.</li> |
| </ol></div> |
| <dl> |
| <dt><strong>Overrides:</strong></dt> |
| <dd><code><a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html#getCredentials(org.apache.shiro.authc.AuthenticationInfo)">getCredentials</a></code> in class <code><a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">SimpleCredentialsMatcher</a></code></dd> |
| <dt><span class="strong">Parameters:</span></dt><dd><code>info</code> - the AuthenticationInfo from which to retrieve the credentials, which are assumed to be in already-hashed form.</dd> |
| <dt><span class="strong">Returns:</span></dt><dd>a <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html" title="interface in org.apache.shiro.crypto.hash"><code>Hash</code></a> instance representing the given AuthenticationInfo's stored credentials.</dd></dl> |
| </li> |
| </ul> |
| <a name="doCredentialsMatch(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo)"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>doCredentialsMatch</h4> |
| <pre>public boolean <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.378">doCredentialsMatch</a>(<a href="../../../../../org/apache/shiro/authc/AuthenticationToken.html" title="interface in org.apache.shiro.authc">AuthenticationToken</a> token, |
| <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc">AuthenticationInfo</a> info)</pre> |
| <div class="block">This implementation first hashes the <code>token</code>'s credentials, potentially using a |
| <code>salt</code> if the <code>info</code> argument is a |
| <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a>. It then compares the hash |
| against the <code>AuthenticationInfo</code>'s |
| <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getCredentials(org.apache.shiro.authc.AuthenticationInfo)"><code>already-hashed credentials</code></a>. This method |
| returns <code>true</code> if those two values are <a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html#equals(java.lang.Object, java.lang.Object)"><code>equal</code></a>, <code>false</code> otherwise.</div> |
| <dl> |
| <dt><strong>Specified by:</strong></dt> |
| <dd><code><a href="../../../../../org/apache/shiro/authc/credential/CredentialsMatcher.html#doCredentialsMatch(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo)">doCredentialsMatch</a></code> in interface <code><a href="../../../../../org/apache/shiro/authc/credential/CredentialsMatcher.html" title="interface in org.apache.shiro.authc.credential">CredentialsMatcher</a></code></dd> |
| <dt><strong>Overrides:</strong></dt> |
| <dd><code><a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html#doCredentialsMatch(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo)">doCredentialsMatch</a></code> in class <code><a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html" title="class in org.apache.shiro.authc.credential">SimpleCredentialsMatcher</a></code></dd> |
| <dt><span class="strong">Parameters:</span></dt><dd><code>token</code> - the <code>AuthenticationToken</code> submitted during the authentication attempt.</dd><dd><code>info</code> - the <code>AuthenticationInfo</code> stored in the system matching the token principal</dd> |
| <dt><span class="strong">Returns:</span></dt><dd><code>true</code> if the provided token credentials hash matches the stored account credentials hash, |
| <code>false</code> otherwise</dd><dt><span class="strong">Since:</span></dt> |
| <dd>1.1</dd></dl> |
| </li> |
| </ul> |
| <a name="hashProvidedCredentials(org.apache.shiro.authc.AuthenticationToken, org.apache.shiro.authc.AuthenticationInfo)"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>hashProvidedCredentials</h4> |
| <pre>protected <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a> <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.402">hashProvidedCredentials</a>(<a href="../../../../../org/apache/shiro/authc/AuthenticationToken.html" title="interface in org.apache.shiro.authc">AuthenticationToken</a> token, |
| <a href="../../../../../org/apache/shiro/authc/AuthenticationInfo.html" title="interface in org.apache.shiro.authc">AuthenticationInfo</a> info)</pre> |
| <div class="block">Hash the provided <code>token</code>'s credentials using the salt stored with the account if the |
| <code>info</code> instance is an <code>instanceof</code> <a href="../../../../../org/apache/shiro/authc/SaltedAuthenticationInfo.html" title="interface in org.apache.shiro.authc"><code>SaltedAuthenticationInfo</code></a> (see |
| the class-level JavaDoc for why this is the preferred approach). |
| <p/> |
| If the <code>info</code> instance is <em>not</em> |
| an <code>instanceof</code> <code>SaltedAuthenticationInfo</code>, the logic will fall back to Shiro 1.0 |
| backwards-compatible logic: it will first check to see <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#isHashSalted()"><code>isHashSalted</code></a> and if so, will try |
| to acquire the salt from <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getSalt(org.apache.shiro.authc.AuthenticationToken)"><code>getSalt(AuthenticationToken)</code></a>. See the class-level |
| JavaDoc for why this is not recommended. This 'fallback' logic exists only for backwards-compatibility. |
| <code>Realm</code>s should be updated as soon as possible to return <code>SaltedAuthenticationInfo</code> instances |
| if account credentials salting is enabled (highly recommended for password-based systems).</div> |
| <dl><dt><span class="strong">Parameters:</span></dt><dd><code>token</code> - the submitted authentication token from which its credentials will be hashed</dd><dd><code>info</code> - the stored account data, potentially used to acquire a salt</dd> |
| <dt><span class="strong">Returns:</span></dt><dd>the token credentials hash</dd><dt><span class="strong">Since:</span></dt> |
| <dd>1.1</dd></dl> |
| </li> |
| </ul> |
| <a name="hashProvidedCredentials(java.lang.Object, java.lang.Object, int)"> |
| <!-- --> |
| </a> |
| <ul class="blockList"> |
| <li class="blockList"> |
| <h4>hashProvidedCredentials</h4> |
| <pre>protected <a href="../../../../../org/apache/shiro/crypto/hash/Hash.html" title="interface in org.apache.shiro.crypto.hash">Hash</a> <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.443">hashProvidedCredentials</a>(<a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a> credentials, |
| <a href="http://java.sun.com/javase/6/docs/api/java/lang/Object.html?is-external=true" title="class or interface in java.lang">Object</a> salt, |
| int hashIterations)</pre> |
| <div class="block">Hashes the provided credentials a total of <code>hashIterations</code> times, using the given salt. The hash |
| implementation/algorithm used is based on the <a href="../../../../../org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#getHashAlgorithmName()"><code>hashAlgorithmName</code></a> property.</div> |
| <dl><dt><span class="strong">Parameters:</span></dt><dd><code>credentials</code> - the submitted authentication token's credentials to hash</dd><dd><code>salt</code> - the value to salt the hash, or <code>null</code> if a salt will not be used.</dd><dd><code>hashIterations</code> - the number of times to hash the credentials. At least one hash will always occur though, |
| even if this argument is 0 or negative.</dd> |
| <dt><span class="strong">Returns:</span></dt><dd>the hashed value of the provided credentials, according to the specified salt and hash iterations.</dd></dl> |
| </li> |
| </ul> |
| <a name="newHashInstance()"> |
| <!-- --> |
| </a> |
| <ul class="blockListLast"> |
| <li class="blockList"> |
| <h4>newHashInstance</h4> |
| <pre>protected <a href="../../../../../org/apache/shiro/crypto/hash/AbstractHash.html" title="class in org.apache.shiro.crypto.hash">AbstractHash</a> <a href="../../../../../src-html/org/apache/shiro/authc/credential/HashedCredentialsMatcher.html#line.454">newHashInstance</a>()</pre> |
| <div class="block">Returns a new, <em>uninitialized</em> <code>AbstractHash</code> instance, without its byte array set. Used as a utility method in the |
| <a href="../../../../../org/apache/shiro/authc/credential/SimpleCredentialsMatcher.html#getCredentials(org.apache.shiro.authc.AuthenticationInfo)"><code>getCredentials(AuthenticationInfo)</code></a> implementation.</div> |
| <dl><dt><span class="strong">Returns:</span></dt><dd>a new, <em>uninitialized</em> instance, without its byte array set.</dd></dl> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| </li> |
| </ul> |
| </div> |
| </div> |
| <!-- ========= END OF CLASS DATA ========= --> |
| <p class="legalCopy"><small>Copyright © 2004-2016 <a href="http://www.apache.org/">The Apache Software Foundation</a>. All Rights Reserved.</small></p> |
| </body> |
| </html> |