
Hashing and Salting passwords with Shiro

In Apache Shiro, the default hash implementation is as follows:

        MessageDigest digest = getDigest(getAlgorithmName());
        if (salt != null) {
            digest.reset();
            digest.update(salt);
        }
        byte[] hashed = digest.digest(bytes);
        int iterations = hashIterations - 1; //already hashed once above
        //iterate remaining number:
        for (int i = 0; i < iterations; i++) {
            digest.reset();
            hashed = digest.digest(hashed);
        }
        return hashed;

Notice how it puts the salt first. We are having to authenticate against a legacy system where the hashes were password + salt and not salt + password.

I'm currently doing the concat outside this method call and passing null in for the salt. Aside from subclassing and overriding this method, is there a better way than what I'm having to do?


It turns out subclassing SimpleHash and overriding one method did the trick. Just reset the digest, add the salt then the pw, and then digest it, and it works fine.
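The input-order difference discussed above, as an added example that is not code from the post or from Shiro: it uses only the JDK's `MessageDigest`, repeats the iteration loop from the snippet, and compares the password + salt order, the salt + password order, and the concat-with-null-salt workaround. The class and method names, the SHA-256 algorithm, the iteration count and the sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class LegacyOrderHash {

    // Same loop as the Shiro snippet, except the first round feeds `parts`
    // to the digest in the order given instead of always salt-first.
    static byte[] hash(String algorithm, int hashIterations, byte[]... parts)
            throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance(algorithm);
        for (byte[] part : parts) {
            digest.update(part);
        }
        byte[] hashed = digest.digest();
        for (int i = 0; i < hashIterations - 1; i++) { // already hashed once above
            digest.reset();
            hashed = digest.digest(hashed);
        }
        return hashed;
    }

    // Joins two byte arrays, as the "concat outside the method call" workaround does.
    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = new byte[a.length + b.length];
        System.arraycopy(a, 0, out, 0, a.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample values; algorithm and iteration count are assumptions.
        byte[] password = "correct horse".getBytes(StandardCharsets.UTF_8);
        byte[] salt = "legacy-salt".getBytes(StandardCharsets.UTF_8);
        String algorithm = "SHA-256";
        int iterations = 1024;

        byte[] legacy = hash(algorithm, iterations, password, salt);             // password + salt
        byte[] shiroOrder = hash(algorithm, iterations, salt, password);         // salt + password
        byte[] workaround = hash(algorithm, iterations, concat(password, salt)); // null salt

        // MessageDigest.isEqual compares in constant time, which is what a
        // credential check against a stored legacy hash should use.
        System.out.println("ordered updates == concat workaround: "
                + MessageDigest.isEqual(legacy, workaround));
        System.out.println("password+salt == salt+password:       "
                + MessageDigest.isEqual(legacy, shiroOrder));
    }
}
```

Feeding the digest two `update` calls in order hashes the same byte stream as a single call on the concatenated array, so an override and the external concat produce identical legacy hashes; only the order of the two inputs changes the result.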
