Hashing and salting passwords with Shiro
In Apache Shiro, the default hash implementation is as follows:
    protected byte[] hash(byte[] bytes, byte[] salt, int hashIterations) throws UnknownAlgorithmException {
        MessageDigest digest = getDigest(getAlgorithmName());
        if (salt != null) {
            digest.reset();
            digest.update(salt);
        }
        byte[] hashed = digest.digest(bytes);
        int iterations = hashIterations - 1; // already hashed once above
        // iterate remaining number:
        for (int i = 0; i < iterations; i++) {
            digest.reset();
            hashed = digest.digest(hashed);
        }
        return hashed;
    }
Notice how it puts the salt first. We are having to authenticate against a legacy system where the hashes were password + salt and not salt + password.
I'm currently doing the concatenation outside this method call and passing null in for the salt. Aside from subclassing and overriding this method, is there a better way than what I'm having to do?
It turns out subclassing SimpleHash and overriding one method did the trick. Just reset the digest, add the salt, then the password, and then digest it, and it works fine.
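An added example of that approach (not the poster's code): a SimpleHash subclass whose overridden hash() digests the source bytes before the salt, matching a legacy hash(password + salt) store, with iterations applied exactly as Shiro's default does. The SHA-256 algorithm name, hex-encoded storage, and the matchesLegacy helper are assumptions for illustration.

```java
import java.security.MessageDigest;

import org.apache.shiro.codec.Hex;
import org.apache.shiro.crypto.UnknownAlgorithmException;
import org.apache.shiro.crypto.hash.SimpleHash;

/**
 * SimpleHash variant that digests the password bytes first and the salt second,
 * matching a legacy store that computed hash(password + salt).
 */
public class PasswordThenSaltHash extends SimpleHash {

    public PasswordThenSaltHash(String algorithmName, Object source, Object salt, int hashIterations) {
        // SimpleHash's constructor calls hash(...) right away, so the override
        // below is what computes the stored bytes; no subclass state is needed.
        super(algorithmName, source, salt, hashIterations);
    }

    @Override
    protected byte[] hash(byte[] bytes, byte[] salt, int hashIterations) throws UnknownAlgorithmException {
        MessageDigest digest = getDigest(getAlgorithmName());
        digest.reset();
        digest.update(bytes);            // password (source) first ...
        if (salt != null) {
            digest.update(salt);         // ... then the salt: the legacy order
        }
        byte[] hashed = digest.digest();
        // Remaining iterations re-digest the previous output, as the default does.
        for (int i = 0; i < hashIterations - 1; i++) {
            digest.reset();
            hashed = digest.digest(hashed);
        }
        return hashed;
    }

    /**
     * Hypothetical helper: checks a submitted password against one user's stored
     * legacy hash, given a hex-encoded hash and salt (assumed storage format).
     * MessageDigest.isEqual keeps the comparison constant-time.
     */
    public static boolean matchesLegacy(String storedHashHex, String saltHex,
                                        String submittedPassword, int iterations) {
        byte[] salt = Hex.decode(saltHex);
        SimpleHash candidate = new PasswordThenSaltHash("SHA-256", submittedPassword, salt, iterations);
        return MessageDigest.isEqual(candidate.getBytes(), Hex.decode(storedHashHex));
    }
}
```

Because the class only reorders the digest inputs, the same subclass can be plugged into a HashedCredentialsMatcher-style flow wherever a SimpleHash is constructed today.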