Using Encrypted Passwords in Shiro

This is one of those topics that generates opinion on alternatives and improvement, but for our purposes we're going to cover using encrypted passwords in Shiro from the standpoint of simplicity with a reasonable amount of security. The source code can be found in my Bootique Shiro Demo app on GitHub.

The User Data

First let's look at our User records: UserId, username, email and the hashed password as a VARCHAR(255). There is no salt column, just the password, unrecognizable to all except Shiro, which performs the encrypting and decrypting for us as you will see. And very simply.

Creating a User Password

We'll encrypt the password in our User Service using Shiro's Sha256Hash(). Notice that we then convert it to hex with toHex(); this step is very important.

Realm Credentials Matching

For our Realm to correctly authenticate the User against our Sha256Hash encryption, we have to set its CredentialsMatcher.

Authenticating the User

In our NixmashRealm's doGetAuthenticationInfo(token) method, where we retrieve and authenticate the user on login, we use Shiro's SimpleAuthenticationInfo() to authenticate the user, which matches our encrypted password to the clear "password" entered in the UsernamePasswordToken.
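As an added example (not the demo app's own code), here are the three steps above in one runnable Java class: hashing with Sha256Hash().toHex(), configuring the matcher, and returning SimpleAuthenticationInfo from the realm. It assumes the users table can be replaced by a constructed in-memory map and names the realm DemoRealm rather than NixmashRealm.

```java
import java.util.*;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;

public class HashedPasswordDemo {
    // Stand-in for the users table: username -> hex SHA-256 of the password (no salt column, as in the post).
    static final Map<String, String> USERS = new HashMap<>();

    // User Service step: hash the clear password and keep the hex form for the VARCHAR column.
    static String hashPassword(String clearPassword) {
        return new Sha256Hash(clearPassword).toHex();
    }

    static class DemoRealm extends AuthorizingRealm {
        DemoRealm() {
            // Matcher must agree with hashPassword(): SHA-256, hex-encoded, one iteration, no salt.
            // A per-user salt and many iterations would be the stronger choice; this mirrors the post's scheme.
            HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
            matcher.setStoredCredentialsHexEncoded(true);
            setCredentialsMatcher(matcher);
        }

        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
            String username = ((UsernamePasswordToken) token).getUsername();
            String storedHash = USERS.get(username);
            if (storedHash == null) throw new UnknownAccountException("no account: " + username);
            // Shiro hashes the submitted clear password the same way and compares it to storedHash.
            return new SimpleAuthenticationInfo(username, storedHash, getName());
        }

        @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
            return new SimpleAuthorizationInfo();
        }
    }

    public static void main(String[] args) {
        USERS.put("alice", hashPassword("correct horse")); // constructed sample user
        DemoRealm realm = new DemoRealm();
        realm.getAuthenticationInfo(new UsernamePasswordToken("alice", "correct horse")); // accepted
        try {
            realm.getAuthenticationInfo(new UsernamePasswordToken("alice", "wrong"));
        } catch (IncorrectCredentialsException e) {
            System.out.println("wrong password rejected"); // matcher compared hashes, not clear text
        }
    }
}
```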

Source Code Notes for this Post

Source code discussed in this post is found in my Bootique Shiro Demo app on GitHub.