@Override public void updateUserPassword(final String username, final String password, final String updatedBy) throws SecurityApiException { final ByteSource salt = rng.nextBytes(); final String hashedPasswordBase64 = new SimpleHash(KillbillCredentialsMatcher.HASH_ALGORITHM_NAME, password, salt.toBase64(), securityConfig.getShiroNbHashIterations()).toBase64(); inTransactionWithExceptionHandling(new TransactionCallback<Void>() { @Override public Void inTransaction(final Handle handle, final TransactionStatus status) throws Exception { final DateTime updatedDate = clock.getUTCNow(); final UsersSqlDao usersSqlDao = handle.attach(UsersSqlDao.class); final UserModelDao userModelDao = usersSqlDao.getByUsername(username); if (userModelDao == null) { throw new SecurityApiException(ErrorCode.SECURITY_INVALID_USER, username); } usersSqlDao.updatePassword(username, hashedPasswordBase64, salt.toBase64(), updatedDate.toDate(), updatedBy); return null; } }); }
@Override public void create(final TenantModelDao entity, final InternalCallContext context) throws TenantApiException { // Create the salt and password final ByteSource salt = rng.nextBytes(); // Hash the plain-text password with the random salt and multiple iterations and then Base64-encode the value (requires less space than Hex) final String hashedPasswordBase64 = new SimpleHash(KillbillCredentialsMatcher.HASH_ALGORITHM_NAME, entity.getApiSecret(), salt, securityConfig.getShiroNbHashIterations()).toBase64(); transactionalSqlDao.execute(false, new EntitySqlDaoTransactionWrapper<Void>() { @Override public Void inTransaction(final EntitySqlDaoWrapperFactory entitySqlDaoWrapperFactory) throws Exception { final TenantModelDao tenantModelDaoWithSecret = new TenantModelDao(entity.getId(), context.getCreatedDate(), context.getUpdatedDate(), entity.getExternalKey(), entity.getApiKey(), hashedPasswordBase64, salt.toBase64()); final TenantSqlDao tenantSqlDao = entitySqlDaoWrapperFactory.become(TenantSqlDao.class); createAndRefresh(tenantSqlDao, tenantModelDaoWithSecret, context); return null; } }); }
@Override public void insertUser(final String username, final String password, final List<String> roles, final String createdBy) throws SecurityApiException { final ByteSource salt = rng.nextBytes(); final String hashedPasswordBase64 = new SimpleHash(KillbillCredentialsMatcher.HASH_ALGORITHM_NAME, password, salt.toBase64(), securityConfig.getShiroNbHashIterations()).toBase64(); final DateTime createdDate = clock.getUTCNow(); inTransactionWithExceptionHandling(new TransactionCallback<Void>() { @Override public Void inTransaction(final Handle handle, final TransactionStatus status) throws Exception { final UserRolesSqlDao userRolesSqlDao = handle.attach(UserRolesSqlDao.class); for (final String role : roles) { userRolesSqlDao.create(new UserRolesModelDao(username, role, createdDate, createdBy)); } final UsersSqlDao usersSqlDao = handle.attach(UsersSqlDao.class); final UserModelDao userModelDao = usersSqlDao.getByUsername(username); if (userModelDao != null) { throw new SecurityApiException(ErrorCode.SECURITY_USER_ALREADY_EXISTS, username); } usersSqlDao.create(new UserModelDao(username, hashedPasswordBase64, salt.toBase64(), createdDate, createdBy)); return null; } }); }
publicSalt = getRandomNumberGenerator().nextBytes();
public void add(final String userName, final String password, final String email) { try { Hash hash = new SimpleHash(Sha256Hash.ALGORITHM_NAME, password, rng.nextBytes(), 1024); AuthorizedUser user = new AuthorizedUser(userName, hash, email); dao.create(user); } catch (SQLException ex) { Logger.getLogger(AuthorizedUserRepository.class).error("Error adding a user to DB - ", ex); } }
private ByteSource generateRandomSalt( int bytesSize ) { return getRandomNumberGenerator().nextBytes( bytesSize ); } }
RandomNumberGenerator rng = new SecureRandomNumberGenerator(); Object salt = rng.nextBytes(); //Now hash the plain-text password with the random salt and multiple //iterations and then Base64-encode the value (requires less space than Hex): String hashedPasswordBase64 = new Sha256Hash(password, salt, 1024).toBase64();
import org.apache.shiro.crypto.hash.Sha256Hash; import org.apache.shiro.crypto.RandomNumberGenerator; import org.apache.shiro.crypto.SecureRandomNumberGenerator; ... //We'll use a Random Number Generator to generate salts. This //is much more secure than using a username as a salt or not //having a salt at all. Shiro makes this easy. // //Note that a normal app would reference an attribute rather //than create a new RNG every time: RandomNumberGenerator rng = new SecureRandomNumberGenerator(); Object salt = rng.nextBytes(); //Now hash the plain-text password with the random salt and multiple //iterations and then Base64-encode the value (requires less space than Hex): String hashedPasswordBase64 = new Sha256Hash(plainTextPassword, salt, 1024).toBase64(); User user = new User(username, hashedPasswordBase64); //save the salt with the new account. The HashedCredentialsMatcher //will need it later when handling login attempts: user.setPasswordSalt(salt); userDAO.create(user);
/** * Generates a salt for use with password salting * * @return randomly generated salt in Base64 format */ public static String generateSalt() { // Generate a random salt for a password (password salt is Base64) RandomNumberGenerator rng = new SecureRandomNumberGenerator(); return rng.nextBytes().toBase64(); }
private byte[] randomBytes(int length) { RandomNumberGenerator generator = new SecureRandomNumberGenerator(); return generator.nextBytes(length).getBytes(); }
private byte randomByte(int max) { RandomNumberGenerator generator = new SecureRandomNumberGenerator(); return (byte) (generator.nextBytes(1).getBytes()[0] % max); }
public ConstantKeyConstantSuffixAESECB(byte[] suffix, boolean shouldAddRandomPrefix) { RandomNumberGenerator generator = new SecureRandomNumberGenerator(); key = generator.nextBytes(aesecb.getBlockSize()).getBytes(); this.suffix = suffix; this.shouldAddRandomPrefix = shouldAddRandomPrefix; }
public NoIvMessageValidatingConstantKeyAESCBC() { RandomNumberGenerator generator = new SecureRandomNumberGenerator(); this.key = generator.nextBytes(aescbc.getBlockSize()).getBytes(); }
@Override protected byte[] getIv() { RandomNumberGenerator generator = new SecureRandomNumberGenerator(); return generator.nextBytes(getBlockSize()).getBytes(); }
public ConstantKeyAESCBC(byte[] key) { this.key = key; RandomNumberGenerator generator = new SecureRandomNumberGenerator(); iv = generator.nextBytes(aescbc.getBlockSize()).getBytes(); }
public ConstantKeyAESCTR() { RandomNumberGenerator generator = new SecureRandomNumberGenerator(); key = generator.nextBytes(aesctr.getBlockSize()).getBytes(); }
private static void encryptPassword(User user) throws UnsupportedEncodingException { RandomNumberGenerator rng = new SecureRandomNumberGenerator(); ByteSource byteSource = rng.nextBytes(); String salt = byteSource.toBase64(); String hashedPasswordBase64 = new Sha256Hash(user.getPassword(), salt, 1024).toBase64(); user.setPassword(hashedPasswordBase64); user.setSalt(salt); }
@Override public void create(final TenantModelDao entity, final InternalCallContext context) throws TenantApiException { // Create the salt and password final ByteSource salt = rng.nextBytes(); // Hash the plain-text password with the random salt and multiple iterations and then Base64-encode the value (requires less space than Hex) final String hashedPasswordBase64 = new SimpleHash(KillbillCredentialsMatcher.HASH_ALGORITHM_NAME, entity.getApiSecret(), salt, KillbillCredentialsMatcher.HASH_ITERATIONS).toBase64(); transactionalSqlDao.execute(new EntitySqlDaoTransactionWrapper<Void>() { @Override public Void inTransaction(final EntitySqlDaoWrapperFactory<EntitySqlDao> entitySqlDaoWrapperFactory) throws Exception { final TenantModelDao tenantModelDaoWithSecret = new TenantModelDao(entity.getId(), context.getCreatedDate(), context.getUpdatedDate(), entity.getExternalKey(), entity.getApiKey(), hashedPasswordBase64, salt.toBase64()); entitySqlDaoWrapperFactory.become(TenantSqlDao.class).create(tenantModelDaoWithSecret, context); return null; } }); }