/**
 * Compares the hash of the submitted {@code token}'s credentials with the credentials already stored for the
 * account.
 * <p/>
 * The submitted credentials are hashed via
 * {@link #hashProvidedCredentials(AuthenticationToken, AuthenticationInfo)}, which uses the account's salt when
 * {@code info} is a {@link org.apache.shiro.authc.SaltedAuthenticationInfo SaltedAuthenticationInfo}. The stored
 * value is obtained via {@link #getCredentials(org.apache.shiro.authc.AuthenticationInfo)} and the two are then
 * compared with {@link #equals(Object, Object)}.
 * <p/>
 * NOTE: the comparison semantics, including whether the comparison runs in constant time, are entirely those of
 * {@link #equals(Object, Object)}, which is defined outside this method; this method only forwards its result.
 *
 * @param token the {@code AuthenticationToken} submitted during the authentication attempt
 * @param info  the {@code AuthenticationInfo} stored for the principal named by the token
 * @return {@code true} if the hash of the submitted credentials equals the stored credentials hash,
 *         {@code false} otherwise
 * @since 1.1
 */
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
    // Java evaluates arguments left to right, so the submitted credentials are hashed before the stored
    // credentials are looked up - the same order as the two-statement form.
    return equals(hashProvidedCredentials(token, info), getCredentials(info));
}
/**
 * Hashes the submitted {@code token}'s credentials with the salt that applies to the account, then delegates to
 * the three-argument {@code hashProvidedCredentials} overload together with the configured
 * {@link #getHashIterations() iteration count}.
 * <p/>
 * Salt resolution order:
 * <ol>
 * <li>If {@code info} is a {@link SaltedAuthenticationInfo SaltedAuthenticationInfo}, the per-account salt from
 * {@code getCredentialsSalt()} is used. This is the recommended approach; see the class-level JavaDoc.</li>
 * <li>Otherwise, if {@link #isHashSalted() isHashSalted} is {@code true}, the Shiro 1.0 fallback
 * {@link #getSalt(AuthenticationToken) getSalt(AuthenticationToken)} is used. This path exists only for
 * backwards compatibility and is not recommended; {@code Realm}s should return
 * {@code SaltedAuthenticationInfo} instances whenever credential salting is enabled.</li>
 * <li>Otherwise the salt is {@code null}.</li>
 * </ol>
 *
 * @param token the submitted authentication token whose credentials will be hashed
 * @param info  the stored account data, consulted for a per-account salt
 * @return the hash of the token's credentials
 * @since 1.1
 */
protected Object hashProvidedCredentials(AuthenticationToken token, AuthenticationInfo info) {
    final Object salt;
    if (info instanceof SaltedAuthenticationInfo) {
        salt = ((SaltedAuthenticationInfo) info).getCredentialsSalt();
    } else if (isHashSalted()) {
        // Shiro 1.0 backwards-compatibility path: the salt is derived from the token, not the account.
        salt = getSalt(token);
    } else {
        salt = null;
    }
    return hashProvidedCredentials(token.getCredentials(), salt, getHashIterations());
}
/**
 * Compares the hash of the submitted {@code token}'s credentials with the credentials already stored for the
 * account.
 * <p/>
 * The submitted credentials are hashed via
 * {@link #hashProvidedCredentials(AuthenticationToken, AuthenticationInfo)}, which uses the account's salt when
 * {@code info} is a {@link org.apache.shiro.authc.SaltedAuthenticationInfo SaltedAuthenticationInfo}. The stored
 * value is obtained via {@link #getCredentials(org.apache.shiro.authc.AuthenticationInfo)} and the two are then
 * compared with {@link #equals(Object, Object)}.
 * <p/>
 * NOTE: the comparison semantics, including whether the comparison runs in constant time, are entirely those of
 * {@link #equals(Object, Object)}, which is defined outside this method; this method only forwards its result.
 *
 * @param token the {@code AuthenticationToken} submitted during the authentication attempt
 * @param info  the {@code AuthenticationInfo} stored for the principal named by the token
 * @return {@code true} if the hash of the submitted credentials equals the stored credentials hash,
 *         {@code false} otherwise
 * @since 1.1
 */
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
    // Java evaluates arguments left to right, so the submitted credentials are hashed before the stored
    // credentials are looked up - the same order as the two-statement form.
    return equals(hashProvidedCredentials(token, info), getCredentials(info));
}
/**
 * Hashes the submitted {@code token}'s credentials with the salt that applies to the account, then delegates to
 * the three-argument {@code hashProvidedCredentials} overload together with the configured
 * {@link #getHashIterations() iteration count}.
 * <p/>
 * Salt resolution order:
 * <ol>
 * <li>If {@code info} is a {@link SaltedAuthenticationInfo SaltedAuthenticationInfo}, the per-account salt from
 * {@code getCredentialsSalt()} is used. This is the recommended approach; see the class-level JavaDoc.</li>
 * <li>Otherwise, if {@link #isHashSalted() isHashSalted} is {@code true}, the Shiro 1.0 fallback
 * {@link #getSalt(AuthenticationToken) getSalt(AuthenticationToken)} is used. This path exists only for
 * backwards compatibility and is not recommended; {@code Realm}s should return
 * {@code SaltedAuthenticationInfo} instances whenever credential salting is enabled.</li>
 * <li>Otherwise the salt is {@code null}.</li>
 * </ol>
 *
 * @param token the submitted authentication token whose credentials will be hashed
 * @param info  the stored account data, consulted for a per-account salt
 * @return the hash of the token's credentials
 * @since 1.1
 */
protected Object hashProvidedCredentials(AuthenticationToken token, AuthenticationInfo info) {
    final Object salt;
    if (info instanceof SaltedAuthenticationInfo) {
        salt = ((SaltedAuthenticationInfo) info).getCredentialsSalt();
    } else if (isHashSalted()) {
        // Shiro 1.0 backwards-compatibility path: the salt is derived from the token, not the account.
        salt = getSalt(token);
    } else {
        salt = null;
    }
    return hashProvidedCredentials(token.getCredentials(), salt, getHashIterations());
}
/**
 * Compares the hash of the submitted {@code token}'s credentials with the credentials already stored for the
 * account.
 * <p/>
 * The submitted credentials are hashed via
 * {@link #hashProvidedCredentials(AuthenticationToken, AuthenticationInfo)}, which uses the account's salt when
 * {@code info} is a {@link org.apache.shiro.authc.SaltedAuthenticationInfo SaltedAuthenticationInfo}. The stored
 * value is obtained via {@link #getCredentials(org.apache.shiro.authc.AuthenticationInfo)} and the two are then
 * compared with {@link #equals(Object, Object)}.
 * <p/>
 * NOTE: the comparison semantics, including whether the comparison runs in constant time, are entirely those of
 * {@link #equals(Object, Object)}, which is defined outside this method; this method only forwards its result.
 *
 * @param token the {@code AuthenticationToken} submitted during the authentication attempt
 * @param info  the {@code AuthenticationInfo} stored for the principal named by the token
 * @return {@code true} if the hash of the submitted credentials equals the stored credentials hash,
 *         {@code false} otherwise
 * @since 1.1
 */
@Override
public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
    // Java evaluates arguments left to right, so the submitted credentials are hashed before the stored
    // credentials are looked up - the same order as the two-statement form.
    return equals(hashProvidedCredentials(token, info), getCredentials(info));
}
/**
 * Hashes the submitted {@code token}'s credentials with the salt that applies to the account, then delegates to
 * the three-argument {@code hashProvidedCredentials} overload together with the configured
 * {@link #getHashIterations() iteration count}.
 * <p/>
 * Salt resolution order:
 * <ol>
 * <li>If {@code info} is a {@link SaltedAuthenticationInfo SaltedAuthenticationInfo}, the per-account salt from
 * {@code getCredentialsSalt()} is used. This is the recommended approach; see the class-level JavaDoc.</li>
 * <li>Otherwise, if {@link #isHashSalted() isHashSalted} is {@code true}, the Shiro 1.0 fallback
 * {@link #getSalt(AuthenticationToken) getSalt(AuthenticationToken)} is used. This path exists only for
 * backwards compatibility and is not recommended; {@code Realm}s should return
 * {@code SaltedAuthenticationInfo} instances whenever credential salting is enabled.</li>
 * <li>Otherwise the salt is {@code null}.</li>
 * </ol>
 *
 * @param token the submitted authentication token whose credentials will be hashed
 * @param info  the stored account data, consulted for a per-account salt
 * @return the hash of the token's credentials
 * @since 1.1
 */
protected Object hashProvidedCredentials(AuthenticationToken token, AuthenticationInfo info) {
    final Object salt;
    if (info instanceof SaltedAuthenticationInfo) {
        salt = ((SaltedAuthenticationInfo) info).getCredentialsSalt();
    } else if (isHashSalted()) {
        // Shiro 1.0 backwards-compatibility path: the salt is derived from the token, not the account.
        salt = getSalt(token);
    } else {
        salt = null;
    }
    return hashProvidedCredentials(token.getCredentials(), salt, getHashIterations());
}