[Bug] Stored Shiro1 passwords can not be correctly matched when private salts are used

[mdgomes]

Search before asking

• I had searched in the issues, including closed issues and found no similar issues.

Environment

Java 21, shiro-core, plain java

Shiro version

2.0.6

What was the actual outcome?

Failure to match password

What was the expected outcome?

Password was matched correctly

How to reproduce

Hi, I'm having issues migrating from Shiro 1 to 2, and before anyone suggests, reseting passwords and asking users to create new ones is not a valid suggestion for my use case, I can't seem to figure out how to actually make Shiro2 work with private salts.

Take a Shiro1 hashed password generated with the 1.x version (i.e. 1.13), take the plainText password and use the passwordsMatch(String,String) method to validate the passwords.

Example saved password (String storedPassword): $shiro1$SHA-256$500000$qP2nXnatLnmrr+LQeZxnQg==$ABXgt5ZDlgCRRyaxXORR/QFrpZMW77didcJ8P7AYs/M=
Associated plain text (String plainText): "admin"

Setup:

PasswordService passwordService = new DefaultPasswordService();
DefaultHashService hashService = new DefaultHashService();
hashService.setDefaultAlgorithmName("SHA-256");
passwordService.setHashService(hashService);
Shiro1CryptFormat hashFormat = new Shiro1CryptFormat();
passwordService.setHashFormat(hashFormat);

// Assert true: passwordService.passwordsMatch(plainText, storedPassword) fails

Our saved password was created using a private salt. And previously (i.e. 1.13) the passwordsMatch method was successful because of this the passwordsMatch(plainText, savedHash) did this:

    public boolean passwordsMatch(Object plaintext, Hash saved) {
        ByteSource plaintextBytes = createByteSource(plaintext);

        if (saved == null || saved.isEmpty()) {
            return plaintextBytes == null || plaintextBytes.isEmpty();
        } else {
            if (plaintextBytes == null || plaintextBytes.isEmpty()) {
                return false;
            }
        }

        HashRequest request = buildHashRequest(plaintextBytes, saved);

        Hash computed = this.hashService.computeHash(request);

        return constantEquals(saved.toString(), computed.toString());
    }

Specifically the computeHash call, which combines the private and public salts.

The current 2.x method flow for the passwordsMatch(Object plainText, Hash saved) never calls computeHash so the passwords never match.

So either I'm missing how Shiro 2.x handles the Shiro 1 format or the way to handle stored passwords is to override the DefaultPasswordService with support for using private salts.

Can you help?

Debug logs

No response

[bmarwell]

Hi! I kinda remember what was done for Shiro 2... To be honest: if possible, do not use storing passwords using Shiro at all. It excels in Authentication and Authorization, but I always found password storage incomplete.

I will take a look into it when I feel better. It's highly possible you can just write an add-on class.