Class DefaultPasswordService

java.lang.Object
org.apache.shiro.authc.credential.DefaultPasswordService
All Implemented Interfaces:
HashingPasswordService, PasswordService

public class DefaultPasswordService extends Object implements HashingPasswordService
Default implementation of the PasswordService interface that relies on an internal HashService, HashFormat, and HashFormatFactory to function:

Hashing Passwords

Comparing Passwords

All hashing operations are performed by the internal hashService.
Since:
1.2
  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    default hash algorithm.
  • Constructor Summary

    Constructors
    Constructor
    Description
    Constructs a new PasswordService with a default hash service and the default algorithm name "argon2id", a default hash format (shiro2) and a default hash format factory.
  • Method Summary

    Modifier and Type
    Method
    Description
    protected void
     
    protected org.apache.shiro.lang.util.ByteSource
     
    protected org.apache.shiro.crypto.hash.HashRequest
    createHashRequest(org.apache.shiro.lang.util.ByteSource plaintext)
     
    Converts the specified plaintext password (usually acquired from your application's 'new user' or 'password reset' workflow) into a formatted string safe for storage.
    org.apache.shiro.crypto.hash.format.HashFormat
     
    org.apache.shiro.crypto.hash.format.HashFormatFactory
     
    org.apache.shiro.crypto.hash.HashService
     
    org.apache.shiro.crypto.hash.Hash
    hashPassword(Object plaintext)
    Hashes the specified plaintext password using internal hashing configuration settings pertinent to password hashing.
    boolean
    passwordsMatch(Object submittedPlaintext, String saved)
    Returns true if the submittedPlaintext password matches the existing saved password, false otherwise.
    boolean
    passwordsMatch(Object plaintext, org.apache.shiro.crypto.hash.Hash saved)
    Returns true if the submittedPlaintext password matches the existing savedPasswordHash, false otherwise.
    void
    setHashFormat(org.apache.shiro.crypto.hash.format.HashFormat hashFormat)
     
    void
    setHashFormatFactory(org.apache.shiro.crypto.hash.format.HashFormatFactory hashFormatFactory)
     
    void
    setHashService(org.apache.shiro.crypto.hash.HashService hashService)
     

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Field Details

  • Constructor Details

    • DefaultPasswordService

      Constructs a new PasswordService with a default hash service and the default algorithm name "argon2id", a default hash format (shiro2) and a default hash format factory.

      By design, the default algorithm can change between minor versions without introducing an API incompatibility.

  • Method Details

    • encryptPassword

      public String encryptPassword(Object plaintext)
      Description copied from interface: PasswordService
      Converts the specified plaintext password (usually acquired from your application's 'new user' or 'password reset' workflow) into a formatted string safe for storage. The returned string can be safely saved with the corresponding user account record (e.g. as a 'password' attribute).

      It is expected that the String returned from this method will be presented to the passwordsMatch(plaintext,encrypted) method when performing a password comparison check.

      Usage

      The input argument type can be any 'byte backed' Object - almost always either a String or character array representing passwords (character arrays are often a safer way to represent passwords as they can be cleared/nulled-out after use). Any argument type supported by ByteSource.Util.isCompatible(Object) is valid.

      For example:

       String rawPassword = ...
       String encryptedValue = passwordService.encryptPassword(rawPassword);
       
      or, identically:
       char[] rawPasswordChars = ...
       String encryptedValue = passwordService.encryptPassword(rawPasswordChars);
       

      The resulting encryptedValue should be stored with the account to be retrieved later during a login attempt. For example:

       String encryptedValue = passwordService.encryptPassword(rawPassword);
       ...
       userAccount.setPassword(encryptedValue);
       userAccount.save(); //create or update to your data store
       
      Specified by:
      encryptPassword in interface PasswordService
      Parameters:
      plaintext - the raw password as 'byte-backed' object (String, character array, ByteSource, etc.) usually acquired from your application's 'new user' or 'password reset' workflow.
      Returns:
      the encrypted password, formatted for storage.
      See Also:
      • ByteSource.Util.isCompatible(Object)
    • hashPassword

      public org.apache.shiro.crypto.hash.Hash hashPassword(Object plaintext)
      Description copied from interface: HashingPasswordService
      Hashes the specified plaintext password using internal hashing configuration settings pertinent to password hashing.

      Note that this method is only likely to be used in more complex environments that wish to format and/or save the returned Hash object in a custom manner. Most applications will find the encryptPassword method suitable enough for safety and ease-of-use.

      Usage

      The input argument type can be any 'byte backed' Object - almost always either a String or character array representing passwords (character arrays are often a safer way to represent passwords as they can be cleared/nulled-out after use). Any argument type supported by ByteSource.Util.isCompatible(Object) is valid.

      Regardless of your choice of using Strings or character arrays to represent submitted passwords, you can wrap either as a ByteSource by using ByteSource.Util, for example, when the passwords are captured as Strings:

       ByteSource passwordBytes = ByteSource.Util.bytes(submittedPasswordString);
       Hash hashedPassword = hashingPasswordService.hashPassword(passwordBytes);
       
      or, identically, when captured as a character array:
       ByteSource passwordBytes = ByteSource.Util.bytes(submittedPasswordCharacterArray);
       Hash hashedPassword = hashingPasswordService.hashPassword(passwordBytes);
       
      Specified by:
      hashPassword in interface HashingPasswordService
      Parameters:
      plaintext - the raw password as 'byte-backed' object (String, character array, ByteSource, etc.) usually acquired from your application's 'new user' or 'password reset' workflow.
      Returns:
      the hashed password.
      See Also:
    • passwordsMatch

      public boolean passwordsMatch(Object plaintext, org.apache.shiro.crypto.hash.Hash saved)
      Description copied from interface: HashingPasswordService
      Returns true if the submittedPlaintext password matches the existing savedPasswordHash, false otherwise. Note that this method is only likely to be used in more complex environments that save hashes in a custom manner. Most applications will find the passwordsMatch(plaintext,string) method sufficient if encrypting passwords as Strings.

      Usage

      The submittedPlaintext argument type can be any 'byte backed' Object - almost always either a String or character array representing passwords (character arrays are often a safer way to represent passwords as they can be cleared/nulled-out after use). Any argument type supported by ByteSource.Util.isCompatible(Object) is valid.
      Specified by:
      passwordsMatch in interface HashingPasswordService
      Parameters:
      plaintext - a raw/plaintext password submitted by an end user/Subject.
      saved - the previously hashed password known to be associated with an account. This value is expected to have been previously generated from the hashPassword method (typically when the account is created or the account's password is reset).
      Returns:
      true if the plaintext password matches the existing savedPasswordHash, false otherwise.
    • checkHashFormatDurability

      protected void checkHashFormatDurability()
    • createHashRequest

      protected org.apache.shiro.crypto.hash.HashRequest createHashRequest(org.apache.shiro.lang.util.ByteSource plaintext)
    • createByteSource

      protected org.apache.shiro.lang.util.ByteSource createByteSource(Object o)
    • passwordsMatch

      public boolean passwordsMatch(Object submittedPlaintext, String saved)
      Description copied from interface: PasswordService
      Returns true if the submittedPlaintext password matches the existing saved password, false otherwise.

      Usage

      The submittedPlaintext argument type can be any 'byte backed' Object - almost always either a String or character array representing passwords (character arrays are often a safer way to represent passwords as they can be cleared/nulled-out after use). Any argument type supported by ByteSource.Util.isCompatible(Object) is valid.

      For example:

       String submittedPassword = ...
       passwordService.passwordsMatch(submittedPassword, encryptedPassword);
       
      or similarly:
       char[] submittedPasswordCharacters = ...
       passwordService.passwordsMatch(submittedPasswordCharacters, encryptedPassword);
       
      Specified by:
      passwordsMatch in interface PasswordService
      Parameters:
      submittedPlaintext - a raw/plaintext password submitted by an end user/Subject.
      saved - the previously encrypted password known to be associated with an account. This value is expected to have been previously generated from the encryptPassword method (typically when the account is created or the account's password is reset).
      Returns:
      true if the submittedPlaintext password matches the existing saved password, false otherwise.
      See Also:
      • ByteSource.Util.isCompatible(Object)
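
      The encryptPassword and passwordsMatch(plaintext, String) usage described above, combined into one registration and login flow that clears the character arrays after use. This is an added example, not code from the Shiro project; the class PasswordFlowExample, its in-memory map (a stand-in for your data store) and the sample account values are assumptions, and it assumes Shiro and the hash implementation for the default algorithm are on the classpath.

```java
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordService;

import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Added example, not Shiro code. The map below is a hypothetical stand-in for a
// user table; account names and passwords are constructed sample values.
public class PasswordFlowExample {

    private final PasswordService passwordService = new DefaultPasswordService();
    private final Map<String, String> savedByUser = new HashMap<>();

    /** 'New user' or 'password reset' workflow: store only the formatted hash. */
    public void register(String username, char[] rawPassword) {
        try {
            savedByUser.put(username, passwordService.encryptPassword(rawPassword));
        } finally {
            // Character arrays can be cleared after use; Strings cannot.
            Arrays.fill(rawPassword, '\0');
        }
    }

    /** Login attempt: compare the submitted password with the saved value. */
    public boolean login(String username, char[] submittedPassword) {
        try {
            String saved = savedByUser.get(username);
            // Unknown account: fail closed instead of handing null to passwordsMatch.
            return saved != null && passwordService.passwordsMatch(submittedPassword, saved);
        } finally {
            Arrays.fill(submittedPassword, '\0');
        }
    }

    public static void main(String[] args) {
        PasswordFlowExample app = new PasswordFlowExample();
        // Literals are used only to keep the sample self-contained.
        app.register("alice", "correct horse battery".toCharArray());
        System.out.println("right password: " + app.login("alice", "correct horse battery".toCharArray()));
        System.out.println("wrong password: " + app.login("alice", "wrong guess".toCharArray()));
        System.out.println("unknown user:   " + app.login("mallory", "anything".toCharArray()));
    }
}
```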
    • getHashService

      public org.apache.shiro.crypto.hash.HashService getHashService()
    • setHashService

      public void setHashService(org.apache.shiro.crypto.hash.HashService hashService)
    • getHashFormat

      public org.apache.shiro.crypto.hash.format.HashFormat getHashFormat()
    • setHashFormat

      public void setHashFormat(org.apache.shiro.crypto.hash.format.HashFormat hashFormat)
    • getHashFormatFactory

      public org.apache.shiro.crypto.hash.format.HashFormatFactory getHashFormatFactory()
    • setHashFormatFactory

      public void setHashFormatFactory(org.apache.shiro.crypto.hash.format.HashFormatFactory hashFormatFactory)