Examples of org.apache.shiro.crypto.hash.DefaultHashService

• org.apache.shiro.crypto.hash.DefaultHashService
  tormpath.com/blog/strong-password-hashing-apache-shiro">blog article explains in greater detail why this is useful, as well as information on how many iterations is 'enough'.

  You may set the number of hash iterations via the {@link #setHashIterations(int)} property. The default is{@code 1}, but should be increased significantly if the {@code HashService} is intended to be used for passwordhashing. See the linked blog article for more info.

  Private Salt

  If using this implementation as part of a password hashing strategy, it might be desirable to configure a {@link #setPrivateSalt(ByteSource) private salt}:

  A hash and the salt used to compute it are often stored together. If an attacker is ever able to access the hash (e.g. during password cracking) and it has the full salt value, the attacker has all of the input necessary to try to brute-force crack the hash (source + complete salt).

  However, if part of the salt is not available to the attacker (because it is not stored with the hash), it is much harder to crack the hash value since the attacker does not have the complete inputs necessary.

  The {@link #getPrivateSalt() privateSalt} property exists to satisfy this private-and-not-shared part of the salt.If you configure this attribute, you can obtain this additional very important safety feature.

  *By default, the {@link #getPrivateSalt() privateSalt} is null, since a sensible default cannot be used thatisn't easily compromised (because Shiro is an open-source project and any default could be easily seen and used). @since 1.2

        configuration.refresh();
        PasswordRealmConfiguration config = configuration.get();
        String algorithm = config.hashAlgorithmName().get();
        Integer iterations = config.hashIterationsCount().get();
        if ( algorithm != null || iterations != null ) {
            DefaultHashService hashService = ( DefaultHashService ) passwordService.getHashService();
            if ( algorithm != null ) {
                hashService.setHashAlgorithmName( algorithm );
            }
            if ( iterations != null ) {
                hashService.setHashIterations( iterations );
            }
        }
    }

  DefaultPasswordService md5PasswordService;

  public LegacyNexusPasswordService() {
    //Initialize and configure sha1 password service
    this.sha1PasswordService = new DefaultPasswordService();
    DefaultHashService sha1HashService = new DefaultHashService();
    sha1HashService.setHashAlgorithmName("SHA-1");
    sha1HashService.setHashIterations(1);
    sha1HashService.setGeneratePublicSalt(false);
    this.sha1PasswordService.setHashService(sha1HashService);
    this.sha1PasswordService.setHashFormat(new HexFormat());

    //Initialize and configure md5 password service
    this.md5PasswordService = new DefaultPasswordService();
    DefaultHashService md5HashService = new DefaultHashService();
    md5HashService.setHashAlgorithmName("MD5");
    md5HashService.setHashIterations(1);
    md5HashService.setGeneratePublicSalt(false);
    this.md5PasswordService.setHashService(md5HashService);
    this.md5PasswordService.setHashFormat(new HexFormat());
  }

    this.securityConfiguration = securityConfiguration;
    this.passwordService = new DefaultPasswordService();
    this.legacyPasswordService = legacyPasswordService;

    //Create and set a hash service according to our hashing policies
    DefaultHashService hashService = new DefaultHashService();
    hashService.setHashAlgorithmName(DEFAULT_HASH_ALGORITHM);
    hashService.setHashIterations(this.securityConfiguration.getHashIterations());
    hashService.setGeneratePublicSalt(true);
    this.passwordService.setHashService(hashService);
  }

    private volatile boolean hashFormatWarned; //used to avoid excessive log noise

    public DefaultPasswordService() {
        this.hashFormatWarned = false;

        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName(DEFAULT_HASH_ALGORITHM);
        hashService.setHashIterations(DEFAULT_HASH_ITERATIONS);
        hashService.setGeneratePublicSalt(true); //always want generated salts for user passwords to be most secure
        this.hashService = hashService;

        this.hashFormat = new Shiro1CryptFormat();
        this.hashFormatFactory = new DefaultHashFormatFactory();
    }