|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Object org.apache.shiro.crypto.hash.DefaultHashService
public class DefaultHashService
Default implementation of the HashService
interface, supporting a customizable hash algorithm name,
secure-random salt generation, multiple hash iterations and an optional internal
privateSalt
.
setHashAlgorithmName(String)
property. Any algorithm name
understood by the JDK
MessageDigest.getInstance(String algorithmName)
method
will work. The default is SHA-512
.
randomNumberGenerator
property.
Random salts (and potentially combined with the internal privateSalt
) is a very strong
salting strategy, as salts should ideally never be based on known/guessable data. The default instance is a
SecureRandomNumberGenerator
.
setHashIterations(int)
property. The default is
1
, but should be increased significantly if the HashService
is intended to be used for password
hashing. See the linked blog article for more info.
private salt
:
A hash and the salt used to compute it are often stored together. If an attacker is ever able to access
the hash (e.g. during password cracking) and it has the full salt value, the attacker has all of the input necessary
to try to brute-force crack the hash (source + complete salt).
However, if part of the salt is not available to the attacker (because it is not stored with the hash), it is
much harder to crack the hash value since the attacker does not have the complete inputs necessary.
The privateSalt
property exists to satisfy this private-and-not-shared part of the salt.
If you configure this attribute, you can obtain this additional very important safety feature.
*By default, the privateSalt
is null, since a sensible default cannot be used that
isn't easily compromised (because Shiro is an open-source project and any default could be easily seen and used).
Constructor Summary | |
---|---|
DefaultHashService()
Constructs a new DefaultHashService instance with the following defaults:
hashAlgorithmName = SHA-512
hashIterations = 1
randomNumberGenerator =
new SecureRandomNumberGenerator ()
generatePublicSalt = false
If this hashService will be used for password hashing it is recommended to set the
privateSalt and significantly increase the number of
hashIterations . |
Method Summary | |
---|---|
protected ByteSource |
combine(ByteSource privateSalt,
ByteSource publicSalt)
Combines the specified 'private' salt bytes with the specified additional extra bytes to use as the total salt during hash computation. |
Hash |
computeHash(HashRequest request)
Computes and responds with a hash based on the specified request. |
protected String |
getAlgorithmName(HashRequest request)
|
String |
getHashAlgorithmName()
|
int |
getHashIterations()
|
protected int |
getIterations(HashRequest request)
|
ByteSource |
getPrivateSalt()
|
protected ByteSource |
getPublicSalt(HashRequest request)
Returns the public salt that should be used to compute a hash based on the specified request or null if no public salt should be used. |
RandomNumberGenerator |
getRandomNumberGenerator()
|
boolean |
isGeneratePublicSalt()
Returns true if a public salt should be randomly generated and used to compute a hash if a
HashRequest does not specify a salt, false otherwise. |
void |
setGeneratePublicSalt(boolean generatePublicSalt)
Sets whether or not a public salt should be randomly generated and used to compute a hash if a HashRequest does not specify a salt. |
void |
setHashAlgorithmName(String name)
Sets the name of the MessageDigest algorithm that will be used to compute
hashes. |
void |
setHashIterations(int count)
Sets the number of hash iterations that will be performed during hash computation. |
void |
setPrivateSalt(ByteSource privateSalt)
Sets the 'private' (internal) salt to be paired with a 'public' (random or supplied) salt during hash computation. |
void |
setRandomNumberGenerator(RandomNumberGenerator rng)
Sets a source of randomness used to generate public salts that will in turn be used during hash computation. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Constructor Detail |
---|
public DefaultHashService()
DefaultHashService
instance with the following defaults:
hashAlgorithmName
= SHA-512
hashIterations
= 1
randomNumberGenerator
=
new SecureRandomNumberGenerator
()generatePublicSalt
= false
privateSalt
and significantly increase the number of
hashIterations
. See the class-level JavaDoc for more information.
Method Detail |
---|
public Hash computeHash(HashRequest request)
salt
is null:
A salt will be generated and used to compute the hash. The salt is generated as follows:
randomNumberGenerator
to generate a new random number.combine
this random salt with any configured
privateSalt
combined
with any
configured privateSalt
and used as the complete salt during hash computation.
Hash
's salt
property
will contain only the 'public' part of the salt and NOT the privateSalt. See the class-level
JavaDoc explanation for more info.
computeHash
in interface HashService
request
- the request to process
Hash.getSalt()
protected String getAlgorithmName(HashRequest request)
protected int getIterations(HashRequest request)
protected ByteSource getPublicSalt(HashRequest request)
null
if no public salt should be used.
This implementation functions as follows:
isGeneratePublicSalt()
is true
,
auto generate a random public salt via the configured
randomNumberGenerator
.isGeneratePublicSalt()
is false
,
do nothing - return null
to indicate a salt should not be used during hash computation.
request
- request the request to process
null
if no public salt should be used.protected ByteSource combine(ByteSource privateSalt, ByteSource publicSalt)
privateSaltBytes
will be null
}if no private salt has been
configured.
privateSalt
- the (possibly null
) 'private' salt to combine with the specified extra bytespublicSalt
- the extra bytes to use in addition to the given private salt.
public void setHashAlgorithmName(String name)
ConfigurableHashService
MessageDigest
algorithm that will be used to compute
hashes.
setHashAlgorithmName
in interface ConfigurableHashService
name
- the name of the MessageDigest
algorithm that will be used to
compute hashes.public String getHashAlgorithmName()
public void setPrivateSalt(ByteSource privateSalt)
ConfigurableHashService
setPrivateSalt
in interface ConfigurableHashService
privateSalt
- the 'private' internal salt to be paired with a 'public' (random or supplied) salt during
hash computation.public ByteSource getPrivateSalt()
public void setHashIterations(int count)
ConfigurableHashService
setHashIterations
in interface ConfigurableHashService
count
- the number of hash iterations that will be performed during hash computation.public int getHashIterations()
public void setRandomNumberGenerator(RandomNumberGenerator rng)
ConfigurableHashService
setRandomNumberGenerator
in interface ConfigurableHashService
rng
- a source of randomness used to generate public salts that will in turn be used during hash computation.public RandomNumberGenerator getRandomNumberGenerator()
public boolean isGeneratePublicSalt()
true
if a public salt should be randomly generated and used to compute a hash if a
HashRequest
does not specify a salt, false
otherwise.
The default value is false
but should definitely be set to true
if the
HashService
instance is being used for password hashing.
NOTE: this property only has an effect if a privateSalt
is NOT configured. If a
private salt has been configured and a request does not provide a salt, a random salt will always be generated
to protect the integrity of the private salt (without a public salt, the private salt would be exposed as-is,
which is undesirable).
true
if a public salt should be randomly generated and used to compute a hash if a
HashRequest
does not specify a salt, false
otherwise.public void setGeneratePublicSalt(boolean generatePublicSalt)
HashRequest
does not specify a salt.
The default value is false
but should definitely be set to true
if the
HashService
instance is being used for password hashing.
NOTE: this property only has an effect if a privateSalt
is NOT configured. If a
private salt has been configured and a request does not provide a salt, a random salt will always be generated
to protect the integrity of the private salt (without a public salt, the private salt would be exposed as-is,
which is undesirable).
generatePublicSalt
- whether or not a public salt should be randomly generated and used to compute a hash
if a HashRequest
does not specify a salt.
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |