Shiro 1.2 new PasswordService and PasswordMatcher

This becomes super simple and clean.

Here is the summary:

1. Signing-up code:
  // Using the new PasswordService instead
  PasswordService svc = new DefaultPasswordService();

  //e.g. during account signup or password reset:
  String encryptedPassword = svc.encryptPassword(password);
  logger.debug("encryptedPassword: " + encryptedPassword);

  // Salt is not needed to handel separately but encrypted all together within the "password"
  // Example password becomes $shiro1$SHA-256$500000$gTF/EC2mLKxlln2w1CMUAQ==$HvG+0Qe1RONAF41bUy11hjkgqdHrwwf/urEAXeYDt1w=
  User user = new User(username, encryptedPassword, null, email);
  userDao.createUser(user);

 2. INI configuration:
  passwordMatcher = org.apache.shiro.authc.credential.TempFixPasswordMatcher
  # since jdbcRealm is used, the stored password in String needs to be converted to char[]
  # algorithm related configuration comes in default
  passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
  passwordMatcher.passwordService = $passwordService

  realmDS = com.mysql.jdbc.jdbc2.optional.MysqlDataSource
  realmDS.serverName = localhost
  realmDS.user = root
  realmDS.databaseName = test

  jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
  jdbcRealm.credentialsMatcher = $passwordMatcher
  jdbcRealm.authenticationQuery = select password from user where username = ?
  jdbcRealm.dataSource = $realmDS

  securityManager.realm = $jdbcRealm

3. Matcher code
  public class TempFixPasswordMatcher extends PasswordMatcher {

      @Override
      protected Object getStoredPassword(AuthenticationInfo storedAccountInfo) {
          Object stored = super.getStoredPassword(storedAccountInfo);
          if (stored instanceof char[]) {
              return new String((char[])stored);
          }
          return stored;
      }
  }

  source1, source2

Shiro @RequiresPermissions not working

@RequiresPermission and other annotations do not work just yet like mentioned in the documentation.

This post gives the solution by explicit configuration of using AOP and cglib.

And don't forget to keep the configuration in the same Spring configuration where MVC annotation scanning is specified. 

What's new in Java 7

• Improved Type Inference for Generic Instance Creation (Diamond)
• Multi-catch
• try-with-resources statement
• Simplified Varargs Method Invocation
• Strings in switch
• Polymorphic Methods
• Miscellaneous

--- source

JSON Padding explained

The following is effectively what will happen when using JSON padding in JavaScript.

 <script type="text/javascript">showPrice({symbol: 'IBM', price: 91.42});</script>

• {...} is the useful JSON data (JavaScript Object formatted) provided by the remote server.

•  showPrice is the callback function that will need to be defined in the calling script. The padding is also added by the remote server.

•  In order to achieve all these, the whole lot highlighted will need to be dynamically inserted to the calling script by for example the following:

  <script type="text/javascript">
  // This is our function to be called with JSON data
  function showPrice(data) {
      alert("Symbol: " + data.symbol + ", Price: " + data.price);
  }
  var url = “http://server2.example.com/RetrievePrice?symbol=IBM&jsonp=showPrice”; // URL of the external script
  // this shows dynamic script insertion
  var script = document.createElement('script');
  script.setAttribute('src', url);
 
  // load the script
  document.getElementsByTagName('head')[0].appendChild(script);
  </script>
   

All this is, loosely, due to that JavaScript is not allowed to access foreign domain code, except from within. i.e. "... the domain of the requested URL must be the same as the domain of the current Web page ..." --- source