Fork me on GitHub

Apache Shiro Logo Simple. Java. Security. Apache Software Foundation Event Banner

Command Line Hasher

Handy Hint
Shiro v1 version notice

As of February 28, 2024, Shiro v1 was superseded by v2.

Read this page in the v2 documentation.

Table of Contents

Shiro 1.2.0 and later provides a command line program that can hash strings and resources (files, URLs, classpath entries) of almost any type. To use it, you must have a Java Virtual Machine installed and the 'java' command must be accessible in your $PATH environment variable.

Do not use the hashes provided in the command line hasher 1.x versions anymore! They are outdated and all considered insecure!

Usage

Ensure you have access to the shiro-tools-hasher-2.0.6-cli.jar file. You can either find this in a source build in the buildroot`/tools/hasher/target` directory or via download through Maven.

# Use the following to download from Maven Central into
# ~/.m2/repository/org/apache/shiro/tools/shiro-tools-hasher/2.0.6/shiro-tools-hasher-2.0.6-cli.jar
$ mvn dependency:get -DgroupId=org.apache.shiro.tools -DartifactId=shiro-tools-hasher -Dclassifier=cli -Dversion=2.0.6

Once you have access to the jar, you can run the following command:

$ java -jar shiro-tools-hasher-2.0.6-cli.jar

This will print all available options for both standard (SHA-256, SHA-256) and more complex password hashing scenarios.

Older algorithms such as MD5 and SHA-1 are no longer available since Shiro 2.0+ due to security concerns.

Common Scenarios

Please read the printed instructions for the above command. It will provide an exhaustive list of instructions which will help you use the hasher depending on your needs. However, we’ve provided some quick reference usages/scenarios below for convenience.

shiro.ini User Passwords

It is best to keep user passwords in the shiro.ini [users] section secure. To add a new user account line, use the above command with the -p (or --password) option:

$ java -jar shiro-tools-hasher-2.0.6-cli.jar -p

It will then ask you to enter the password and then confirm it:

Password to hash:
Password to hash (confirm):

When this command executes, it will print out the securely-salted-iterated-and-hashed password. For example:

$shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=

Take this value and place it as the password in the user definition line (followed by any optional roles) as defined in the INI Users Configuration documentation. For example:

[users]
...
user1 = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=

You will also need to ensure that the implicit iniRealm uses a CredentialsMatcher that knows how to perform secure hashed password comparisons. So configure this in the [main] section as well:

[main]
...
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher
...

SHA-256 checksum

Although you can perform any hash with any algorithm supported on the JVM, the default hashing algorithm is SHA-256, common for file checksums. Just use the -r (or --resource) option to indicate the following value is a resource location (and not text you wish hashed):

$ java -jar shiro-tools-hasher-X.X.X-cli.jar -r RESOURCE_PATH

By default RESOURCE_PATH is expected to be a file path, but you may specify classpath or URL resources by using the classpath: or url: prefix respectively.

Some examples:

<command> -r fileInCurrentDirectory.txt
<command> -r ../../relativePathFile.xml
<command> -r ~/documents/myfile.pdf
<command> -r ~/documents/myfile.pdf -a SHA-512
<command> -r /usr/local/logs/absolutePathFile.log
<command> -r url:http://foo.com/page.html <command> -r classpath:/WEB-INF/lib/something.jar