Yes, the HashedCredentialsMatcher, while sufficient, is a bit older. You'll probably find Shiro's newer PasswordMatcher easier to use. You can configure its internal PasswordService pretty easily:
```ini
[main]
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
# configure the passwordService to use the settings you desire
#...
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
#...
# Finally, set the matcher on a realm that requires password matching for account authentication:
myRealm = ...
myRealm.credentialsMatcher = $passwordMatcher
```
You can use an instance of the PasswordService in your application to create the password hash when you create an account or update the account's password:

```java
String submittedPlaintextPassword = ...
String encryptedValue = passwordService.encryptPassword(submittedPlaintextPassword);
...
userAccount.setPassword(encryptedValue);
userAccount.save(); //create or update to your data store
```
Just make sure the passwordService configured in shiro.ini has the same configuration as the passwordService used in your application code.
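
As an added example (not part of the original answer), the sketch below builds a PasswordService in application code with explicit hash settings, lists the matching shiro.ini lines in a comment, and then checks a login attempt through PasswordMatcher the way a realm would. It assumes the Shiro 1.x API (the DefaultHashService setters differ in 2.x); the class name, the SHA-512/500000 settings, the account name and the passwords are constructed for illustration.

```java
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.DefaultPasswordService;
import org.apache.shiro.authc.credential.PasswordMatcher;
import org.apache.shiro.authc.credential.PasswordService;
import org.apache.shiro.crypto.hash.DefaultHashService;

// Hypothetical class name; assumes Shiro 1.x on the classpath.
public class PasswordServiceExample {

    // Mirrors these [main] lines in shiro.ini (Shiro 1.x property names):
    //   hashService = org.apache.shiro.crypto.hash.DefaultHashService
    //   hashService.hashAlgorithmName = SHA-512
    //   hashService.hashIterations = 500000
    //   hashService.generatePublicSalt = true
    //   passwordService.hashService = $hashService
    static PasswordService newPasswordService() {
        DefaultHashService hashService = new DefaultHashService();
        hashService.setHashAlgorithmName("SHA-512");
        hashService.setHashIterations(500000);
        hashService.setGeneratePublicSalt(true); // random per-password salt

        DefaultPasswordService passwordService = new DefaultPasswordService();
        passwordService.setHashService(hashService);
        return passwordService;
    }

    public static void main(String[] args) {
        PasswordService passwordService = newPasswordService();

        // Account creation: store only the formatted hash string.
        // Constructed sample password.
        String stored = passwordService.encryptPassword("correct horse battery staple");
        System.out.println("stored value: " + stored);

        // Login: what the realm's credentialsMatcher does with a submitted token.
        PasswordMatcher matcher = new PasswordMatcher();
        matcher.setPasswordService(passwordService);
        SimpleAuthenticationInfo info =
                new SimpleAuthenticationInfo("alice", stored, "myRealm");

        UsernamePasswordToken good =
                new UsernamePasswordToken("alice", "correct horse battery staple");
        UsernamePasswordToken bad = new UsernamePasswordToken("alice", "wrong guess");
        System.out.println("good password matches: " + matcher.doCredentialsMatch(good, info));
        System.out.println("bad password matches:  " + matcher.doCredentialsMatch(bad, info));
    }
}
```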