-
Notifications
You must be signed in to change notification settings - Fork 653
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Shiro 2.X doesn't allow plain text password in user section of shiro.ini #2617
Comments
It seems to work -- possibly because the example default file is setting the
It would be better to update the documentation and default file to use argon2 as suggested. |
This is a working example: using command line hasher: (https://shiro.apache.org/command-line-hasher.html) # change shiro version to current version in case of updated/improved defaults
export SHIRO_VERSION=2.0.1
# download shiro-tools-hasher to local repository
mvn dependency:get -DgroupId=org.apache.shiro.tools -DartifactId=shiro-tools-hasher -Dclassifier=cli -Dversion=$SHIRO_VERSION # output
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< org.apache.maven:standalone-pom >-------------------
[INFO] Building Maven Stub Project (No POM) 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- dependency:3.7.0:get (default-cli) @ standalone-pom ---
[INFO] Resolving org.apache.shiro.tools:shiro-tools-hasher:jar:cli:2.0.1 with transitive dependencies
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.802 s
[INFO] Finished at: 2024-08-10T13:25:46+02:00
[INFO] ------------------------------------------------------------------------ # for more fine-grained control of configuring consult the shiro-tools-hasher docs, or run it with no parameters to list options
# run shiro-tools-hasher from local repository
java -jar ~/.m2/repository/org/apache/shiro/tools/shiro-tools-hasher/${SHIRO_VERSION}/shiro-tools-hasher-{SHIRO_VERSION}-cli.jar -p
shiro.ini
Since unencrypted still works, should both versions be present and commented in the ini files and the docs, or should the current configuration be replaced? |
Version
5.1
What happened?
https://shiro.apache.org/configuration.html#Configuration-INIConfiguration
The examples provided for shiro.ini contains plain text passwords, which I don't think works since shiro was bumped to 2.0 in 4.10. I stumbled onto it when reading the docs, trying to configure a custom shino.ini.
https://shiro.apache.org/configuration.html#Configuration-INIConfiguration
There is a section with how to do it, which supplies a shiro cli-tool for creating the required password string to paste.
https://shiro.apache.org/command-line-hasher.html
I suggest updating the ini file with a working commented example, maybe using the same password and username as today, but with the password encrypted using the cli-tool and with a comment stating the change to plain-text passwords.
Haven't confirmed that plain text passwords fails yet in practice, but will try.
Relevant output and stacktrace
No response
Are you interested in making a pull request?
Yes
The text was updated successfully, but these errors were encountered: