shiro-dev mailing list archives

From "Richard J. Barbalace (JIRA)" <>
Subject [jira] [Commented] (SHIRO-445) Mechanism needed to secure passwords in shiro.ini
Date Thu, 06 Jun 2013 21:38:21 GMT


Richard J. Barbalace commented on SHIRO-445:

The JavaDoc in the file explains the basic approach:

The following is a summary of the class hierarchy:
- PasswordFactory - A simple interface for factories that retrieve passwords from data sources other than the default shiro.ini configuration file.
  - INIPasswordFactory - A base class for factories for retrieving passwords from an INI file.
    - ShadowPasswordFactory - A factory for retrieving plaintext passwords from a shadow INI
      - MasterKeyFactory - A factory for retrieving a master key from a master INI file.
      - EncryptedPasswordFactory - A factory for retrieving passwords encrypted with a master key from a shadow INI file.
        - PasswordHelper - A utility to generate hex-encoded master keys and encrypted passwords.

In general, developers should use EncryptedPasswordFactory with MasterKeyFactory to secure passwords for services with a master key. The PasswordHelper utility can generate random hex-encoded master keys and encrypt passwords using these master keys for such purposes. See each class for details on the format of the INI configuration files.

> Mechanism needed to secure passwords in shiro.ini
> -------------------------------------------------
>                 Key: SHIRO-445
>                 URL:
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Specification API
>    Affects Versions: 1.2.2
>         Environment: Any.
>            Reporter: Richard J. Barbalace
>             Fix For: 1.2.3
>         Attachments: mypatch.txt
>   Original Estimate: 24h
>  Remaining Estimate: 24h
> There should be a mechanism to secure passwords stored in shiro.ini for accessing databases or other data sources, as described in this Shiro user forum post:
> A flexible and extensible approach should allow for passwords to be stored in other INI or properties files, JNDI resources, databases, key stores, key servers, or other data sources. Passwords might be encrypted using a master key, which could likewise be stored in various data sources.
> I already have an initial patch prepared that allows for passwords to be stored (plaintext or encrypted with a master key) in other INI files, similar to a shadow password file. This can be further extended to use other data sources as needs arise.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
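An added illustration of the master-key scheme the comment describes, not code from the SHIRO-445 patch or from Shiro: a hypothetical `ShadowIniDemo` class that plays the PasswordHelper and EncryptedPasswordFactory roles with AES-GCM. The patch's cipher, key length and INI layout are not stated on this page, so the `master.key` / `ds.password` names, the hex(iv || ciphertext || tag) value layout and the use of Java 17's `HexFormat` are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HexFormat;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical sketch of the scheme; not the patch's PasswordHelper or EncryptedPasswordFactory.
public class ShadowIniDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final HexFormat HEX = HexFormat.of(); // Java 17+
    private static final int IV_LEN = 12, TAG_BITS = 128;
    // PasswordHelper role: a random 256-bit master key, hex-encoded for the master INI file.
    static String newMasterKeyHex() {
        byte[] key = new byte[32];
        RNG.nextBytes(key);
        return HEX.formatHex(key);
    }

    private static Cipher cipher(int mode, String masterKeyHex, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(HEX.parseHex(masterKeyHex), "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return c;
    }
    // PasswordHelper role: AES-GCM with a fresh IV per password; shadow INI value is hex(iv || ciphertext || tag).
    static String encrypt(String masterKeyHex, String password) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        byte[] ct = cipher(Cipher.ENCRYPT_MODE, masterKeyHex, iv).doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return HEX.formatHex(out);
    }

    // EncryptedPasswordFactory role: an edited value or wrong master key throws AEADBadTagException, not garbage.
    static String decrypt(String masterKeyHex, String value) throws Exception {
        byte[] in = HEX.parseHex(value);
        byte[] pt = cipher(Cipher.DECRYPT_MODE, masterKeyHex, Arrays.copyOf(in, IV_LEN)).doFinal(in, IV_LEN, in.length - IV_LEN);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample of the lines PasswordHelper would write to the master and shadow INI files.
        String masterKey = newMasterKeyHex();
        String shadowValue = encrypt(masterKey, "s3cr3t");
        System.out.println("[master]\nmaster.key = " + masterKey + "\n[passwords]\nds.password = " + shadowValue);
        System.out.println("recovered: " + decrypt(masterKey, shadowValue));
    }
}
```

The scheme only moves the secret: the master INI file must be readable by the service account alone, otherwise the shadow INI values are as exposed as a plaintext shiro.ini.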