shiro-dev mailing list archives

From "Richard J. Barbalace (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHIRO-445) Mechanism needed to secure passwords in shiro.ini
Date Fri, 13 Dec 2013 22:12:07 GMT

    [ https://issues.apache.org/jira/browse/SHIRO-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13847971#comment-13847971 ]

Richard J. Barbalace commented on SHIRO-445:
--------------------------------------------

The new patch addresses the issue described here:
shiro-user.582556.n2.nabble.com/Best-practice-for-managing-different-shiro-ini-files-for-different-environment-td7579099.html

I have been using this patch for a couple of months now in production.  (For the submission,
I had to change the logging in IniFactory.java to match that used in Shiro, but that is all.)
The two packages included in this patch allow the inclusion of data from a separate INI file
(or other data source) aside from shiro.ini.  The details and use cases are described in the
package-info.java files.  The org.apache.shiro.config.external package can be used to allow
configuration settings to be read into shiro.ini from a separate config.ini file (which is
useful for server configurations when you want to check shiro.ini into version control, but
have per-server customizations) and the org.apache.shiro.config.password package allows for
the encryption of such plain text configuration.

This patch should be able to be incorporated into the Shiro project with minimal change. 
(As noted in a previous comment, some @override statements might be dropped depending on the
Java version used.)  Also, see the TODO note around lines 144-150 of IniFactory.java.

> Mechanism needed to secure passwords in shiro.ini
> -------------------------------------------------
>
>                 Key: SHIRO-445
>                 URL: https://issues.apache.org/jira/browse/SHIRO-445
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Specification API
>    Affects Versions: 1.2.2
>         Environment: Any.
>            Reporter: Richard J. Barbalace
>             Fix For: 1.2.3
>
>         Attachments: mypatch.txt, mypatch2.txt
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> There should be a mechanism to secure passwords stored in shiro.ini for accessing databases
> or other data sources, as described in this Shiro user forum post:
> http://shiro-user.582556.n2.nabble.com/How-to-secure-database-password-in-shiro-ini-td7578763.html
> A flexible and extensible approach should allow for passwords to be stored in other INI
> or properties files, JNDI resources, databases, key stores, key servers, or other data sources.
> Passwords might be encrypted using a master key, which could likewise be stored in various
> data sources.
> I already have an initial patch prepared that allows for passwords to be stored (plaintext
> or encrypted with a master key) in other INI files, similar to a shadow password file.  This
> can be further extended to use other data sources as needs arise.



--
This message was sent by Atlassian JIRA
(v6.1.4#6159)
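
The approach discussed in this message, shown as an added example that is not taken from the attached patch or from Shiro: a version-controlled shiro.ini text keeps only references, and a separate per-server map (standing in for config.ini) holds the values, plaintext or encrypted with a master key. The class name, the `${name}` reference syntax, the `enc:` prefix and the AES-GCM encoding are all assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.regex.*;

public class ExternalIniSecrets {
    // Hypothetical conventions: ${name} references; "enc:" + base64(iv || ciphertext || tag)
    static final Pattern REF = Pattern.compile("\\$\\{([A-Za-z0-9_.]+)\\}");

    static String encrypt(byte[] key, String plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh nonce per value, never reused with a key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return "enc:" + Base64.getEncoder().encodeToString(out);
    }

    static String decrypt(byte[] key, String value) throws Exception {
        if (!value.startsWith("enc:")) return value; // plaintext entry, passed through
        byte[] raw = Base64.getDecoder().decode(value.substring(4));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, raw, 0, 12));
        // A wrong key or a modified value fails the GCM tag check and throws AEADBadTagException
        return new String(c.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8);
    }

    static String resolve(String mainIni, Map<String, String> external, byte[] key) throws Exception {
        Matcher m = REF.matcher(mainIni);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String v = external.get(m.group(1));
            if (v == null) throw new IllegalStateException("unresolved reference: " + m.group(1));
            m.appendReplacement(sb, Matcher.quoteReplacement(decrypt(key, v)));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32]; // constructed demo key; a real one is stored apart from config.ini
        new SecureRandom().nextBytes(key);
        Map<String, String> external = new HashMap<>(); // constructed stand-in for config.ini
        external.put("db.user", "shiro_app");
        external.put("db.password", encrypt(key, "constructed-demo-secret"));
        String mainIni = "[main]\nds.username = ${db.user}\nds.password = ${db.password}\n";
        System.out.println(resolve(mainIni, external, key).contains("constructed-demo-secret"));
    }
}
```

Encrypting the external file only helps if the master key is held somewhere with different access controls than the file itself; an unresolved reference fails closed here rather than leaving a literal `${...}` in the configuration.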