shiro-dev mailing list archives

From "Richard Bradley (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SHIRO-552) JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes
Date Thu, 17 Dec 2015 15:02:46 GMT
Richard Bradley created SHIRO-552:
-------------------------------------

             Summary: JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes
                 Key: SHIRO-552
                 URL: https://issues.apache.org/jira/browse/SHIRO-552
             Project: Shiro
          Issue Type: Bug
    Affects Versions: 1.2.4
            Reporter: Richard Bradley


The {{org.apache.shiro.realm.jdbc.JdbcRealm}} class, when configured with SaltStyle.COLUMN,
assumes that the password column is Base64 but the salt column is UTF-8 bytes.

The password is returned as a {{char[]}} (see JdbcRealm.java:241), which {{org.apache.shiro.authc.credential.HashedCredentialsMatcher}}
then text-decodes (see HashedCredentialsMatcher.java:353):

{code}
        if (credentials instanceof String || credentials instanceof char[]) {
            //account.credentials were a char[] or String, so
            //we need to do text decoding first:
            if (isStoredCredentialsHexEncoded()) {
                storedBytes = Hex.decode(storedBytes);
            } else {
                storedBytes = Base64.decode(storedBytes);
            }
        }
{code}

However, the salt is returned as a {{ByteSource}}, by converting the DB-returned String into
its UTF-8 bytes. See JdbcRealm.java:224:

{code}
            if (salt != null) {
                info.setCredentialsSalt(ByteSource.Util.bytes(salt));
            }
{code}

This is broken and inconsistent.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
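To make the reported inconsistency concrete, here is an added Python re-implementation (not Shiro's code) of the two decode paths the report describes: the password column is Base64- or Hex-decoded, while the salt column is used as the UTF-8 bytes of the stored string. The hashing scheme (SHA-256, salt digested before the password, SimpleHash-style iterations), the password and the salt values are assumptions constructed for this example.

```python
import base64
import hashlib
import hmac


def shiro_simple_hash(password: str, salt: bytes, iterations: int = 1,
                      algorithm: str = "sha256") -> bytes:
    """Modelled on Shiro's SimpleHash (assumption): digest(salt || password),
    then re-digest the result for the remaining iterations."""
    h = hashlib.new(algorithm)
    h.update(salt)
    h.update(password.encode("utf-8"))
    hashed = h.digest()
    for _ in range(iterations - 1):
        hashed = hashlib.new(algorithm, hashed).digest()
    return hashed


def encode_for_storage(digest: bytes, hex_encoded: bool = False) -> str:
    """Text form of the hash as it would sit in the password column."""
    return digest.hex() if hex_encoded else base64.b64encode(digest).decode("ascii")


def column_style_matches(stored_password: str, stored_salt: str, submitted: str,
                         hex_encoded: bool = False, iterations: int = 1) -> bool:
    """Replay of the 1.2.4 behaviour the report describes: the password column is
    text-decoded (Hex or Base64), the salt column is used as raw UTF-8 bytes."""
    stored_bytes = (bytes.fromhex(stored_password) if hex_encoded
                    else base64.b64decode(stored_password))
    salt_bytes = stored_salt.encode("utf-8")  # ByteSource.Util.bytes(String): no decode
    candidate = shiro_simple_hash(submitted, salt_bytes, iterations)
    return hmac.compare_digest(candidate, stored_bytes)


def demonstrate(password: str = "correct horse", raw_salt: bytes = bytes(range(16))) -> dict:
    """Constructed case: a 16-byte salt stored as Base64 text beside a Base64 hash."""
    salt_column = base64.b64encode(raw_salt).decode("ascii")
    # Natural expectation: both columns are Base64, so hash with the decoded salt bytes.
    hash_with_decoded_salt = encode_for_storage(shiro_simple_hash(password, raw_salt))
    # What the COLUMN style actually verifies: the UTF-8 bytes of the salt text itself.
    hash_with_text_salt = encode_for_storage(
        shiro_simple_hash(password, salt_column.encode("utf-8")))
    return {
        "decoded_salt_matches": column_style_matches(hash_with_decoded_salt, salt_column, password),
        "text_salt_matches": column_style_matches(hash_with_text_salt, salt_column, password),
    }
```

A salt stored Base64-encoded beside a Base64 password hash never verifies under this path; only a hash computed over the literal salt text does, so whichever side is chosen, the salt must be handled the same way at hashing time and at verification time.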
