
Shiro 2.X doesn't allow plain text password in user section of shiro.ini #2617

Open
OyvindLGjesdal opened this issue Aug 2, 2024 · 2 comments
Labels
enhancement Incrementally add new feature

Comments

@OyvindLGjesdal
Contributor

OyvindLGjesdal commented Aug 2, 2024

Version

5.1

What happened?

https://shiro.apache.org/configuration.html#Configuration-INIConfiguration

The examples provided for shiro.ini contain plain text passwords, which I don't think work since shiro was bumped to 2.0 in 4.10. I stumbled onto it when reading the docs, trying to configure a custom shiro.ini.

Since Shiro 2.0, the [users] section cannot contain plain-text passwords. You can encrypt them using key derivation functions. Shiro provides implementations for bcrypt and argon2. If unsure, use argon2 derived passwords.

https://shiro.apache.org/configuration.html#Configuration-INIConfiguration

[users]

user1 = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=

There is a section with how to do it, which supplies a shiro cli-tool for creating the required password string to paste.

https://shiro.apache.org/command-line-hasher.html

I suggest updating the ini file with a working commented example, maybe using the same password and username as today, but with the password encrypted using the cli-tool and with a comment stating the change to plain-text passwords.

Haven't confirmed that plain text passwords fail yet in practice, but will try.

Relevant output and stacktrace

No response

Are you interested in making a pull request?

Yes

@OyvindLGjesdal OyvindLGjesdal changed the title Shiro 2.X doesn't allow storing plain text password in user sectrion Shiro 2.X doesn't allow storing plain text password in user section of shiro.ini Aug 2, 2024
@OyvindLGjesdal OyvindLGjesdal changed the title Shiro 2.X doesn't allow storing plain text password in user section of shiro.ini Shiro 2.X doesn't allow plain text password in user section of shiro.ini Aug 2, 2024
@afs
Member

afs commented Aug 2, 2024

It seems to work -- possibly because the example default file is setting the credentialsMatcher.

[main]
plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
iniRealm.credentialsMatcher = $plainMatcher

[users]
user99=password99

[urls]
/** = authcBasic,user[user99]

It would be better to update the documentation and default file to use argon2 as suggested.

@afs afs added enhancement Incrementally add new feature and removed bug labels Aug 2, 2024
@OyvindLGjesdal
Contributor Author

OyvindLGjesdal commented Aug 10, 2024

This is a working example:

using command line hasher: (https://shiro.apache.org/command-line-hasher.html)

# change shiro version to current version in case of  updated/improved defaults 
export SHIRO_VERSION=2.0.1
# download shiro-tools-hasher to local repository
mvn dependency:get -DgroupId=org.apache.shiro.tools -DartifactId=shiro-tools-hasher -Dclassifier=cli -Dversion=$SHIRO_VERSION
# output
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------< org.apache.maven:standalone-pom >-------------------
[INFO] Building Maven Stub Project (No POM) 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- dependency:3.7.0:get (default-cli) @ standalone-pom ---
[INFO] Resolving org.apache.shiro.tools:shiro-tools-hasher:jar:cli:2.0.1 with transitive dependencies
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.802 s
[INFO] Finished at: 2024-08-10T13:25:46+02:00
[INFO] ------------------------------------------------------------------------
# for more fine-grained control of configuring consult the shiro-tools-hasher docs, or run it with no parameters to list options
# run shiro-tools-hasher from local repository
java -jar ~/.m2/repository/org/apache/shiro/tools/shiro-tools-hasher/${SHIRO_VERSION}/shiro-tools-hasher-${SHIRO_VERSION}-cli.jar -p
# cli prompts for password using the default configurations
# "pw" used as input in this example
Password to hash:
Password to hash (confirm):
# output
$shiro2$argon2id$v=19$t=1,m=65536,p=4$Wr/2XKxWeYZt8JE5HCONQw$yev4bLiGzbeIZ8qDWrIY7J2msL2vRO/aYksb4RMeX7Y

shiro.ini

[main]
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher

[users]
# quote is required around the supplied string for shiro to properly parse parameters
example="$shiro2$argon2id$v=19$t=1,m=65536,p=4$Wr/2XKxWeYZt8JE5HCONQw$yev4bLiGzbeIZ8qDWrIY7J2msL2vRO/aYksb4RMeX7Y"

[urls]
/** = authcBasic,user[example]

Since unencrypted still works, should both versions be present and commented in the ini files and the docs, or should the current configuration be replaced?
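The thread shows three shapes a [users] credential can take: a plain string (accepted only when [main] wires SimpleCredentialsMatcher, as afs found), a legacy `$shiro1$<algo>$<iterations>$<salt>$<digest>` iterated digest, and the `$shiro2$argon2id$v=19$t=..,m=..,p=..$<salt>$<hash>` string the 2.x CLI hasher emits. The quoting point in the last comment follows from the ini grammar: a [users] value is `password, role1, role2`, split on commas, and the argon2 parameter field itself contains commas. The following is an added example, not code from this issue, from Jena or from Apache Shiro: a small Python auditor that parses a shiro.ini with a comma split that honours double quotes, classifies every [users] entry, and reports whether [main] has the plaintext matcher configured. The sample ini, the `MIN_ARGON2` floor (set to the parameters the 2.0.1 hasher produced above) and all function names are constructed for this example.

```python
"""Audit the [users] section of a shiro.ini for plaintext or weak credentials.

Added example, not part of the Jena issue or of Apache Shiro. It recognises:
  $shiro1$<ALGO>$<iterations>$<base64 salt>$<base64 digest>     (Shiro 1.x iterated digest)
  $shiro2$argon2id$v=19$t=..,m=..,p=..$<b64 salt>$<b64 hash>     (Shiro 2.x argon2id)
Anything else in the password position is reported as plaintext.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass

# Constructed sample ini (not from any real deployment); it mixes the three forms seen in the thread.
SAMPLE_INI = """\
[main]
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher

[users]
# quotes keep the commas inside the argon2 parameters from being read as role separators
example="$shiro2$argon2id$v=19$t=1,m=65536,p=4$Wr/2XKxWeYZt8JE5HCONQw$yev4bLiGzbeIZ8qDWrIY7J2msL2vRO/aYksb4RMeX7Y", admin
user1 = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=
user99=password99, guest

[urls]
/** = authcBasic
"""

# Constructed policy floor: the parameters the Shiro 2.0.1 CLI hasher emitted on this page.
MIN_ARGON2 = {"t": 1, "m": 65536, "p": 4}


@dataclass
class ShiroHash:
    version: str      # "shiro1" or "shiro2"
    algorithm: str    # e.g. "SHA-256" or "argon2id"
    params: dict      # shiro1: {"iterations": n}; argon2: {"v", "t", "m", "p"}
    salt: bytes
    digest: bytes


@dataclass
class Finding:
    user: str
    kind: str         # "plaintext", "legacy-shiro1", "argon2id", "weak-argon2id", "unparseable"
    detail: str


def _b64decode(s: str) -> bytes:
    """Decode base64 with or without '=' padding (the argon2 string omits it)."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def ini_section(text: str, name: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs from section [name]; blank lines and #/; comments are skipped."""
    pairs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if current == name and "=" in line:
            key, _, value = line.partition("=")   # first '=' only: hashes contain '=' too
            pairs.append((key.strip(), value.strip()))
    return pairs


def split_ini_value(value: str) -> list[str]:
    """Split 'password, role1, role2' on commas outside double quotes; quotes are dropped."""
    tokens, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            tokens.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tokens.append("".join(cur).strip())
    return tokens


def parse_shiro_hash(value: str) -> ShiroHash | None:
    """Parse a $shiro1$/$shiro2$ string; None if it is not one; ValueError if malformed."""
    if not value.startswith("$shiro"):
        return None
    parts = value.split("$")[1:]          # drop the empty token before the leading '$'
    if parts[0] == "shiro1" and len(parts) == 5:
        _, algo, iters, salt, digest = parts
        return ShiroHash("shiro1", algo, {"iterations": int(iters)}, _b64decode(salt), _b64decode(digest))
    if parts[0] == "shiro2" and len(parts) == 6 and parts[1].startswith("argon2"):
        _, algo, version, kv, salt, digest = parts
        params = {"v": int(version.split("=", 1)[1])}
        for item in kv.split(","):            # "t=1,m=65536,p=4"
            k, v = item.split("=", 1)
            params[k] = int(v)
        return ShiroHash("shiro2", algo, params, _b64decode(salt), _b64decode(digest))
    raise ValueError(f"unrecognised Shiro hash string starting {value[:16]!r}")


def plaintext_matcher_configured(ini_text: str) -> bool:
    """True when [main] wires SimpleCredentialsMatcher, which is what lets plaintext entries work."""
    return any(v.endswith("SimpleCredentialsMatcher") for _, v in ini_section(ini_text, "main"))


def audit_users(ini_text: str) -> list[Finding]:
    """Classify the credential of every [users] entry."""
    findings = []
    for user, value in ini_section(ini_text, "users"):
        credential = split_ini_value(value)[0]
        try:
            parsed = parse_shiro_hash(credential)
        except ValueError as exc:
            findings.append(Finding(user, "unparseable", str(exc)))
            continue
        if parsed is None:
            findings.append(Finding(user, "plaintext", "credential is not a $shiro1$/$shiro2$ string"))
        elif parsed.version == "shiro1":
            findings.append(Finding(user, "legacy-shiro1",
                                    f"{parsed.algorithm} x{parsed.params['iterations']}: iterated digest, not a memory-hard KDF"))
        else:
            weak = [k for k, floor in MIN_ARGON2.items() if parsed.params.get(k, 0) < floor]
            if weak:
                findings.append(Finding(user, "weak-argon2id", "below policy floor for: " + ", ".join(weak)))
            else:
                findings.append(Finding(user, "argon2id",
                                        f"t={parsed.params['t']}, m={parsed.params['m']} KiB, p={parsed.params['p']}, "
                                        f"salt {len(parsed.salt)} B, hash {len(parsed.digest)} B"))
    return findings


if __name__ == "__main__":
    for f in audit_users(SAMPLE_INI):
        print(f"{f.user:10} {f.kind:15} {f.detail}")
    print("plaintext matcher wired in [main]:", plaintext_matcher_configured(SAMPLE_INI))
```

Run it against a real shiro.ini by replacing `SAMPLE_INI` with the file contents; a `plaintext` finding together with `plaintext_matcher_configured()` returning True is exactly the working-but-unwanted configuration afs described, and a `plaintext` finding without it is an entry that will not authenticate under Shiro 2.x.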
