Posted to dev@shiro.apache.org by "Richard Bradley (JIRA)" <ji...@apache.org> on 2015/12/17 16:02:46 UTC
[jira] [Created] (SHIRO-552) JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes
Richard Bradley created SHIRO-552:
-------------------------------------
Summary: JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes
Key: SHIRO-552
URL: https://issues.apache.org/jira/browse/SHIRO-552
Project: Shiro
Issue Type: Bug
Affects Versions: 1.2.4
Reporter: Richard Bradley
The {{org.apache.shiro.realm.jdbc.JdbcRealm}} class, when configured with SaltStyle.COLUMN, assumes that password column is Base64 but salt column is utf8 bytes.
The password is returned as a {{char[]}} (see JdbcRealm.java:241), which {{org.apache.shiro.authc.credential.HashedCredentialsMatcher}} then decodes (see HashedCredentialsMatcher.java:353):
{code}
if (credentials instanceof String || credentials instanceof char[]) {
    // account.credentials were a char[] or String, so
    // we need to do text decoding first:
    if (isStoredCredentialsHexEncoded()) {
        storedBytes = Hex.decode(storedBytes);
    } else {
        storedBytes = Base64.decode(storedBytes);
    }
}
{code}
However, the salt is returned as a {{ByteSource}}, by converting the DB-returned String into its UTF-8 bytes. See JdbcRealm.java:224:
{code}
if (salt != null) {
    info.setCredentialsSalt(ByteSource.Util.bytes(salt));
}
{code}
This is broken and inconsistent.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
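
The mismatch described in this report, reproduced with JDK classes only. This is an added example, not part of the original message and not Shiro's own code. It assumes a provisioning tool that writes both columns as Base64 and models the hash as a single iteration of SHA-256 over salt then password; the class name and sample values are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class SaltColumnMismatch {

    // One-iteration salted hash: SHA-256(salt || password).
    // Assumption: stands in for the hash the credentials matcher computes.
    static byte[] hash(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample data: a 16-byte binary salt and a password.
        byte[] rawSalt = new byte[16];
        for (int i = 0; i < rawSalt.length; i++) {
            rawSalt[i] = (byte) (0xA0 + i);
        }
        String password = "correct horse";

        // Provisioning side: both columns are written as Base64 text.
        String passwordColumn = Base64.getEncoder().encodeToString(hash(rawSalt, password));
        String saltColumn = Base64.getEncoder().encodeToString(rawSalt);

        // Login side, as the report describes it: the password column is
        // Base64-decoded, but the salt column is taken as its UTF-8 bytes.
        byte[] storedHash = Base64.getDecoder().decode(passwordColumn);
        byte[] saltAsUtf8 = saltColumn.getBytes(StandardCharsets.UTF_8);
        byte[] saltDecoded = Base64.getDecoder().decode(saltColumn);

        // Constant-time comparison of the stored hash against each recomputation.
        boolean matchUtf8 = MessageDigest.isEqual(storedHash, hash(saltAsUtf8, password));
        boolean matchDecoded = MessageDigest.isEqual(storedHash, hash(saltDecoded, password));

        System.out.println("salt length, UTF-8 bytes of column: " + saltAsUtf8.length);
        System.out.println("salt length, Base64-decoded column: " + saltDecoded.length);
        System.out.println("login succeeds with UTF-8 salt:     " + matchUtf8);
        System.out.println("login succeeds with decoded salt:   " + matchDecoded);
    }
}
```

With a binary salt, the correct password only verifies when the salt column is decoded the same way as the password column.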