Posted to user@shiro.apache.org by "richard@localmed.com" <ri...@localmed.com> on 2013/09/09 18:09:31 UTC

Re: Randomized key for RememberMe token?

So, this proved to be an interesting problem in debugging shiro.ini files. 
My original approach did not work because setting
securityManager.rememberMeManager.cipherKey to a reference fails, with the
reference being treated as an actual value.  I did find a solution in
extending the Remember Me Manager directly.

Since this might help others debug similar issues in the future, I will go
into some details.

First, here is a handy "debugger" that will print out reference values in the
shiro.ini file:

Feel free to use a logger instead of System.out.println for output.

Here is what did not work.  In shiro.ini:


The debugger correctly prints that the cipher key is a different random
value each time, but securityManager.rememberMeManager.cipherKey uses the
actual string "$cipherKey" as the key, which is not random at all.

RandomKey2 is a simple Factory method to produce a byte[] array:


I also tried a variation that produced a hex-encoded string, with the same
result:


After giving up on setting the key, I decided to set the Remember Me Manager
itself, which does work.  In shiro.ini:


The code for the RandomRememberMeManager is actually even simpler than my
first approach:


I would suggest that Shiro include something like this in its next release,
but I know Les has been too busy to get to the last patch I submitted. :)



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Randomized-key-for-RememberMe-token-tp7579078p7579118.html
Sent from the Shiro User mailing list archive at Nabble.com.
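
Added example, not part of the original post (the list archive stripped the poster's code blocks, so this is not the author's code): one way to write the remember-me manager the message describes, with a fresh random key generated at startup. The class name follows the post; the package name `com.example`, the 128-bit key size and the ini object name are assumptions.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

// Wiring in shiro.ini (package name com.example is an assumption):
//   [main]
//   rememberMeManager = com.example.RandomRememberMeManager
//   securityManager.rememberMeManager = $rememberMeManager
//
// Requires shiro-core, shiro-web and the servlet API on the classpath.
public class RandomRememberMeManager extends CookieRememberMeManager {

    // 16 bytes = AES-128, a key size accepted by the AES cipher service
    // that the remember-me manager uses by default (assumed size).
    private static final int KEY_BYTES = 16;

    public RandomRememberMeManager() {
        super();
        byte[] key = new byte[KEY_BYTES];
        // SecureRandom, not java.util.Random: the key must be unpredictable.
        new SecureRandom().nextBytes(key);
        // setCipherKey(byte[]) sets both the encryption and decryption key,
        // so no "$reference" has to be resolved by the ini parser.
        setCipherKey(key);
    }

    // Demonstration: each instance (i.e. each application start) gets its
    // own key, so nothing is shared with other deployments.
    public static void main(String[] args) {
        byte[] first = new RandomRememberMeManager().getCipherKey();
        byte[] second = new RandomRememberMeManager().getCipherKey();
        System.out.println("key length (bytes): " + first.length);
        System.out.println("keys differ: " + !Arrays.equals(first, second));
    }
}
```

Because the key lives only in memory, existing rememberMe cookies stop decrypting after a restart, and nodes in a cluster will not accept each other's cookies unless they are given a shared key instead.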

Re: Randomized key for RememberMe token?

Posted by Les Hazlewood <lh...@apache.org>.
Hi Richard,

This is awesome!  I was a bit confused by this thread until I realized that
the ASF mailing lists strip off the code blocks - I have to see them in
Nabble to make sense of it.

And yes, I have been crazy busy, but I'm still happy to help!  I'm back on
track and going through issues as we speak.  Please definitely open a Jira
bug for your issue - it will be forgotten entirely without it!

Best,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Mon, Sep 9, 2013 at 9:09 AM, richard@localmed.com <ri...@localmed.com> wrote:

> So, this proved to be an interesting problem in debugging shiro.ini files.
> My original approach did not work because setting
> securityManager.rememberMeManager.cipherKey to a reference fails, with the
> reference being treated as an actual value.  I did find a solution in
> extending the Remember Me Manager directly.
>
> Since this might help others debug similar issues in the future, I will go
> into some details.
>
> First, here is a handy "debugger" that will print out reference values in the
> shiro.ini file:
>
> Feel free to use a logger instead of System.out.println for output.
>
> Here is what did not work.  In shiro.ini:
>
>
> The debugger correctly prints that the cipher key is a different random
> value each time, but securityManager.rememberMeManager.cipherKey uses the
> actual string "$cipherKey" as the key, which is not random at all.
>
> RandomKey2 is a simple Factory method to produce a byte[] array:
>
>
> I also tried a variation that produced a hex-encoded string, with the same
> result:
>
>
> After giving up on setting the key, I decided to set the Remember Me Manager
> itself, which does work.  In shiro.ini:
>
>
> The code for the RandomRememberMeManager is actually even simpler than my
> first approach:
>
>
> I would suggest that Shiro include something like this in its next release,
> but I know Les has been too busy to get to the last patch I submitted. :)
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Randomized-key-for-RememberMe-token-tp7579078p7579118.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>