Posted to dev@shiro.apache.org by "Richard J. Barbalace (JIRA)" <ji...@apache.org> on 2013/06/06 23:34:21 UTC

[jira] [Updated] (SHIRO-445) Mechanism needed to secure passwords in shiro.ini

     [ https://issues.apache.org/jira/browse/SHIRO-445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard J. Barbalace updated SHIRO-445:
---------------------------------------

    Attachment: mypatch.txt

Here is my patch to add a new package for configuring shadow INI files to secure passwords.

This is a large patch with 6 new classes, so I recommend a thorough review.  The classes and the package-info.java file have extensive JavaDocs and comments.  I have already spent 3 days working on this patch, and can contribute more time as needed.

I have not yet developed unit tests for these classes, although I did extensive manual end-to-end testing with my web application.  As I have time to review how Shiro is doing unit testing, I will look into developing unit tests as well.
                
> Mechanism needed to secure passwords in shiro.ini
> -------------------------------------------------
>
>                 Key: SHIRO-445
>                 URL: https://issues.apache.org/jira/browse/SHIRO-445
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Specification API
>    Affects Versions: 1.2.2
>         Environment: Any.
>            Reporter: Richard J. Barbalace
>             Fix For: 1.2.3
>
>         Attachments: mypatch.txt
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> There should be a mechanism to secure passwords stored in shiro.ini for accessing databases or other data sources, as described in this Shiro user forum post:
> http://shiro-user.582556.n2.nabble.com/How-to-secure-database-password-in-shiro-ini-td7578763.html
> A flexible and extensible approach should allow for passwords to be stored in other INI or properties files, JNDI resources, databases, key stores, key servers, or other data sources.  Passwords might be encrypted using a master key, which could likewise be stored in various data sources.
> I already have an initial patch prepared that allows for passwords to be stored (plaintext or encrypted with a master key) in other INI files, similar to a shadow password file.  This can be further extended to use other data sources as needs arise.
