Open OyvindLGjesdal opened 3 months ago
It seems to work -- possibly because the example default file is setting the credentialsMatcher.
[main]
plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
iniRealm.credentialsMatcher = $plainMatcher
[users]
user99=password99
[urls]
/** = authcBasic,user[user99]
It would be better to update the documentation and default file to use argon2 as suggested.
This is a working example:
using command line hasher: (https://shiro.apache.org/command-line-hasher.html)
# change shiro version to current version in case of updated/improved defaults
export SHIRO_VERSION=2.0.1
# download shiro-tools-hasher to local repository
mvn dependency:get -DgroupId=org.apache.shiro.tools -DartifactId=shiro-tools-hasher -Dclassifier=cli -Dversion=$SHIRO_VERSION
# output
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< org.apache.maven:standalone-pom >-------------------
[INFO] Building Maven Stub Project (No POM) 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] --- dependency:3.7.0:get (default-cli) @ standalone-pom ---
[INFO] Resolving org.apache.shiro.tools:shiro-tools-hasher:jar:cli:2.0.1 with transitive dependencies
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.802 s
[INFO] Finished at: 2024-08-10T13:25:46+02:00
[INFO] ------------------------------------------------------------------------
# for more fine-grained control of configuring consult the shiro-tools-hasher docs, or run it with no parameters to list options
# run shiro-tools-hasher from local repository
java -jar ~/.m2/repository/org/apache/shiro/tools/shiro-tools-hasher/${SHIRO_VERSION}/shiro-tools-hasher-${SHIRO_VERSION}-cli.jar -p
# cli prompts for password using the default configurations
# "pw" used as input in this example
Password to hash:
Password to hash (confirm):
# output
$shiro2$argon2id$v=19$t=1,m=65536,p=4$Wr/2XKxWeYZt8JE5HCONQw$yev4bLiGzbeIZ8qDWrIY7J2msL2vRO/aYksb4RMeX7Y
shiro.ini
[main]
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher
[users]
# quotes are required around the supplied string for Shiro to properly parse the parameters
example="$shiro2$argon2id$v=19$t=1,m=65536,p=4$Wr/2XKxWeYZt8JE5HCONQw$yev4bLiGzbeIZ8qDWrIY7J2msL2vRO/aYksb4RMeX7Y"
[urls]
/** = authcBasic,user[example]
Since unencrypted still works, should both versions be present and commented in the ini files and the docs, or should the current configuration be replaced?
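The two [users] styles above (a plaintext credential and a quoted $shiro2$ argon2id string) are easy to mix up once both are commented into the same shiro.ini. The script below is an added example, not code from the issue or from the Shiro project: it parses the [users] section of a shiro.ini, flags entries that are still plaintext, splits each $shiro2$ value into its fields as they appear in the hasher output on this page (algorithm, v=, t/m/p, salt, hash, all base64 without padding), and re-emits the standard PHC encoding so an external argon2 implementation can verify it. The cost thresholds (MIN_MEMORY_KIB and friends) are an assumed policy floor, not a Shiro default, and the PHC conversion assumes Shiro's argon2id output is plain argon2id over the UTF-8 password; the sample ini text is constructed for the example.

```python
import base64
import re

# Hash value copied from the command-line hasher output in the issue ("pw" as input).
EXAMPLE_HASH = (
    "$shiro2$argon2id$v=19$t=1,m=65536,p=4"
    "$Wr/2XKxWeYZt8JE5HCONQw$yev4bLiGzbeIZ8qDWrIY7J2msL2vRO/aYksb4RMeX7Y"
)

# Constructed sample shiro.ini mixing a plaintext entry and a hashed entry.
SAMPLE_INI = (
    "[main]\n"
    "passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher\n"
    "iniRealm.credentialsMatcher = $passwordMatcher\n"
    "[users]\n"
    "user99=password99\n"
    "# quotes keep the comma-separated argon2 parameters out of the role list\n"
    'example="' + EXAMPLE_HASH + '", admin\n'
    "[urls]\n"
    "/** = authcBasic,user[example]\n"
)

# Assumed policy floor (hypothetical, not from Shiro): argon2id, >= 19 MiB memory,
# 16-byte salt, 32-byte tag. Tune to your own password policy.
MIN_MEMORY_KIB = 19 * 1024
MIN_SALT_BYTES = 16
MIN_HASH_BYTES = 32


def _b64decode_unpadded(s: str) -> bytes:
    """The hasher emits base64 without '=' padding; restore it before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_shiro2(value: str) -> dict:
    """Split $shiro2$<alg>$v=<n>$t=..,m=..,p=..$<salt>$<hash> into typed fields."""
    parts = value.split("$")
    if len(parts) != 7 or parts[0] != "" or parts[1] != "shiro2":
        raise ValueError("not a $shiro2$ credential string")
    _, _, alg, version, params, salt_b64, hash_b64 = parts
    ver = re.fullmatch(r"v=(\d+)", version)
    if ver is None:
        raise ValueError("missing argon2 version field")
    kv = dict(item.split("=", 1) for item in params.split(","))
    try:
        t, m, p = int(kv["t"]), int(kv["m"]), int(kv["p"])
    except KeyError as exc:
        raise ValueError(f"missing cost parameter {exc}") from None
    return {
        "algorithm": alg, "version": int(ver.group(1)), "t": t, "m": m, "p": p,
        "salt_b64": salt_b64, "hash_b64": hash_b64,
        "salt": _b64decode_unpadded(salt_b64), "hash": _b64decode_unpadded(hash_b64),
    }


def to_phc(value: str) -> str:
    """Re-emit in PHC string format ($argon2id$v=19$m=..,t=..,p=..$salt$hash)."""
    h = parse_shiro2(value)
    return (f"${h['algorithm']}$v={h['version']}$m={h['m']},t={h['t']},p={h['p']}"
            f"${h['salt_b64']}${h['hash_b64']}")


def weaknesses(h: dict) -> list:
    """Return human-readable reasons the parsed hash falls below the assumed policy."""
    reasons = []
    if h["algorithm"] != "argon2id":
        reasons.append(f"algorithm {h['algorithm']} is not argon2id")
    if h["m"] < MIN_MEMORY_KIB:
        reasons.append(f"memory {h['m']} KiB below {MIN_MEMORY_KIB} KiB")
    if len(h["salt"]) < MIN_SALT_BYTES:
        reasons.append(f"salt is {len(h['salt'])} bytes")
    if len(h["hash"]) < MIN_HASH_BYTES:
        reasons.append(f"tag is {len(h['hash'])} bytes")
    return reasons


def parse_users(ini_text: str) -> dict:
    """Minimal [users] reader: username = credential[, role, ...], credential may be quoted."""
    section, users = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "users" and "=" in line:
            name, _, rest = line.partition("=")
            rest = rest.strip()
            if rest.startswith('"'):          # quoted: commas inside belong to the hash
                cred = rest[1:rest.index('"', 1)]
            else:                             # unquoted: first comma-separated field
                cred = rest.split(",")[0].strip()
            users[name.strip()] = cred
    return users


def audit_users(ini_text: str) -> dict:
    """Map each user to 'plaintext', 'ok', or 'weak: ...' / 'malformed: ...'."""
    report = {}
    for name, cred in parse_users(ini_text).items():
        if not cred.startswith("$shiro2$"):
            report[name] = "plaintext"
            continue
        try:
            problems = weaknesses(parse_shiro2(cred))
        except ValueError as exc:
            report[name] = f"malformed: {exc}"
            continue
        report[name] = "ok" if not problems else "weak: " + "; ".join(problems)
    return report


if __name__ == "__main__":
    for user, status in audit_users(SAMPLE_INI).items():
        print(f"{user}: {status}")
    print(to_phc(EXAMPLE_HASH))
```

Running it reports user99 as plaintext and example as ok; the PHC form it prints can be handed to a standard argon2 library (for instance argon2-cffi's PasswordHasher().verify) together with the password "pw" to confirm the Shiro output interoperates, which also confirms that the matcher, not the realm, is what decides whether plaintext still authenticates.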
Version
5.1
What happened?
https://shiro.apache.org/configuration.html#Configuration-INIConfiguration
The examples provided for shiro.ini contain plain text passwords, which I don't think works since shiro was bumped to 2.0 in 4.10. I stumbled onto it when reading the docs, trying to configure a custom shiro.ini.
https://shiro.apache.org/configuration.html#Configuration-INIConfiguration
There is a section with how to do it, which supplies a shiro cli-tool for creating the required password string to paste.
https://shiro.apache.org/command-line-hasher.html
I suggest updating the ini file with a working commented example, maybe using the same password and username as today, but with the password encrypted using the cli-tool and with a comment stating the change to plain-text passwords.
Haven't confirmed that plain text passwords fails yet in practice, but will try.
Relevant output and stacktrace
No response
Are you interested in making a pull request?
Yes