Good tip, Sergey. I think that you may underestimate our users' digging tendencies though. ;)
The source of truth for Shiro config will of course always be Shiro itself - a pointer to their docs should suffice for most things.

I also don't think that we should spend time trying to make this file-based approach "more secure"; it is not something that we would ever encourage folks to deploy.

I continue to believe that our extremely low barrier to entry LDAP server is great. It removes the intimidation factor that setting up an LDAP server can present and makes a much better impression when a developer wants to show something to management, because it isn't some file-based toy.

A major aspect of our charter is to widen the enterprise security integration surface area, not to ship our own user store - be that a Shiro feature or not.

On Thu, Oct 10, 2013 at 12:04 PM, Sergey Balan CV <[email protected]> wrote:

> Regarding password hash.
> I think we need at least to mention how to configure it in the sandbox.xml
> (users don't like to dig deep).
>
> <provider>
> <role>authentication</role>
> <name>ShiroProvider</name>
> <enabled>true</enabled>
> <param><name>main.iniRealm.credentialsMatcher</name><value>org.apache.shiro.authc.credential.Sha256CredentialsMatcher</value></param>
> <param><name>users.guest</name><value>2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</value></param>
> <param><name>urls./**</name><value>authcBasic</value></param>
> </provider>
>
> And explain how to create hash:
> http://shiro.apache.org/command-line-hasher.html
>
> On Thu, Oct 10, 2013 at 6:31 PM, Kevin Minder <[email protected]> wrote:
>
> > I particularly enjoy not having to mess with starting the LDAP server for
> > verification testing.
> > Note that there are very easy ways to use a hash instead of the clear text
> > password but this defeats the purpose in my mind.
> >
> > On 10/10/13 11:25 AM, larry mccay wrote:
> >
> >> Nice.
> >> Very easy for out of the box testing for adding users without messing with
> >> LDIF and the ApacheDS instance.
> >> It will obviously require the redeploy of the topology for any change and
> >> is not really an example of enterprise security in any way. It does however
> >> allow for easy functional testing for consuming the Hadoop REST services
> >> through Knox.
> >>
> >> To be clear though, it is not considered a good practice to have passwords
> >> in clear text inside of an application deployment artifact, which is exactly
> >> what this ends up doing. The users that are put into a test environment
> >> like this should not be actual credentials for anyone.
> >>
> >> On Thu, Oct 10, 2013 at 10:38 AM, Kevin Minder <[email protected]> wrote:
> >>
> >>> This uses the default Shiro IniRealm implementation.
> >>> Obviously not secure but possibly not bad for an out of the box demo.
> >>> We would need to make it very clear that this was for demo purposes.
> >>> Just to be clear this works with 0.3.0 by changing just the sandbox.xml
> >>> topo file.
> >>>
> >>> <provider>
> >>> <role>authentication</role>
> >>> <name>ShiroProvider</name>
> >>> <enabled>true</enabled>
> >>> <param><name>users.guest</name><value>guest-password</value></param>
> >>> <param><name>urls./**</name><value>authcBasic</value></param>
> >>> </provider>
> >>>
> >>> --
> >>> CONFIDENTIALITY NOTICE
> >>> NOTICE: This message is intended for the use of the individual or entity
> >>> to which it is addressed and may contain information that is confidential,
> >>> privileged and exempt from disclosure under applicable law. If the reader
> >>> of this message is not the intended recipient, you are hereby notified that
> >>> any printing, copying, dissemination, distribution, disclosure or
> >>> forwarding of this communication is strictly prohibited. If you have
> >>> received this communication in error, please contact the sender immediately
> >>> and delete it from your system. Thank You.
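As an added example (not Knox's or Shiro's own code, and not part of the thread above), here is a small check a reviewer could run over a topology file before it is deployed. It parses the `<provider>` block, collects the ShiroProvider params, and reports every `users.*` entry: clear text is a high finding, and a hashed value is still reported, since a hash inside a deployment artifact is the demo shortcut the thread describes, not a user store. The `<topology><gateway>` wrapper around the two provider blocks from the thread, the function names and the severity labels are assumptions of this example.

```python
"""Lint a Knox topology for file-based Shiro (IniRealm) users.

Added example, not Knox or Shiro code. Flags every ShiroProvider ``users.*``
param that is stored in clear text, and still reports hashed entries, since
a hash inside a deployment artifact is a demo shortcut, not a user store.
"""
import re
import xml.etree.ElementTree as ET

# A Sha256CredentialsMatcher expects the stored credential as 64 hex characters.
HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed samples: the two <provider> blocks from the thread, wrapped in the
# <topology><gateway> layout of a Knox topology file (the wrapper is assumed here).
CLEAR_TEXT_TOPOLOGY = """
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>users.guest</name><value>guest-password</value></param>
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>
  </gateway>
</topology>
"""

HASHED_TOPOLOGY = """
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>main.iniRealm.credentialsMatcher</name><value>org.apache.shiro.authc.credential.Sha256CredentialsMatcher</value></param>
      <param><name>users.guest</name><value>2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b</value></param>
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>
  </gateway>
</topology>
"""


def shiro_params(topology_xml):
    """Return {name: value} for every param of an enabled ShiroProvider."""
    root = ET.fromstring(topology_xml.strip())
    params = {}
    for provider in root.iter("provider"):
        if provider.findtext("role", "").strip() != "authentication":
            continue
        if provider.findtext("name", "").strip() != "ShiroProvider":
            continue
        if provider.findtext("enabled", "").strip().lower() != "true":
            continue
        for param in provider.findall("param"):
            params[param.findtext("name", "").strip()] = param.findtext("value", "").strip()
    return params


def audit_topology(topology_xml):
    """Return [(severity, message)] for each file-based user found.

    An empty list means the topology carries no IniRealm users at all.
    """
    params = shiro_params(topology_xml)
    matcher = params.get("main.iniRealm.credentialsMatcher", "")
    findings = []
    for name, value in params.items():
        if not name.startswith("users."):
            continue
        user = name[len("users."):]
        # A Shiro [users] entry is "credential, role1, role2"; keep the credential only.
        credential = value.split(",")[0].strip()
        if not matcher:
            findings.append(("HIGH", f"{user}: clear-text password embedded in the topology"))
        elif "Sha256CredentialsMatcher" in matcher and not HEX_SHA256.match(credential):
            findings.append(("HIGH", f"{user}: Sha256CredentialsMatcher configured but the stored value is not a hex SHA-256 digest"))
        else:
            findings.append(("MEDIUM", f"{user}: hashed password embedded in the topology (demo use only; redeploy needed for every change)"))
    return findings


if __name__ == "__main__":
    for label, topo in (("clear text", CLEAR_TEXT_TOPOLOGY), ("hashed", HASHED_TOPOLOGY)):
        print(f"== {label} ==")
        for severity, message in audit_topology(topo):
            print(f"[{severity}] {message}")
```

The hashed case is deliberately a finding rather than a pass: Shiro's Sha256CredentialsMatcher is unsalted and single-iteration unless its `hashIterations` and salting options are configured, and either way the credential still lives in the topology file, so the check treats it as acceptable only for the out of the box demo the thread has in mind.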
