[
https://issues.apache.org/jira/browse/SHIRO-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17258416#comment-17258416
]
Benjamin Marwell commented on SHIRO-445:
----------------------------------------
Hi, I can take a look at it after password shading (SHIRO-290, adding argon2
and scrypt).
The best way would be to use a container DS, because most containers (or app
servers) already have such functionality.
Other than that, loading a key from the file system may be a viable option. But
as mentioned by Brian, this is just obfuscation. App servers do nothing
different here. Pidgin (an IM client) even dropped support for password
obfuscation because of this reason.
I'm doing changes to the Password Factory implementations in Shiro-290. So
let's see where it gets us.
> Mechanism needed to secure passwords in shiro.ini
> -------------------------------------------------
>
> Key: SHIRO-445
> URL: https://issues.apache.org/jira/browse/SHIRO-445
> Project: Shiro
> Issue Type: New Feature
> Components: Authentication (log-in), Specification API
> Affects Versions: 1.2.2
> Environment: Any.
> Reporter: Richard J. Barbalace
> Assignee: Brian Demers
> Priority: Major
> Labels: patch
> Attachments: mypatch.txt, mypatch2.txt
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> There should be a mechanism to secure passwords stored in shiro.ini for
> accessing databases or other data sources, as described in this Shiro user
> forum post:
> http://shiro-user.582556.n2.nabble.com/How-to-secure-database-password-in-shiro-ini-td7578763.html
> A flexible and extensible approach should allow for passwords to be stored in
> other INI or properties files, JNDI resources, databases, key stores, key
> servers, or other data sources. Passwords might be encrypted using a master
> key, which could likewise be stored in various data sources.
> I already have an initial patch prepared that allows for passwords to be
> stored (plaintext or encrypted with a master key) in other INI files, similar
> to a shadow password file. This can be further extended to use other data
> sources as needs arise.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
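For readers following the thread: below is an added illustration (not part of the issue, its patches, or Shiro's own documentation) of the two shiro.ini shapes being discussed, the plaintext JDBC password that SHIRO-445 complains about and the container-managed DataSource that the comment above recommends instead. The JNDI name jdbc/appDb, the pool class, the JDBC URL and the credentials are assumptions chosen for the example; the container-side definition of jdbc/appDb (for example in a servlet container's context descriptor) is where the real password then lives, which is exactly the "app servers do nothing different" point, so the gain is that shiro.ini itself no longer needs to carry a secret.

```ini
# --- shiro.ini, variant 1: plaintext credential in the file (the problem) ---
# Everything below is an assumed example; class, URL and password are made up.
[main]
ds = org.apache.commons.dbcp2.BasicDataSource
ds.driverClassName = org.postgresql.Driver
ds.url = jdbc:postgresql://db.example.internal:5432/app
ds.username = app
# anyone who can read shiro.ini (backups, SCM, log shipping) has this value
ds.password = changeit

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $ds
securityManager.realms = $jdbcRealm

# --- shiro.ini, variant 2: container-managed DataSource looked up via JNDI ---
# shiro-core's JndiObjectFactory resolves the name at startup; the container,
# not shiro.ini, holds the database credential. jdbc/appDb is an assumed name.
[main]
ds = org.apache.shiro.jndi.JndiObjectFactory
ds.resourceName = java:comp/env/jdbc/appDb
ds.requiredType = javax.sql.DataSource

jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm
jdbcRealm.dataSource = $ds
securityManager.realms = $jdbcRealm
```

The two [main] sections are shown together only for comparison; a real shiro.ini would contain one or the other. With variant 2, shiro.ini can be world-readable without exposing the database password, and the remaining secret (the resource definition in the container) can be protected with the container's own file permissions and, where the container supports it, its own credential store.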