[jira] [Commented] (SHIRO-445) Mechanism needed to secure passwords in shiro.ini

Mon, 04 Jan 2021 11:01:19 -0800 


    [ 
https://issues.apache.org/jira/browse/SHIRO-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17258430#comment-17258430
 ] 

Suchit gupta commented on SHIRO-445:
------------------------------------

[~bmarwell] thanks!!

I am only looking for a way to avoid plain text `{{dataSource.password          
 = Password123`}}

Can I provide an encrypted password? 

```

{{[main]}}

{{dataSource                    = org.postgresql.ds.PGPoolingDataSource}}

{{dataSource.serverName         = localhost}}

{{dataSource.databaseName       = dp}}

{{dataSource.user               = dp_test}}

{{dataSource.password           = Password123}}

{{}}

{{ps = org.apache.shiro.authc.credential.DefaultPasswordService}}

{{pm = org.apache.shiro.authc.credential.PasswordMatcher}}

{{pm.passwordService = $ps}}

{{jdbcRealm = org.apache.shiro.realm.jdbc.JdbcRealm}}{{}}

{{```}}

> Mechanism needed to secure passwords in shiro.ini
> -------------------------------------------------
>
>                 Key: SHIRO-445
>                 URL: https://issues.apache.org/jira/browse/SHIRO-445
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Specification API
>    Affects Versions: 1.2.2
>         Environment: Any.
>            Reporter: Richard J. Barbalace
>            Assignee: Brian Demers
>            Priority: Major
>              Labels: patch
>         Attachments: mypatch.txt, mypatch2.txt
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> There should be a mechanism to secure passwords stored in shiro.ini for 
> accessing databases or other data sources, as described in this Shiro user 
> forum post:
> http://shiro-user.582556.n2.nabble.com/How-to-secure-database-password-in-shiro-ini-td7578763.html
> A flexible and extensible approach should allow for passwords to be stored in 
> other INI or properties files, JNDI resources, databases, key stores, key 
> servers, or other data sources.  Passwords might be encrypted using a master 
> key, which could likewise be stored in various data sources.
> I already have an initial patch prepared that allows for passwords to be 
> stored (plaintext or encrypted with a master key) in other INI files, similar 
> to a shadow password file.  This can be further extended to use other data 
> sources as needs arise.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to