I'm trying to figure out how to decrypt a Shiro rememberMe cookie using
JavaScript running in a node.js/express.js server app. If anyone has been
down this path or has any advice of any sort, please let me know!

I'd like to extract identity principals from the rememberMe cookie once I'm
able to decrypt it. I assume this is available, but what exactly is stored
in the rememberMe cookie?

How is the rememberMe cookie encrypted? Does it use an AES cipher and then
Base64 encode it? Is padding used, what type? What about string encoding
('utf8', 'ascii', etc.)? There seem to be lots of combinations and figuring
out the right one is daunting.

I'm currently using Shiro 1.1.0. I've been looking at the following
resources but haven't solved it yet:

http://stackoverflow.com/questions/10548973/encrypting-and-decrypting-with-python-and-nodejs
http://stackoverflow.com/questions/12685475/encrypt-in-java-decrypt-in-node-js
http://stackoverflow.com/questions/11477175/encrypting-and-decrypting-data-through-transport-through-java-to-node-js

Here's some config info if it helps:

<bean id="securityManager"
      class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
    <property name="cacheManager" ref="cacheManager"/>
    <property name="realm" ref="myRealm"/>
    <property name="sessionMode" value="native"/>
    <property name="rememberMeManager" ref="myRememberMeManager"/>
</bean>

<bean name="myRememberMeManager"
      class="com.myapp.security.MyRememberMeManager">
    <property name="cipherKey" ref="cipherKeyBytes"/>
    <property name="cookie.domain" value="${global.cookieDomain}"/>
    <property name="cookie.path" value="/"/>
</bean>

<bean id="cipherKeyBytes"
      class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <property name="targetClass" value="org.apache.shiro.codec.Base64"/>
    <property name="targetMethod" value="decode"/>
    <property name="arguments">
        <list>
            <value>mySecretValue</value>
        </list>
    </property>
</bean>

Thanks!
Tauren
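
An added example, not part of the original post and not Shiro's own code: decrypting the cookie value in Node.js under the assumption that it follows the layout of Shiro 1.x's default AES cipher service, i.e. Base64 of a 16-byte IV followed by AES-CBC ciphertext with PKCS#5 padding, wrapping a Java-serialized object. The custom MyRememberMeManager in the config above may behave differently; the function names, sample key and sample payload are hypothetical.

```javascript
const crypto = require('crypto');

const IV_LEN = 16;                                  // AES block size in bytes
const JAVA_MAGIC = Buffer.from('aced0005', 'hex');  // Java serialization stream header

// Decrypt a rememberMe cookie value using the same Base64 key string that the
// Spring config passes through Base64.decode (assumed layout: IV || ciphertext).
function decryptRememberMe(cookieValue, cipherKeyBase64) {
  const key = Buffer.from(cipherKeyBase64, 'base64');
  if (![16, 24, 32].includes(key.length)) {
    throw new Error(`unexpected AES key length: ${key.length} bytes`);
  }
  const raw = Buffer.from(cookieValue, 'base64');
  // Need the IV plus at least one whole ciphertext block.
  if (raw.length < 2 * IV_LEN || raw.length % IV_LEN !== 0) {
    throw new Error('cookie is not IV + whole AES blocks');
  }
  const iv = raw.subarray(0, IV_LEN);
  const decipher = crypto.createDecipheriv(`aes-${key.length * 8}-cbc`, key, iv);
  // Node strips PKCS#7 padding (identical to Java's PKCS5Padding for AES)
  // and throws from final() when the padding is invalid.
  const plain = Buffer.concat([decipher.update(raw.subarray(IV_LEN)), decipher.final()]);
  // No string encoding applies: the plaintext is binary, not text.
  return { plain, isJavaSerialized: plain.subarray(0, 4).equals(JAVA_MAGIC) };
}

// Constructed fixture only: builds a sample cookie so the example runs offline.
function makeConstructedCookie(plain, cipherKeyBase64) {
  const key = Buffer.from(cipherKeyBase64, 'base64');
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv(`aes-${key.length * 8}-cbc`, key, iv);
  return Buffer.concat([iv, cipher.update(plain), cipher.final()]).toString('base64');
}

const SAMPLE_KEY = Buffer.alloc(16, 7).toString('base64');  // constructed key
const SAMPLE_PLAIN = Buffer.concat([JAVA_MAGIC, Buffer.from('constructed-payload')]);
const sampleCookie = makeConstructedCookie(SAMPLE_PLAIN, SAMPLE_KEY);
const result = decryptRememberMe(sampleCookie, SAMPLE_KEY);
console.log('java-serialized:', result.isJavaSerialized, 'bytes:', result.plain.length);
```

CBC carries no integrity check, so a cookie that decrypts cleanly is not proof that the server issued it. Read the principals with a parser for the Java serialization format rather than handing the bytes to a Java deserializer.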