[jira] [Updated] (SHIRO-445) Mechanism needed to secure passwords in shiro.ini

Thu, 06 Jun 2013 14:34:54 -0700 

     [ 
https://issues.apache.org/jira/browse/SHIRO-445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Richard J. Barbalace updated SHIRO-445:
---------------------------------------

    Attachment: mypatch.txt

Here is my patch to add a new package for configuring shadow INI files to 
secure passwords.

This is a large patch with 6 new classes, so I recommend a thorough review.  
The classes and the package-info.java file have extensive JavaDocs and 
comments.  I have already spent 3 days working on this patch, and can 
contribute more time as needed.

I have not yet developed unit tests for these classes, although I did extensive 
manual end-to-end testing with my web application.  As I have time to review 
how Shiro is doing unit testing, I will look into developing unit tests as well.
                
> Mechanism needed to secure passwords in shiro.ini
> -------------------------------------------------
>
>                 Key: SHIRO-445
>                 URL: https://issues.apache.org/jira/browse/SHIRO-445
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Specification API
>    Affects Versions: 1.2.2
>         Environment: Any.
>            Reporter: Richard J. Barbalace
>             Fix For: 1.2.3
>
>         Attachments: mypatch.txt
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> There should be a mechanism to secure passwords stored in shiro.ini for 
> accessing databases or other data sources, as described in this Shiro user 
> forum post:
> http://shiro-user.582556.n2.nabble.com/How-to-secure-database-password-in-shiro-ini-td7578763.html
> A flexible and extensible approach should allow for passwords to be stored in 
> other INI or properties files, JNDI resources, databases, key stores, key 
> servers, or other data sources.  Passwords might be encrypted using a master 
> key, which could likewise be stored in various data sources.
> I already have an initial patch prepared that allows for passwords to be 
> stored (plaintext or encrypted with a master key) in other INI files, similar 
> to a shadow password file.  This can be further extended to use other data 
> sources as needs arise.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to