[ https://issues.apache.org/jira/browse/SHIRO-445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13677543#comment-13677543 ]

Richard J. Barbalace commented on SHIRO-445:
--------------------------------------------

The JavaDoc in the package-info.java file explains the basic approach:

The following is a summary of the class hierarchy:
- PasswordFactory - A simple interface for factories that retrieve passwords from data sources other than the default shiro.ini configuration file.
  - INIPasswordFactory - A base class for factories for retrieving passwords from an INI file.
    - ShadowPasswordFactory - A factory for retrieving plaintext passwords from a shadow INI file.
      - MasterKeyFactory - A factory for retrieving a master key from a master INI file.
      - EncryptedPasswordFactory - A factory for retrieving passwords encrypted with a master key from a shadow INI file.
        - PasswordHelper - A utility to generate hex-encoded master keys and encrypted passwords.

In general, developers should use EncryptedPasswordFactory with 
MasterKeyFactory to secure passwords for services with a master key. The 
PasswordHelper utility can generate random hex-encoded master keys and encrypt 
passwords using these master keys for such purposes. See each class for details 
on the format of the INI configuration files.

                
> Mechanism needed to secure passwords in shiro.ini
> -------------------------------------------------
>
>                 Key: SHIRO-445
>                 URL: https://issues.apache.org/jira/browse/SHIRO-445
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Specification API
>    Affects Versions: 1.2.2
>         Environment: Any.
>            Reporter: Richard J. Barbalace
>             Fix For: 1.2.3
>
>         Attachments: mypatch.txt
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> There should be a mechanism to secure passwords stored in shiro.ini for 
> accessing databases or other data sources, as described in this Shiro user 
> forum post:
> http://shiro-user.582556.n2.nabble.com/How-to-secure-database-password-in-shiro-ini-td7578763.html
> A flexible and extensible approach should allow for passwords to be stored in 
> other INI or properties files, JNDI resources, databases, key stores, key 
> servers, or other data sources.  Passwords might be encrypted using a master 
> key, which could likewise be stored in various data sources.
> I already have an initial patch prepared that allows for passwords to be 
> stored (plaintext or encrypted with a master key) in other INI files, similar 
> to a shadow password file.  This can be further extended to use other data 
> sources as needs arise.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
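
The master-key scheme described in the comment above, as an added example that is not code from the SHIRO-445 patch or from Shiro: a random hex-encoded master key is kept in one file, and a password encrypted under it is kept in a shadow file and resolved at load time. The class name, the key names `masterKey` and `ds.password`, the use of `java.util.Properties` in place of an INI parser, and the choice of AES-GCM are all assumptions (the thread does not state the cipher or file format); Java 17+ is assumed for `HexFormat`.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Properties;
// Added illustration: names, file layout and cipher are assumptions, not the patch.
public class ShadowPasswordSketch {
    private static final SecureRandom RNG = new SecureRandom();
    private static final HexFormat HEX = HexFormat.of();
    // Random 256-bit master key, hex-encoded for storage in the master file.
    static String newMasterKeyHex() {
        byte[] key = new byte[32];
        RNG.nextBytes(key);
        return HEX.formatHex(key);
    }

    // AES-GCM with a fresh 96-bit nonce; output is hex(nonce || ciphertext || tag).
    static String encrypt(String masterKeyHex, String password) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HEX.parseHex(masterKeyHex), "AES"),
               new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        return HEX.formatHex(nonce) + HEX.formatHex(ct);
    }

    // Throws AEADBadTagException if the key is wrong or the entry was altered.
    static String decrypt(String masterKeyHex, String entryHex) throws Exception {
        byte[] raw = HEX.parseHex(entryHex);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(HEX.parseHex(masterKeyHex), "AES"),
               new GCMParameterSpec(128, raw, 0, 12));
        return new String(c.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for the master file and the shadow file.
        String masterKey = newMasterKeyHex();
        Properties master = new Properties();
        master.load(new StringReader("masterKey = " + masterKey + "\n"));
        Properties shadow = new Properties();
        shadow.load(new StringReader("ds.password = " + encrypt(masterKey, "s3cr3t-db-pw") + "\n"));
        String pw = decrypt(master.getProperty("masterKey"), shadow.getProperty("ds.password"));
        System.out.println("resolved password: " + pw);
    }
}
```

With this layout the master file is the only plaintext secret left on disk, so it is the file to restrict with filesystem permissions and keep out of version control.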
