[
https://issues.apache.org/jira/browse/SHIRO-552?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Richard Bradley updated SHIRO-552:
----------------------------------
Description:
The {{org.apache.shiro.realm.jdbc.JdbcRealm}} class, when configured with
SaltStyle.COLUMN, assumes that the password column is Base64 but the salt column is
UTF-8 bytes.
The password is returned as a {{char[]}} (see JdbcRealm.java:241), which
{{org.apache.shiro.authc.credential.HashedCredentialsMatcher}} then decodes (see
HashedCredentialsMatcher.java:353):
{code}
if (credentials instanceof String || credentials instanceof char[]) {
    //account.credentials were a char[] or String, so
    //we need to do text decoding first:
    if (isStoredCredentialsHexEncoded()) {
        storedBytes = Hex.decode(storedBytes);
    } else {
        storedBytes = Base64.decode(storedBytes);
    }
}
{code}
However, the salt is returned as a {{ByteSource}}, by converting the
DB-returned String into its UTF-8 bytes. See JdbcRealm.java:224:
{code}
if (salt != null) {
    info.setCredentialsSalt(ByteSource.Util.bytes(salt));
}
{code}
This is broken and inconsistent.
Not all salt {{byte[]}}s are valid UTF-8 strings, so the default assumption should
be that the salt column is Base64 encoded.
was:
The {{org.apache.shiro.realm.jdbc.JdbcRealm}} class, when configured with
SaltStyle.COLUMN, assumes that the password column is Base64 but the salt column is
UTF-8 bytes.
The password is returned as a {{char[]}} (see JdbcRealm.java:241), which
{{org.apache.shiro.authc.credential.HashedCredentialsMatcher}} then decodes (see
HashedCredentialsMatcher.java:353):
{code}
if (credentials instanceof String || credentials instanceof char[]) {
    //account.credentials were a char[] or String, so
    //we need to do text decoding first:
    if (isStoredCredentialsHexEncoded()) {
        storedBytes = Hex.decode(storedBytes);
    } else {
        storedBytes = Base64.decode(storedBytes);
    }
}
{code}
However, the salt is returned as a {{ByteSource}}, by converting the
DB-returned String into its UTF-8 bytes. See JdbcRealm.java:224:
{code}
if (salt != null) {
    info.setCredentialsSalt(ByteSource.Util.bytes(salt));
}
{code}
This is broken and inconsistent.
> JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt
> column is utf8 bytes
> --------------------------------------------------------------------------------------------------
>
> Key: SHIRO-552
> URL: https://issues.apache.org/jira/browse/SHIRO-552
> Project: Shiro
> Issue Type: Bug
> Affects Versions: 1.2.4
> Reporter: Richard Bradley
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
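The encoding mismatch reported in SHIRO-552, as an added Python illustration that is not Shiro code and not part of the reporter's text: it models the hash column being Base64-decoded while a SaltStyle.COLUMN salt is taken as the UTF-8 bytes of the column string, and shows which storage and decoding combinations let a correct password verify. All function names and the sample salts are my own constructions; `hash_password` is only loosely modelled on Shiro's SimpleHash (one digest pass over salt followed by password), and the U+FFFD replacement mirrors how a JDBC driver or `java.lang.String` hands back malformed UTF-8.

```python
import base64
import hashlib
import hmac
from typing import Callable

# Added illustration of SHIRO-552, not Shiro code. It models the two ways the
# realm and matcher turn stored text columns back into bytes: the password
# hash is Base64-decoded, while a SaltStyle.COLUMN salt is taken as the raw
# UTF-8 bytes of the column string with no decoding at all.


def hash_password(password: str, salt: bytes) -> bytes:
    # Loosely modelled on Shiro's SimpleHash: one SHA-256 pass over salt || password.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_row(password: str, salt: bytes, salt_as_base64: bool) -> dict:
    """Produce the two text columns an application would write.

    The hash column is always Base64 text, which is what HashedCredentialsMatcher
    expects. The salt column is either Base64 text, or the raw salt bytes as a
    JDBC driver / java.lang.String would hand them back: any malformed UTF-8
    sequence is replaced by U+FFFD, so the original bytes are already lost.
    """
    digest = hash_password(password, salt)
    if salt_as_base64:
        salt_text = base64.b64encode(salt).decode("ascii")
    else:
        salt_text = salt.decode("utf-8", errors="replace")
    return {"password": base64.b64encode(digest).decode("ascii"), "salt": salt_text}


def salt_from_column_utf8(salt_text: str) -> bytes:
    # Current JdbcRealm behaviour: ByteSource.Util.bytes(String) is the UTF-8 encoding.
    return salt_text.encode("utf-8")


def salt_from_column_base64(salt_text: str) -> bytes:
    # Behaviour the issue asks for as the default: decode the salt like the hash.
    return base64.b64decode(salt_text)


def verify(row: dict, password: str, salt_decoder: Callable[[str], bytes]) -> bool:
    """Mirror HashedCredentialsMatcher: decode the stored hash, rehash, compare."""
    stored = base64.b64decode(row["password"])
    computed = hash_password(password, salt_decoder(row["salt"]))
    return hmac.compare_digest(stored, computed)


# Constructed inputs: a salt containing bytes that are not valid UTF-8, and an ASCII one.
BINARY_SALT = b"\xff\xfe\x80\x01" + b"salt"
ASCII_SALT = b"abcdefghijklmnop"
PASSWORD = "correct horse"


def outcomes() -> dict:
    """Login result for each storage/decoding combination (True = password verifies)."""
    raw_row = store_row(PASSWORD, BINARY_SALT, salt_as_base64=False)
    b64_row = store_row(PASSWORD, BINARY_SALT, salt_as_base64=True)
    ascii_row = store_row(PASSWORD, ASCII_SALT, salt_as_base64=False)
    return {
        # Binary salt written raw and read back as UTF-8: U+FFFD has corrupted it.
        "raw_salt_utf8_realm": verify(raw_row, PASSWORD, salt_from_column_utf8),
        # Binary salt written as Base64 (same convention as the hash), but the
        # realm uses the literal text bytes of the column.
        "b64_salt_utf8_realm": verify(b64_row, PASSWORD, salt_from_column_utf8),
        # Binary salt written as Base64 and decoded as Base64: consistent, works.
        "b64_salt_b64_realm": verify(b64_row, PASSWORD, salt_from_column_base64),
        # ASCII-only salt survives the UTF-8 round trip, which is why the bug
        # stays hidden in setups that only ever use printable salts.
        "ascii_salt_utf8_realm": verify(ascii_row, PASSWORD, salt_from_column_utf8),
    }


if __name__ == "__main__":
    for name, ok in outcomes().items():
        print(f"{name}: {'login OK' if ok else 'login FAILS'}")
```

The operational consequence is the middle two cases: an application that stores its salt with the same Base64 convention the password column already uses fails every login against the current realm, while an application that writes raw random salt bytes into a text column has already lost them before the realm ever reads the row. Decoding both columns the same way, as the issue proposes, removes both failure modes.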