[ https://issues.apache.org/jira/browse/SHIRO-445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Demers updated SHIRO-445:
-------------------------------
    Fix Version/s:     (was: 1.3.0)

I'm not sure about this one.

The result of this is more of an obfuscation, as anyone with access to the 
shadow file could decrypt all of the passwords contained within it (as they 
have the master password and the individual encoded passwords).

Other thoughts?

> Mechanism needed to secure passwords in shiro.ini
> -------------------------------------------------
>
>                 Key: SHIRO-445
>                 URL: https://issues.apache.org/jira/browse/SHIRO-445
>             Project: Shiro
>          Issue Type: New Feature
>          Components: Authentication (log-in), Specification API
>    Affects Versions: 1.2.2
>         Environment: Any.
>            Reporter: Richard J. Barbalace
>              Labels: patch
>         Attachments: mypatch.txt, mypatch2.txt
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> There should be a mechanism to secure passwords stored in shiro.ini for 
> accessing databases or other data sources, as described in this Shiro user 
> forum post:
> http://shiro-user.582556.n2.nabble.com/How-to-secure-database-password-in-shiro-ini-td7578763.html
> A flexible and extensible approach should allow for passwords to be stored in 
> other INI or properties files, JNDI resources, databases, key stores, key 
> servers, or other data sources.  Passwords might be encrypted using a master 
> key, which could likewise be stored in various data sources.
> I already have an initial patch prepared that allows for passwords to be 
> stored (plaintext or encrypted with a master key) in other INI files, similar 
> to a shadow password file.  This can be further extended to use other data 
> sources as needs arise.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
