[ https://issues.apache.org/jira/browse/SHIRO-552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16052811#comment-16052811 ]
Steinar Bang commented on SHIRO-552:
------------------------------------

This one bit me today. I'm trying to use salt from a password table used by my own custom realm [UkelonnRealm|https://github.com/steinarb/ukelonn/blob/master/ukelonn.bundle/src/main/java/no/priv/bang/ukelonn/impl/UkelonnRealm.java#L60] from a JdbcRealm, but that breaks because the base64-encoded salt value from the DB is interpreted as UTF-8 when converting the salt into a byte array. I've been looking for a way to configure the encoding of the salt in JdbcRealm, but there doesn't seem to be any way to do this?

> JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes
> --------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-552
>                 URL: https://issues.apache.org/jira/browse/SHIRO-552
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.2.4
>            Reporter: Richard Bradley
>
> The {{org.apache.shiro.realm.jdbc.JdbcRealm}} class, when configured with SaltStyle.COLUMN, assumes that the password column is Base64 but the salt column is UTF-8 bytes.
>
> The password is returned as a {{char[]}} (see JdbcRealm.java:241), which {{org.apache.shiro.authc.credential.HashedCredentialsMatcher}} then text-decodes (see HashedCredentialsMatcher.java:353):
> {code}
> if (credentials instanceof String || credentials instanceof char[]) {
>     //account.credentials were a char[] or String, so
>     //we need to do text decoding first:
>     if (isStoredCredentialsHexEncoded()) {
>         storedBytes = Hex.decode(storedBytes);
>     } else {
>         storedBytes = Base64.decode(storedBytes);
>     }
> }
> {code}
> However, the salt is returned as a {{ByteSource}}, by converting the DB-returned String into its UTF-8 bytes. See JdbcRealm.java:224:
> {code}
> if (salt != null) {
>     info.setCredentialsSalt(ByteSource.Util.bytes(salt));
> }
> {code}
> This is broken and inconsistent.
>
> Not all salt byte[]s are valid UTF-8 strings, so the default assumption should be that the salt column is Base64 encoded.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
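The following is an added, stand-alone simulation of the mismatch the report describes; it is not Shiro's code and not part of the JIRA thread. It assumes Shiro's SimpleHash algorithm is digest(salt || credential) followed by re-digesting the result iterations-1 times (an assumption about Shiro, stated here, not taken from the page), and models the two quoted code paths: the matcher Base64-decodes the stored password column, while the realm takes the UTF-8 bytes of the stored salt string. The DB row, the sample salt and the helper names (`store_user`, `verify`, ...) are constructed for the example. It also shows the only arrangement that makes the stock realm verify correctly: store the salt as text whose UTF-8 bytes are the salt you actually hashed with.

```python
"""Simulation of the SHIRO-552 salt-encoding mismatch (example code, not Shiro's)."""
import base64
import hashlib
import hmac

ALGORITHM = "sha256"
ITERATIONS = 1024

# Constructed sample salt: 16 bytes that are NOT valid UTF-8 (all are lead bytes
# with no continuation bytes), so it can only live in a text column if encoded.
SAMPLE_SALT = bytes(range(0xF0, 0x100))


def shiro_hash(credential: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Assumed model of Shiro's SimpleHash: H(salt || credential), then iterate."""
    h = hashlib.new(ALGORITHM)
    h.update(salt)
    h.update(credential)
    hashed = h.digest()
    for _ in range(iterations - 1):
        hashed = hashlib.new(ALGORITHM, hashed).digest()
    return hashed


def is_valid_utf8(data: bytes) -> bool:
    """Whether raw salt bytes could be stored verbatim in a UTF-8 text column."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def store_user(password: str, salt: bytes) -> dict:
    """Constructed DB row with BOTH columns Base64, as the reporter argues is the sane default."""
    return {
        "password": base64.b64encode(shiro_hash(password.encode("utf-8"), salt)).decode("ascii"),
        "password_salt": base64.b64encode(salt).decode("ascii"),
    }


def store_user_for_stock_realm(password: str, salt_text: str) -> dict:
    """Workaround row for the 1.2.4 behaviour: hash with the UTF-8 bytes of the salt
    string itself, and store that string verbatim, so realm and matcher agree."""
    return {
        "password": base64.b64encode(
            shiro_hash(password.encode("utf-8"), salt_text.encode("utf-8"))
        ).decode("ascii"),
        "password_salt": salt_text,
    }


def realm_salt_bytes_current(stored_salt: str) -> bytes:
    """Models JdbcRealm.java:224: ByteSource.Util.bytes(String) -> UTF-8 bytes of the string."""
    return stored_salt.encode("utf-8")


def realm_salt_bytes_fixed(stored_salt: str) -> bytes:
    """Consistent with how the password column is treated: Base64-decode the salt."""
    return base64.b64decode(stored_salt)


def matcher_matches(submitted: str, row: dict, salt_bytes: bytes) -> bool:
    """Models HashedCredentialsMatcher.java:353: Base64-decode the stored password,
    re-hash the submitted credential with the realm-provided salt, compare."""
    stored = base64.b64decode(row["password"])
    candidate = shiro_hash(submitted.encode("utf-8"), salt_bytes)
    return hmac.compare_digest(candidate, stored)


def verify(submitted: str, row: dict, decode_salt) -> bool:
    """Full login check: realm decodes the salt column, matcher compares hashes."""
    return matcher_matches(submitted, row, decode_salt(row["password_salt"]))


if __name__ == "__main__":
    row = store_user("correct horse", SAMPLE_SALT)
    print("raw salt storable as UTF-8 text:", is_valid_utf8(SAMPLE_SALT))
    print("stock realm (UTF-8 bytes of Base64 text):", verify("correct horse", row, realm_salt_bytes_current))
    print("Base64-decoding realm:", verify("correct horse", row, realm_salt_bytes_fixed))
    wa = store_user_for_stock_realm("correct horse", "text-salt-001")
    print("workaround row with stock realm:", verify("correct horse", wa, realm_salt_bytes_current))
```

With the Base64 row, the stock path hashes with the ASCII bytes of the Base64 string rather than the 16 raw salt bytes, so a correct password is rejected; only a realm that decodes the salt column the same way the matcher decodes the password column accepts it. The workaround row shows the trade-off of living with 1.2.4 unchanged: the salt is restricted to whatever byte sequences are valid UTF-8 text, which is exactly the limitation the reporter objects to.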