[jira] [Commented] (SHIRO-552) JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes

Sat, 17 Jun 2017 05:13:37 -0700 

    [ 
https://issues.apache.org/jira/browse/SHIRO-552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16052811#comment-16052811
 ] 

Steinar Bang commented on SHIRO-552:
------------------------------------

This one bit me today.

I'm trying to use salt from a password table used by my own custom realm 
[UkelonnRealm|https://github.com/steinarb/ukelonn/blob/master/ukelonn.bundle/src/main/java/no/priv/bang/ukelonn/impl/UkelonnRealm.java#L60]
 from a JdbcRealm, but that breaks because the base64 encoded salt value from 
the DB is interpreted as UTF-8 when converting the salt into a byte array.

I've been looking for a way to configure the encoding of the salt in JdbcRealm, 
but there doesn't seem to be any way to do this?

> JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt 
> column is utf8 bytes
> --------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-552
>                 URL: https://issues.apache.org/jira/browse/SHIRO-552
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.2.4
>            Reporter: Richard Bradley
>
> The {{org.apache.shiro.realm.jdbc.JdbcRealm}} class, when configured with 
> SaltStyle.COLUMN, assumes that password column is Base64 but salt column is 
> utf8 bytes.
> The password is returned as a {{char[]}} (see JdbcRealm.java:241), which 
> {{org.apache.shiro.authc.credential.HashedCredentialsMatcher}} (see 
> HashedCredentialsMatcher.java:353):
> {code}
>         if (credentials instanceof String || credentials instanceof char[]) {
>             //account.credentials were a char[] or String, so
>             //we need to do text decoding first:
>             if (isStoredCredentialsHexEncoded()) {
>                 storedBytes = Hex.decode(storedBytes);
>             } else {
>                 storedBytes = Base64.decode(storedBytes);
>             }
>         }
> {code}
> However, the salt is returned as a {{ByteSource}}, by converting the 
> DB-returned String into its UTF-8 bytes. See JdbcRealm.java:224:
> {code}
>             if (salt != null) {
>                 info.setCredentialsSalt(ByteSource.Util.bytes(salt));
>             }
> {code}
> This is broken and inconsistent.
> Not all salt byte[]s are valid UTF8 strings, so the default assumption should 
> be that the salt column is Base64 encoded.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to