Richard Bradley commented on SHIRO-552:

> I've been trying to convert my existing salt to a form understood by the 
> JdbcRealm but so far I've failed:
> ...
> But trying to figure out what the correct way of encoding the salt should be 
> has so far evaded me...

Those salt bytes are not a valid UTF-8 byte sequence, so any sensible database 
/ database client will not allow you to store them as a UTF-8 string.
There is no way of configuring or encoding JdbcRealm to fix this; the code 
needs changing so that either a) the salt is stored Base64 encoded in a String 
column or b) the salt is stored in a binary column.

You can either fork Shiro and make this change (please submit this change 
upstream for the benefit of all if you do), or you could write your own Realm 
which includes this change.
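For anyone going the "write your own Realm" route, here is option (a) worked through as a JdbcRealm subclass. This is an added example, not Shiro's own code or anything from this ticket. It assumes Shiro 1.2.x, where JdbcRealm exposes the protected fields dataSource, authenticationQuery and saltStyle, the default SaltStyle.COLUMN query is "select password, password_salt from users where username = ?", and SimpleAuthenticationInfo takes a ByteSource salt. The class and package names are hypothetical.

```java
// Hypothetical package; rename to suit your project.
package example.shiro;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.realm.jdbc.JdbcRealm;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.util.JdbcUtils;

/**
 * JdbcRealm variant for SaltStyle.COLUMN that reads the salt column as Base64
 * text and hands HashedCredentialsMatcher the decoded bytes, instead of the
 * UTF-8 bytes of the stored string. The password column is left as-is: the
 * matcher already Base64- (or hex-) decodes it.
 */
public class Base64SaltJdbcRealm extends JdbcRealm {

    /** Encode a freshly generated salt for storage in the text salt column. */
    public static String encodeSaltForStorage(byte[] rawSalt) {
        return Base64.encodeToString(rawSalt);
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        if (saltStyle != SaltStyle.COLUMN) {
            // Only the COLUMN style is reworked here; everything else stays Shiro's.
            return super.doGetAuthenticationInfo(token);
        }
        UsernamePasswordToken upToken = (UsernamePasswordToken) token;
        String username = upToken.getUsername();
        if (username == null) {
            throw new AuthenticationException("Null usernames are not allowed by this realm.");
        }

        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            conn = dataSource.getConnection();
            ps = conn.prepareStatement(authenticationQuery);
            ps.setString(1, username);
            rs = ps.executeQuery();
            if (!rs.next()) {
                throw new UnknownAccountException("No account found for user [" + username + "]");
            }
            String password = rs.getString(1); // Base64/hex text, decoded later by the matcher
            String saltText = rs.getString(2); // Base64 text, decoded right here
            if (rs.next()) {
                throw new AuthenticationException("More than one user row found for user [" + username + "].");
            }
            if (password == null) {
                throw new UnknownAccountException("No password found for user [" + username + "]");
            }
            // Recover the exact bytes that were mixed into the hash when the
            // password was set; arbitrary salt bytes survive Base64 unchanged.
            ByteSource salt = (saltText == null)
                    ? null
                    : ByteSource.Util.bytes(Base64.decode(saltText));
            return new SimpleAuthenticationInfo(username, password.toCharArray(), salt, getName());
        } catch (SQLException e) {
            throw new AuthenticationException(
                    "There was a SQL error while authenticating user [" + username + "]", e);
        } finally {
            JdbcUtils.closeResultSet(rs);
            JdbcUtils.closeStatement(ps);
            JdbcUtils.closeConnection(conn);
        }
    }
}
```

Wire it up in place of JdbcRealm (e.g. in shiro.ini with saltStyle = COLUMN and a HashedCredentialsMatcher whose storedCredentialsHexEncoded setting matches how the password column was written), and store new salts with encodeSaltForStorage so the column round-trips byte for byte. Existing rows whose salt was written as a UTF-8 string cannot be migrated by re-encoding alone; those users need their hash recomputed at next login or a reset.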
> JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt 
> column is utf8 bytes
> --------------------------------------------------------------------------------------------------
>                 Key: SHIRO-552
>                 URL: https://issues.apache.org/jira/browse/SHIRO-552
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.2.4
>            Reporter: Richard Bradley
> The {{org.apache.shiro.realm.jdbc.JdbcRealm}} class, when configured with 
> SaltStyle.COLUMN, assumes that password column is Base64 but salt column is 
> utf8 bytes.
> The password is returned as a {{char[]}} (see JdbcRealm.java:241), which 
> {{org.apache.shiro.authc.credential.HashedCredentialsMatcher}} (see 
> HashedCredentialsMatcher.java:353):
> {code}
>         if (credentials instanceof String || credentials instanceof char[]) {
>             //account.credentials were a char[] or String, so
>             //we need to do text decoding first:
>             if (isStoredCredentialsHexEncoded()) {
>                 storedBytes = Hex.decode(storedBytes);
>             } else {
>                 storedBytes = Base64.decode(storedBytes);
>             }
>         }
> {code}
> However, the salt is returned as a {{ByteSource}}, by converting the 
> DB-returned String into its UTF-8 bytes. See JdbcRealm.java:224:
> {code}
>             if (salt != null) {
>                 info.setCredentialsSalt(ByteSource.Util.bytes(salt));
>             }
> {code}
> This is broken and inconsistent.
> Not all salt byte[]s are valid UTF8 strings, so the default assumption should 
> be that the salt column is Base64 encoded.

This message was sent by Atlassian JIRA