OyvindLGjesdal opened a new issue, #2617: URL: https://github.com/apache/jena/issues/2617
### Version

5.1

### What happened?

https://shiro.apache.org/configuration.html#Configuration-INIConfiguration

The examples provided for shiro.ini contain plain text passwords, which I don't think works since Shiro was bumped to 2.0 in 5.1? I stumbled onto it when reading the docs, trying to configure a custom shiro.ini.

> Since Shiro 2.0, the [users] section cannot contain plain-text passwords. You can encrypt them using [key derivation functions](https://en.wikipedia.org/wiki/Key_derivation_function). Shiro provides implementations for bcrypt and argon2. If unsure, use argon2 derived passwords.
>
> The algorithms from Shiro 1 (e.g. md5, SHA1, SHA256, etc.) are long deemed insecure and not supported anymore. There is neither a direct migration path nor backward compatibility.

https://shiro.apache.org/configuration.html#Configuration-INIConfiguration

```
[users]
user1 = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=
```

There is a section with how to do it, which supplies a Shiro cli-tool for creating the required https://shiro.apache.org/command-line-hasher.html

I suggest updating the ini file with a working commented example, maybe using the same password and username as today, but with the password encrypted using the cli-tool and with a comment stating the change to plain-text passwords.

Haven't confirmed that plain text passwords fail yet in practice, but will try.

### Relevant output and stacktrace

_No response_

### Are you interested in making a pull request?

Yes
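
A check for the situation this issue describes, as an added example that is not part of the original issue or of the Jena or Shiro code: it audits the `[users]` section of a shiro.ini and flags plain-text and Shiro 1 format credentials without echoing them. The `$shiro2$` prefix for Shiro 2 hashes is an assumption (it is not shown on the page), and the user names and the plain-text and `$shiro2$` values in the sample are constructed.

```python
import re

# Constructed sample shiro.ini. The user1 value is the one quoted in the issue;
# the other names and credentials are made up for illustration.
SAMPLE_INI = """\
[main]
# (no entries needed for this example)

[users]
# user = password, role1, role2
alice = secret, admin
user1 = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=
user2 = $shiro2$argon2id$CONSTRUCTED-PLACEHOLDER, writer

[urls]
/** = anon
"""

SECTION = re.compile(r"^\[(\w+)\]$")
CRYPT = re.compile(r"^\$shiro(\d+)\$")  # "$shiro2$" is an assumed prefix, see lead-in
FORMATS = {"1": "legacy-shiro1", "2": "shiro2-kdf"}

def classify(value):
    """Classify a [users] value by its prefix only; the secret is never parsed."""
    m = CRYPT.match(value)
    if m is None:
        return "plain-text"  # not allowed in [users] since Shiro 2.0 (quoted docs)
    return FORMATS.get(m.group(1), "unknown-format")

def audit_users(ini_text):
    """Return [(line_no, user, verdict)] for every entry in the [users] section."""
    findings, section = [], None
    for no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "users" and "=" in line:
            user, _, value = line.partition("=")  # split on the first "=" only
            findings.append((no, user.strip(), classify(value.strip())))
    return findings

if __name__ == "__main__":
    for no, user, verdict in audit_users(SAMPLE_INI):
        flag = "OK " if verdict == "shiro2-kdf" else "FIX"
        print(f"{flag} line {no}: {user} -> {verdict}")  # credential is not printed
```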
