dstutz opened a new issue, #1385:
URL: https://github.com/apache/shiro/issues/1385

   ### Search before asking
   
   - [X] I had searched in the [issues](https://github.com/apache/shiro/issues?q=is%3Aissue) and found no similar issues.
   
   
   ### Environment
   
   JDK 21
   
   
   ### Shiro version
   
   Shiro 2.0.0 jakarta
   
   ### What was the actual outcome?
   
   I created a hashed password using the command line util as per https://shiro.apache.org/v2/command-line-hasher.html, then I set that as the password in the ini, which yields something like the following (also setting the credentials matcher on the iniRealm as mentioned in the above page):
   ```
   [users]
   ...
   user1 = $shiro2$argon2id$v=19$t=1,m=65536,p=4$H5z81Jpr4ntZr3MVtbOUBw$fJDgZCLZjMC6A2HhnSpxULMmvVdW3su+/GCU3YbxfFQ
   
   [main]
   ...
   passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
   iniRealm.credentialsMatcher = $passwordMatcher
   ...
   ```
   
   As best as I can tell, what is happening is that the commas in the new shiro2 hash format are confusing something along the way because the ini file is supposed to be (https://shiro.apache.org/configuration.html#Configuration-INIConfiguration-Sections-users)
   
   `username = password, role1, role2, roleN...`
   
   In fact, the example on the above page shows the new style example as:
   ```
   user1 = $shiro2$argon2id$v=19$t=1,m=65536,p=4$H5z81Jpr4ntZr3MVtbOUBw$fJDgZCLZjMC6A2HhnSpxULMmvVdW3su+/GCU3YbxfFQ, role1, role2, ...
   ```
   
   I used a debugger and confirmed that Shiro2CryptFormat.parse is only getting supplied the string `$shiro2$argon2id$v=19$t=1` which is the content of the password line before the first comma.
   
   Below is the actual error and trace, starting from the first Shiro item:
   ```
    WARN  [org.apa.shi.aut.AbstractAuthenticator] (executor-thread-3) Authentication failed for token submission [org.apache.shiro.authc.UsernamePasswordToken - user, rememberMe=true].  Possible unexpected error? (Typical or expected login exceptions should extend from AuthenticationException).: java.lang.IllegalArgumentException: Did not found memory parameter 'm='. Got: [t=1].
        at org.apache.shiro.crypto.support.hashes.argon2.Argon2Hash.lambda$parseMemory$5(Argon2Hash.java:183)
        at java.base/java.util.Optional.orElseThrow(Optional.java:403)
        at org.apache.shiro.crypto.support.hashes.argon2.Argon2Hash.parseMemory(Argon2Hash.java:183)
        at org.apache.shiro.crypto.support.hashes.argon2.Argon2Hash.fromString(Argon2Hash.java:151)
        at org.apache.shiro.crypto.support.hashes.argon2.Argon2HashProvider.fromString(Argon2HashProvider.java:58)
        at org.apache.shiro.crypto.support.hashes.argon2.Argon2HashProvider.fromString(Argon2HashProvider.java:47)
        at org.apache.shiro.crypto.hash.format.Shiro2CryptFormat.parse(Shiro2CryptFormat.java:134)
        at org.apache.shiro.authc.credential.DefaultPasswordService.passwordsMatch(DefaultPasswordService.java:175)
        at org.apache.shiro.authc.credential.PasswordMatcher.doCredentialsMatch(PasswordMatcher.java:58)
        at org.apache.shiro.realm.AuthenticatingRealm.assertCredentialsMatch(AuthenticatingRealm.java:598)
        at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:579)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doSingleRealmAuthentication(ModularRealmAuthenticator.java:182)
        at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:275)
        at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
        at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
        at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:277)
        at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:262)
   ```
   
   I assume I'm missing some small piece of configuration? I'm using Shiro 2.0.0 in another application with a JDBC Realm with the new password format and everything is fine but this application is extremely simple and I only have 2 users I want to support so just wanted to use the ini file configuration.
   
   ### What was the expected outcome?
   
   Successful login.
   
   ### How to reproduce
   
   Attempt to log in with a Shiro2 hashed password specified in shiro.ini.
   
   ### Debug logs
   
   _No response_
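
The truncation described in the issue, reproduced outside Shiro as an added example (not Shiro's parser and not the project's fix): a plain comma split of the `[users]` value next to a split that keeps a `$shiro2$` argon2 hash whole. The class and method names are hypothetical, the roles in the sample line are constructed, and the six-`$` layout is assumed from the hash string quoted above.

```java
import java.util.ArrayList;
import java.util.List;

public class UsersLineSplitDemo {

    // Constructed sample: the hash is the one quoted in the issue, the roles are made up.
    static final String VALUE =
        "$shiro2$argon2id$v=19$t=1,m=65536,p=4$H5z81Jpr4ntZr3MVtbOUBw"
        + "$fJDgZCLZjMC6A2HhnSpxULMmvVdW3su+/GCU3YbxfFQ, role1, role2";

    /** Plain comma split: everything before the first comma becomes the password. */
    static List<String> naiveSplit(String value) {
        List<String> out = new ArrayList<>();
        for (String part : value.split(",")) {
            out.add(part.trim());
        }
        return out;
    }

    /**
     * Format-aware split (hypothetical helper). In the argon2 layout shown in the issue,
     * $shiro2$alg$v=..$params$salt$hash, the hash field starts at the 6th '$', so the
     * password ends at the first comma after that position. Malformed input fails closed
     * instead of turning a truncated string into a credential.
     */
    static List<String> formatAwareSplit(String value) {
        String v = value.trim();
        if (!v.startsWith("$shiro2$")) {
            return naiveSplit(v);            // legacy or plain-text value: old behaviour
        }
        int pos = -1;
        for (int i = 0; i < 6; i++) {        // walk to the 6th '$'
            pos = v.indexOf('$', pos + 1);
            if (pos < 0) {
                throw new IllegalArgumentException("truncated $shiro2$ hash in users line");
            }
        }
        int comma = v.indexOf(',', pos);     // first comma after the hash field
        if (comma < 0) {
            return List.of(v);               // password only, no roles
        }
        List<String> out = new ArrayList<>();
        out.add(v.substring(0, comma));
        out.addAll(naiveSplit(v.substring(comma + 1)));
        return out;
    }

    public static void main(String[] args) {
        System.out.println("naive password: " + naiveSplit(VALUE).get(0));
        System.out.println("aware password: " + formatAwareSplit(VALUE).get(0));
        System.out.println("aware roles:    " + formatAwareSplit(VALUE).subList(1, 3));
    }
}
```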


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.