I'm new to Shiro and have been working through the tutorials and documentation but I'm left with a question.
I'd like to use ini configuration for my application and I see information about configuring password hashing:

    [main]
    ...
    sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
    ...
    iniRealm.credentialsMatcher = $sha256Matcher
    ...

    [users]
    # user1 = sha256-hashed-hex-encoded password, role1, role2, ...
    user1 = 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b, role1, role2, ...

I must be missing something; how can this be secure? Can't users simply edit the ini file and add roles to their account, thus giving them unauthorized access?

--
View this message in context: http://shiro-user.582556.n2.nabble.com/Is-password-hashing-enough-tp7577522.html
Sent from the Shiro User mailing list archive at Nabble.com.
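
Added example (not part of the post, and not Shiro's own code, which is Java): a small Python stand-in for what the configuration above makes the IniRealm do. It parses a [users] section in the same shape as the quoted one, checks a password the way Sha256CredentialsMatcher does by default (hex-encoded SHA-256 of the plaintext, unsalted, one iteration), and then hands back the role list exactly as written in the file. The role list is never verified against anything, which is the point behind the question: the hash protects the password, while the ini file's own write permission is what protects the role assignments, so the example also includes a check that the file is not writable by group or others. The hash quoted in the post is assumed here to be SHA-256 of the word "secret"; everything else (function names, the file-mode check) is constructed for this example.

```python
import configparser
import hashlib
import hmac
import os
import stat

# Constructed ini text in the same shape as the post's configuration.
# The user1 hash is the one quoted in the post; it is assumed here to be
# SHA-256("secret"), unsalted, one iteration (Sha256CredentialsMatcher's default).
SHIRO_INI = """
[main]
sha256Matcher = org.apache.shiro.authc.credential.Sha256CredentialsMatcher
iniRealm.credentialsMatcher = $sha256Matcher

[users]
user1 = 2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b, role1, role2
"""


def parse_users(ini_text):
    """Parse [users] lines of the form `name = hex-hash, role1, role2, ...`.

    Returns {username: {"hash": hex_string, "roles": [..]}}. Note that the
    roles are taken verbatim from the file: nothing authenticates them.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep user names case-sensitive, as Shiro does
    cp.read_string(ini_text)
    users = {}
    for name, value in cp["users"].items():
        parts = [p.strip() for p in value.split(",")]
        users[name] = {"hash": parts[0].lower(), "roles": parts[1:]}
    return users


def authenticate(users, username, password):
    """Mimic Sha256CredentialsMatcher: hex(SHA-256(password)) vs. stored hash.

    Returns the user's role list on success, None on any failure.
    The comparison is constant-time so timing does not leak how many leading
    hex digits of the stored hash matched.
    """
    entry = users.get(username)
    if entry is None:
        return None
    candidate = hashlib.sha256(password.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(candidate, entry["hash"]):
        return None
    return list(entry["roles"])


def mode_is_protected(st_mode):
    """True if a file mode grants no write access to group or others.

    Because role assignments are read straight from the ini file, write
    access to that file is the real authorization boundary.
    """
    return not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def file_is_protected(path):
    """Apply mode_is_protected to an ini file on disk."""
    return mode_is_protected(os.stat(path).st_mode)


if __name__ == "__main__":
    users = parse_users(SHIRO_INI)
    print("user1 / secret ->", authenticate(users, "user1", "secret"))
    print("user1 / wrong  ->", authenticate(users, "user1", "wrong"))
    print("mode 0600 protected:", mode_is_protected(0o100600))
    print("mode 0666 protected:", mode_is_protected(0o100666))
```

Two things the example makes visible. First, `authenticate` returns whatever roles follow the hash, so anyone who can write the file can grant themselves roles; end users of the application normally cannot, because the ini lives on the server and is only readable by the process that loads it, which is why the file-mode check matters more than the hashing for this particular concern. Second, the stored value is a plain SHA-256 of the password with no salt and a single iteration, which is fast to guess offline if the file is ever exposed; Shiro's HashedCredentialsMatcher supports a salt and a configurable hashIterations count for exactly that reason.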
