Hi Richard, Shiro's ini config doesn't have such functionality out of the box for objects configured in the [main] section. (It does however support encrypted passwords in the [users] section to ensure those never need to be in plain text).
However, a good solution I think is to implement the Factory interface, e.g. PasswordFactory. For example:

dbPassword = com.foo.shiro.PasswordFactory
dbPassword.credentialsFile = <url or file path>
db.password = $dbPassword

This works because, when evaluating an assignment, Shiro's ini config checks to see if the value on the right of the equals sign is a Factory, and if so, uses the value returned from the Factory's getInstance() method call, not the factory itself. So if your PasswordFactory#getInstance() return value is the password obtained from the file, you'll be good.

Finally, if you'd like this functionality to be in Shiro by default, please open a feature request (and if you implement this, a patch would be much appreciated!).

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282

On Wed, May 22, 2013 at 2:59 PM, [email protected] <[email protected]> wrote:
> Hi.
>
> Following some examples I found in the forum here along with the Shiro
> documentation, I have successfully set up a JdbcRealm in my shiro.ini as
> follows:
>
> # User realm configuration.
> userRealm=org.apache.shiro.realm.jdbc.JdbcRealm
> userRealm.authenticationQuery = SELECT password FROM users WHERE username = ?
> userRealm.userRolesQuery = SELECT role FROM roles WHERE username = ?
> userRealm.permissionsQuery = SELECT permission FROM permissions WHERE role = ?
>
> # User database configuration.
> ds = com.mysql.jdbc.jdbc2.optional.MysqlDataSource
> ds.serverName = localhost
> ds.user = shiro
> ds.password = *[redacted]*
> ds.databaseName = shiro_schema
> userRealm.dataSource = $ds
>
> # Realm configuration.
> securityManager.realms = $userRealm
>
> That much seems straightforward, but notice that the plaintext password for
> the database would appear in the shiro.ini file. I would prefer not to
> store the password there, for obvious reasons including not wanting to check
> a password into version control.
>
> Is there a way to specify that the password should be looked up from a
> separate file or, even better, a keystore? Or is there a better way to
> accomplish the same goal of securing the database password?
>
> Sorry if this ends up being more of a JDBC question than a strictly Shiro
> one, but I was having difficulty finding anything relevant in the
> documentation.
>
> Thanks for any help.
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/How-to-secure-database-password-in-shiro-ini-tp7578763.html
> Sent from the Shiro User mailing list archive at Nabble.com.
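An added example (not code from Les's reply or from the Shiro project) of the PasswordFactory sketched in the reply, implementing Shiro's org.apache.shiro.util.Factory<String>. The package com.foo.shiro and the credentialsFile property follow the ini snippet in the reply; the credentials file is assumed to hold only the password on its first line.

```java
package com.foo.shiro; // hypothetical package, matching the ini snippet in the reply

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;

import org.apache.shiro.config.ConfigurationException;
import org.apache.shiro.io.ResourceUtils;
import org.apache.shiro.util.Factory;

/**
 * Resolves a database password from a file kept outside shiro.ini.
 * Because this implements Factory, "ds.password = $dbPassword" receives the
 * String returned by getInstance(), not the factory object itself.
 */
public class PasswordFactory implements Factory<String> {

    // Set from the ini line "dbPassword.credentialsFile = ...". Accepts the
    // classpath:, url: and file: prefixes ResourceUtils understands, or a plain path.
    private String credentialsFile;

    public void setCredentialsFile(String credentialsFile) {
        this.credentialsFile = credentialsFile;
    }

    @Override
    public String getInstance() {
        if (credentialsFile == null || credentialsFile.trim().isEmpty()) {
            throw new ConfigurationException("credentialsFile must be set");
        }
        try (InputStream in = ResourceUtils.getInputStreamForPath(credentialsFile);
             BufferedReader reader = new BufferedReader(
                     new InputStreamReader(in, StandardCharsets.UTF_8))) {
            // Only the first line is the secret; the trailing newline is not part of it.
            String password = reader.readLine();
            if (password == null || password.isEmpty()) {
                throw new ConfigurationException("No password found in " + credentialsFile);
            }
            return password;
        } catch (IOException e) {
            // Fail startup loudly rather than silently continue with an empty password.
            throw new ConfigurationException(
                    "Unable to read database password from " + credentialsFile, e);
        }
    }
}
```

Keep the credentials file readable only by the account the application runs as, and note that once resolved the password still exists in the JVM as an ordinary String, so this removes it from version control rather than from memory.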
