On Mon, 2024-09-02 at 18:31 +0200, Benjamin Marwell wrote:
> Hello Andreas!
>
> Since current Linux and Unix distributions have environment variables
> secured from other users nowadays, one way would be to inject them at
> runtime via ${ENV_VARIABLE_NAME}.
>
> A few examples are in our documentation:
> https://shiro.apache.org/configuration.html
>
> Let us know if that works for you.

You Sir are my hero!

This works perfectly fine for the audit drones because it gets the ball back into the client's court:

1) if they don't want to hard code passwords of those technical user accounts, then provide the System properties when starting the Web Application (which will be so much fun)
2) otherwise accept that the password has to be somewhere and secure your server properly against unauthorised access

Btw, those servers holding these shiro.ini files have SSH password only access with accounts like "admin/admin" 😄 What a time to be alive.

Thank you so much for the prompt round turn and cheers!

Andreas
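
An added example, not part of the original thread or of the Shiro project: a small audit check that reports which credential-like entries in a shiro.ini still hold a literal value instead of a `${...}` placeholder resolved at runtime. The sample file, its property names, the `LDAP_SYSTEM_PASSWORD` variable and the key-name heuristic are constructed assumptions.

```python
import re

# A value that consists only of a ${...} placeholder is resolved at runtime.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")
# Heuristic (assumption): keys ending in these words hold a secret.
SECRET_KEY = re.compile(r"(password|secret|credentials)$", re.IGNORECASE)

# Constructed sample; object and property names are illustrative only.
SAMPLE_INI = """\
[main]
# data source for the application
ds = com.example.DataSource
ds.user = svc_app
ds.password = SuperSecret123
ldapRealm.contextFactory.systemPassword = ${LDAP_SYSTEM_PASSWORD}

[users]
svc_report = changeme, reporting
"""


def find_hardcoded_secrets(ini_text):
    """Return (line_number, section, key) for each credential kept in the file."""
    findings = []
    section = None
    for lineno, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "users":
            # [users] entries are "username = password, role, ...", so the
            # credential (plain or hashed) always lives in the file itself.
            findings.append((lineno, section, key))
        elif SECRET_KEY.search(key) and not PLACEHOLDER.match(value):
            findings.append((lineno, section, key))
    return findings


if __name__ == "__main__":
    for lineno, section, key in find_hardcoded_secrets(SAMPLE_INI):
        print(f"line {lineno}: [{section}] {key} holds a credential in the file")
```
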