Details
Fix
Status: Released
Minor
Resolution: Fixed
1.11
None
Description
Current Situation
The JOC account management writes passwords in plain text into shiro.ini.
Desired Behaviour
JOC should support the hashing of passwords.
- The default after the installation is "use_password_hashing"
- The shiro.ini will contain
  passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
  iniRealm.credentialsMatcher = $passwordMatcher
The following values for the passwordMatcher are deprecated and are therefore not supported by the JOC Account Manager:
- org.apache.shiro.authc.credential.Sha1CredentialsMatcher
- org.apache.shiro.authc.credential.Sha256CredentialsMatcher
- org.apache.shiro.authc.credential.Sha384CredentialsMatcher
- org.apache.shiro.authc.credential.Sha512CredentialsMatcher
- org.apache.shiro.authc.credential.Md2CredentialsMatcher
- org.apache.shiro.authc.credential.Md5CredentialsMatcher
- The default user root:root will have the hash for the password root
When an account is changed with the Account Manager in JOC, the password should be stored as a hash if iniRealm.credentialsMatcher is set and assigned to a passwordMatcher with the value org.apache.shiro.authc.credential.PasswordMatcher.
Changing the default hashAlgorithm or the hashIterations
For this you have to define a hashService and a passwordService. The hashService must be assigned to the passwordService, and the passwordService must be assigned to the passwordMatcher.
The hashService is org.apache.shiro.crypto.hash.DefaultHashService
The passwordService is org.apache.shiro.authc.credential.DefaultPasswordService
See the example below. You can name the passwordService and the hashService as you want.
[main]
securityManager.sessionManager.globalSessionTimeout = 12000000
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 25
hashService.hashAlgorithmName = md5
passwordService.hashService = $hashService
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
iniRealm.credentialsMatcher = $passwordMatcher
Possible algorithm names are:
- SHA-1
- SHA-384
- SHA-256
- SHA-512
- MD5
- MD2
The default is SHA-512.
The default for hashIterations is the default of org.apache.shiro.authc.credential.DefaultPasswordService, which is 500000.
Setting the private salt
When using the Shiro1CryptFormat (which is the default), you can set a private salt value.
The public salt is a random value. This random value can be combined with a private salt.
Example: setting a private salt, with md5 as the algorithm and 25 iterations.
Please note that the value for the private salt must be Base64 encoded. In this example the value is "sos".
[main]
securityManager.sessionManager.globalSessionTimeout = 12000000
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
hashService = org.apache.shiro.crypto.hash.DefaultHashService
hashService.hashIterations = 25
hashService.hashAlgorithmName = md5
hashService.privateSalt = c29z
passwordService.hashService = $hashService
hashFormatFactory = org.apache.shiro.crypto.hash.format.DefaultHashFormatFactory
passwordService.hashFormatFactory = $hashFormatFactory
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
iniRealm.credentialsMatcher = $passwordMatcher
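The following Python example is added here to show what the Shiro1CryptFormat hashes produced by the configuration above look like and how they are verified; it is not code from the JOC project or from Shiro, and it assumes Shiro's SimpleHash scheme (digest of salt||password, then re-digested iterations-1 times) with the private salt prepended to the stored public salt.

```python
import base64
import hashlib
import hmac
import os

# Stored form (Shiro1CryptFormat): $shiro1$<algorithm>$<iterations>$<publicSalt b64>$<digest b64>
# Only the public salt is stored; hashService.privateSalt (here "sos", Base64 "c29z")
# is never written to shiro.ini and has to be known by the verifying side.

def _digest(algorithm_name: str):
    # Java MessageDigest names ("SHA-512", "md5") -> hashlib names ("sha512", "md5")
    return hashlib.new(algorithm_name.replace("-", "").lower())

def shiro_hash(algorithm_name: str, password: bytes, salt: bytes, iterations: int) -> bytes:
    """H(salt || password), then H applied (iterations - 1) more times, as Shiro's SimpleHash does."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    d = _digest(algorithm_name)
    d.update(salt)
    d.update(password)
    hashed = d.digest()
    for _ in range(iterations - 1):
        hashed = hashlib.new(algorithm_name.replace("-", "").lower(), hashed).digest()
    return hashed

def make_shiro1(password: str, algorithm_name: str = "SHA-512", iterations: int = 500000,
                private_salt: bytes = b"", public_salt: bytes = None) -> str:
    """Produce a Shiro1CryptFormat string; the public salt is random unless given (for tests)."""
    public_salt = os.urandom(16) if public_salt is None else public_salt
    digest = shiro_hash(algorithm_name, password.encode(), private_salt + public_salt, iterations)
    return "$shiro1$%s$%d$%s$%s" % (algorithm_name, iterations,
                                    base64.b64encode(public_salt).decode(),
                                    base64.b64encode(digest).decode())

def parse_shiro1(stored: str):
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "" or parts[1] != "shiro1":
        raise ValueError("not a Shiro1CryptFormat string")
    _, _, algorithm_name, iterations, salt_b64, digest_b64 = parts
    return algorithm_name, int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)

def verify_shiro1(stored: str, password: str, private_salt: bytes = b"") -> bool:
    """Recompute with the stored public salt plus the configured private salt; constant-time compare."""
    algorithm_name, iterations, public_salt, expected = parse_shiro1(stored)
    actual = shiro_hash(algorithm_name, password.encode(), private_salt + public_salt, iterations)
    return hmac.compare_digest(actual, expected)

if __name__ == "__main__":
    # Matches the ini above: md5, 25 iterations, privateSalt c29z ("sos")
    private_salt = base64.b64decode("c29z")
    stored = make_shiro1("root", "md5", 25, private_salt=private_salt)
    print(stored, verify_shiro1(stored, "root", private_salt))
```

A hash created with a private salt only verifies on an instance configured with the same privateSalt, so the value has to be carried over when shiro.ini is migrated to another JOC installation.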
Setting the format
The default format is org.apache.shiro.crypto.hash.format.Shiro1CryptFormat, but you can change the format to HEX or BASE64. Please note that in this case you cannot specify a private salt or set generatePublicSalt to true. The reason for this is that Shiro always adds a random public salt when a private salt is given.
Example: setting the Hex format, using the default algorithm SHA-512 and the default value for iterations, which is 1 here.
Please note that the default for iterations is 500000 when using the format org.apache.shiro.crypto.hash.format.Shiro1CryptFormat.
[main]
securityManager.sessionManager.globalSessionTimeout = 12000000
passwordService = org.apache.shiro.authc.credential.DefaultPasswordService
hashService = org.apache.shiro.crypto.hash.DefaultHashService
passwordService.hashService = $hashService
#hashFormat = org.apache.shiro.crypto.hash.format.Base64Format
#hashFormat = org.apache.shiro.crypto.hash.format.Shiro1CryptFormat
hashFormat = org.apache.shiro.crypto.hash.format.HexFormat
passwordService.hashFormat = $hashFormat
hashFormatFactory = org.apache.shiro.crypto.hash.format.DefaultHashFormatFactory
passwordService.hashFormatFactory = $hashFormatFactory
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
passwordMatcher.passwordService = $passwordService
iniRealm.credentialsMatcher = $passwordMatcher
Using SHA512 passwords in shiro.ini with 1.11.4
- Download the CLI tool for hashing passwords from the shiro download page
- Create the password with
  \shiro-tools-hasher\1.3.2> java -jar shiro-tools-hasher-1.3.2-cli.jar --algorithm SHA-512 -p
- Open the file shiro.ini and save the password there in the [users] section (instead of the plain text password)
- Add in the [main] section
  passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
  iniRealm.credentialsMatcher = $passwordMatcher
- Please note that the JOC Account Manager does not support hashed passwords and will overwrite the password with the plain text password if you change the password. As a consequence you cannot use the JOC Account Manager to change the password by entering a plain text password that is then converted to the hashed password.
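To check that a shiro.ini prepared by the steps above actually enforces hashed passwords, the following Python audit is added here (not part of the JOC project); it flags a missing or deprecated credentialsMatcher and any [users] entry whose password is not a Shiro1CryptFormat hash. The sample ini is constructed for this example, and it assumes the `user = password, role, ...` layout of the [users] section.

```python
import configparser

PASSWORD_MATCHER = "org.apache.shiro.authc.credential.PasswordMatcher"
# The matchers listed in this issue as deprecated / unsupported by the JOC Account Manager
DEPRECATED_MATCHERS = {
    "org.apache.shiro.authc.credential.%sCredentialsMatcher" % name
    for name in ("Sha1", "Sha256", "Sha384", "Sha512", "Md2", "Md5")
}

def audit_shiro_ini(text: str) -> list:
    """Return a list of findings (empty list means the file passes the checks)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str          # keep keys like iniRealm.credentialsMatcher case-sensitive
    cp.read_string(text)
    findings = []

    main = cp["main"] if cp.has_section("main") else {}
    matcher_ref = main.get("iniRealm.credentialsMatcher", "")
    if not matcher_ref.startswith("$"):
        findings.append("main: iniRealm.credentialsMatcher not set, passwords are compared in plain text")
    else:
        matcher_class = main.get(matcher_ref[1:], "")
        if matcher_class in DEPRECATED_MATCHERS:
            findings.append("main: %s is deprecated and not supported by the Account Manager" % matcher_class)
        elif matcher_class != PASSWORD_MATCHER:
            findings.append("main: %s does not resolve to %s" % (matcher_ref, PASSWORD_MATCHER))

    # [users] entries are "name = password, role1, role2"; only the default Shiro1CryptFormat
    # is recognisable by form, a HEX/BASE64 digest cannot be told apart from a plain text value.
    users = cp["users"] if cp.has_section("users") else {}
    for user, value in users.items():
        password = value.split(",")[0].strip()
        if not password.startswith("$shiro1$"):
            findings.append("users: account '%s' has no Shiro1CryptFormat password hash" % user)
    return findings

# Constructed sample: matcher configured, root already hashed, alice still in plain text
SAMPLE_INI = """[main]
securityManager.sessionManager.globalSessionTimeout = 12000000
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher

[users]
root = $shiro1$SHA-512$500000$c2FsdHNhbHRzYWx0$ZGlnZXN0ZGlnZXN0, all
alice = secret, all
"""

if __name__ == "__main__":
    for finding in audit_shiro_ini(SAMPLE_INI):
        print(finding)
```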