SET-115

Password hashing should be activated by default


Details

    • Feature
    • Status: Released
    • Minor
    • Resolution: Fixed
    • 1.11.4
    • 1.11.5, 1.12
    • None

    Description

      Current Situation

      • Clear-text Passwords are provided in the shiro.ini file for the default User Accounts (root, administrator, etc).
      • Password hashing has to be manually activated by uncommenting two lines in the [main] section of the shiro.ini / shiro.ini-example files.

      Desired Behaviour

      The shiro.ini-example file should be modified:

      • Hashed Passwords ('root' for the 'root' User Account & 'secret' for the six other inactive example Accounts) should be provided instead of the current clear-text ones. This involves replacing the current users block with the following:
        root = $shiro1$SHA-512$500000$W0oNBkZY9LRrRIGyc4z2Ug==$NcoU+ZFM9vsM0MeHJ3P5NJ0NdvJrK38qVnl7v7YG7p9o5ZJfMccugJsA9myJsTNx2BF5rbvA696UhTGdUtSnOg==,all
        # administrator = $shiro1$SHA-512$500000$BZASvbCtiECiM9kwjqI1ow==$IKfbskqi5VGUm/Ysr0BFS8fMYQQcV78GIDcbV2N1T9Q1os99oVXWd7RZWzWbnqY3OZAjd4EFtbwhTVvxZS++aw==,administrator
        # api_user = $shiro1$SHA-512$500000$ZACYLMkDOsIO0aEtznZyig==$md8wSi3b+VTwepBM9fcLoAW6OLfwRpYvlkgm/bHCs7tIri331L4taf1AK3wGYUBreFkNM8vFgWDLdidlppLB4w==,api_user
        # application_manager = $shiro1$SHA-512$500000$JELbPBXwYbItkAEkW1bI+A==$JFDIkrjyA/kRrg9cJSESokisYX25HH5fJCW/MAXOAoPHYY0kFJZRrDtRlMA2MwzcofMMIgIwy+SEHF6nQXTZMA==,application_manager
        # business_user = $shiro1$SHA-512$500000$75St1KFDgHLxonvHF3X2kQ==$59fl1CMUUyS3qRHbfgLCAeS/nLQqxsXB3jiKT29WIr0q9wmdGC+Vgqs20X3QqKJew1vvJRI/2RnvEqYF6pnpsw==,business_user
        # incident_manager = $shiro1$SHA-512$500000$/DVMuadHBMqkAWiSIhyXrA==$brIx90gKCzvz6BTW+nSeBeewZUDCG26RElTAegYWYhmJwCRAAZM4q0PMk5Y+k/wLT7TTKqm6PGJWNzBbrlAObA==,incident_manager
        # it_operator = $shiro1$SHA-512$500000$PqETLFA6uhYwtx/1+wLJzg==$PRe/axzjoeCbt/a68wxoHL1e/YrkY+KKTdn5LxJYjIlaUtDtdRpssGTz6z/vxAK+wyo9IT1aZpuwvBVGLQreNA==,it_operator
        
        
      • Password Hashing should be active by default.
        This means that the following lines should be included in the main block of the shiro.ini / shiro.ini-example files:
        passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
        iniRealm.credentialsMatcher = $passwordMatcher

      An activation procedure for users currently using plain text passwords (e.g. users of 1.11 to 1.11.4 that have updated to 1.11.5) should be described in the Authentication and Authorization Configuration Article in the Knowledge Base.
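
      An added example (not part of the original issue or the product's code): a small audit that checks a shiro.ini for the two [main] lines above and flags [users] entries whose password field is not in the $shiro1$ format. The function names and the LEGACY sample are constructed for illustration; MIGRATED reuses the root entry from this issue.

```python
import re
# Shiro1 crypt format: $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
SHIRO1 = re.compile(r"^\$shiro1\$[A-Za-z0-9-]+\$\d+\$[A-Za-z0-9+/=]*\$[A-Za-z0-9+/=]+$")
REQUIRED_MAIN = {  # the two [main] lines named in this issue
    "passwordMatcher": "org.apache.shiro.authc.credential.PasswordMatcher",
    "iniRealm.credentialsMatcher": "$passwordMatcher",
}

def parse_ini(text):
    """Minimal INI reader: {section: {key: value}}, skipping # and ; comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """Return findings; an empty list means hashing is on and every user is hashed."""
    ini, findings = parse_ini(text), []
    for key, expected in REQUIRED_MAIN.items():
        if ini.get("main", {}).get(key) != expected:
            findings.append(f"[main] missing: {key} = {expected}")
    for user, entry in ini.get("users", {}).items():
        password = entry.split(",", 1)[0].strip()  # format: password, role1, role2
        if not SHIRO1.match(password):
            # Report the account name only; never echo the stored value.
            findings.append(f"[users] {user}: password is not a $shiro1$ hash")
    return findings

# Constructed sample: a file with hashing still commented out and a clear-text entry.
LEGACY = """[main]
# passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
# iniRealm.credentialsMatcher = $passwordMatcher
[users]
root = root,all
"""
# Constructed sample: the same file after activation, using the root entry from this issue.
MIGRATED = """[main]
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher
[users]
root = $shiro1$SHA-512$500000$W0oNBkZY9LRrRIGyc4z2Ug==$NcoU+ZFM9vsM0MeHJ3P5NJ0NdvJrK38qVnl7v7YG7p9o5ZJfMccugJsA9myJsTNx2BF5rbvA696UhTGdUtSnOg==,all
"""
```

      audit(LEGACY) returns three findings (both [main] lines and the root entry); audit(MIGRATED) returns an empty list.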

            People

              Oliver Haufe
              Alan Amos