[jira] [Commented] (SHIRO-552) JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/SHIRO-552?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16053721#comment-16053721 ]

Richard Bradley commented on SHIRO-552:
---------------------------------------

> I've been trying to convert my existing salt to a form understood by the JdbcRealm but so far I've failed:
> ...
> But trying to figure out what the correct way of encoding the salt should be has so far evaded me...

Those salt bytes are not a valid UTF-8 byte sequence, so any sensible database / database client will not allow you to store them as a UTF-8 string.
There is no way of configuring or encoding JdbcRealm to fix this; the code needs changing so that either a) the salt is stored Base64 encoded in a String column or b) the salt is stored in a binary column.

You can either fork Shiro and make this change (please submit this change upstream for the benefit of all if you do), or you could write your own Realm which includes this change.

GL,


Rich

> JdbcRealm in SaltStyle.COLUMN assumes that password column is Base64 but salt column is utf8 bytes
> --------------------------------------------------------------------------------------------------
>
>                 Key: SHIRO-552
>                 URL: https://issues.apache.org/jira/browse/SHIRO-552
>             Project: Shiro
>          Issue Type: Bug
>    Affects Versions: 1.2.4
>            Reporter: Richard Bradley
>
> The {{org.apache.shiro.realm.jdbc.JdbcRealm}} class, when configured with SaltStyle.COLUMN, assumes that password column is Base64 but salt column is utf8 bytes.
> The password is returned as a {{char[]}} (see JdbcRealm.java:241), which {{org.apache.shiro.authc.credential.HashedCredentialsMatcher}} decodes (see HashedCredentialsMatcher.java:353):
> {code}
>         if (credentials instanceof String || credentials instanceof char[]) {
>             //account.credentials were a char[] or String, so
>             //we need to do text decoding first:
>             if (isStoredCredentialsHexEncoded()) {
>                 storedBytes = Hex.decode(storedBytes);
>             } else {
>                 storedBytes = Base64.decode(storedBytes);
>             }
>         }
> {code}
> However, the salt is returned as a {{ByteSource}}, by converting the DB-returned String into its UTF-8 bytes. See JdbcRealm.java:224:
> {code}
>             if (salt != null) {
>                 info.setCredentialsSalt(ByteSource.Util.bytes(salt));
>             }
> {code}
> This is broken and inconsistent.
> Not all salt byte[]s are valid UTF8 strings, so the default assumption should be that the salt column is Base64 encoded.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
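Option b) from the comment above, written out as an added example (this is not Shiro project code and not code posted in the thread): a custom realm that treats both the password column and the salt column as Base64 strings, so the salt bytes round-trip through the database intact instead of being reinterpreted as UTF-8. The table layout `users(username, password, password_salt)`, the `javax.sql.DataSource` supplied by the caller, the SHA-256 algorithm and the iteration count are all assumptions chosen for the example; what matters is that `seed()` and the matcher configuration agree on algorithm, iterations and encoding.

```java
// Added example, not Shiro's own JdbcRealm. Assumes (hypothetical) a table
//   users(username VARCHAR PRIMARY KEY, password VARCHAR, password_salt VARCHAR)
// where BOTH password and password_salt hold Base64 text, and a DataSource
// handed in by the caller.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authc.credential.HashedCredentialsMatcher;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.SecureRandomNumberGenerator;
import org.apache.shiro.crypto.hash.Sha256Hash;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.util.ByteSource;

public class Base64SaltJdbcRealm extends AuthorizingRealm {

    // Iteration count is an example value; seed() and the matcher must share it.
    private static final int HASH_ITERATIONS = 1024;
    private final DataSource dataSource;

    public Base64SaltJdbcRealm(DataSource dataSource) {
        this.dataSource = dataSource;
        // The matcher decodes the stored password hash as Base64 (not hex) and
        // re-hashes the submitted password with the salt we hand it below.
        HashedCredentialsMatcher matcher = new HashedCredentialsMatcher(Sha256Hash.ALGORITHM_NAME);
        matcher.setHashIterations(HASH_ITERATIONS);
        matcher.setStoredCredentialsHexEncoded(false);
        setCredentialsMatcher(matcher);
    }

    /**
     * Produces the two column values for a new user: {hash, salt}, both Base64.
     * Storing the salt as Base64 is what makes arbitrary salt bytes safe in a
     * text column, unlike the UTF-8 round trip the issue describes.
     */
    public static String[] seed(String plaintextPassword) {
        ByteSource salt = new SecureRandomNumberGenerator().nextBytes(16);
        String hash = new Sha256Hash(plaintextPassword, salt, HASH_ITERATIONS).toBase64();
        return new String[] { hash, salt.toBase64() };
    }

    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
            throws AuthenticationException {
        String username = ((UsernamePasswordToken) token).getUsername();
        String sql = "SELECT password, password_salt FROM users WHERE username = ?";
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    throw new UnknownAccountException("No account found for user [" + username + "]");
                }
                // Password column: left as a String; HashedCredentialsMatcher Base64-decodes it.
                String storedHash = rs.getString(1);
                // Salt column: decode Base64 here instead of taking the String's UTF-8 bytes.
                byte[] saltBytes = Base64.decode(rs.getString(2));
                return new SimpleAuthenticationInfo(username, storedHash,
                        ByteSource.Util.bytes(saltBytes), getName());
            }
        } catch (SQLException e) {
            throw new AuthenticationException("Lookup failed for user [" + username + "]", e);
        }
    }

    @Override
    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
        // Roles and permissions are out of scope for this example.
        return new SimpleAuthorizationInfo();
    }
}
```

When migrating an existing table to this layout, re-encode the salt column once (raw bytes to Base64 text) and leave the password column alone; the matcher's algorithm, iteration count and hex/Base64 setting must match whatever produced the stored hashes, or every login will fail even though the salt is now read correctly.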