Shiro 2.X doesn't allow plain text password in user section of shiro.ini

[OyvindLGjesdal]

Version

5.1

What happened?

https://shiro.apache.org/configuration.html#Configuration-INIConfiguration

The examples provided for shiro.ini contains plain text passwords, which I don't think works since shiro was bumped to 2.0 in 4.10. I stumbled onto it when reading the docs, trying to configure a custom shino.ini.

Since Shiro 2.0, the [users] section cannot contain plain-text passwords. You can encrypt them using key derivation functions. Shiro provides implementations for bcrypt and argon2. If unsure, use argon2 derived passwords.

https://shiro.apache.org/configuration.html#Configuration-INIConfiguration

[users]

user1 = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=

There is a section with how to do it, which supplies a shiro cli-tool for creating the required password string to paste.

https://shiro.apache.org/command-line-hasher.html

I suggest updating the ini file with a working commented example, maybe using the same password and username as today, but with the password encrypted using the cli-tool and with a comment stating the change to plain-text passwords.

Haven't confirmed that plain text passwords fails yet in practice, but will try.

Relevant output and stacktrace

No response

Are you interested in making a pull request?

Yes

[afs]

It seems to work -- possibly because the example default file is setting the credentialsMatcher.

[main]
plainMatcher=org.apache.shiro.authc.credential.SimpleCredentialsMatcher
iniRealm.credentialsMatcher = $plainMatcher

[users]
user99=password99

[urls]
/** = authcBasic,user[user99]

It would be better to update the documentation and default file to use argon2 as suggested.

[OyvindLGjesdal]

This is a working example:

using command line hasher: (https://shiro.apache.org/command-line-hasher.html)

# change shiro version to current version in case of  updated/improved defaults 
export SHIRO_VERSION=2.0.1
# download shiro-tools-hasher to local repository
mvn dependency:get -DgroupId=org.apache.shiro.tools -DartifactId=shiro-tools-hasher -Dclassifier=cli -Dversion=$SHIRO_VERSION

# output
[INFO] Scanning for projects...
[INFO] 
[INFO] ------------------< org.apache.maven:standalone-pom >-------------------
[INFO] Building Maven Stub Project (No POM) 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- dependency:3.7.0:get (default-cli) @ standalone-pom ---
[INFO] Resolving org.apache.shiro.tools:shiro-tools-hasher:jar:cli:2.0.1 with transitive dependencies
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.802 s
[INFO] Finished at: 2024-08-10T13:25:46+02:00
[INFO] ------------------------------------------------------------------------

# for more fine-grained control of configuring consult the shiro-tools-hasher docs, or run it with no parameters to list options
# run shiro-tools-hasher from local repository
java -jar ~/.m2/repository/org/apache/shiro/tools/shiro-tools-hasher/${SHIRO_VERSION}/shiro-tools-hasher-{SHIRO_VERSION}-cli.jar -p

# cli prompts for password using the default configurations
# "pw" used as input in this example
*Password to hash: *
*Password to hash (confirm): *

# output
*$shiro2$argon2id$v=19$t=1,m=65536,p=4$Wr/2XKxWeYZt8JE5HCONQw$yev4bLiGzbeIZ8qDWrIY7J2msL2vRO/aYksb4RMeX7Y*

shiro.ini

[main]
passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
iniRealm.credentialsMatcher = $passwordMatcher

[users]
# quote is required around the supplied string for shiro to properly parse parameters
example="$shiro2$argon2id$v=19$t=1,m=65536,p=4$Wr/2XKxWeYZt8JE5HCONQw$yev4bLiGzbeIZ8qDWrIY7J2msL2vRO/aYksb4RMeX7Y"

[urls]
/** = authcBasic,user[example]

Since unencrypted still works, should both versions be present and commented in the ini files and the docs, or should the current configuration be replaced?