[#185] update documentation on shiro2 #186
Conversation
|
-1 Francois, we wanted to use a separate path in the URL. |
I'm not sure to follow the separate path thing, can you explain? |
|
I published this PR at https://shiro.staged.apache.org |
|
I have tested the |
|
Sorry about my earlier comments about SHA256 being deprecated. I confused Honestly I think we are close to beta now! |
bmarwell
force-pushed
the
#185_update_crypto_docs
branch
from
eed51e8
to
45b0c5f
Compare
|
So, updated the structure but have not yet copied everything over. We can do it now or later, two new macros should help with this. Later fixes:
|
| @@ -439,40 +439,33 @@ Each line in the [users] section must conform to the following format: | |||
| [#Configuration-INIConfiguration-Sections-users-EncryptingPasswords] | |||
| ===== Encrypting Passwords | |||
|
|
|||
| If you don't want the [users] section passwords to be in plain-text, you can encrypt them using your favorite hash algorithm (MD5, Sha1, Sha256, etc.) however you like and use the resulting string as the password value. By default, the password string is expected to be Hex encoded, but can be configured to be Base64 encoded instead (see below). | |||
| Since Shiro 2.0, the `[users]` section cannot contain plain-text passwords. | |||
There was a problem hiding this comment.
Is this actually true? I seem to remember this plain-text passwords work in shiro 2 at the moment
| If unsure, use argon2 derived passwords. | ||
|
|
||
| The algorithms from Shiro 1 (e.g. md5, SHA1, SHA256, etc.) are long deemed insecure and not supported anymore. | ||
| There is neither a direct migration path nor backward compatibility. |
There was a problem hiding this comment.
This is technically not true since Shiro 2 can encrypt / decrypt Shiro 1.x passwords. There is forward-and-backward path for compatibility as I tested this recently. This is a good thing IMHO.
Currently, it takes some "finagling" to get working which I think is a good thing, it makes compatibility possibly but use Argon2 by default.
fixes #185
Looking at this, does the ini parser even work now? We need to investigate before we can release Shiro 2.
Especially:
I cannot recall if we tested this properly (commas...).
Edit: Added two macros to link to the v2 page (if available) or "soft-warn" about this being a v2 page.
See Screenshots, please help with the wording.
The broken icons can be fixed at a later time in another PR.
v1 page without the new tag
:shiro-hasv2: trueor set tofalse:v1 page with the new tag
:shiro-hasv2: true:v2 page:
Does not link back to v1. Should it?