This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new eff3a6a772 Improved: Upgrade Apache Shiro from 1.13.0 to 2.0.0 
(OFBIZ-12961)
eff3a6a772 is described below

commit eff3a6a7723507af116d3c4045d83f2e4064c7c9
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Tue Mar 26 09:53:44 2024 +0100

    Improved: Upgrade Apache Shiro from 1.13.0 to 2.0.0 (OFBIZ-12961)
    
    Summary, TL;DR: the changes are minimal and things work like before. OFBiz now
    uses Shiro 2.0.0 for AES ciphering instead of Shiro 1.13.0.
    OFBiz still uses 3-DES and other (older) ciphering methods in case AES would
    fail facing old data.
    This also removes now useless
    "temporary workaround to compile Shiro 2.0.0 without LDAP"
    component block in dependencies.gradle
    
    Details:
    This uses
    'org.apache.shiro:shiro-crypto-cipher:2.0.0'
    instead of previously wrongly committed
    org.apache.shiro:shiro-crypto:2.0.0
    
    It re-installs org.apache.shiro:shiro-core:1.13.0
    I have still to completely review 
https://github.com/apache/shiro/issues/1022
    According to it, it seems that for now we need to keep shiro-core:1.13.0
    
    http://svn.apache.org/viewvc?view=revision&revision=1814704, and the more
    complete dev ML discussion referred in the commit message explains why we 
keep
    3-DES and other (older) ciphering methods. I see no problems with that.
    But, we may want to completely get rid of the old 3-DES and old ways by
    refactoring this part of code. And maybe offering a way to migrate the data 
to
    AES. The Shiro issue referred above may help in this way.
    
    Thanks: Lenny from Apache Shiro project for the idea.
---
 dependencies.gradle                                        |  9 ++-------
 .../src/main/java/org/apache/ofbiz/base/crypto/Main.java   |  2 +-
 .../java/org/apache/ofbiz/entity/util/EntityCrypto.java    | 14 +++++++-------
 .../apache/ofbiz/entityext/data/EntityDataServices.java    |  4 ++--
 4 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/dependencies.gradle b/dependencies.gradle
index 54b468b091..42cc1c2199 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -53,7 +53,8 @@ dependencies {
     implementation 'org.apache.logging.log4j:log4j-core:2.20.0' // Somehow 
needed by Buildbot to compile OFBizDynamicThresholdFilter.java
     implementation 'org.apache.poi:poi:4.1.2' // poi-ooxml-schemas-5.0.0.pom'. 
Received status code 401 from server
     implementation 'org.apache.pdfbox:pdfbox:2.0.29' // 3.0.1 does not compile
-    implementation 'org.apache.shiro:shiro-crypto:2.0.0'
+    implementation 'org.apache.shiro:shiro-core:1.13.0'
+    implementation 'org.apache.shiro:shiro-crypto-cipher:2.0.0'
     implementation 'org.apache.sshd:sshd-core:2.10.0'
     implementation 'org.apache.sshd:sshd-sftp:2.10.0'
     implementation 'org.apache.tika:tika-core:2.5.0'
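Review bot: The two new lines pin `shiro-core:1.13.0` next to `shiro-crypto-cipher:2.0.0`, so two major versions of the same project are now declared and which version of any module they share transitively wins is left to Gradle's conflict resolution; nothing in the build file says why this split is intentional (the commit message points at the Shiro hash-service issue), so a comment is warranted, e.g. `implementation 'org.apache.shiro:shiro-core:1.13.0' // kept at 1.x for the hash service, see OFBIZ-12961 / apache/shiro#1022`. I would also confirm with `./gradlew dependencyInsight --dependency org.apache.shiro` that no 1.13.0 artifact is being silently upgraded to 2.0.0 or ending up on the classpath twice, since a mixed-major Shiro classpath can fail only at runtime. Keep in mind that as long as shiro-core stays at 1.13.0, advisories against Shiro 1.x presumably still need to be tracked for this build.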
@@ -82,12 +83,6 @@ dependencies {
     implementation 'xerces:xercesImpl:2.12.2'
     implementation 'org.mustangproject:library:2.8.0' // 2.10.0 did not work, 
cf. OFBIZ-12920 
(https://github.com/apache/ofbiz-framework/pull/712#issuecomment-1968960963)
 
-    // Temporary workaround to compile Shiro 2.0.0 without LDAP
-    implementation 'org.apereo.cas:cas-server-core-api-authentication:5.0.10'
-    implementation 'org.apereo.cas:cas-server-core-util:5.0.10'
-    implementation 'org.apereo.cas:cas-server-support-ldap-core:5.0.10'
-
-
     testImplementation 'org.hamcrest:hamcrest-library:2.2' // Enable junit4 to 
not depend on hamcrest-1.3
     testImplementation 'org.mockito:mockito-core:5.10.0'
     testImplementation 'org.jmockit:jmockit:1.49'
diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/crypto/Main.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/crypto/Main.java
index 5ec1f2d2a3..2f78722325 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/crypto/Main.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/crypto/Main.java
@@ -20,7 +20,7 @@ package org.apache.ofbiz.base.crypto;
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.ofbiz.base.util.Debug;
-import org.apache.shiro.crypto.AesCipherService;
+import org.apache.shiro.crypto.cipher.AesCipherService;
 
 public class Main {
     private static final String MODULE = Main.class.getName();
diff --git 
a/framework/entity/src/main/java/org/apache/ofbiz/entity/util/EntityCrypto.java 
b/framework/entity/src/main/java/org/apache/ofbiz/entity/util/EntityCrypto.java
index e58b933d1d..bae17e48a4 100644
--- 
a/framework/entity/src/main/java/org/apache/ofbiz/entity/util/EntityCrypto.java
+++ 
b/framework/entity/src/main/java/org/apache/ofbiz/entity/util/EntityCrypto.java
@@ -40,9 +40,9 @@ import org.apache.ofbiz.entity.GenericEntityException;
 import org.apache.ofbiz.entity.GenericValue;
 import org.apache.ofbiz.entity.model.ModelField.EncryptMethod;
 import org.apache.ofbiz.entity.transaction.TransactionUtil;
-import org.apache.shiro.crypto.AesCipherService;
-import org.apache.shiro.crypto.OperationMode;
-import org.apache.shiro.crypto.PaddingScheme;
+import org.apache.shiro.crypto.cipher.AesCipherService;
+import org.apache.shiro.crypto.cipher.OperationMode;
+import org.apache.shiro.crypto.cipher.PaddingScheme;
 import org.apache.shiro.crypto.hash.DefaultHashService;
 import org.apache.shiro.crypto.hash.HashRequest;
 import org.apache.shiro.crypto.hash.HashService;
@@ -129,7 +129,7 @@ public final class EntityCrypto {
         } catch (Exception e) {
             /*
             When the field is encrypted with the old algorithm (3-DES), the 
new Shiro code will fail to decrypt it (using AES) and then it will
-            throw an org.apache.shiro.crypto.CryptoException that is a 
RuntimeException.
+            throw an org.apache.shiro.crypto.cipher.CryptoException that is a 
RuntimeException.
             For backward compatibility we want instead to catch the exception 
and decrypt the code using the old algorithm.
              */
             Debug.logInfo("Decrypt with DES key from standard key name hash 
failed, trying old/funny variety of key name hash", MODULE);
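Review bot: The updated comment names `org.apache.shiro.crypto.cipher.CryptoException`, but as far as I recall only the cipher classes moved to `.cipher` in Shiro 2.0 and CryptoException stayed in `org.apache.shiro.crypto` (the crypto-core module); please verify against the 2.0.0 jar before committing that path into the comment. While this comment is being edited it would be worth stating that the surrounding `catch (Exception e)` treats any failure, not only a CryptoException, as "this must be legacy 3-DES data": a corrupted AES value or a wrong key is silently retried with the weaker algorithm instead of being reported, e.g. `// NOTE: catches Exception, so any AES failure (corruption, wrong key) also takes the 3-DES fallback path`. The log line below still says "DES key" although the first attempt is now AES, which will mislead whoever reads the logs. The enclosing method starts before this hunk and its fallback body continues after it.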
@@ -263,7 +263,7 @@ public final class EntityCrypto {
         protected byte[] decodeKeyBytes(String keyText) throws 
GeneralException {
             byte[] keyBytes = Base64.decodeBase64(keyText);
             if (kek != null) {
-                keyBytes = saltedCipherService.decrypt(keyBytes, 
kek).getBytes();
+                keyBytes = saltedCipherService.decrypt(keyBytes, 
kek).getClonedBytes();
             }
             return keyBytes;
         }
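Review bot: With `getClonedBytes()` at the decrypt call, the unwrapped key now lives in a fresh array that this method hands straight back to the caller, and nothing here or in the hunk says who owns it or when it may be wiped; the accessor name suggests decrypt() now returns Shiro 2's ByteSourceBroker, whose point (as I understand it) is to let callers consume the plaintext inside a callback rather than keep a copy. A short comment would help the next reader, e.g. `// Shiro 2 decrypt() returns a broker; take our own copy since the caller keeps the key bytes`. If the lifetime of key material in memory matters here, callers could zero the array with `Arrays.fill(keyBytes, (byte) 0)` once the key has been used, which is outside this hunk.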
@@ -281,9 +281,9 @@ public final class EntityCrypto {
         protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, 
String encryptedString) throws GeneralException {
             switch (encryptMethod) {
             case SALT:
-                return 
saltedCipherService.decrypt(Base64.decodeBase64(encryptedString), 
key).getBytes();
+                return 
saltedCipherService.decrypt(Base64.decodeBase64(encryptedString), 
key).getClonedBytes();
             default:
-                return 
cipherService.decrypt(Base64.decodeBase64(encryptedString), key).getBytes();
+                return 
cipherService.decrypt(Base64.decodeBase64(encryptedString), 
key).getClonedBytes();
             }
         }
 
diff --git 
a/framework/entityext/src/main/java/org/apache/ofbiz/entityext/data/EntityDataServices.java
 
b/framework/entityext/src/main/java/org/apache/ofbiz/entityext/data/EntityDataServices.java
index 6dd3d49e1a..38faf2e024 100644
--- 
a/framework/entityext/src/main/java/org/apache/ofbiz/entityext/data/EntityDataServices.java
+++ 
b/framework/entityext/src/main/java/org/apache/ofbiz/entityext/data/EntityDataServices.java
@@ -56,7 +56,7 @@ import org.apache.ofbiz.service.DispatchContext;
 import org.apache.ofbiz.service.GenericServiceException;
 import org.apache.ofbiz.service.LocalDispatcher;
 import org.apache.ofbiz.service.ServiceUtil;
-import org.apache.shiro.crypto.AesCipherService;
+import org.apache.shiro.crypto.cipher.AesCipherService;
 
 /**
  * Entity Data Import/Export Services
@@ -473,7 +473,7 @@ public class EntityDataServices {
                 if (oldKey != null) {
                     Debug.logInfo("Decrypting with old key: " + oldKey, 
MODULE);
                     try {
-                        keyBytes = cipherService.decrypt(keyBytes, 
Base64.decodeBase64(oldKey)).getBytes();
+                        keyBytes = cipherService.decrypt(keyBytes, 
Base64.decodeBase64(oldKey)).getClonedBytes();
                     } catch (Exception e) {
                         Debug.logInfo("Failed to decrypt with Shiro cipher; 
trying with old cipher", MODULE);
                         try {
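Review bot: Two lines above the changed call, `Debug.logInfo("Decrypting with old key: " + oldKey, MODULE);` writes the Base64 form of the old encryption key into the application log at INFO level; since this method is being touched for the Shiro 2 API anyway, that line should lose the key value, e.g. `Debug.logInfo("Decrypting with old key", MODULE);`. The `catch (Exception e)` right after the new `getClonedBytes()` call also treats any failure as "try the old cipher", so a wrong or corrupted key is silently retried with the legacy algorithm rather than surfaced to the operator running the re-key. The enclosing method starts before this hunk and continues after it.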
