Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Optimize the password encryption and password change logic for the admin user

See original GitHub issue

Task

Currently, We use the AES algorithm to encrypt the password and provide the password back to the front end. I think It’s not safe.

I suggest the following optimization:

The API does not return the password field. See org.apache.shenyu.admin.controller.DashboardUserController#detailDashboardUser
Consider Using sha512 algorithm to encrypt the password (Need to discuss)

Please read the Contribution Guideline before submitting the PR

Issue Analytics

State:
Created 2 years ago
Comments:13 (13 by maintainers)

Top GitHub Comments

1reaction

erdengkcommented, Feb 22, 2022

After testing, the problem is that the apache protocol is not added.

After adding, the above errors will appear. But maven builds successfully

2022-02-23 02:13:23 [main] ERROR org.apache.shenyu.admin.exception.ExceptionHandlers - null pointer exception 
java.lang.NullPointerException: null
[INFO] Tests run: 10, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 11.718 s - in org.apache.shenyu.admin.exception.ExceptionHandlersTest
[INFO] Running org.apache.shenyu.admin.spring.ShenyuApplicationContextAwareTest
[INFO] Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.07 s - in org.apache.shenyu.admin.spring.ShenyuApplicationContextAwareTest
[INFO] Running org.apache.shenyu.admin.spring.SpringBeanUtilsTest
[INFO] Tests run: 3, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.042 s - in org.apache.shenyu.admin.spring.SpringBeanUtilsTest
[INFO] Running org.apache.shenyu.admin.shiro.config.ShiroRealmTest
2022-02-23 02:13:29 [main] INFO  org.apache.shenyu.admin.utils.JwtUtils - jwt decode fail, token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwidXNlck5hbWUiOiJKb2huIERvZSIsImlhdCI6MTUxNjIzOTAyMn0.vZiLpzbncmNC5KL1idgfapCOTsRC0h_5XnqxaGfcLlM 
com.auth0.jwt.exceptions.SignatureVerificationException: The Token's Signature resulted invalid when verified using the Algorithm: HmacSHA256
        at com.auth0.jwt.algorithms.HMACAlgorithm.verify(HMACAlgorithm.java:56)
        at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:287)
        at com.auth0.jwt.JWTVerifier.verify(JWTVerifier.java:271)
        at org.apache.shenyu.admin.utils.JwtUtils.verifyToken(JwtUtils.java:98)
        at org.apache.shenyu.admin.shiro.config.ShiroRealm.doGetAuthenticationInfo(ShiroRealm.java:91)
        at org.apache.shenyu.admin.shiro.config.ShiroRealmTest.lambda$testDoGetAuthenticationInfo$2(ShiroRealmTest.java:121)
        at org.junit.jupiter.api.AssertThrows.assertThrows(AssertThrows.java:55)
        at org.junit.jupiter.api.AssertThrows.assertThrows(AssertThrows.java:37)

1reaction

HessTina-YuIcommented, Feb 22, 2022

The new class is lack of apache protocol.

Top Results From Across the Web

Optimize the password encryption and password change logic for ...

Task Currently, We use the AES algorithm to encrypt the password and provide the password back to the front end. I think It's...

How Do Password Encryption Methods Work? - Okta

Password encryption is one of the most popular data security methodologies. Discover password encryption types and how a password algorithm works.

Optimize security by enhancing password encryption - IBM

11, the encryption of administrator, node, server, database backup, and Lightweight Directory Access Protocol (LDAP) authentication passwords is enhanced.

How to securely store passwords in database - Vaadata

We can merge the three methods (salt, pepper and number of iterations) to have one method to store passwords more securely than a...

EPM Automate Encrypt, How to encrypt EPM Cloud password

Encrypting the secrets allows Service Administrators to share their encrypted password file with developers who write EPM Automate scripts so that they can ......