
CAMEL-15619 camel-shiro: allow custom implementation of serialization #4361

Merged

Conversation

JiriOndrusek (Contributor)

Issue: https://issues.apache.org/jira/browse/CAMEL-15619

I'm replacing the serialization of ShiroSecurityToken with custom-written serialization (without ObjectOutputStream.writeObject()).
This change allows the creation of a camel-quarkus extension for this component (because serialization is not possible in native, see oracle/graal#460).

  • Make sure there is a JIRA issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a JIRA issue. Your pull request should address just this issue, without pulling in other changes.
  • Each commit in the pull request should have a meaningful subject line and body.
  • If you're unsure, you can format the pull request title like [CAMEL-XXX] Fixes bug in camel-file component, where you replace CAMEL-XXX with the appropriate JIRA issue.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Run mvn clean install -Psourcecheck in your module with source check enabled to make sure basic checks pass and there are no checkstyle violations. A more thorough check will be performed on your pull request automatically.
  Below are the contribution guidelines:
  https://github.com/apache/camel/blob/master/CONTRIBUTING.md

@davsclaus (Contributor)

Hmm, maybe the text-based serialization is a bit too insecure, as it's shown in plain sight. A base64 encoding would help a little bit.

@JiriOndrusek (Contributor, Author)

@davsclaus Yes, I thought so too. But then I realized that right after serialization (which is not public and is used only in the helper) there is an encryption step executed by Shiro: https://github.com/apache/camel/pull/4361/files#diff-59c23bcaba4eb76a764b9ffa34575a0aR35 From that perspective it doesn't seem necessary to encrypt it once more...
WDYT?

(The original code was sending a string like this: ����sr�<org.apache.camel.component.shiro.security.ShiroSecurityTokenoE��6�%M���L��passwordt��Ljava/lang/String;L��usernameq�~��xpt��starrt��ringo - so it was also possible to see the username/password in plain text.)
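
As an added illustration of the two points in this thread, the PR's replacement of ObjectOutputStream.writeObject() with a custom text format and the encryption Shiro applies afterwards, here is a self-contained Java sketch that is not the camel-shiro code. The Token class, the length-prefixed field format and all class and method names are assumptions made for the example; AesCipherService is Shiro's own class.

```java
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import org.apache.shiro.crypto.AesCipherService;

public class TokenWireFormatDemo {
    // Hypothetical stand-in for camel-shiro's ShiroSecurityToken (not the project's class).
    static final class Token implements Serializable {
        final String username, password;
        Token(String u, String p) { username = u; password = p; }
    }
    static final AesCipherService CIPHER = new AesCipherService();   // Shiro's AES cipher service

    // Custom text serialization: fields are length-prefixed, so a ':' inside a username or
    // password cannot confuse the parser. No ObjectOutputStream is involved.
    static String serialize(Token t) {
        return t.username.length() + ":" + t.username + ":" + t.password.length() + ":" + t.password;
    }
    static Token deserialize(String s) {
        int c1 = s.indexOf(':');
        int ulen = Integer.parseInt(s.substring(0, c1));
        int sep = c1 + 1 + ulen;                      // index of the ':' that follows the username
        int c2 = s.indexOf(':', sep + 1);
        int plen = Integer.parseInt(s.substring(sep + 1, c2));
        if (s.charAt(sep) != ':' || c2 + 1 + plen != s.length()) throw new IllegalArgumentException("malformed token");
        return new Token(s.substring(c1 + 1, sep), s.substring(c2 + 1));
    }
    // The encryption step applied after serialization, as described in the discussion above.
    static byte[] encrypt(Token t, byte[] key) {
        return CIPHER.encrypt(serialize(t).getBytes(StandardCharsets.UTF_8), key).getBytes();
    }
    static Token decrypt(byte[] wire, byte[] key) {
        return deserialize(new String(CIPHER.decrypt(wire, key).getBytes(), StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        Token t = new Token("starr", "ri:ngo");       // constructed sample; the colon stresses the parser
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(t); }
        // Java serialization writes String fields as readable bytes, as the dumped token in the PR shows.
        System.out.println("password readable in ObjectOutputStream form: "
                + new String(bos.toByteArray(), StandardCharsets.ISO_8859_1).contains("ri:ngo"));
        byte[] key = CIPHER.generateNewKey().getEncoded();
        byte[] wire = encrypt(t, key);
        System.out.println("password readable in encrypted form: "
                + new String(wire, StandardCharsets.ISO_8859_1).contains("ri:ngo"));
        Token back = decrypt(wire, key);
        System.out.println("round trip ok: " + (back.username.equals("starr") && back.password.equals("ri:ngo")));
    }
}
```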

@davsclaus (Contributor)

Yeah, serialized Java objects can be de-serialized and their content grabbed.

So okay, if Shiro does something afterwards then it's fine with me.

@davsclaus davsclaus merged commit 61a12b1 into apache:master Oct 6, 2020