Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Improved: Upgrade Apache Shiro from 1.13.0 to 2.0.0 (OFBIZ-12961)
Summary, TL;DR: the changes are minimal and things work like before. OFBiz uses now Shiro 2.0.0 for AES ciphering instead of Shiro 1.13.0. OFBiz still uses 3-DES and other (older) ciphering methods in case AES would fail facing old data. This also removes now useless "temporary workaround to compile Shiro 2.0.0 without LDAP" component block in dependencies.gradle Details: This uses 'org.apache.shiro:shiro-crypto-cipher:2.0.0' instead of previously wrongly committed org.apache.shiro:shiro-crypto:2.0.0 It re-installs org.apache.shiro:shiro-core:1.13.0 I have still to completely review apache/shiro#1022 According to it, it seems that for now we need to keep shiro-core:1.13.0 http://svn.apache.org/viewvc?view=revision&revision=1814704, and the more complete dev ML discussion referred in the commit message explains why we keep 3-DES and other (older) ciphering methods. I see no problems with that. But, we may want to completely get rid of the old 3-DES and old ways by refactoring this part of code. And maybe offering a way to migrate the data to AES. The Shiro issue referred above may help in this way. Thanks: Lenny from Apache Shiro project for the idea.
- Loading branch information