diff --git a/dependencies.gradle b/dependencies.gradle index 54b468b0916..42cc1c21996 100644 --- a/dependencies.gradle +++ b/dependencies.gradle @@ -53,7 +53,8 @@ dependencies { implementation 'org.apache.logging.log4j:log4j-core:2.20.0' // Somehow needed by Buildbot to compile OFBizDynamicThresholdFilter.java implementation 'org.apache.poi:poi:4.1.2' // poi-ooxml-schemas-5.0.0.pom'. Received status code 401 from server implementation 'org.apache.pdfbox:pdfbox:2.0.29' // 3.0.1 does not compile - implementation 'org.apache.shiro:shiro-crypto:2.0.0' + implementation 'org.apache.shiro:shiro-core:1.13.0' + implementation 'org.apache.shiro:shiro-crypto-cipher:2.0.0' implementation 'org.apache.sshd:sshd-core:2.10.0' implementation 'org.apache.sshd:sshd-sftp:2.10.0' implementation 'org.apache.tika:tika-core:2.5.0' @@ -82,12 +83,6 @@ dependencies { implementation 'xerces:xercesImpl:2.12.2' implementation 'org.mustangproject:library:2.8.0' // 2.10.0 did not work, cf. OFBIZ-12920 (https://github.com/apache/ofbiz-framework/pull/712#issuecomment-1968960963) - // Temporary workaround to compile Shiro 2.0.0 without LDAP - implementation 'org.apereo.cas:cas-server-core-api-authentication:5.0.10' - implementation 'org.apereo.cas:cas-server-core-util:5.0.10' - implementation 'org.apereo.cas:cas-server-support-ldap-core:5.0.10' - - testImplementation 'org.hamcrest:hamcrest-library:2.2' // Enable junit4 to not depend on hamcrest-1.3 testImplementation 'org.mockito:mockito-core:5.10.0' testImplementation 'org.jmockit:jmockit:1.49' diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/crypto/Main.java b/framework/base/src/main/java/org/apache/ofbiz/base/crypto/Main.java index 5ec1f2d2a3b..2f787223257 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/crypto/Main.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/crypto/Main.java @@ -20,7 +20,7 @@ import org.apache.commons.codec.binary.Base64; import org.apache.ofbiz.base.util.Debug; -import org.apache.shiro.crypto.AesCipherService; +import org.apache.shiro.crypto.cipher.AesCipherService; public class Main { private static final String MODULE = Main.class.getName(); diff --git a/framework/entity/src/main/java/org/apache/ofbiz/entity/util/EntityCrypto.java b/framework/entity/src/main/java/org/apache/ofbiz/entity/util/EntityCrypto.java index e58b933d1dd..bae17e48a4e 100644 --- a/framework/entity/src/main/java/org/apache/ofbiz/entity/util/EntityCrypto.java +++ b/framework/entity/src/main/java/org/apache/ofbiz/entity/util/EntityCrypto.java @@ -40,9 +40,9 @@ import org.apache.ofbiz.entity.GenericValue; import org.apache.ofbiz.entity.model.ModelField.EncryptMethod; import org.apache.ofbiz.entity.transaction.TransactionUtil; -import org.apache.shiro.crypto.AesCipherService; -import org.apache.shiro.crypto.OperationMode; -import org.apache.shiro.crypto.PaddingScheme; +import org.apache.shiro.crypto.cipher.AesCipherService; +import org.apache.shiro.crypto.cipher.OperationMode; +import org.apache.shiro.crypto.cipher.PaddingScheme; import org.apache.shiro.crypto.hash.DefaultHashService; import org.apache.shiro.crypto.hash.HashRequest; import org.apache.shiro.crypto.hash.HashService; @@ -129,7 +129,7 @@ public Object decrypt(String keyName, EncryptMethod encryptMethod, String encryp } catch (Exception e) { /* When the field is encrypted with the old algorithm (3-DES), the new Shiro code will fail to decrypt it (using AES) and then it will - throw an org.apache.shiro.crypto.CryptoException that is a RuntimeException. + throw an org.apache.shiro.crypto.cipher.CryptoException that is a RuntimeException. For backward compatibility we want instead to catch the exception and decrypt the code using the old algorithm. */ Debug.logInfo("Decrypt with DES key from standard key name hash failed, trying old/funny variety of key name hash", MODULE); @@ -263,7 +263,7 @@ protected String getKeyMapPrefix(String hashedKeyName) { protected byte[] decodeKeyBytes(String keyText) throws GeneralException { byte[] keyBytes = Base64.decodeBase64(keyText); if (kek != null) { - keyBytes = saltedCipherService.decrypt(keyBytes, kek).getBytes(); + keyBytes = saltedCipherService.decrypt(keyBytes, kek).getClonedBytes(); } return keyBytes; } @@ -281,9 +281,9 @@ protected String encodeKey(byte[] key) throws GeneralException { protected byte[] decryptValue(byte[] key, EncryptMethod encryptMethod, String encryptedString) throws GeneralException { switch (encryptMethod) { case SALT: - return saltedCipherService.decrypt(Base64.decodeBase64(encryptedString), key).getBytes(); + return saltedCipherService.decrypt(Base64.decodeBase64(encryptedString), key).getClonedBytes(); default: - return cipherService.decrypt(Base64.decodeBase64(encryptedString), key).getBytes(); + return cipherService.decrypt(Base64.decodeBase64(encryptedString), key).getClonedBytes(); } } diff --git a/framework/entityext/src/main/java/org/apache/ofbiz/entityext/data/EntityDataServices.java b/framework/entityext/src/main/java/org/apache/ofbiz/entityext/data/EntityDataServices.java index 6dd3d49e1a3..38faf2e0248 100644 --- a/framework/entityext/src/main/java/org/apache/ofbiz/entityext/data/EntityDataServices.java +++ b/framework/entityext/src/main/java/org/apache/ofbiz/entityext/data/EntityDataServices.java @@ -56,7 +56,7 @@ import org.apache.ofbiz.service.GenericServiceException; import org.apache.ofbiz.service.LocalDispatcher; import org.apache.ofbiz.service.ServiceUtil; -import org.apache.shiro.crypto.AesCipherService; +import org.apache.shiro.crypto.cipher.AesCipherService; /** * Entity Data Import/Export Services @@ -473,7 +473,7 @@ public static Map reencryptPrivateKeys(DispatchContext dctx, Map if (oldKey != null) { Debug.logInfo("Decrypting with old key: " + oldKey, MODULE); try { - keyBytes = cipherService.decrypt(keyBytes, Base64.decodeBase64(oldKey)).getBytes(); + keyBytes = cipherService.decrypt(keyBytes, Base64.decodeBase64(oldKey)).getClonedBytes(); } catch (Exception e) { Debug.logInfo("Failed to decrypt with Shiro cipher; trying with old cipher", MODULE); try {