Sorry, your interpretation is incorrect. The default behavior is to have a new cipher key, and this is why you get this error. The cipher key needs to be "fixed", i.e. the same between application starts.

It is *not* base64 encoded. This is exactly the hex string the openssl command gives you. No "0x" in front or anything else.

% openssl enc -aes-128-cbc -k secret -P -md sha256
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
salt=51F8F0583B98F93F
*** USE THIS VALUE ***
key=5AA466288411D3ABE5F03BF57CB14C4A
iv =365E61874A97ED0281234E6933CB049D

You need to use the "key" value: "5AA466288411D3ABE5F03BF57CB14C4A" (without quotes)

a. No. It's a hex string with no prefix or encoding.
b. No. There is no encoding of the key in the URL, otherwise it'll be insecure. CipherKey is used to decrypt the rememberMe cookie.
c. Yes. *** DO NOT *** put the cipher key into shiro.ini. This is horribly insecure. You have to guard the cipher key with your "life" because if it gets out, all rememberMe sessions are vulnerable to a hijack attack. Best practice is to put it into an environment variable, and make sure that no one gets to it.

In my example, https://github.com/lprimak/apps/blob/549f2926233ea3da52126103dc4960090fe95157/emailmanager/src/main/java/com/flowlogix/website/ui/Constants.java#L53 injects the cipherKey via Microprofile Config from an environment variable, while https://github.com/lprimak/apps/blob/main/emailmanager/src/main/java/com/flowlogix/website/security/CipherKeySource.java is the Shiro integration that provides it to Shiro itself.

Hope this helps!

> On Apr 8, 2025, at 12:18 PM, Steinar Bang <s...@dod.no> wrote:
>
>>>>>> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:
>
>> The only thing I can think of is to give you some examples from my
>> application:
>> https://github.com/lprimak/apps/blob/main/emailmanager/src/main/java/com/flowlogix/website/security/CipherKeySource.java
>
> Just seeing if I'm interpreting this correctly: this is base64-encoding
> of the cipher key that's autogenerated every time the app starts?
>
>> https://github.com/lprimak/apps/blob/main/emailmanager/hope-website/WEB-INF/shiro.ini
>
> Hm... I see no setting of the cipherKey in here?
>
> What I tried to do was
> 1. to take the openssl command you sent me and run it
> 2. that created several hex values
> 3. I took the "key" value and prefixed it with "0x" and used it as the
> value of the rememberMeManager.cipherKey property in shiro.ini
>
> I wasn't sure what the exact problem was:
> a. That the cipherKey was a binary value stored as a string, without
> being base64 encoded or a 0x prefix on a hex encoding of the value?
> b. That I did reloads of the server which caused a new AES cipher key
> (the one you base64 encode in the first URL?) to be generated, and
> not match the cipherKey used to encode the rememberMe cookies?
> c. That I used the same Realm and Session across multiple applications,
> and thus needed the same cipherKey for all of them?
> d. Something completely unrelated to the above?
>
> I tried to cure all of a., b. and c. by adding the same constant value
> to all shiro.ini files. I haven't pushed any of the commits (since they
> didn't get rid of the error in the logs), but here is one of the
> shiro.ini files with the setting added:
> https://gist.github.com/steinarb/d16acbdc6cc35e5cb599f9b4121f6af1#file-shiro-ini-L5
>
> Of course if the reason for the problem is "d." then I have been barking
> up the wrong tree...? :-)
>
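An added example (not code from this thread or from the lprimak/apps repository) of what the advice above amounts to in code: read the plain hex key that `openssl enc -P` prints from an environment variable, reject the "0x" prefix and base64 forms, and hand the decoded bytes to Shiro's remember-me manager so the key is the same on every start. The variable name SHIRO_REMEMBERME_KEY and the class name are assumptions; it assumes Java 17 (for java.util.HexFormat) and shiro-web on the classpath.

```java
import java.util.HexFormat;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public final class FixedRememberMeKey {
    // Assumed variable name; the key never goes into shiro.ini or source control.
    static final String ENV_VAR = "SHIRO_REMEMBERME_KEY";

    /** Decode the bare hex string from "key=..." in the openssl output. */
    static byte[] parseCipherKey(String raw) {
        if (raw == null || raw.isBlank()) {
            throw new IllegalStateException(ENV_VAR + " is not set; without a fixed key "
                    + "Shiro generates a new one per start and old rememberMe cookies fail");
        }
        String hex = raw.trim();
        if (hex.startsWith("0x") || hex.startsWith("0X")) {
            throw new IllegalStateException("cipher key must be plain hex, no 0x prefix");
        }
        byte[] key;
        try {
            key = HexFormat.of().parseHex(hex); // rejects base64 or other non-hex input
        } catch (IllegalArgumentException e) {
            throw new IllegalStateException("cipher key is not a hex string", e);
        }
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException("AES key must be 16, 24 or 32 bytes, got " + key.length);
        }
        return key;
    }

    /** Install the fixed key so cookies issued before a restart still decrypt. */
    static CookieRememberMeManager rememberMeManager(byte[] key) {
        CookieRememberMeManager rmm = new CookieRememberMeManager();
        rmm.setCipherKey(key); // sets both the encryption and decryption key
        return rmm;
    }

    public static void main(String[] args) {
        byte[] key = parseCipherKey(System.getenv(ENV_VAR));
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMeManager(key));
        // Every application that must read the same rememberMe cookies needs
        // this same key value in its own environment.
    }
}
```

The 16-byte length check matches the aes-128 key from the openssl command in the thread; 24 and 32 bytes are accepted for the other AES sizes.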