No, no. The cipher key should not be anywhere near your build process, maven, shiro.ini, etc. None of that is secure.
> On Apr 9, 2025, at 12:50 PM, Steinar Bang <s...@dod.no> wrote:
>
>>>>>> lenny-5o6p1tln9c5dpfhejli...@public.gmane.org:
>
>> a. No. It’s a Hex string with no prefix or encoding
>> b. No. There is no encoding of the key in the URL, otherwise it’ll be
>> insecure. CipherKey is used to decrypt the rememberMe cookie.
>> c. Yes
>
> Thanks!
>
> (Actually, reading through the stuff you wrote above about "must be
> fixed", probably "b. Yes." also (I possibly confused things with the
> stuff in parentheses)
>
> I have to think about the best way to set the fixed value.
>
> I think maybe have it in ~/.m2/settings.xml and expand the value in
> shiro.ini files or default with the current behaviour when the maven
> property value is missing?