[ 
https://issues.apache.org/jira/browse/SLING-6219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15623495#comment-15623495
 ] 

Rob Ryan commented on SLING-6219:
---------------------------------

The value in the password field is not *just* SHA-256 BTW, but a configurable 
number of passes through an algorithm which includes SHA-256. This algorithm is 
technically an implementation detail. This detail is already leaked somewhat in 
vault packages of users which includes the rep:password field. Personally I'd 
support moving that detail completely in the open as a specified behavior of 
Oak, but I'm not an Oak committer.

Since having these password hashes in repo init configurations is potentially 
less secure, it might be appropriate to allow only stronger configurations of 
the algorithm to be used, e.g. enforce a minimum number of hashes beyond the 
default. This would slow down attacks *and* real authentication using the 
credentials, but it might be worth it.

> Allow to create users with repoinit
> -----------------------------------
>
>                 Key: SLING-6219
>                 URL: https://issues.apache.org/jira/browse/SLING-6219
>             Project: Sling
>          Issue Type: New Feature
>          Components: JCR, Repoinit
>            Reporter: Carsten Ziegeler
>             Fix For: Repoinit Parser 1.0.4, Repoinit JCR 1.0.4
>
>
> It seems it's not possible to create a user through the repoinit. 
> This would be very useful for sample apps and testing. For example, the
> slingshot sample app currently needs an admin user to create the sample
> user accounts. And therefore slingshot needs to be in the whitelist for
> admin usage - which is not a good thing.
> I suggest we add:
> create user {name}
> create user {name} {password}
> delete user {name}
> If no pw is provided for create user, we create a random pw



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
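The comment above talks about the rep:password value being a configurable number of passes through a SHA-256 based algorithm, and about enforcing a minimum pass count for hashes that get embedded in repoinit scripts. The following is an added example written for this page, not code from Sling, Oak, or the commenter. It models the stored form as `{SHA-256}<hexsalt>-<iterations>-<hexdigest>` with the first pass digesting salt||password and each further pass re-digesting the previous raw digest; that layout is my reading of Oak's PasswordUtil and is an assumption to verify against the Oak source before relying on it for interoperability. The `audit_repoinit` function uses the `create user {name}` / `create user {name} {password}` statement forms proposed in the issue (also an assumption; the real grammar is whatever the repoinit parser accepts).

```python
import hashlib
import hmac
import os
import re
import time
from typing import Dict, List, Optional, Tuple

# Stored form assumed here: "{SHA-256}<hexsalt>-<iterations>-<hexdigest>".
# ASSUMPTION: this mirrors my reading of Oak's PasswordUtil; verify against the Oak source.
ALGORITHM = "SHA-256"
DEFAULT_ITERATIONS = 1000   # assumed default pass count for this example
SALT_BYTES = 8
_FORMAT = re.compile(
    r"^\{(?P<alg>[A-Za-z0-9-]+)\}(?P<salt>[0-9a-f]*)-(?P<iter>\d+)-(?P<hash>[0-9a-f]+)$"
)


def _iterated_digest(password: str, salt_hex: str, iterations: int) -> str:
    """Pass 1 digests salt||password; every further pass digests the previous raw digest."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    digest = hashlib.sha256((salt_hex + password).encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def build_password_hash(password: str, iterations: int = DEFAULT_ITERATIONS,
                        salt: Optional[bytes] = None) -> str:
    """Produce the stored rep:password-style string; a fixed salt is only for reproducible tests."""
    salt_hex = (salt if salt is not None else os.urandom(SALT_BYTES)).hex()
    return "{%s}%s-%d-%s" % (ALGORITHM, salt_hex, iterations,
                             _iterated_digest(password, salt_hex, iterations))


def parse_password_hash(stored: str) -> Tuple[str, str, int, str]:
    """Split a stored value into (algorithm, hex salt, iterations, hex digest)."""
    m = _FORMAT.match(stored)
    if not m:
        raise ValueError("not a {ALG}salt-iterations-hash string")
    return m["alg"], m["salt"], int(m["iter"]), m["hash"]


def is_password_valid(password: str, stored: str) -> bool:
    """Re-run the same number of passes the stored value declares and compare in constant time."""
    alg, salt_hex, iterations, expected = parse_password_hash(stored)
    if alg != ALGORITHM:
        return False
    return hmac.compare_digest(_iterated_digest(password, salt_hex, iterations), expected)


def check_repoinit_hash_policy(stored: str, minimum_iterations: int) -> List[str]:
    """Policy check for a hash that will live in a repoinit script: list of problems, empty if ok.
    The pass count is attacker-visible in the stored string, so a weak count can be selected
    by whoever wrote the script; the minimum is enforced here, not trusted from the value."""
    try:
        alg, salt_hex, iterations, _ = parse_password_hash(stored)
    except ValueError as e:
        return [str(e)]
    problems = []
    if alg != ALGORITHM:
        problems.append("unsupported algorithm %s" % alg)
    if not salt_hex:
        problems.append("unsalted hash")
    if iterations < minimum_iterations:
        problems.append("iterations %d below minimum %d" % (iterations, minimum_iterations))
    return problems


def audit_repoinit(script: str, minimum_iterations: int) -> Dict[str, List[str]]:
    """Walk the proposed 'create user {name}' / 'create user {name} {password}' statements
    (assumed syntax) and report, per user, why the password field should not be accepted."""
    report: Dict[str, List[str]] = {}
    for raw in script.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[:2] != ["create", "user"]:
            continue
        name = parts[2]
        if len(parts) == 3:
            report[name] = []   # no password given: the tool generates a random one
        elif parts[3].startswith("{"):
            report[name] = check_repoinit_hash_policy(parts[3], minimum_iterations)
        else:
            report[name] = ["plaintext password in repoinit script"]
    return report


def verify_cost_seconds(iterations: int) -> float:
    """Wall-clock cost of one verification at the given pass count; this is the price paid
    by both a brute-force guess and a legitimate login, which is the trade-off the comment names."""
    stored = build_password_hash("benchmark", iterations, salt=b"\x00" * SALT_BYTES)
    start = time.perf_counter()
    is_password_valid("benchmark", stored)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed repoinit script exercising all three cases.
    demo_hash = build_password_hash("s3cret", 2000, salt=bytes.fromhex("0123456789abcdef"))
    demo_script = "create user alice\ncreate user bob hunter2\ncreate user carol %s\n" % demo_hash
    print(audit_repoinit(demo_script, minimum_iterations=5000))
    for n in (1000, 10000):
        print(n, "passes:", round(verify_cost_seconds(n) * 1000, 2), "ms")
```

Raising the minimum pass count only helps if the verifier actually rejects values declaring fewer passes; because the count is carried inside the stored string, a script author (or anyone who can edit it) otherwise picks the cheapest setting for the attacker.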