Good evening,

I have two questions regarding the configuration in userrepository.xml.

1. All examples contain the setting `enableForwarding` but I do not find any 
references to it. What's the purpose of the setting?
2. What is the difference between configuring password salting via the 
`algorithm` or `hashingMode` setting (more below)?


I would like to configure my James instance with Postgres user backend to use 
password salts. For this, I have the following userrepository.xml:

<usersrepository name="LocalUsers">
    <algorithm>PBKDF2-SHA512</algorithm>
    <hashingMode>salted</hashingMode>
    <enableVirtualHosting>true</enableVirtualHosting>
</usersrepository>

Based on the documentation 
(docs/modules/servers/partials/configure/usersrepository.adoc), I would have 
expected the algorithm in the database to be `PBKDF2-SHA512/salted` but it is 
`PBKDF2-SHA512/plain`.
When I use the following userrepository.xml, the algorithm in the database is 
`PBKDF2-SHA512/salted` as expected:
<usersrepository name="LocalUsers">
    <algorithm>PBKDF2-SHA512/salted</algorithm>
    <enableVirtualHosting>true</enableVirtualHosting>
</usersrepository>

If I understand the code path correctly, the hash mode is read from the config 
in 
server/data/data-postgres/src/main/java/org/apache/james/user/postgres/PostgresUsersRepositoryConfiguration.java.
The algorithm and hashing mode are then used in 
server/data/data-postgres/src/main/java/org/apache/james/user/postgres/PostgresUsersDAO.java.
However, the hashing mode is only used once as a fallback when retrieving a 
user and does not make it into the database.

Still, in both configurations, the password is salted with the username. It 
would be nice if the difference were mentioned in the documentation.


Best regards,
Felix


---
Gesellschaft für interkulturelles
Zusammenleben gGmbH (GIZ)
Felix Auringer
IT
Reformationsplatz 2
13597 Berlin

Tel: 030/513 0100 00; Fax: 030/513 0100 09 
www.giz.berlin; [email protected]

Amtsgericht Charlottenburg HRB 200872 B
Geschäftsführerin: Dr. Britta Marschke
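
An added example, not part of the original message and not Apache James code: a small configuration check that predicts the algorithm label stored in the database for the two configurations quoted above and warns when `hashingMode` would not be reflected in it. The function name `audit_hashing_config` is hypothetical, and the labelling rule it encodes is an assumption taken from the behaviour reported in the message, not from the James documentation.

```python
import xml.etree.ElementTree as ET

# The two configurations quoted in the message above.
CONFIG_SEPARATE_MODE = """<usersrepository name="LocalUsers">
    <algorithm>PBKDF2-SHA512</algorithm>
    <hashingMode>salted</hashingMode>
    <enableVirtualHosting>true</enableVirtualHosting>
</usersrepository>"""

CONFIG_SUFFIXED = """<usersrepository name="LocalUsers">
    <algorithm>PBKDF2-SHA512/salted</algorithm>
    <enableVirtualHosting>true</enableVirtualHosting>
</usersrepository>"""


def audit_hashing_config(xml_text):
    """Return (expected_label, warnings) for a usersrepository document.

    Assumption taken from the report above, not from James documentation:
    the label stored per user is the <algorithm> value, with "/plain"
    appended when it carries no "/<mode>" suffix; <hashingMode> does not
    change it.
    """
    root = ET.fromstring(xml_text)
    algorithm = (root.findtext("algorithm") or "").strip()
    hashing_mode = (root.findtext("hashingMode") or "").strip()
    if not algorithm:
        return None, ["no <algorithm> element: stored label depends on the server default"]

    # Split "NAME/mode" into its parts; sep is empty when there is no suffix.
    name, sep, suffix = algorithm.partition("/")
    label = algorithm if sep else name + "/plain"
    effective_mode = suffix if sep else "plain"

    warnings = []
    if hashing_mode and hashing_mode != effective_mode:
        warnings.append(
            "<hashingMode>%s</hashingMode> is set, but the stored label is "
            "expected to be %r; put the mode in <algorithm> instead"
            % (hashing_mode, label)
        )
    return label, warnings


if __name__ == "__main__":
    for config in (CONFIG_SEPARATE_MODE, CONFIG_SUFFIXED):
        print(audit_hashing_config(config))
```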
