Hi Marc

I created a copy of the existing test case (PasswordUtilTest.testPBKDF2With) 
based on your information below and ran it in the latest Oak trunk. That worked 
for me.


But I found the following issue in the Oak JIRA that looks like the answer to 
your question: OAK-7778 <https://issues.apache.org/jira/browse/OAK-7778>.

If that addresses what you are experiencing, I would suggest you use the latest 
stable Oak release 1.10 instead of using 1.6.


Kind regards

Angela


________________________________
From: [email protected] <[email protected]>
Sent: Monday, February 4, 2019 7:27 PM
To: [email protected]
Subject: Using Salted Hash prevents admin user from logging in.

Hello all,

We are migrating an application that was built on Sling 6 & Jackrabbit
to Sling 10 & Oak. We are using Oak 1.6.8, which is the version used in
the example Sling 10 application.  We had previously built our own
authenticators & login plugins to use CryptedSimpleCredentials and keep
passwords encrypted in the JCR. It looks like that is now the standard
in Oak using CredentialsImpl. I'm trying to decide if we can drop our
custom code and just configure Oak properly. I've set the
UserConfigurationImpl.config with the following values.

passwordHashAlgorithm="PBKDF2WithHmacSHA256"
passwordHashIterations="1000"
passwordSaltSize="20"

I took the HashAlgorithm key from a comment in
org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil.generateHash(...)->generatePBKDF2(...).
Stepping through the code, I can see that during
org.apache.jackrabbit.oak.security.user.UserInitializer.Initialize(...)
the admin user is created (:139).  The hash created for the password
uses the above-mentioned methods and produces a hash with salt & iterations:
{PBKDF2WithHmacSHA256}b7dab4b06ad4be41-1000-8675468f4239a321b3dc8b9989a2fae0

However, when trying to log in with the admin user, it is not able to
authenticate the user because the PasswordUtil fails to recognize the
algorithm when calling extractAlgorithm(hashedPwd) because
message.digest("PBKDF2WithHmacSHA256") is invalid.

I have not been able to find any other people looking for help with this
topic, which leads me to believe that maybe I have a fundamental
misunderstanding that I can't see.  Any and all help would be appreciated.

Regards,
Marc
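As an added example, not code from Oak or from either mail: a Python model of the `{algorithm}salt-iterations-hash` format Marc quotes, with an `extract_algorithm` that can be run in the PBKDF2-unaware mode he describes, and a verifier that dispatches PBKDF2 names to a key-derivation function instead of a message digest. Assumptions: a 128-bit PBKDF2 key, a hex-encoded salt, and the legacy digest construction (digest of hex salt plus password, re-digested iterations-1 times); the test values are constructed.

```python
import hashlib
import hmac
import secrets
PBKDF2_PREFIX = "PBKDF2"
PBKDF2_KEY_LEN = 16  # 128-bit derived key: matches the 32-hex-char hash in the mail (assumption)

def _digest_name(alg):
    name = alg.replace("-", "").lower()  # Java "SHA-256" -> hashlib "sha256"
    return name if name in hashlib.algorithms_available else None

def _pbkdf2_prf(alg):  # "PBKDF2WithHmacSHA256" -> "sha256", or None
    return _digest_name(alg[len("PBKDF2WithHmac"):]) if alg.startswith("PBKDF2WithHmac") else None

def extract_algorithm(stored, pbkdf2_aware=True):
    """Return the algorithm in '{alg}salt-iterations-hash', or None if it is unusable. With
    pbkdf2_aware=False only digest names count, so every PBKDF2 hash is rejected (Marc's case)."""
    end = stored.find("}")
    if not stored.startswith("{") or end < 2 or end == len(stored) - 1:
        return None
    alg = stored[1:end]
    if pbkdf2_aware and alg.startswith(PBKDF2_PREFIX):
        return alg if _pbkdf2_prf(alg) is not None else None
    return alg if _digest_name(alg) is not None else None

def _compute(alg, salt_hex, iterations, password):
    if alg.startswith(PBKDF2_PREFIX):
        return hashlib.pbkdf2_hmac(_pbkdf2_prf(alg), password.encode("utf-8"),
                                   bytes.fromhex(salt_hex), iterations, PBKDF2_KEY_LEN).hex()
    # Legacy digest path (assumption): digest(hex salt + password), then re-digest iterations-1 times
    name = _digest_name(alg)
    out = hashlib.new(name, (salt_hex + password).encode("utf-8")).digest()
    for _ in range(iterations - 1):
        out = hashlib.new(name, out).digest()
    return out.hex()

def build_hash(password, alg="PBKDF2WithHmacSHA256", iterations=1000, salt_size=8):
    salt_hex = secrets.token_hex(salt_size)  # fresh random salt, stored as hex
    return "{%s}%s-%d-%s" % (alg, salt_hex, iterations, _compute(alg, salt_hex, iterations, password))

def is_same_password(password, stored):
    alg = extract_algorithm(stored)
    if alg is None:
        return False
    parts = stored[stored.find("}") + 1:].split("-")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    try:
        actual = _compute(alg, parts[0], int(parts[1]), password)
    except ValueError:  # malformed hex salt or zero iterations
        return False
    return hmac.compare_digest(actual, parts[2].lower())  # constant-time compare
```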

