Hi Marc,

IMO that should work.

Kind regards
Angela

________________________________
From: Marc Davenport <[email protected]>
Sent: Wednesday, February 6, 2019 6:40 PM
To: [email protected]
Subject: Re: Using Salted Hash prevents admin user from logging in.

Thanks for the response Angela, it looks like I am running into OAK-7777. The extractAlgorithm() was updated to handle algorithms that start with PBKDF2 in that version. I'm not sure I can convince my team to make the jump right now considering that core was broken into modules. I wonder if I can use my own duplicate UserAuthentication (and factory) and have it use my own passwordutil.

> On Feb 6, 2019, at 1:16 AM, Angela Schreiber <[email protected]> wrote:
>
> Hi Marc
>
> I created a copy of the existing test (PasswordUtilTest.testPBKDF2With) case based on your information below and ran it in the latest Oak trunk. That worked for me.
>
> But I found the following issue in the Oak JIRA that looks like the answer to your question:
> OAK-7778 <https://issues.apache.org/jira/browse/OAK-7778>.
>
> If that addresses what you are experiencing, I would suggest you use the latest stable Oak release 1.10 instead of using 1.6.
>
> Kind regards
> Angela
>
> ________________________________
> From: [email protected] <[email protected]>
> Sent: Monday, February 4, 2019 7:27 PM
> To: [email protected]
> Subject: Using Salted Hash prevents admin user from logging in.
>
> Hello all,
>
> We are migrating an application that was built on Sling 6 & Jackrabbit to Sling 10 & Oak. We are using Oak 1.6.8, which is the version used in the example Sling 10 application. We had previously built our own authenticators & login plugins to use CryptedSimpleCredentials and keep passwords encrypted in the JCR. It looks like that is now the standard in Oak using CredentialsImpl. I'm trying to decide if we can drop our custom code and just configure Oak properly. I've set the UserConfigurationImpl.config with the following values.
>
> passwordHashAlgorithm="PBKDF2WithHmacSHA256"
> passwordHashIterations="1000"
> passwordSaltSize="20"
>
> I took the HashAlgorithm key from a comment in org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil.generateHash(...)->generatePBKDF2(...). Stepping through the code, I can see that during org.apache.jackrabbit.oak.security.user.UserInitializer.Initialize(...) the admin user is created (:139). The hash created for the password uses the above mentioned methods and produces a hash with salt & iterations:
> {PBKDF2WithHmacSHA256}b7dab4b06ad4be41-1000-8675468f4239a321b3dc8b9989a2fae0
>
> However, when trying to log in with the admin user, it is not able to authenticate the user because the PasswordUtil fails to recognize the algorithm when calling extractAlgorithm(hashedPwd) because message.digest("PBKDF2WithHmacSHA256") is invalid.
>
> I have not been able to find any other people looking for help with this topic, which leads me to believe that maybe I have a fundamental misunderstanding that I can't see. Any and all help would be appreciated.
>
> Regards,
> Marc
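The following Java program is an added illustration for readers of this archived thread; it is not Oak's PasswordUtil and is not code posted by either participant. It reproduces the "{algorithm}salt-iterations-hash" layout of the hash Marc posted using only the JDK, and shows why an algorithm check that asks MessageDigest.getInstance() for the name rejects "PBKDF2WithHmacSHA256" (PBKDF2 names are SecretKeyFactory algorithms, not digests), next to a check with the PBKDF2-aware branch that the thread says later versions added. Assumptions not taken from the thread: a 128-bit derived key (the posted hash has 32 hex chars), the salt being hex-decoded before use, and the method names buildHash/extractAlgorithm/isSame, which are illustrative only.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Illustration only (not Oak's PasswordUtil). Field order mirrors the hash in
// the thread: {algorithm}saltHex-iterations-hashHex. Sizes are assumptions.
public class PBKDF2HashDemo {

    // Assumed: 128-bit derived key, matching the 32 hex chars of the posted hash.
    private static final int KEY_LENGTH_BITS = 128;

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // Runs PBKDF2 through the JDK SecretKeyFactory for the named algorithm.
    static byte[] pbkdf2(String password, byte[] salt, String algorithm, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, KEY_LENGTH_BITS);
        return SecretKeyFactory.getInstance(algorithm).generateSecret(spec).getEncoded();
    }

    // Builds "{algo}saltHex-iterations-hashHex" with a random salt of saltBytes bytes.
    static String buildHash(String password, String algorithm, int iterations, int saltBytes)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] salt = new byte[saltBytes];
        new SecureRandom().nextBytes(salt);
        return "{" + algorithm + "}" + toHex(salt) + "-" + iterations + "-"
                + toHex(pbkdf2(password, salt, algorithm, iterations));
    }

    static String algorithmPrefix(String hashed) {
        int end = hashed.indexOf('}');
        return (hashed.startsWith("{") && end > 1) ? hashed.substring(1, end) : null;
    }

    // The failing check: validating the name as a MessageDigest algorithm.
    // MessageDigest has no "PBKDF2WithHmacSHA256", so this yields null for PBKDF2 hashes.
    static String extractAlgorithmDigestOnly(String hashed) {
        String algo = algorithmPrefix(hashed);
        if (algo == null) return null;
        try {
            MessageDigest.getInstance(algo);
            return algo;
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    // The PBKDF2-aware check: names starting with PBKDF2 are validated via SecretKeyFactory.
    static String extractAlgorithm(String hashed) {
        String algo = algorithmPrefix(hashed);
        if (algo == null) return null;
        try {
            if (algo.startsWith("PBKDF2")) {
                SecretKeyFactory.getInstance(algo);
            } else {
                MessageDigest.getInstance(algo);
            }
            return algo;
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    // Verifies a password against a "{PBKDF2...}saltHex-iterations-hashHex" string.
    static boolean isSame(String hashed, String password) {
        String algo = extractAlgorithm(hashed);
        if (algo == null || !algo.startsWith("PBKDF2")) return false;
        String[] parts = hashed.substring(algo.length() + 2).split("-");
        if (parts.length != 3) return false;
        try {
            byte[] expected = fromHex(parts[2]);
            byte[] actual = pbkdf2(password, fromHex(parts[0]), algo, Integer.parseInt(parts[1]));
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (GeneralSecurityException | NumberFormatException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Same algorithm and iteration count as in the thread; 8-byte salt as in the posted hash.
        String hashed = buildHash("admin", "PBKDF2WithHmacSHA256", 1000, 8);
        System.out.println(hashed);
        System.out.println("digest-only check : " + extractAlgorithmDigestOnly(hashed));
        System.out.println("pbkdf2-aware check: " + extractAlgorithm(hashed));
        System.out.println("admin/admin       : " + isSame(hashed, "admin"));
        System.out.println("admin/wrong       : " + isSame(hashed, "wrong"));
    }
}
```

Running it on a stock JDK shows the digest-only check returning null for the freshly built PBKDF2 hash while the PBKDF2-aware check returns the algorithm name and the verification succeeds only for the correct password; that null is exactly what blocks the admin login in the thread, since the stored hash is well formed but its algorithm is never recognised.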
