Hello, We have working password auth with MD5 and a mysql backend and are now trying to use SHA-256 to match our password schema but we cannot seem to get it cut over.
Our setup is on cas 5.0.5 This works cas.authn.jdbc.query[0].healthQuery=SELECT 1 cas.authn.jdbc.query[0].sql=SELECT password FROM users WHERE username=? cas.authn.jdbc.query[0].url=jdbc:mysql://127.0.0.1:3306/castest cas.authn.jdbc.query[0].leakThreshold=10 cas.authn.jdbc.query[0].batchSize=1 cas.authn.jdbc.query[0].user=root cas.authn.jdbc.query[0].maxAgeDays=180 cas.authn.jdbc.query[0].password=Password cas.authn.jdbc.query[0].autocommit=false cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver cas.authn.jdbc.query[0].idleTimeout=5000 cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8 cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5 When I change the auth setup to use sha-256 (cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=SHA-256) I get - 2017-05-30 17:41:27,473 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler@4e0c5518, org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler@597bf18e, org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@394b66d0, org.apereo.cas.support.openid.authentication.handler.support.OpenIdCredentialsAuthenticationHandler@6c696197]> 2017-05-30 17:41:27,484 WARN [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Using UTF-8 as the character encoding algorithm to update the digest> 2017-05-30 17:41:27,854 DEBUG [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Encoded password via algorithm SHA-256 and character-encoding UTF-8 is 5110c4d7158296352949f281d560d0a867351dbc6762a5826c6dc37a970e332d> 2017-05-30 17:41:27,891 WARN [com.zaxxer.hikari.HikariConfig] - <HikariPool-1 - idleTimeout is less than 10000ms, setting to default 600000ms.> 2017-05-30 17:41:27,902 WARN [com.zaxxer.hikari.HikariConfig] - <HikariPool-1 - leakDetectionThreshold is less than 2000ms or more than maxLifetime, disabling it.> 2017-05-30 17:41:30,947 WARN [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Using UTF-8 as the character encoding algorithm to update the digest> 2017-05-30 17:41:30,948 DEBUG [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Encoded password via algorithm SHA-256 and character-encoding UTF-8 is 5110c4d7158296352949f281d560d0a867351dbc6762a5826c6dc37a970e332d> 2017-05-30 17:41:30,949 DEBUG [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Provided password does not match the encoded password> 2017-05-30 17:41:30,951 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <QueryDatabaseAuthenticationHandler failed authenticating shatest> 2017-05-30 17:41:30,958 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <QueryDatabaseAuthenticationHandler exception details: Password does not match value on record.> 2017-05-30 17:41:30,964 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [shatest] of type [UsernamePasswordCredential], which suggests a configuration problem.> That is the correct sha-256 hash from the db which is showing in the logs. 5110c4d7158296352949f281d560d0a867351dbc6762a5826c6dc37a970e332d I have also tried, with and without salt (we are not using static salt and iterations = 0) the conf below but end up with the same error as above. # CAS Authentication # #cas.authn.jdbc.encode[0].numberOfIterations=0 # cas.authn.jdbc.encode[0].numberOfIterationsFieldName=hash_iteration cas.authn.jdbc.encode[0].saltFieldName=salt cas.authn.jdbc.encode[0].staticSalt= cas.authn.jdbc.encode[0].sql=select * from users where username=? cas.authn.jdbc.encode[0].algorithmName=SHA-256 cas.authn.jdbc.encode[0].passwordFieldName=password cas.authn.jdbc.encode[0].healthQuery=SELECT 1 cas.authn.jdbc.encode[0].isolateInternalQueries=false cas.authn.jdbc.encode[0].url=jdbc:mysql://127.0.0.1:3306/castest cas.authn.jdbc.encode[0].failFast=true cas.authn.jdbc.encode[0].isolationLevelName=ISOLATION_READ_COMMITTED cas.authn.jdbc.encode[0].leakThreshold=10 cas.authn.jdbc.encode[0].propagationBehaviorName=PROPAGATION_REQUIRED cas.authn.jdbc.encode[0].batchSize=1 cas.authn.jdbc.encode[0].user=root cas.authn.jdbc.encode[0].ddlAuto=update cas.authn.jdbc.encode[0].maxAgeDays=180 cas.authn.jdbc.encode[0].password=PW cas.authn.jdbc.encode[0].autocommit=false cas.authn.jdbc.encode[0].driverClass=com.mysql.cj.jdbc.Driver cas.authn.jdbc.encode[0].idleTimeout=5000 cas.authn.jdbc.encode[0].passwordEncoder.type=DEFAULT cas.authn.jdbc.encode[0].passwordEncoder.characterEncoding=UTF-8 cas.authn.jdbc.encode[0].passwordEncoder.encodingAlgorithm=SHA-256 I've been Googling this for days now, to no avail. Any help/hints would be greatly appreciated Thanks for looking. -- - CAS gitter chatroom: https://gitter.im/apereo/cas - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html - CAS documentation website: https://apereo.github.io/cas - CAS project website: https://github.com/apereo/cas --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/51a7f857-b001-4319-9796-84be9ff57f31%40apereo.org.
