Thanks for the input. We are seeing that work on our side also. The next piece of the puzzle is to get SHA-256 with salt pulled from a DB column.

Currently, these additions are not working:

cas.authn.jdbc.encode[0].numberOfIterations=0
cas.authn.jdbc.encode[0].numberOfIterationsFieldName=hash_iteration
cas.authn.jdbc.encode[0].saltFieldName=salt
cas.authn.jdbc.encode[0].staticSalt=

Cheers.

On Tuesday, May 30, 2017 at 12:52:21 PM UTC-7, sborne wrote:
> Hello,
>
> We have working password auth with MD5 and a MySQL backend and are now trying to use SHA-256 to match our password schema, but we cannot seem to get it cut over.
>
> Our setup is on CAS 5.0.5.
>
> This works:
>
> cas.authn.jdbc.query[0].healthQuery=SELECT 1
> cas.authn.jdbc.query[0].sql=SELECT password FROM users WHERE username=?
> cas.authn.jdbc.query[0].url=jdbc:mysql://127.0.0.1:3306/castest
> cas.authn.jdbc.query[0].leakThreshold=10
> cas.authn.jdbc.query[0].batchSize=1
> cas.authn.jdbc.query[0].user=root
> cas.authn.jdbc.query[0].maxAgeDays=180
> cas.authn.jdbc.query[0].password=Password
> cas.authn.jdbc.query[0].autocommit=false
> cas.authn.jdbc.query[0].driverClass=com.mysql.cj.jdbc.Driver
> cas.authn.jdbc.query[0].idleTimeout=5000
> cas.authn.jdbc.query[0].passwordEncoder.type=DEFAULT
> cas.authn.jdbc.query[0].passwordEncoder.characterEncoding=UTF-8
> cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=MD5
>
> When I change the auth setup to use SHA-256 (cas.authn.jdbc.query[0].passwordEncoder.encodingAlgorithm=SHA-256) I get:
>
> 2017-05-30 17:41:27,473 DEBUG [org.apereo.cas.authentication.RegisteredServiceAuthenticationHandlerResolver] - <Authentication handlers used for this transaction are [org.apereo.cas.adaptors.gauth.GoogleAuthenticatorAuthenticationHandler@4e0c5518, org.apereo.cas.adaptors.jdbc.QueryDatabaseAuthenticationHandler@597bf18e, org.apereo.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler@394b66d0, org.apereo.cas.support.openid.authentication.handler.support.OpenIdCredentialsAuthenticationHandler@6c696197]>
> 2017-05-30 17:41:27,484 WARN [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Using UTF-8 as the character encoding algorithm to update the digest>
> 2017-05-30 17:41:27,854 DEBUG [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Encoded password via algorithm SHA-256 and character-encoding UTF-8 is 5110c4d7158296352949f281d560d0a867351dbc6762a5826c6dc37a970e332d>
> 2017-05-30 17:41:27,891 WARN [com.zaxxer.hikari.HikariConfig] - <HikariPool-1 - idleTimeout is less than 10000ms, setting to default 600000ms.>
> 2017-05-30 17:41:27,902 WARN [com.zaxxer.hikari.HikariConfig] - <HikariPool-1 - leakDetectionThreshold is less than 2000ms or more than maxLifetime, disabling it.>
> 2017-05-30 17:41:30,947 WARN [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Using UTF-8 as the character encoding algorithm to update the digest>
> 2017-05-30 17:41:30,948 DEBUG [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Encoded password via algorithm SHA-256 and character-encoding UTF-8 is 5110c4d7158296352949f281d560d0a867351dbc6762a5826c6dc37a970e332d>
> 2017-05-30 17:41:30,949 DEBUG [org.apereo.cas.configuration.support.DefaultPasswordEncoder] - <Provided password does not match the encoded password>
> 2017-05-30 17:41:30,951 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <QueryDatabaseAuthenticationHandler failed authenticating shatest>
> 2017-05-30 17:41:30,958 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <QueryDatabaseAuthenticationHandler exception details: Password does not match value on record.>
> 2017-05-30 17:41:30,964 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [shatest] of type [UsernamePasswordCredential], which suggests a configuration problem.>
>
> That is the correct SHA-256 hash from the DB which is showing in the logs:
>
> 5110c4d7158296352949f281d560d0a867351dbc6762a5826c6dc37a970e332d
>
> I have also tried, with and without salt (we are not using static salt and iterations = 0), the conf below, but end up with the same error as above.
>
> # CAS Authentication
> #
> #cas.authn.jdbc.encode[0].numberOfIterations=0
> # cas.authn.jdbc.encode[0].numberOfIterationsFieldName=hash_iteration
> cas.authn.jdbc.encode[0].saltFieldName=salt
> cas.authn.jdbc.encode[0].staticSalt=
> cas.authn.jdbc.encode[0].sql=select * from users where username=?
> cas.authn.jdbc.encode[0].algorithmName=SHA-256
> cas.authn.jdbc.encode[0].passwordFieldName=password
> cas.authn.jdbc.encode[0].healthQuery=SELECT 1
> cas.authn.jdbc.encode[0].isolateInternalQueries=false
> cas.authn.jdbc.encode[0].url=jdbc:mysql://127.0.0.1:3306/castest
> cas.authn.jdbc.encode[0].failFast=true
> cas.authn.jdbc.encode[0].isolationLevelName=ISOLATION_READ_COMMITTED
> cas.authn.jdbc.encode[0].leakThreshold=10
> cas.authn.jdbc.encode[0].propagationBehaviorName=PROPAGATION_REQUIRED
> cas.authn.jdbc.encode[0].batchSize=1
> cas.authn.jdbc.encode[0].user=root
> cas.authn.jdbc.encode[0].ddlAuto=update
> cas.authn.jdbc.encode[0].maxAgeDays=180
> cas.authn.jdbc.encode[0].password=PW
> cas.authn.jdbc.encode[0].autocommit=false
> cas.authn.jdbc.encode[0].driverClass=com.mysql.cj.jdbc.Driver
> cas.authn.jdbc.encode[0].idleTimeout=5000
>
> cas.authn.jdbc.encode[0].passwordEncoder.type=DEFAULT
> cas.authn.jdbc.encode[0].passwordEncoder.characterEncoding=UTF-8
> cas.authn.jdbc.encode[0].passwordEncoder.encodingAlgorithm=SHA-256
>
> I've been Googling this for days now, to no avail.
>
> Any help/hints would be greatly appreciated.
>
> Thanks for looking.
>
> --
> - CAS gitter chatroom: https://gitter.im/apereo/cas
> - CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
> - CAS documentation website: https://apereo.github.io/cas
> - CAS project website: https://github.com/apereo/cas
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1031a624-ce19-4a53-ad3c-1b22db1895ac%40apereo.org.
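For the encode[0] settings discussed above, an added illustration that is not part of this thread or of CAS itself: CAS 5's query-and-encode handler delegates to Apache Shiro's DefaultHashService, which digests staticSalt || salt-column || password, runs at least one iteration even when numberOfIterations=0, and takes the iteration count from the hash_iteration column when that column is present. The Python below models that digest next to the plain DefaultPasswordEncoder digest the query[0] handler uses; the sample row and values are constructed, and the pre_encoder_algorithm path assumes, as I read the CAS 5.0 handler chain, that a passwordEncoder configured on the same encode handler runs before the Shiro digest.

```python
import hashlib

# Constructed sample values, shaped like the columns the encode[0] settings name
# (passwordFieldName=password, saltFieldName=salt, numberOfIterationsFieldName=hash_iteration).
SAMPLE_SALT = "9f8e7d6c"
SAMPLE_PASSWORD = "correct horse battery staple"

def _digest_name(algorithm_name):
    # CAS and Shiro take JCA names such as "SHA-256"; hashlib wants "sha256".
    return algorithm_name.replace("-", "").lower()

def shiro_hash(algorithm_name, source, public_salt, private_salt="", iterations=1):
    """Shiro DefaultHashService + SimpleHash as driven by the CAS encode handler:
    digest(private_salt || public_salt || source), re-digested (iterations - 1)
    more times, lowercase hex. Iterations below 1 become 1, so numberOfIterations=0
    still hashes exactly once."""
    name = _digest_name(algorithm_name)
    salt = private_salt.encode("utf-8") + public_salt.encode("utf-8")
    digest = hashlib.new(name, salt + source.encode("utf-8")).digest()
    for _ in range(max(iterations, 1) - 1):
        digest = hashlib.new(name, digest).digest()
    return digest.hex()

def default_password_encoder(algorithm_name, password):
    """CAS DefaultPasswordEncoder: hex digest of the UTF-8 password, no salt.
    This is what the query[0] handler compares with the password column."""
    return hashlib.new(_digest_name(algorithm_name), password.encode("utf-8")).hexdigest()

def encode_handler_matches(row, submitted_password, algorithm_name="SHA-256",
                           static_salt="", default_iterations=0, pre_encoder_algorithm=None):
    """Mirror the encode[0] comparison for one result row: the hash_iteration column
    overrides numberOfIterations, the salt column is the public salt and staticSalt
    the private one. pre_encoder_algorithm models a passwordEncoder on the same
    handler (assumed to run before the Shiro digest); SHA-256 in both places hashes
    the password twice and can never match a stored single-pass digest."""
    source = submitted_password
    if pre_encoder_algorithm:
        source = default_password_encoder(pre_encoder_algorithm, source)
    iterations = row["hash_iteration"] if row.get("hash_iteration") is not None else default_iterations
    computed = shiro_hash(algorithm_name, source, row["salt"], static_salt, int(iterations))
    return computed == row["password"]

def sample_row(iterations=0):
    """Constructed users row whose password column was written the way the encode
    handler expects; the stored hash_iteration is kept as given (0 means one pass)."""
    return {"password": shiro_hash("SHA-256", SAMPLE_PASSWORD, SAMPLE_SALT, iterations=iterations),
            "salt": SAMPLE_SALT, "hash_iteration": iterations}
```

Running shiro_hash over a known test account's salt and comparing with its stored password column shows directly whether the table was written with this salt order and iteration count, or with a second encoder pass.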
