Hello all,
We are migrating an application that was built on Sling 6 & Jackrabbit
to Sling 10 & Oak. We are using Oak 1.6.8 which is the version used in
the example Sling 10 application. We had previously built our own
authenticators & login plugins to use CryptedSimpleCredentials and keep
passwords encrypted in the JCR. It looks like that is now the standard
in Oak using CredentialsImpl. I'm trying to decide if we can drop our
custom code and just configure Oak properly. I've set the
UserConfigurationImpl.config with the following values.
passwordHashAlgorithm="PBKDF2WithHmacSHA256"
passwordHashIterations="1000"
passwordSaltSize="20"
I took the HashAlgorithm key from a comment in
org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil.generateHash(...)->generatePBKDF2(...).
Stepping through the code, I can see that during
org.apache.jackrabbit.oak.security.user.UserInitializer.Initialize(...)
the admin user is created (:139). The hash created for the password
uses the above-mentioned methods and produces a hash with salt & iterations:
{PBKDF2WithHmacSHA256}b7dab4b06ad4be41-1000-8675468f4239a321b3dc8b9989a2fae0
However, when trying to login with the admin user, it is not able to
authenticate the user because the PasswordUtil fails to recognize the
algorithm when calling extractAlgorithm(hashedPwd) because
message.digest("PBKDF2WithHmacSHA256") is invalid.
I have not been able to find any other people looking for help with this
topic, which leads me to believe that maybe I have a fundamental
misunderstanding that I can't see. Any and all help would be appreciated.
Regards,
Marc
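To illustrate the failure described in the post, here is an added example (not Oak's code and not from this thread) that parses the `{algorithm}salt-iterations-hash` layout shown above and verifies a password against it. It assumes Java-style PBKDF2 names, hex-encoded salt and digest, and a derived-key length equal to the stored digest length; the point is that verification must dispatch on the algorithm prefix before any digest lookup, because a `MessageDigest`-style lookup cannot resolve a PBKDF2 name.

```python
import hashlib
import hmac
import os
import re

# Storage layout taken from the post: {algorithm}salt-iterations-hash, hex fields.
# The regex and everything below are an assumed reimplementation, not Oak's PasswordUtil.
_HASH_RE = re.compile(
    r"^\{(?P<alg>[^}]+)\}(?P<salt>[0-9a-fA-F]+)-(?P<iters>\d+)-(?P<digest>[0-9a-fA-F]+)$"
)

# Java-style PBKDF2 names mapped to the PRF hashlib expects (assumed mapping).
PBKDF2_PRF = {
    "PBKDF2WithHmacSHA1": "sha1",
    "PBKDF2WithHmacSHA256": "sha256",
    "PBKDF2WithHmacSHA512": "sha512",
}

def digest_lookup_supports(algorithm):
    """Mirror a digest-only lookup: PBKDF2 names are KDFs, not message digests."""
    try:
        hashlib.new(algorithm)
        return True
    except ValueError:
        return False

def derive(password, algorithm, salt, iterations, dklen):
    """Dispatch on the algorithm name first; only plain digest names reach hashlib.new."""
    if algorithm in PBKDF2_PRF:
        return hashlib.pbkdf2_hmac(PBKDF2_PRF[algorithm], password.encode("utf-8"), salt, iterations, dklen)
    # Fallback for plain digest names (constructed scheme: iterated digest over salt||password).
    md = hashlib.new(algorithm, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        md = hashlib.new(algorithm, md).digest()
    return md

def generate_hash(password, algorithm="PBKDF2WithHmacSHA256", iterations=1000, salt_size=20, dklen=16):
    """Produce a string in the post's layout with a fresh random salt."""
    salt = os.urandom(salt_size)
    digest = derive(password, algorithm, salt, iterations, dklen)
    return "{%s}%s-%d-%s" % (algorithm, salt.hex(), iterations, digest.hex())

def verify_password(password, stored):
    """Parse the stored value, re-derive with its parameters, compare in constant time."""
    m = _HASH_RE.match(stored)
    if not m:
        return False
    salt = bytes.fromhex(m.group("salt"))
    expected = bytes.fromhex(m.group("digest"))
    actual = derive(password, m.group("alg"), salt, int(m.group("iters")), len(expected))
    return hmac.compare_digest(actual, expected)
```

`digest_lookup_supports("PBKDF2WithHmacSHA256")` returns False, which is the same condition the post hits when the stored algorithm prefix is handed to a digest lookup instead of the PBKDF2 path.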