We are migrating an application that was built on Sling 6 & Jackrabbit to Sling 10 & Oak. We are using Oak 1.6.8, which is the version used in the example Sling 10 application. We had previously built our own authenticators & login plugins to use CryptedSimpleCredentials and keep passwords encrypted in the JCR. It looks like that is now the standard in Oak using CredentialsImpl. I'm trying to decide if we can drop our custom code and just configure Oak properly. I've set the UserConfigurationImpl.config with the following values:
passwordHashAlgorithm="PBKDF2WithHmacSHA256"
passwordHashIterations="1000"
passwordSaltSize="20"
I took the HashAlgorithm key from a comment in org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil.generatePBKDF2(...). Following the code in PasswordUtil, the PBKDF2 prefix will generate the digest using a secret key.
Stepping through the code, I can see that during org.apache.jackrabbit.oak.security.user.UserInitializer.Initialize(...) the admin user is created (:139). The hash created for the password uses the above-mentioned methods and produces a hash with salt & iterations:
{PBKDF2WithHmacSHA256}b7dab4b06ad4be41-1000-8675468f4239a321b3dc8b9989a2fae0
However, when trying to login with the admin user, it is not able to authenticate the user. PasswordUtil.isSame() fails to recognize the algorithm when calling extractAlgorithm(hashedPwd) because message.digest("PBKDF2WithHmacSHA256") is invalid.
I have not been able to find any other people looking for help with this topic, which leads me to believe that maybe I have a fundamental misunderstanding that I can't see. Any and all help would be appreciated.
It looks like this was a bug fixed by OAK-7778.