We are migrating an application that was built on Sling 6 & Jackrabbit to Sling 10 & Oak. We are using Oak 1.6.8, which is the version used in the example Sling 10 application. We had previously built our own authenticators & login plugins to use CryptedSimpleCredentials and keep passwords encrypted in the JCR. It looks like that is now the standard in Oak using CredentialsImpl. I'm trying to decide if we can drop our custom code and just configure Oak properly. I've set the UserConfigurationImpl.config with the following values:
passwordHashAlgorithm="PBKDF2WithHmacSHA256"
passwordHashIterations="1000"
passwordSaltSize="20"
I took the HashAlgorithm key from a comment in org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil.generatePBKDF2(...). Following the code in PasswordUtil, the PBKDF2 prefix will generate the digest using a secret key.
Stepping through the code, I can see that during org.apache.jackrabbit.oak.security.user.UserInitializer.initialize(...) the admin user is created (:139). The hash created for the password uses the above-mentioned methods and produces a hash with salt & iterations:
{PBKDF2WithHmacSHA256}b7dab4b06ad4be41-1000-8675468f4239a321b3dc8b9989a2fae0
However, when trying to login with the admin user, it is not able to authenticate the user. PasswordUtil.isSame() fails to recognize the algorithm when calling extractAlgorithm(hashedPwd) because message.digest("PBKDF2WithHmacSHA256") is invalid.
I have not been able to find any other people looking for help with this topic, which leads me to believe that maybe I have a fundamental misunderstanding that I can't see. Any and all help would be appreciated.
It looks like this was a bug fixed by OAK-7778.
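Added example, not Oak's PasswordUtil: a small Python verifier for the `{algorithm}salt-iterations-hash` layout of the hash quoted above. It assumes a hex salt, a 16-byte derived key (the quoted digest is 32 hex chars) and UTF-8 passwords; what it shows is that the algorithm prefix has to be dispatched to PBKDF2 rather than handed to a MessageDigest-style lookup, which is the failure the question describes.

```python
import hashlib
import hmac
import re
import secrets

PBKDF2_PREFIX = "PBKDF2WithHmac"
DERIVED_KEY_BYTES = 16  # assumption: matches the 32-hex-char digest shown in the question

# layout: {PBKDF2WithHmacSHA256}b7dab4b06ad4be41-1000-8675468f4239a321b3dc8b9989a2fae0
_HASH_RE = re.compile(
    r"^\{(?P<alg>[^}]+)\}(?P<salt>[0-9a-fA-F]+)-(?P<iters>\d+)-(?P<digest>[0-9a-fA-F]+)$")


def parse_hash(stored: str):
    """Split a stored hash into (algorithm, salt_hex, iterations, digest_hex)."""
    m = _HASH_RE.match(stored)
    if m is None:
        raise ValueError("not a salted, iterated hash string")
    return m["alg"], m["salt"], int(m["iters"]), m["digest"]


def _pbkdf2_hex(alg: str, password: str, salt_hex: str, iterations: int) -> str:
    prf = alg[len(PBKDF2_PREFIX):].lower()  # "PBKDF2WithHmacSHA256" -> "sha256"
    dk = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), bytes.fromhex(salt_hex),
                             iterations, DERIVED_KEY_BYTES)
    return dk.hex()


def is_same(stored: str, password: str) -> bool:
    """Constant-time check of a password against a stored hash."""
    alg, salt_hex, iterations, expected = parse_hash(stored)
    if alg.startswith(PBKDF2_PREFIX):
        actual = _pbkdf2_hex(alg, password, salt_hex, iterations)
    else:
        # A MessageDigest name (SHA-256, ...) needs a different derivation; the bug in the
        # question is the mirror image, a PBKDF2 name handed to MessageDigest. Fail closed.
        raise ValueError(f"unsupported algorithm: {alg}")
    return hmac.compare_digest(actual, expected)


def build_hash(password: str, alg: str = "PBKDF2WithHmacSHA256",
               iterations: int = 1000, salt_bytes: int = 8) -> str:
    """Fresh hash with a random salt, e.g. {PBKDF2WithHmacSHA256}<salt>-1000-<digest>."""
    salt_hex = secrets.token_hex(salt_bytes)
    return f"{{{alg}}}{salt_hex}-{iterations}-{_pbkdf2_hex(alg, password, salt_hex, iterations)}"
```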
I've verified my API in RStudio after hours of trying and now I've reached another error while trying to translate a sentence. Would be grateful for any help!
I'm just trying to translate "hello" to French using the googleLanguageR package -
> gl_translate("Hello", "fr")
The result I get is this -
2021-01-21 17:15:36 -- Translating text: 5 characters -
i 2021-01-21 17:15:36 > Request Status Code: 403
Error: API returned: Request had insufficient authentication scopes.
I'm a literal beginner in the field of computing and do not understand what scopes mean here.
Thanks for the help!
Scopes are permissions that you give to apps you use to access an API. For example, one app might have permission to read the private messages of a user, whereas another doesn't. It's similar to when an app on your phone asks for permission to use the camera, or access your contacts.
Your app is trying to do something that it doesn't have permission to do. You'll need to add the relevant scopes in whatever setting it is where you're generating keys etc. Presumably Google Data Studio?
Okay, I found an answer.
I needed to download a json version of my key and authorize it using the code -
gl_auth("filename.json")
After doing this, I needed to make sure my API is enabled. Now, it is working perfectly!
I'm trying to perform user authentication against a WordPress/MySQL database in Ktor. As far as I know, passwords are stored in the wp_users table after a hashing transformation, performed with the phpass framework.
Starting from a plain text password, my aim is to compare this password with the hash stored in the database, to understand if I have to authenticate the user or not.
Is there any support between ktor and mysql/wordpress?
Obviously, Ktor itself knows nothing about WordPress or any other PHP technology.
Actually, it doesn't know about databases either. There is the Exposed ORM framework, which is often used in Ktor projects for that. It supports MySQL databases, so it will be suitable in this case too.
But I believe you will have to write this integration yourself, because this is a rather exotic combination of technologies (Ktor+WordPress), and it is highly unlikely someone else did it before.
I finally made it!
I found out from the documentation that WordPress uses a password hashing function called bcrypt. Then I searched GitHub for a Java implementation and I got into this repository by Wolf480pl.
By copying the BCrypt.java and PHPass.java files into my project, I just wrote this simple Kotlin function to check the match between the hash stored in the database (I used Exposed to connect to the MySQL db) and the plain text password:
// Verify a plain-text password against the phpass hash read from wp_users.user_pass
fun passwordMatch(password: String, storedHash: String): Boolean {
    val checker = PHPass(8)  // 8 = iteration count (log2) parameter of the phpass portable hash
    return checker.checkPassword(password, storedHash)
}
Just that, it works!
I have relatively little idea about encryption, but I have done research on encryption in Spring Boot in the application.properties file. I have not found any material on multiple password encryption. If someone could provide some material or some direction as to how I would proceed, it would be helpful.
Basically you have to do 3 things.
1. Encrypt your password using jasypt. This can be done using the command line tool as indicated here or using a simple Java program as indicated here. You need a password along with the string you need to encrypt. The password is something like a secret key (or salt) which is used to encrypt the string you want to encrypt.
2. Add this to your application properties or yml: jasypt.encryptor.password=password_used_in_the_previous_step
3. And add the encrypted password you got from step 1 like this: ENC(Your_Encrypted_Password)
Add the necessary dependencies.
Here is a good example.
https://github.com/ulisesbocchio/jasypt-spring-boot.
I'm trying to convert the beta web service to live. After removing the word beta from the web service [i.e. in web.config: endpoint address="https://wsbeta.fedex.com:443/web-services/rate"], this web service is not fetching the value. Any suggestions why this is happening, or am I missing a procedure? Any guidance/suggestions on this.
To move a system from testing to production, it is not enough to just remove the word beta from the testing URL address:
From:
"https://wsbeta.fedex.com:443/web-services/rate";
To:
"https://ws.fedex.com:443/web-services/rate";
(when doing this change make sure you are replacing ALL occurrences of wsbeta. to ws. in your solution.)
But you also need to change the MeterNumber, and include the Password and Key. When you sign up for the Production Key you will get all this information in the email, and you'll also get the Key as soon as you sign up (you won't get that key in the email, so be careful and write down that information).
With those pieces of information you should be good to go. If you are getting an exception that's a different story, let us know what exception you are getting.
I want to encrypt db.username and db.password written in alfresco-global.properties.
Can anyone please help me with this: where are that username & password used, so that I can write decryption code there, so that Alfresco can understand it?
I am using Alfresco 4.2 Enterprise.
Can't you just change permissions on alfresco-global.properties so only the user running the Alfresco JVM can read it?
Anyway, that said, the values are used in tomcat/webapps/alfresco/WEB-INF/classes/alfresco/core-services-context.xml. Create a custom bean baseDefaultDataSource deriving from org.apache.commons.dbcp.BasicDataSource and handle the decryption in that class. Make sure to pass the decrypted value to the JDBC driver. Also make sure the definition gets processed after the defaults kick in. You might want to drop your Spring context into tomcat/shared/classes/alfresco/extension.