Question
We intend to change the digest properties of our user-mgt.xml file to change how our passwords are stored (WSO2IS 5.3.0):
...
<Property name="PasswordDigest">SHA</Property>
<Property name="passwordHashMethod">SHA</Property>
<Property name="StoreSaltedPassword">false</Property>
...
I'm curious if WSO2IS will automatically handle upgrading existing users, or if I need to follow a process similar to the one outlined here.
EDIT: I will also note that we are going to start salting passwords as well. So far my approach (again, assuming that WSO2 does not handle this automatically) will be to add a new local authenticator that runs before the basic authenticator and updates passwords that have no salt.
Answer 1:
Writing a custom local authenticator may not be the best solution for you, but you have the options below for the given requirement.
- Configure a secondary user store with the new PasswordDigest and passwordHashMethod values. New users need to be added to the secondary user store. During authentication, old users will be authenticated against the primary user store and new users against the secondary user store.
Please note that PasswordDigest affects the JDBC user store and passwordHashMethod affects the LDAP user store.
- For old users you can initiate the forgot-password or password recovery flow after the authentication failure.
- In case you are using the JDBC user store manager, you can write a simple program to retrieve the old passwords and restore them with the new encryption (table UM_USER, column UM_USER_PASSWORD in the store DB).
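The "upgrade on next successful login" approach the question's EDIT describes (a check placed in front of the basic authenticator) is shown below as an added, stand-alone Python sketch; it is not WSO2 code and not a WSO2 authenticator. It assumes the legacy rows hold base64(SHA-1(password)) (Java's "SHA" digest, StoreSaltedPassword=false), that the new form appends the salt to the password before a SHA-256 digest, and that the user store is a plain dict; the exact WSO2 column encoding is an assumption and must be checked against the deployment before reuse.

```python
import base64
import hashlib
import secrets

# Assumed legacy encoding: PasswordDigest=SHA, StoreSaltedPassword=false.
def legacy_hash(password: str) -> str:
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

# Assumed target encoding: salt appended to the password, then SHA-256.
def salted_hash(password: str, salt: str) -> str:
    return base64.b64encode(hashlib.sha256((password + salt).encode()).digest()).decode()

def new_salt() -> str:
    return base64.b64encode(secrets.token_bytes(16)).decode()

def make_sample_store() -> dict:
    """Constructed sample rows in the pre-migration shape (salt=None means unsalted SHA)."""
    return {
        "alice": {"hash": legacy_hash("correct horse"), "salt": None},
        "bob":   {"hash": legacy_hash("battery staple"), "salt": None},
    }

def authenticate_and_upgrade(store: dict, username: str, password: str) -> bool:
    """Verify the password; on success, rewrite a legacy row in salted form.
    Only a correct password reaches the rewrite, so the upgrade never weakens a row.
    """
    rec = store.get(username)
    if rec is None:
        return False
    if rec["salt"] is None:
        # Legacy path: compare in constant time against the unsalted digest.
        if not secrets.compare_digest(rec["hash"], legacy_hash(password)):
            return False
        salt = new_salt()
        rec["hash"] = salted_hash(password, salt)
        rec["salt"] = salt
        return True
    # Already migrated: verify against the salted digest only.
    return secrets.compare_digest(rec["hash"], salted_hash(password, rec["salt"]))

def pending_upgrades(store: dict) -> int:
    """Rows still in legacy form; when this reaches zero the legacy path can be removed."""
    return sum(1 for rec in store.values() if rec["salt"] is None)
```

Users who never log in again stay on the legacy path, which is why the answer's password-recovery option is the complement to this approach rather than a replacement for it.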
Source: https://stackoverflow.com/questions/55798122/wso2is-upgrading-passworddigest-property-for-existing-deployment