I am trying to implement basic authentication for Apache Solr locally. In the screenshot Apache Solr Sample security.json (Source: https://lucene.apache.org/solr/guide/7_2/basic-authentication-plugin.html#basic-authentication-plugin), in 3, it's given that "A user called 'solr', with a password 'SolrRocks' has been defined." Also, it's given that the password is added as a sha256(password+salt) hash. But the salt is not specified anywhere (as far as I have checked).
I need the salt to be able to create a new password for security.json. Where is the salt specified? I tried googling the answer but couldn't find anything. It would be great if you could help me. Thank you.
I might be missing something as I am not a cryptography expert. All I know is that salts are random bits concatenated with the passwords so that people with same passwords don't end up with the same hash (if the salts are different for those people).
In this link, the author describes the problem of not being able to find the encryption method in Apache Solr docs. He has looked through Solr code and found that sha256() in Sha256AuthenticationProvider.java is the function that actually calculates the hash.
A downloadable jar file has also been provided in the link which can be used to generate the password as desired by Apache Solr.
But I am still confused about how Solr is matching the password. The given jar file gives different hashes for the same password string in different runs (because it randomly generates the salt). If I set the password as `fQfWaUyrgXoHPT9OiubY5zh8A4fL0D+r8592Eo1+Gbo= M7Vz0pRkjliKbPKHfP0qcMiALD16ujPQYPOu7SVG6Z8=` (encrypted version of "SolrRocks" which I got from running the jar file in one run) and after that, I try sending a curl request with password "SolrRocks", how does Solr know it's the same password?
It would be great if someone could explain this. Thanks.
The part before the space is the hashed password, the part after the space is the salt:

```java
// Output line of the generator: "<base64 hash> <base64 salt>".
// The second operand was cut off in the original post; it is completed here
// from the explanation above (the value after the space is the salt).
System.out.println(Base64.encodeBase64String(btPass) + " " +
                   Base64.encodeBase64String(salt));
```

This means that Solr can extract the salt from the latter part, add it to the password as given in the algorithm in your reference, and compare the result to the hash stored in the first part.
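To make the matching step concrete, here is an added Python example (not code from the question, the answer, or the Solr project) that generates a credential in the same `"<hash> <salt>"` layout and verifies a supplied password against it. The digest routine is written from my reading of `Sha256AuthenticationProvider.java` (SHA-256 applied twice over `salt || password`, both values base64-encoded); that ordering and the double hashing are assumptions to confirm against the Solr version you run. The salt is generated fresh per credential, which is why two runs of the generator never produce the same stored string, and the comparison is constant-time.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def solr_sha256(password: str, salt: bytes) -> bytes:
    """Digest used for a stored credential.

    Assumption (from reading Sha256AuthenticationProvider.java): the salt bytes
    are fed to SHA-256 first, then the UTF-8 password, and the resulting digest
    is hashed once more with SHA-256. Verify against your Solr version.
    """
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hashlib.sha256(first).digest()


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Build the "<base64 hash> <base64 salt>" string that goes into security.json.

    A random 32-byte salt is drawn when none is supplied, so repeated calls with
    the same password yield different strings, exactly like the generator jar.
    """
    if salt is None:
        salt = os.urandom(32)
    digest = solr_sha256(password, salt)
    return base64.b64encode(digest).decode("ascii") + " " + base64.b64encode(salt).decode("ascii")


def split_credential(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored credential into (hash_bytes, salt_bytes)."""
    hash_b64, salt_b64 = stored.split(" ", 1)
    return base64.b64decode(hash_b64), base64.b64decode(salt_b64)


def verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    This is the matching step the question asks about: the server never needs
    the salt from anywhere else, because it sits beside the hash.
    """
    expected, salt = split_credential(stored)
    return hmac.compare_digest(solr_sha256(password, salt), expected)


if __name__ == "__main__":
    # Constructed demo: two credentials for the same password differ, both verify.
    cred_a = make_credential("SolrRocks")
    cred_b = make_credential("SolrRocks")
    print(cred_a)
    print(cred_b)
    print("same string:", cred_a == cred_b)
    print("verify a:", verify("SolrRocks", cred_a))
    print("verify b:", verify("SolrRocks", cred_b))
    print("wrong password:", verify("solrrocks", cred_a))
```

`make_credential("SolrRocks")` is the equivalent of one run of the jar; paste its output as the user's value in `security.json`, and `verify` mirrors what the server does when the Basic-auth header arrives. Because the scheme is a fast unsalted-per-iteration SHA-256 rather than a slow password hash, the salt only prevents shared hashes between users; it does not slow down guessing, so a strong password still matters.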