diff --git a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.8.0.xml b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.8.0.xml
index 5771c12..5900f8c 100755
--- a/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.8.0.xml
+++ b/connections/jpa-liquibase/src/main/resources/META-INF/jpa-changelog-1.8.0.xml
@@ -111,4 +111,14 @@
</update>
</changeSet>
+
+ <changeSet id="1.8.0-2" author="keycloak">
+ <dropDefaultValue tableName="CREDENTIAL" columnName="ALGORITHM" columnDataType="VARCHAR(36)"/>
+
+ <update tableName="CREDENTIAL">
+ <column name="ALGORITHM" type="VARCHAR(36)" value="pbkdf2" />
+ <where>TYPE in ('password-history', 'password') AND ALGORITHM is 'HmacSHA1'</where>
+ </update>
+ </changeSet>
+
</databaseChangeLog>
\ No newline at end of file
diff --git a/model/api/src/main/java/org/keycloak/hash/PasswordHashManager.java b/model/api/src/main/java/org/keycloak/hash/PasswordHashManager.java
index 60effdb..329284f 100644
--- a/model/api/src/main/java/org/keycloak/hash/PasswordHashManager.java
+++ b/model/api/src/main/java/org/keycloak/hash/PasswordHashManager.java
@@ -1,5 +1,6 @@
package org.keycloak.hash;
+import org.jboss.logging.Logger;
import org.keycloak.models.*;
/**
@@ -7,6 +8,8 @@ import org.keycloak.models.*;
*/
public class PasswordHashManager {
+ private static final Logger log = Logger.getLogger(PasswordHashManager.class);
+
public static UserCredentialValueModel encode(KeycloakSession session, RealmModel realm, String rawPassword) {
return encode(session, realm.getPasswordPolicy(), rawPassword);
}
@@ -17,9 +20,10 @@ public class PasswordHashManager {
if (iterations < 1) {
iterations = 1;
}
- PasswordHashProvider provider = session.getProvider(PasswordHashProvider.class, algorithm);
+ PasswordHashProvider provider = session.getProvider(PasswordHashProvider.class, passwordPolicy.getHashAlgorithm());
if (provider == null) {
- throw new RuntimeException("Password hash provider for algorithm " + algorithm + " not found");
+ log.warnv("Could not find hash provider {0} from password policy, using default provider {1}", algorithm, Constants.DEFAULT_HASH_ALGORITHM);
+ provider = session.getProvider(PasswordHashProvider.class, Constants.DEFAULT_HASH_ALGORITHM);
}
return provider.encode(rawPassword, iterations);
}
@@ -31,6 +35,10 @@ public class PasswordHashManager {
public static boolean verify(KeycloakSession session, PasswordPolicy passwordPolicy, String password, UserCredentialValueModel credential) {
String algorithm = credential.getAlgorithm() != null ? credential.getAlgorithm() : passwordPolicy.getHashAlgorithm();
PasswordHashProvider provider = session.getProvider(PasswordHashProvider.class, algorithm);
+ if (provider == null) {
+ log.warnv("Could not find hash provider {0} for password", algorithm);
+ return false;
+ }
return provider.verify(password, credential);
}
