This site is for tech Q&A. Please keep your posts focused on the subject at hand.

Ask one question at a time. Don't conflate multiple problems into a single question.

Make sure to include all relevant information in your posts. Try to avoid linking to external sites.

Links to documentation are fine, but in addition you should also quote the relevant parts in your posts.

1 vote

I have one question calculating the sha256 (of password + salt) hash in security.json in Apache Solr. The hash of password changes with each run of the file (because the salt is randomly generated). If I supply the password as

fQfWaUyrgXoHPT9OiubY5zh8A4fL0D+r8592Eo1+Gbo= M7Vz0pRkjliKbPKHfP0qcMiALD16ujPQYPOu7SVG6Z8=

(hash for SolrRocks in one run)

How will Apache Solr authenticate it? I mean a different salt is used for each run of the code, right? I am not able to understand how the matching will take place.

in General by (5) 1
edited by

Your answer


Privacy: Your email address will only be used for sending these notifications.
Anti-spam verification:
By submitting this post you agree to our Terms & Conditions.
To avoid this verification in future, please log in or register.

1 Answer

0 votes
Best answer

The string is not one hash, but actually two base64-encoded values. If you take a closer look at the code you'll see that the output is generated as

System.out.println(Base64.encodeBase64String(btPass) + " " +

Base64.encodeBase64String(btPass) creates a base64-encoded string from the password hash, and Base64.encodeBase64String(salt) creates a base64-encoded string from the salt.

fQfWaUyrgXoHPT9OiubY5zh8A4fL0D+r8592Eo1+Gbo= M7Vz0pRkjliKbPKHfP0qcMiALD16ujPQYPOu7SVG6Z8=
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
base64-encoded password hash                 base64-encoded salt

By design and definition a salt doesn't need to be secret (it just exists to thwart attacks on a password hash via rainbow tables), so the salt can be transmitted in clear text. The base64-encoding is just to make handling easier (text is usually easier to handle than binary values).

The server only has to decode the second string to get the salt. Then it can calculate a hash from the salt and the password entered by the user at login and compare the result to the decoded first string to see if the two hashes match (i.e. if the user entered the correct password).

Addendum: To avoid confusion, you calculate and upload the hash and salt to the server only once. These are not the values you provide when you log into Solr, they're the values to which Solr compares the password you entered at login.

by (15) 4
edited by
@Ansgar Wiechers Thank you so much!