Creating new admin user within database with encrypted password

Openfire version 4.6.3
Database: Microsoft SQL Server

I have been trying to research converting plain text passwords directly into the database but didn’t really find a clear answer for Openfire version 4.6.3 (or articles are too old).

Questions:

  • It seems that there is no straight method on encrypting passwords for users. Should Blowfish.java/StringUser.java classes still be referenced to have a custom workflow?
  • Is it possible to modify the openfire.xml file to create an admin user with encrypted password? It seems that you add the following tag to add new users:
    <authorizedUsernames>joe,sally</authorizedUsernames>
    How do you add passwords to the respective users?
  • Please correct me if I’m wrong but I think I’ve seen somewhere where if you add the user into ofUser table with plain text password, it would automatically convert it into encrypted password once you start the service (by setting some property)?

Would anyone be able to lead me into the right direction or resources on this matter?

Whether or not Openfire stores encrypted or plain text passwords when a user is created or updated is controlled by the user.usePlainPassword configuration option (by default, this is set to false). However, toggling this setting will not cause passwords to be migrated, I think (this might be a nice improvement). There is a third option to use hashed passwords (see below) that might confuse matters a bit.

The <authorizedUsernames> tag controls what (pre-existing) users will have administrative privileges, but it does not cause users with those names to be created.

I think you’re referring to the system property user.scramHashedPasswordOnly (which is the same as what is controlled by the “Only Hashed Passwords / Store only non-reversible hashes of passwords in the database. This only supports PLAIN and SCRAM-SHA-1 capable clients.” option during setup). When this is set, then any plain-text passwords in the database will be migrated to a salted password. I believe that this migration only happens when the user logs in the first time after that configuration change has been applied.
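To illustrate the "non-reversible hashes" option mentioned in the answer above, here is an added example (not part of the original thread and not Openfire's own code) of the generic SCRAM-SHA-1 derivation from RFC 5802: what a server keeps instead of the password, and how it still verifies a login. The function names are hypothetical, the sample values are the RFC 5802 example exchange, and how Openfire lays these values out in its tables is not shown here.

```python
import base64
import hashlib
import hmac


def _hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def _keys(password, salt, iterations):
    # Hi() in RFC 5802 is PBKDF2-HMAC-SHA-1 with a 20-byte output.
    # SASLprep normalisation is omitted here (ASCII password assumed).
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return _hmac_sha1(salted, b"Client Key"), _hmac_sha1(salted, b"Server Key")


def derive_credentials(password, salt, iterations):
    """Values a server stores: (StoredKey, ServerKey). Neither reveals the password."""
    client_key, server_key = _keys(password, salt, iterations)
    return hashlib.sha1(client_key).digest(), server_key


def client_proof(password, salt, iterations, auth_message):
    """What a client that knows the password sends during login."""
    client_key, _ = _keys(password, salt, iterations)
    signature = _hmac_sha1(hashlib.sha1(client_key).digest(), auth_message)
    return bytes(a ^ b for a, b in zip(client_key, signature))


def verify_proof(stored_key, auth_message, proof):
    """Server-side check that needs only StoredKey, never the plain password."""
    signature = _hmac_sha1(stored_key, auth_message)
    if len(proof) != len(signature):
        return False
    recovered = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(recovered).digest(), stored_key)


# Sample values from the RFC 5802 example exchange (user "user", password "pencil").
RFC_SALT = base64.b64decode("QSXCR+Q6sek8bf92")
RFC_ITERATIONS = 4096
RFC_AUTH_MESSAGE = (b"n=user,r=fyko+d2lbbFgONRv9qkxdawL,"
                    b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096,"
                    b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j")
RFC_PROOF = base64.b64decode("v0X8v3Bz2T0CJGbJQyF0X+HI4Ts=")

if __name__ == "__main__":
    stored, server = derive_credentials("pencil", RFC_SALT, RFC_ITERATIONS)
    print("StoredKey:", stored.hex(), "ServerKey:", server.hex())
    print("proof accepted:", verify_proof(stored, RFC_AUTH_MESSAGE, RFC_PROOF))
```

Because only the salt, iteration count and the two derived keys are kept, a value written into the database by hand has to be produced by this derivation; a plain or reversibly encrypted password cannot be recovered from it.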