xwiki · michitux · Oct 10, 2025
diff --git a/...latform-oldcore/src/main/java/com/xpn/xwiki/user/impl/xwiki/AbstractXWikiAuthService.java b/...latform-oldcore/src/main/java/com/xpn/xwiki/user/impl/xwiki/AbstractXWikiAuthService.java
@@ -22,6 +22,7 @@
 import java.security.Principal;
 
 import org.apache.commons.lang3.StringUtils;
+import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
 import org.securityfilter.realm.SimplePrincipal;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -86,7 +87,7 @@ protected Principal authenticateSuperAdmin(String password, XWikiContext context
         // Security check: only decide that the passed user is the super admin if the
         // super admin password is configured in XWiki's configuration.
         String superadminpassword = context.getWiki().Param(SUPERADMIN_PASSWORD_CONFIG);
-        if ((superadminpassword != null) && (superadminpassword.equals(password))) {
+        if ((superadminpassword != null) && validateSuperAdminPassword(password, superadminpassword)) {
             if (context.isMainWiki()) {
                 principal = new SimplePrincipal(XWikiRightService.SUPERADMIN_USER_FULLNAME);
             } else {
@@ -100,4 +101,13 @@ protected Principal authenticateSuperAdmin(String password, XWikiContext context
 
         return principal;
     }
+
+    private static boolean validateSuperAdminPassword(String password, String superadminpassword)
+    {
+        if (superadminpassword.startsWith("$2") && superadminpassword.length() == 60) {
+            // The superadmin password is a BCrypt hash.
+            return OpenBSDBCrypt.checkPassword(superadminpassword, password.toCharArray());
+        }
+        return superadminpassword.equals(password);
+    }
 }
diff --git a/...latform-oldcore/src/test/java/com/xpn/xwiki/user/impl/xwiki/XWikiAuthServiceImplTest.java b/...latform-oldcore/src/test/java/com/xpn/xwiki/user/impl/xwiki/XWikiAuthServiceImplTest.java
@@ -129,6 +129,23 @@ void authenticateWithSuperAdminWithDifferentCase() throws Exception
         assertEquals(XWikiRightService.SUPERADMIN_USER_FULLNAME, principal.getName());
     }
 
+    /**
+     * Test the superadmin password can be hashed with bcrypt.
+     */
+    @Test
+    void authenticateWithSuperAdminWithBcryptPassword() throws Exception
+    {
+        // The password is "pass"
+        this.oldcore.getMockXWikiCfg().setProperty("xwiki.superadminpassword",
+            "$2y$08$2Mel30blRQ7E.XievLW00.AltivcBuU1HEl2mPG2qRGrd7FmWIwB6");
+
+        Principal principal = this.authService.authenticate(XWikiRightService.SUPERADMIN_USER, "pass",
+            this.oldcore.getXWikiContext());
+
+        assertNotNull(principal);
+        assertEquals(XWikiRightService.SUPERADMIN_USER_FULLNAME, principal.getName());
+    }
+
     /**
      * Test that SomeUser is correctly authenticated as XWiki.SomeUser when xwiki:SomeUser is entered as username.
      */

diff --git a/...latform-tools/xwiki-platform-tool-configuration-resources/src/main/resources/xwiki.cfg.vm b/...latform-tools/xwiki-platform-tool-configuration-resources/src/main/resources/xwiki.cfg.vm
@@ -302,6 +302,8 @@ xwiki.inactiveuser.allowedpages=
 #-# Enable to allow superadmin. It is disabled by default as this could be a
 #-# security breach if it were set and you forgot about it. Should only be enabled
 #-# for recovering the Wiki when the rights are completely messed.
+#-# [Since 17.9.0RC1] Instead of plain text password, you can use a bcrypt-hashed password string that starts with $2,
+#-# e.g., generated using htpasswd -bnBC 10 "" yourpassword | tr -d ':\n'
 #if ($xwikiCfgSuperadminPassword)
 xwiki.superadminpassword=$xwikiCfgSuperadminPassword
 #else