3 Replies Latest reply on Nov 6, 2002 11:31 PM by skidvd

    DatabaseServerLoginModule

    skidvd

      Hello:

      I'm trying to configure the DatabaseServerLoginModule to use as an authentication mechanism for a simple JSP with simple FORM based security. I'm sure I am missing something, but have not been able to find my error(s) in the documentation or other related posts. This is with JBoss 3.0.0 with Tomcat 4.0.3.

The problem is as follows: The JSP presents and appears to process the login form correctly and just as expected. The problem is that no matter what I respond to the form with for user and password, I am successfully transferred to the JSP that is supposed to be guarded. This is to say that users/pws that are in the database and any other garbage that is not both appear to work equally well and result in successful authentication. There are no errors on the console or log that I have found. There are also no errors during startup. There are also no indications that any authentication is occurring.

      I'd appreciate any and all help as I'm not sure what I'm missing at this point.

      Here are the relevant sections from the files:

      web.xml:
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>BookMarks</web-resource-name>
      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>PortalUser</role-name>
      </auth-constraint>
      </security-constraint>

      <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>AbilSoftRealm</realm-name>
      <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login-error.html</form-error-page>
      </form-login-config>
      </login-config>

      <security-role>
      <role-name>PortalUser</role-name>
      </security-role>

      jboss-web.xml:

<jboss-web>
<security-domain>java:/jaas/AbilSoftRealm</security-domain>
</jboss-web>

      login-config.xml:

      <application-policy name = "SecurityDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
      <module-option name = "principal">testuser</module-option>
      <module-option name = "userName">testuser</module-option>
      <module-option name = "password">pw</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=SecurityDS</module-option>
      </login-module>

      </application-policy>


      <application-policy name = "AbilSoftRealm">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required">
      <module-option name = "dsJndiName">java:/SecurityPool</module-option>
      <module-option name = "principalsQuery">select password from users
      where username = ?</module-option>
      <module-option name = "rolesQuery">select role, rolegroup from roles where username = ?</module-option>
      <module-option name = "hashAlgorithm">MD5</module-option>
      <module-option name = "hashEncoding">base64</module-option>
      </login-module>

      </application-policy>

      Thanks again.



        • 1. Re: DatabaseServerLoginModule
          tool

          In your login-config.xml, the application policy using the database server login module needs to match the security-domain element in the jboss-web.xml
          AND
          the application policy using the configured identity login module needs to match the one declared in the realm-name element in the web.xml

          So here is one way it could look:

          web.xml:
          <security-constraint>
          <web-resource-collection>
          <web-resource-name>BookMarks</web-resource-name>
          <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
          <role-name>PortalUser</role-name>
          </auth-constraint>
          </security-constraint>
          <login-config>
          <auth-method>FORM</auth-method>
          <realm-name>SecurityDbRealm</realm-name>
          <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/login-error.html</form-error-page>
          </form-login-config>
          </login-config>
          <security-role>
          <role-name>PortalUser</role-name>
          </security-role>
          jboss-web.xml:
<jboss-web>
<security-domain>java:/jaas/AbilSoftRealm</security-domain>
</jboss-web>
          login-config.xml:
          <application-policy name = "SecurityDbRealm">

          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
          <module-option name = "principal">testuser</module-option>
          <module-option name = "userName">testuser</module-option>
          <module-option name = "password">pw</module-option>
          <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=SecurityDS</module-option>
          </login-module>

          </application-policy>

          <application-policy name = "AbilSoftRealm">

          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
          flag = "required">
          <module-option name = "dsJndiName">java:/SecurityPool</module-option>
          <module-option name = "principalsQuery">select password from users
          where username = ?</module-option>
          <module-option name = "rolesQuery">select role, rolegroup from roles where username = ?</module-option>
          <module-option name = "hashAlgorithm">MD5</module-option>
          <module-option name = "hashEncoding">base64</module-option>
          </login-module>

          </application-policy>

          Hope this helps,
          Brian
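A consistency check for the three files Brian lines up above, written as an added example (not code from the thread or from JBoss): it parses the fragments, confirms that the jboss-web.xml security-domain resolves to an application-policy in login-config.xml, that the DatabaseServerLoginModule in that policy names its datasource, and that every role used in an auth-constraint is declared as a security-role. The java:/jaas/ prefix convention is taken from the thread; treating an explicit dsJndiName as required is an assumption of this check.

```python
import xml.etree.ElementTree as ET

# Fragments constructed from the configuration posted in this thread (wrapped in root elements so they parse stand-alone).
WEB_XML = """<web-app>
  <security-constraint><auth-constraint><role-name>PortalUser</role-name></auth-constraint></security-constraint>
  <login-config><auth-method>FORM</auth-method><realm-name>SecurityDbRealm</realm-name></login-config>
  <security-role><role-name>PortalUser</role-name></security-role>
</web-app>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>java:/jaas/AbilSoftRealm</security-domain></jboss-web>"
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="SecurityDbRealm">
    <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required"/>
  </application-policy>
  <application-policy name="AbilSoftRealm">
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/SecurityPool</module-option>
      <module-option name="principalsQuery">select password from users where username = ?</module-option>
      <module-option name="rolesQuery">select role, rolegroup from roles where username = ?</module-option>
    </login-module>
  </application-policy>
</policy>"""

JAAS_PREFIX = "java:/jaas/"
DB_MODULE = "org.jboss.security.auth.spi.DatabaseServerLoginModule"

def check_consistency(web_xml, jboss_web_xml, login_config_xml):
    """Return a list of findings; an empty list means the three files agree with each other."""
    findings = []
    web = ET.fromstring(web_xml)
    domain = ET.fromstring(jboss_web_xml).findtext("security-domain") or ""
    policies = {p.get("name"): p for p in ET.fromstring(login_config_xml).iter("application-policy")}
    # 1. The security-domain in jboss-web.xml is java:/jaas/<application-policy name>.
    policy_name = domain[len(JAAS_PREFIX):] if domain.startswith(JAAS_PREFIX) else None
    if policy_name not in policies:
        findings.append(f"security-domain '{domain}' has no matching application-policy in login-config.xml")
    else:
        # 2. The database login module in that policy should name its datasource explicitly (assumption).
        for mod in policies[policy_name].iter("login-module"):
            opts = {o.get("name") for o in mod.iter("module-option")}
            if mod.get("code") == DB_MODULE and "dsJndiName" not in opts:
                findings.append(f"policy '{policy_name}': {DB_MODULE} has no dsJndiName module-option")
    # 3. Every role named in an auth-constraint must be declared as a security-role.
    declared = {rn.text.strip() for sr in web.iter("security-role") for rn in sr.iter("role-name")}
    for ac in web.iter("auth-constraint"):
        for rn in ac.iter("role-name"):
            if rn.text.strip() not in declared:
                findings.append(f"role '{rn.text.strip()}' is used in an auth-constraint but never declared")
    return findings
```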

          • 2. Re: DatabaseServerLoginModule
            skidvd

            Brian,

            Thanks so much for your response. I am indeed much closer now.

            My only remaining problem is with the hashAlgorithm. Everything is working perfectly as long as I do not add the hashAlgorithm and hashEncoding <module-option>s to the following section of my login-config.xml:

            <!-- Provides default Security services for AbilSoft -->
            <application-policy name = "AbilSoftRealm">

            <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "requisite">
            <module-option name = "dsJndiName">java:/SecurityPool</module-option>
            <module-option name = "principalsQuery">select password from users
            where username=?</module-option>
            <module-option name = "rolesQuery">select role, rolegroup from roles where username=?</module-option>
            <module-option name = "hashAlgorithm">MD5</module-option>
            <module-option name = "hashEncoding">base64</module-option>
            </login-module>

            </application-policy>

            I am using JBoss 3.0.4 with a MySQL database. The database contains the password in MD5 encrypted format and I have verified the query by hand from a mysql prompt (to verify it returns expected MD5 encrypted password). What else do I need to do to make this encryption work?


            By the way, you said:

            "In your login-config.xml, the application policy using the database server login module needs to match the security-domain element in the jboss-web.xml
            AND
            the application policy using the configured identity login module needs to match the one declared in the realm-name element in the web.xml"

            The first part of this is indeed true. However, the second part does not appear to be true as I have tried making the <realm-name> in the web.xml to match identity login policy and then making it not match with identical results.

            Thanks again.

            • 3. Re: DatabaseServerLoginModule
              skidvd

Problem solved. After researching the source for the security.auth.spi package (you gotta love open source) and some MySQL docs, I discovered that MySQL returns MD5() encrypted passwords in HEX format. So I simply changed the to HEX, and all worked just as documented/expected.

              Thanks again for your assistance.
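The mismatch the last post resolves, as an added example (not code from the thread or from JBoss): the login module hashes the submitted password with hashAlgorithm, encodes the digest according to hashEncoding, and compares that string with the value returned by principalsQuery. A value stored by MySQL's MD5() is a hex string, so it only matches when hashEncoding is hex; with base64 the same correct password is rejected. The stored value below is constructed, and modelling the comparison as an exact string match of lowercase hex is an assumption about the module's behaviour.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample of what MySQL's MD5('secret') stores: a 32-character lowercase hex digest.
STORED_FROM_MYSQL = hashlib.md5(b"secret").hexdigest()

def encode_digest(digest: bytes, hash_encoding: str) -> str:
    """Encode a raw digest the way the hashEncoding module-option selects (assumed: 'base64' or 'hex')."""
    enc = hash_encoding.lower()
    if enc == "base64":
        return base64.b64encode(digest).decode("ascii")
    if enc == "hex":
        # Lowercase hex, which is what MySQL's MD5() emits.
        return binascii.hexlify(digest).decode("ascii")
    raise ValueError(f"unsupported hashEncoding: {hash_encoding}")

def hashed_password(password: str, hash_algorithm: str, hash_encoding: str) -> str:
    """Hash the submitted password with hashAlgorithm and encode it for comparison with the DB value."""
    digest = hashlib.new(hash_algorithm.lower(), password.encode("utf-8")).digest()
    return encode_digest(digest, hash_encoding)

def validate(submitted: str, stored: str, hash_algorithm: str, hash_encoding: str) -> bool:
    """Model of the module's check: the stored string must equal the encoded hash of the submitted password.
    compare_digest is used so the comparison does not leak where the strings diverge."""
    return hmac.compare_digest(hashed_password(submitted, hash_algorithm, hash_encoding), stored)

if __name__ == "__main__":
    for encoding in ("base64", "hex"):
        print(f"hashEncoding={encoding}: correct password accepted ->",
              validate("secret", STORED_FROM_MYSQL, "MD5", encoding))
```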