7 Replies Latest reply on Mar 20, 2003 10:42 AM by jfair

    DatabaseServerLoginModule - Password Encryption

    jfair

      I am using Jboss 3.0.4 and tomcat 4.1.12. I am using form based authentication for my web application and it runs on the embedded tomcat service in JBoss. The DatabaseServerLoginModule works great but now I want to have encrypted passwords in the mySQL database. Has anyone used the DatabaseServerLoginModule in conjunction with encrypted passwords? I'd be interested in knowing how and if this is possible.

      Thanks,

      John

        • 1. Re: DatabaseServerLoginModule - Password Encryption
          jfair

          Got it working. I read through the Getting Started Guide and added the hashCodeAlgorithm and hashEncoding options to the DatabaseServerLoginModule I had defined in login-config.xml.

          See this link for more details: http://www.mail-archive.com/jboss-user@lists.sourceforge.net/msg22966.html

          Here is a snippet from my login-config.xml:

          <application-policy name="blah">
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                          flag="required">
              <module-option name="dsJndiName">java:/MySqlDS</module-option>
              <module-option name="principalsQuery">select password from user_profile where user_id=?</module-option>
              <module-option name="rolesQuery">select role_name, 'Roles' from user_role where user_id=?</module-option>
              <module-option name="hashAlgorithm">MD5</module-option>
              <module-option name="hashEncoding">HEX</module-option>
            </login-module>
          </application-policy>
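          To show what the two options above change about the comparison, here is a small added simulation (not JBoss code, not from this thread) of how a password submitted at login is hashed and checked against a value that MySQL's MD5() produced: hashAlgorithm names the digest and hashEncoding names how the digest bytes are rendered before the string comparison. The user table, the user name and the password are constructed for the example; the second encoding value (BASE64) is the other encoding JBoss accepts for this option.

```python
import base64
import hashlib

# Constructed stand-in for the MySQL user_profile table. The stored value is
# exactly what `set password=MD5("passwordvalue")` would write: the MD5
# digest as lowercase hex.
USER_PROFILE = {
    "john": hashlib.md5(b"passwordvalue").hexdigest(),
}


def hash_password(password: str, hash_algorithm: str = "MD5",
                  hash_encoding: str = "HEX") -> str:
    """Hash a submitted password the way the module options describe it.

    hash_algorithm is a digest name (the thread uses MD5, unsalted);
    hash_encoding selects HEX or BASE64 for the digest bytes.
    """
    digest = hashlib.new(hash_algorithm.lower(),
                         password.encode("utf-8")).digest()
    encoding = hash_encoding.lower()
    if encoding == "hex":
        # Lowercase hex, the same form MySQL's MD5() returns, so the
        # string comparison below succeeds without any case folding.
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported hashEncoding: {hash_encoding}")


def principals_query(user_id: str):
    """Stand-in for: select password from user_profile where user_id=?"""
    return USER_PROFILE.get(user_id)


def login(user_id: str, password: str, hash_encoding: str = "HEX") -> bool:
    """Return True only if the hashed submission equals the stored string."""
    stored = principals_query(user_id)
    if stored is None:
        return False
    return stored == hash_password(password, "MD5", hash_encoding)
```

Note that the comparison is a plain string equality: a stored hex value in a different case, or a hashEncoding that does not match how the rows were written, fails every login even though the password is right.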


          • 2. Re: DatabaseServerLoginModule - Password Encryption
            studenik

            jfair:

            I have identical settings in my login-config.xml.
            ...
            <module-option name = "hashAlgorithm">MD5</module-option>
            <module-option name = "hashEncoding">HEX</module-option>
            ...

            I manually created a user with an encrypted password, using the MD5 function (i.e. set Password=MD5("passwordvalue")). I manually checked that MySQL returns the correct record when I say: SELECT * FROM myTable WHERE Password=MD5("passwordvalue");

            In my web.xml I configured it to use DIGEST.

            Everything looks alright, the correct (DIGEST) dialog pops up. The only problem is that it does not let the user log in.

            My BASIC authentication is working fine.

            I turned debugging on in log4j.xml, this did not help to see the problem.

            I checked what MySQL is logging (--log=...), it did not show anything.

            I use JBoss-3.0.4/Tomcat-4.1.x

            What could I possibly be missing?

            • 3. Re: DatabaseServerLoginModule - Password Encryption
              jfair

              Maybe you're missing the jboss-web.xml file...

              Your web application needs to know what login module to use, so you need to include the jboss-web.xml file in the WEB-INF/ directory of your web application.

              Here is my sample jboss-web.xml file:

              <?xml version="1.0" encoding="UTF-8"?>
              <jboss-web>
                <!-- Use the JaasSecurityMgr other security domain for authentication
                     and authorization of secured web content.
                -->
                <security-domain>java:/jaas/blah</security-domain>
              </jboss-web>

              where blah is the name of your login module.

              John

              • 4. Re: DatabaseServerLoginModule - Password Encryption
                studenik

                John:

                Thank you very much for your reply.

                I checked jboss-web.xml and the line '<security-domain>java:/jaas/blah</security-domain>' was there. I also found that if I remove this line, my BASIC authentication won't work either, complaining that principal is null.

                When I run BASIC login, the login queries are logged by MySQL. When I switch to DIGEST, no query is logged by MySQL. Could this be a clue?

                I deploy my application as an *.ear file, maybe there must be an entry in jboss-app.xml or application.xml?

                As I deploy the application I have in console:
                ...
                00:30:09,068 INFO [Engine] ContextConfig[/ee]: Added certificates -> request attribute Valve
                00:30:09,098 INFO [Engine] ContextConfig[/ee]: Configured an authenticator for method DIGEST
                ...

                As I try to log in, a correct DIGEST-like dialog is produced by the browser. After three unsuccessful attempts, I get an 'HTTP Status 401 - Unauthorized' from Tomcat.

                The point is that no query arrives at MySQL while the login dialog repeatedly pops up, so I cannot check if the password was encrypted correctly.

                What else could there be to it?

                Yevgeny.

                    • 7. Re: DatabaseServerLoginModule - Password Encryption
                      jfair

                      I am using FORM based authentication not DIGEST. I have not tried DIGEST authentication. You mentioned you had switched to DEBUG mode in log4j-config.xml.
                      This link (http://www.mail-archive.com/jboss-user@lists.sourceforge.net/msg22966.html) states the following:

                      "Turn on DEBUG level messages by editing the conf/log4j.xml file and
                      removing the from the FILE
                      appender and then look for the following msgs:

                      Binding security/securityMgr to NullSecurityManager
                      Linking security/securityMgr to JNDI name: x

                      Most likely the war/WEB-INF/jboss-web.xml file is not being seen."

                      Hopefully, this is of some help.