1. Re: DatabaseServerLoginModule - Password Encryption
jfair Mar 17, 2003 1:09 PM (in response to jfair)
Got it working. I read through the Getting Started Guide and added the hashCodeAlgorithm and hashEncoding options to the DatabaseServerLoginModule I had defined in login-config.xml.
See this link for more details: http://www.mail-archive.com/jboss-user@lists.sourceforge.net/msg22966.html
Here is a snippet from my login-config.xml:
<application-policy name="blah">
<login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
flag = "required">
<module-option name = "dsJndiName">java:/MySqlDS</module-option>
<module-option name = "principalsQuery">select password from user_profile where user_id=?</module-option>
<module-option name = "rolesQuery">select role_name, 'Roles' from user_role where user_id=?</module-option>
<module-option name = "hashAlgorithm">MD5</module-option>
<module-option name = "hashEncoding">HEX</module-option>
</login-module>
</application-policy>
2. Re: DatabaseServerLoginModule - Password Encryption
studenik Mar 19, 2003 1:40 AM (in response to jfair)
jfair:
I have identical settings in my login-config.xml.
...
<module-option name = "hashAlgorithm">MD5</module-option>
<module-option name = "hashEncoding">HEX</module-option>
...
I manually created a user with an encrypted password, using the MD5 function (i.e. set Password=MD5("passwordvalue")). I manually checked that MySQL returns the correct record when I say: SELECT * FROM myTable WHERE Password=MD5("passwordvalue");
In my web.xml I configured to use DIGEST.
Everything looks alright, the correct (DIGEST) dialog pops up. The only problem is that it does not let the user log in.
My BASIC authentication is working fine.
I turned debugging on in log4j.xml, this did not help to see the problem.
I checked what MySQL is logging (--log=...), it did not show anything.
I use JBoss-3.0.4/Tomcat-4.1.x
What could I possibly be missing?
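The hash-and-compare that the hashAlgorithm=MD5 / hashEncoding=HEX options set up, and the HTTP Digest computation from RFC 2617 beside it, as an added example (Python; not code from the thread or from JBoss): it shows that a column filled with MySQL's MD5(password) matches the module's comparison whenever the cleartext password reaches the server (BASIC/FORM), while a DIGEST response can only be recomputed from the cleartext password or from HA1 = MD5(user:realm:password), never from MD5(password) alone. The user, realm, password and nonce values are constructed, and the case-insensitive hex comparison is this example's own choice.

```python
import base64
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def hash_like_login_module(password: str, algorithm="MD5", encoding="HEX") -> str:
    """Model of hashAlgorithm/hashEncoding: digest the submitted cleartext
    password and encode it the way the stored column is expected to look."""
    digest = hashlib.new(algorithm.lower(), password.encode("utf-8")).digest()
    if encoding.upper() == "HEX":
        return digest.hex()  # same shape as MySQL's MD5(): lowercase hex
    if encoding.upper() == "BASE64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError("unsupported hashEncoding: " + encoding)


def basic_login_ok(submitted_password: str, stored_value: str) -> bool:
    """BASIC/FORM hand the module the cleartext password, so hash-and-compare
    works against a column filled with MD5(password). Lowercasing both sides is
    this example's choice, to tolerate upper-case hex produced by another tool.
    Note that an unsalted MD5 column is cheap to brute-force offline."""
    return hash_like_login_module(submitted_password).lower() == stored_value.lower()


def response_from_ha1(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    return md5hex(f"{ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """What the browser sends: HA1 = MD5(user:realm:password) feeds the response."""
    return response_from_ha1(md5hex(f"{username}:{realm}:{password}"), method, uri, nonce)


def digest_verify(ha1_candidate, method, uri, nonce, client_response) -> bool:
    """The server only ever sees the response; to recompute it, it needs the
    cleartext password (to derive HA1) or HA1 itself. MD5(password) is neither."""
    return response_from_ha1(ha1_candidate, method, uri, nonce) == client_response


# Constructed sample values, not data from the thread.
USER, REALM, PASSWORD = "alice", "blah", "passwordvalue"
STORED = md5hex(PASSWORD)  # what "set Password=MD5('passwordvalue')" would store
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

if __name__ == "__main__":
    resp = digest_response(USER, REALM, PASSWORD, "GET", "/ee/secure", NONCE)
    print("basic/form ok:", basic_login_ok(PASSWORD, STORED))
    print("digest with HA1:", digest_verify(md5hex(f"{USER}:{REALM}:{PASSWORD}"), "GET", "/ee/secure", NONCE, resp))
    print("digest with MD5(password) column:", digest_verify(STORED, "GET", "/ee/secure", NONCE, resp))
```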
3. Re: DatabaseServerLoginModule - Password Encryption
jfair Mar 19, 2003 2:22 PM (in response to jfair)
Maybe you're missing the jboss-web.xml file...
Your web application needs to know what login module to use, so you need to include the jboss-web.xml file in the WEB-INF/ directory of your web application.
Here is my sample jboss-web.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
<!-- Use the JaasSecurityMgr other security domain for authentication
and authorization of secured web content.
-->
<security-domain>java:/jaas/blah</security-domain>
</jboss-web>
where blah is the name of your login module.
John
4. Re: DatabaseServerLoginModule - Password Encryption
studenik Mar 20, 2003 12:41 AM (in response to jfair)
John:
Thank you very much for your reply.
I checked jboss-web.xml and the line '<security-domain>java:/jaas/blah</security-domain>' was there. I also found that if I remove this line, my BASIC authentication won't work either, complaining that principal is null.
When I run BASIC login, the login queries are logged by MySQL. When I switch to DIGEST, no query is logged by MySQL. Could this be a clue?
I deploy my application as an *.ear file, maybe there must be an entry in jboss-app.xml or application.xml?
As I deploy the application I have in console:
...
00:30:09,068 INFO [Engine] ContextConfig[/ee]: Added certificates -> request attribute Valve
00:30:09,098 INFO [Engine] ContextConfig[/ee]: Configured an authenticator for method DIGEST
...
As I try to log in, a correct DIGEST-like dialog is produced by the browser. After three unsuccessful attempts, I get an 'HTTP Status 401 - Unauthorized' from Tomcat.
The point is that no query arrives at MySQL while the login dialog repeatedly pops up, so I cannot check if the password was encrypted correctly.
What else could there be to it?
Yevgeny.
7. Re: DatabaseServerLoginModule - Password Encryption
jfair Mar 20, 2003 10:42 AM (in response to jfair)
I am using FORM based authentication not DIGEST. I have not tried DIGEST authentication. You mentioned you had switched to DEBUG mode in log4j-config.xml.
This link (http://www.mail-archive.com/jboss-user@lists.sourceforge.net/msg22966.html) states the following:
"Turn on DEBUG level messages by editing the conf/log4j.xml file and
removing the from the FILE
appender and then look for the following msgs:
Binding security/securityMgr to NullSecurityManager
Linking security/securityMgr to JNDI name: x
Most likely the war/WEB-INF/jboss-web.xml file is not being seen."
Hopefully, this is of some help.