10 Replies Latest reply on Jun 2, 2004 3:00 AM by pilhuhn

    Authentication in JBoss (login)

    remowaller

      Is there a good tutorial or website about the authentication in JBoss.
      the aim is, that I've got a table with users and theirs passwords, so that I can be sure, that only the specific user can login and use my application.
      has anybody a hint?

      thanks.

        • 1. Re: Authentication in JBoss (login)
          skyfalke

          Hello remowaller.

          Take the following links as an introduction in J2EE-based security:
          http://www.javapassion.com/j2ee/WebApplicationSecurity_speakernoted.pdf
          http://java.sun.com/j2ee/1.4/docs/tutorial/doc/index.html
          -> chapter 32

          It is not specific for JBoss but it is a first step to understand how to declare security-constraints etc. via web.xml of your web application.

          Currently I am working on a detailed script for my studies. If you are interested in 13,004 (currently) German words... ;o)

          What exactly do you mean with "got a table"? You should provide that piece of information because it depends on your answer which login module to take:

          DatabaseServerLoginModule (http://www.jboss.org/wiki/Wiki.jsp?page=DatabaseServerLoginModule)
          or
          UsersRolesLoginModule (http://www.jboss.org/wiki/Wiki.jsp?page=UsersRolesLoginModule).

          The latter one stores login information in so-called property-files (users.properties, roles.properties in WEB-INF/classes) whereas the DatabaseServerLoginModule uses a database.

          Bye.

          • 2. Re: Authentication in JBoss (login)
            starksm64
            • 3. Re: Authentication in JBoss (login)
              max1

              This link contains a failry thorough description of implementing JAAS support for your application:

              http://www.jbossfaq.com/mvnforum/mvnforum/viewthread?thread=26

              max@jbossfaq.com

              ##############################
              JBoss hosting provided by http://www.theBeanContainer.com
              ##############################

              • 4. Re: Authentication in JBoss (login)
                remowaller

                Oh, thanks very much for your hints.
                It seems as it would work with my application.
                I've solved it with a FORM-based authentication. This authentication I would need to get into my application. This application is a distributed EJB-application. a user can register himself to get access to it. the password, choosen by the user, would be stored encrypted in the Database (mysql).
                Which algorithm should I take to store this password in the DB? The problem is, that it should be automatically decrypted for Form-based login. If the encrypt and decrypt-alg, doesn't match, you can never login, as you know.

                • 5. Re: Authentication in JBoss (login)
                  pilhuhn

                  If it is stored encrypted: who has the key?
                  The server would need the key somewhere in clear text (or protected by a pass phrase that the admin needs to type in everytime the server starts).
                  If the admin has the key, he can read the password.

                  What you can do (and which is supported by JBoss) is to store passwords as cryptographically hashed. The password entered by the user at login time is then also hashed. The two values are compared. I they match, the user can log in.

                  • 6. Re: Authentication in JBoss (login)
                    remowaller

                    do you mean this sequence:
                    <module-option name="hashEncoding">base64</module-option>

                    But this is only for the login-sequence. the password is stored as a hashed value. I understand, that JBoss would compare the stored (and hashed) password with the password filled in by the user to login.

                    But when a new user register himself by the ejb-application, he must enter his password. then, when the user entity is stored in the DB, the password should be encrypted, so that jboss could compare the entered password for login with the stored.
                    Which algorihm do I have to take that this will match?

                    • 7. Re: Authentication in JBoss (login)
                      pilhuhn

                      No, I mean
                      hashAlgorithm=string: The name of the java.security.MessageDigest algorithm to use to hash the password.

                      The API doc also gives an example on how to build the message digest.
                      You can store the digest as base64 encoded later on. Google for base64 encoders.

                      • 8. Re: Authentication in JBoss (login)
                        remowaller

                        Hi pilhuhn,

                        But there's a problem. When a user (scott) creates an account he has to enter a password. this password will be stored in the database, using EJB. Before this password is stored I would like to encrypt it, that the db-admin can't read it (in the ejbStore()-method).
                        When this user (scott) want's to login and fill in the password in the from, then jboss would compare it with the stored password in the database and logicially it doesn't match, beacause it is stored encrypted! so that never matches. But there should surely be a way to say jboss how the password is stored (with wich encryption) in the db, that jboss could match the entered password with the encrypted... isnt't it?

                        thanks a lot for repy

                        • 9. Re: Authentication in JBoss (login)
                          _alex

                          remowaller,
                          try to use some kind of key exchange identification. For example look at SRP in JBoss.

                          Alexander

                          • 10. Re: Authentication in JBoss (login)
                            pilhuhn

                            Remowaller, You get the passwort in plain from the user.
                            Then you do a sha1/md5 (depending on what algorithm you have choosen) and then encode it also as base64 and store it in the user/password table.
                            From now on, JBoss can compare the (hashed) password at login time with the hashed password in the db.

                            The code to hash the password might look like:

                             byte[] pass = password.getBytes();
                             MessageDigest md = MessageDigest.getInstance("SHA");
                             byte[] hash = md.digest(pass);
                             ret = Base64Encoder.encode(hash);
                            

                            with Base64Encoder being in org.jboss.security.