-
1. Re: password in custom LoginModule
tcherel Dec 23, 2004 10:58 AM (in response to ashields)
I believe that if the password is encrypted it is the "client" who did it.
The next question is what is your client? Standalone EJB client application, servlet, others?
You need to determine the JAAS configuration of this client in order to figure out who/how the password is encrypted.
If coming through a servlet, it could be that it is simply base64 encoded (default for HTTP basic authentication).
Thomas -
2. Re: password in custom LoginModule
ashields Dec 23, 2004 3:11 PM (in response to ashields)
Here's my client:
```java
package client;

import java.io.IOException;
import java.util.Hashtable;
import java.util.Properties;

import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.jboss.security.SimplePrincipal;

public class TestClient {
    static InitialContext ctx;

    public static void main(String args[]) {
        try {
            // jaas login
            Configuration.setConfiguration(new PasswordConfig());
            LoginContext c = new LoginContext("", new TestCallbackHandler());
            c.login();
            Subject s = c.getSubject();
            System.out.println("subject is " + s);

            // the following gives the same results
            /*
            org.jboss.security.SecurityAssociation.setPrincipal(new SimplePrincipal("ALAN"));
            org.jboss.security.SecurityAssociation.setCredential(new SimplePrincipal("PASSWORD"));
            */

            Properties j = new Properties();
            j.setProperty("java.naming.factory.initial", "org.jnp.interfaces.NamingContextFactory");
            j.setProperty("java.naming.provider.url", "jnp://localhost:1099");
            j.setProperty("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
            j.setProperty("DISCOVERY_TIMEOUT", "1000");

            System.out.println("get context");
            ctx = new InitialContext(j);
            System.out.println("lookup");
            Object obj = ctx.lookup("Test");
            testing.remote.TestHome testHome =
                (testing.remote.TestHome) PortableRemoteObject.narrow(obj, testing.remote.TestHome.class);
            System.out.println("create ");
            testing.remote.Test test = testHome.create();
            System.out.println("call ");
            System.out.println(test.getWard("K6"));
            System.out.println("Done ");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static class PasswordConfig extends Configuration {
        public PasswordConfig() {
        }

        public AppConfigurationEntry[] getAppConfigurationEntry(String applicationName) {
            AppConfigurationEntry[] loginModules = new AppConfigurationEntry[1];
            Hashtable options = new Hashtable();
            loginModules[0] = new AppConfigurationEntry(
                "org.jboss.security.ClientLoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options);
            return loginModules;
        }

        public void refresh() {
        }
    }

    private static class TestCallbackHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (int i1 = 0; i1 < callbacks.length; i1++) {
                System.out.println("call back " + callbacks[i1]);
                if (callbacks[i1] instanceof NameCallback) {
                    NameCallback nc = (NameCallback) callbacks[i1];
                    System.out.println(nc.getPrompt() + ":" + nc.getName());
                    nc.setName("ALAN");
                }
                if (callbacks[i1] instanceof PasswordCallback) {
                    PasswordCallback nc = (PasswordCallback) callbacks[i1];
                    nc.setPassword("PASSWORD".toCharArray());
                }
            }
        }
    }
}
```
Thanks -
3. Re: password in custom LoginModule
tcherel Dec 23, 2004 5:11 PM (in response to ashields)
This is strange.
You are using the standard JBoss client login module in your client. As far as I know this guy does not encrypt anything.
I have a custom JAAS login module with JBoss 3.2.6 and the client also uses the standard JBoss client login module and I have no problem getting the password.
Might be a JBoss 4.0.0 specific problem, I am not sure. I looked quickly at the JBoss 4.0.0 sources, and it does not seem that the password gets encrypted either.
Thomas -
4. Re: password in custom LoginModule
starksm64 Dec 23, 2004 5:35 PM (in response to ashields)
There is no default encryption, so if it's showing up, it's been configured somewhere. Trace level logging on the org.jboss.security category and eliminating unused login module configs are the way to debug what is happening.
-
5. Re: password in custom LoginModule
ashields Dec 24, 2004 2:03 AM (in response to ashields)
Sorry, this was all down to me being stupid.
I was doing password.toString() rather than new String(password), what I thought was an encrypted password was just the object reference....
Time for some alcohol I think
Merry Christmas
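
The mix-up resolved in the last post, reproduced as an added example (not code from the thread): a `char[]` obtained from a `PasswordCallback` is rendered with `toString()` and with `new String(...)`. The class name `PasswordCallbackDemo`, the helper names and the inline handler are hypothetical and constructed for illustration.

```java
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;

public class PasswordCallbackDemo {
    // Default Object.toString() of a char[] is "[C@" + hex identity hash.
    static boolean looksLikeArrayReference(String s) {
        return s.matches("\\[C@[0-9a-f]+");
    }

    // Fetch the password the way a LoginModule would: via a PasswordCallback.
    static char[] fetchPassword(CallbackHandler handler) throws Exception {
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        handler.handle(new Callback[] { pc });
        char[] copy = pc.getPassword(); // getPassword() returns a copy
        pc.clearPassword();             // wipe the callback's internal copy
        return copy;
    }

    public static void main(String[] args) throws Exception {
        // Constructed handler standing in for the client's callback handler.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword("PASSWORD".toCharArray());
                }
            }
        };
        char[] password = fetchPassword(handler);

        // Wrong: prints the array's type and identity hash, not its contents.
        // String concatenation ("" + password) gives the same result.
        String wrong = password.toString();
        // Right: copies the characters into a String.
        String right = new String(password);

        System.out.println("toString():  " + wrong);
        System.out.println("new String(): " + right);
        System.out.println("looks like a reference: " + looksLikeArrayReference(wrong));

        // Comparing as char[] avoids creating a String at all, and the
        // array can be overwritten once the check is done.
        boolean ok = Arrays.equals(password, "PASSWORD".toCharArray());
        Arrays.fill(password, '\0');
        System.out.println("password matches: " + ok);
    }
}
```

The `toString()` value changes between runs because it is derived from the object's identity hash, which is why it can be mistaken for a hashed or encrypted credential.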