Storing encrypted password in Database
guadiana Aug 4, 2005 8:04 AM
Hello,
I've the following login-config security configuration:
-----------------------------------
<application-policy name="other">
  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                flag="required">
    <module-option name="dsJndiName">java:guadianaDS</module-option>
    <module-option name="principalsQuery">
      SELECT PASSWORD FROM USUARIOS WHERE id=?
    </module-option>
    <module-option name="rolesQuery">
      SELECT PERFIL, 'Roles' FROM USUARIOS WHERE id=?
    </module-option>
    <module-option name="hashAlgorithm">MD5</module-option>
    <module-option name="hashEncoding">base64</module-option>
    <module-option name="hashCharset">iso-8859-1</module-option>
  </login-module>
</application-policy>
------------------------------------------------------------
I don't know why, but I had to use the hint given in the forum about naming the configuration "other" as a workaround, because it always tried to use the UsersRolesLoginModule.
After doing that, the login process worked with a plain-text password stored in the DB, but my problem now is that I'm not sure my way of generating the encoded password is right. As an example I've done this:
------------------------------------------------------------
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import javax.mail.internet.MimeUtility;

MessageDigest md = MessageDigest.getInstance("MD5");
byte[] digest = md.digest("jose".getBytes("iso-8859-1"));
ByteArrayOutputStream bas = new ByteArrayOutputStream(digest.length + digest.length / 4 + 1);
OutputStream encodedStream = MimeUtility.encode(bas, "base64");
encodedStream.write(digest);
String newEncryptedString = (String) bas.toString();
System.out.println(newEncryptedString);
------------------------------------------------------------
As a result I obtain the string: "Zi6qRxmUYdAaYjiECAk0" and I store it in the DB as the password for user "jose".
When I try to log in I get the following error in server.log after activating the trace:
------------------------------------------------------------
2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize
2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Password hashing activated: algorithm = MD5, encoding = base64, charset = iso-8859-1, callback = null
2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:guadianaDS
2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=SELECT PASSWORD FROM USUARIOS WHERE id=?
2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=SELECT PERFIL, 'Roles' FROM USUARIOS WHERE id=?
2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
2005-08-04 13:57:01,591 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] abort
2005-08-04 13:57:01,591 TRACE [org.jboss.security.plugins.JaasSecurityManager.other] Login failure
javax.security.auth.login.FailedLoginException: No matching username found in Principals
at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:111)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:162)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:483)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:425)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:251)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:230)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)
2005-08-04 13:57:01,591 TRACE [org.jboss.security.plugins.JaasSecurityManager.other] End isValid, false
------------------------------------------------------------
Thanks in advance,
Jose.
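
Added example (not part of the original post and not JBoss code): a check of a stored value against the hash described by the hashAlgorithm=MD5, hashEncoding=base64 and hashCharset=iso-8859-1 options above. Base64 of a 16-byte MD5 digest is always 24 characters ending in "==", so the 20-character string quoted in the post is reported as truncated rather than as a plain mismatch. Assumptions: the login module compares against standard padded Base64, java.util.Base64 (Java 8+) stands in for MimeUtility, and the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Hypothetical helper class, written for this example.
public class PasswordHashCheck {

    // Hash as the login-config on the page describes: MD5 over the
    // ISO-8859-1 bytes of the password, then standard padded Base64.
    // MD5 is used only because the configuration on the page specifies it.
    static String hash(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.ISO_8859_1));
        // encodeToString emits the complete encoding, final padded group included.
        return Base64.getEncoder().encodeToString(digest);
    }

    // Classify a value taken from the PASSWORD column against the expected hash.
    static String classify(String stored, String password) throws NoSuchAlgorithmException {
        String expected = hash(password);
        if (stored.equals(expected)) {
            return "OK";
        }
        // A strict prefix of the expected value means the encoder output was cut
        // short, for example when the last partial Base64 group was never written.
        if (stored.length() < expected.length() && expected.startsWith(stored)) {
            return "TRUNCATED";
        }
        return "MISMATCH";
    }

    public static void main(String[] args) throws Exception {
        String stored = "Zi6qRxmUYdAaYjiECAk0"; // value quoted in the post
        String expected = hash("jose");
        System.out.println("expected: " + expected + " (" + expected.length() + " chars)");
        System.out.println("stored:   " + stored + " (" + stored.length() + " chars)");
        System.out.println("result:   " + classify(stored, "jose"));
    }
}
```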