3 Replies Latest reply on Aug 4, 2005 9:10 AM by guadiana

    Storing encrypted password in Database

    guadiana

      Hello,
      I've the following login-config security configuration:
      -----------------------------------
      <application-policy name="other">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                        flag="required">
            <module-option name="dsJndiName">java:guadianaDS</module-option>
            <module-option name="principalsQuery">
              SELECT PASSWORD FROM USUARIOS WHERE id=?
            </module-option>
            <module-option name="rolesQuery">
              SELECT PERFIL, 'Roles' FROM USUARIOS WHERE id=?
            </module-option>
            <module-option name="hashAlgorithm">MD5</module-option>
            <module-option name="hashEncoding">base64</module-option>
            <module-option name="hashCharset">iso-8859-1</module-option>
          </login-module>
        </authentication>
      </application-policy>
      ------------------------------------------------------------
      I don't know why, but I had to use the hint given in the forum about naming the configuration "other" as a workaround, because it always tried to use the UsersRolesLoginModule.
      After doing that, the login process worked with a plain-text password stored in the DB, but my problem now is that I'm not sure my way of generating the encoded password is right. As an example, I've done this:
      ------------------------------------------------------------
      MessageDigest md = MessageDigest.getInstance("MD5");
      byte[] digest = md.digest("jose".getBytes("iso-8859-1"));
      ByteArrayOutputStream bas = new ByteArrayOutputStream(digest.length + digest.length / 4 + 1);
      OutputStream encodedStream = MimeUtility.encode(bas, "base64");
      encodedStream.write(digest);
      String newEncryptedString = (String) bas.toString();
      System.out.println(newEncryptedString);
      ------------------------------------------------------------
      As a result I obtain the string "Zi6qRxmUYdAaYjiECAk0" and I store it in the DB as the password for user "jose".
      When I try to log in, I get the following error in server.log after activating the trace:
      ------------------------------------------------------------
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Password hashing activated: algorithm = MD5, encoding = base64, charset = iso-8859-1, callback = null
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:guadianaDS
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=SELECT PASSWORD FROM USUARIOS WHERE id=?
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=SELECT PERFIL, 'Roles' FROM USUARIOS WHERE id=?
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
      2005-08-04 13:57:01,591 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] abort
      2005-08-04 13:57:01,591 TRACE [org.jboss.security.plugins.JaasSecurityManager.other] Login failure
      javax.security.auth.login.FailedLoginException: No matching username found in Principals
      at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:111)
      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:162)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:483)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:425)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:251)
      at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:230)
      at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
      at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
      at java.lang.Thread.run(Thread.java:595)
      2005-08-04 13:57:01,591 TRACE [org.jboss.security.plugins.JaasSecurityManager.other] End isValid, false
      ------------------------------------------------------------
      Thanks in advance,
      Jose.

        • 1. Re: Storing encrypted password in Database
          michaelkonietzka

           

          ps = conn.prepareStatement(principalsQuery);
          ps.setString(1, username);
          rs = ps.executeQuery();
          if( rs.next() == false )
             throw new FailedLoginException("No matching username found in Principals");
          


          Well, it seems it doesn't find the user "jose" in the database.
          Try in your SQL-Client:

          SELECT PASSWORD FROM USUARIOS WHERE id='jose'


          • 2. Re: Storing encrypted password in Database
            guadiana

            OK, the right way to generate the password is using:

            java -classpath ./jbosssx.jar org.jboss.security.Base64Encoder jose MD5

            Now I get:
            Zi6qRxmUYdAaYjiECAk0qw==
            instead of
            Zi6qRxmUYdAaYjiECAk0

            With the new digest of the password the login works fine!!

            Any clue of why my Java code generated a too short digest???
            Thanks to everybody.
            Jose.

            • 3. Re: Storing encrypted password in Database
              guadiana

              I've answered myself again.
              If it helps here comes the java code to generate passwords:
              ---------------------------------------------------------------
              import java.util.ArrayList;
              import org.jboss.security.Base64Encoder;

              public class GenerarPasswords {

                  public static void main(String[] args) {

                      // Typed list, so the for-each loop over String compiles.
                      ArrayList<String> usuarios = new ArrayList<String>();

                      // Must match hashAlgorithm in the login-config.
                      String algoritmo = "MD5";

                      usuarios.add("jose");
                      usuarios.add("silvia");
                      usuarios.add("ruben");
                      usuarios.add("javier");
                      usuarios.add("frufru");
                      usuarios.add("saul");

                      try {
                          for (String i : usuarios) {
                              // Each user's password is set to the user id itself.
                              // The charset must match hashCharset in the login-config.
                              byte[] hash = java.security.MessageDigest.getInstance(algoritmo).digest(i.getBytes("iso-8859-1"));
                              String password = Base64Encoder.encode(hash);
                              System.out.println("update usuarios set password='"+password+"' where id='"+i+"';");
                          }
                      } catch (Exception e) {
                          e.printStackTrace();
                      }
                  }
              }
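
Why the first post's code came out four characters short, as an added example that is not part of the original thread: an MD5 digest is 16 bytes, which is five full 3-byte groups plus one leftover byte, and a streaming Base64 encoder only emits that last group (with its `==` padding) when the stream is closed, which the original snippet never does. `java.util.Base64` (Java 8+) stands in here for `MimeUtility` and `org.jboss.security.Base64Encoder` so the code runs without extra jars; the class and method names are illustrative, and `matches()` is a simplified stand-in for the login module's comparison.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.security.MessageDigest;
import java.util.Base64;

public class Base64StreamTruncation {

    // Push data through a streaming Base64 encoder, with or without close().
    static String encodeViaStream(byte[] data, boolean close) throws Exception {
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        OutputStream enc = Base64.getEncoder().wrap(sink);
        enc.write(data);      // complete 3-byte groups are written through
        if (close) {
            enc.close();      // leftover byte(s) and '=' padding are written here
        }
        return sink.toString("US-ASCII");
    }

    // Simplified stand-in for the module's check (an assumption, not JBoss code):
    // hash the typed password the same way and compare with the stored string.
    static boolean matches(String stored, String typed) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(typed.getBytes("iso-8859-1"));
        return Base64.getEncoder().encodeToString(d).equals(stored);
    }

    public static void main(String[] args) throws Exception {
        // Same inputs as the thread: password "jose", MD5, iso-8859-1.
        byte[] digest = MessageDigest.getInstance("MD5")
                .digest("jose".getBytes("iso-8859-1"));

        String unclosed = encodeViaStream(digest, false);
        String closed = encodeViaStream(digest, true);

        System.out.println("digest length      : " + digest.length + " bytes");
        System.out.println("stream, not closed : " + unclosed);
        System.out.println("stream, closed     : " + closed);
        System.out.println("bytes recoverable from unclosed output: "
                + Base64.getDecoder().decode(unclosed).length);
        System.out.println("login with unclosed value stored: " + matches(unclosed, "jose"));
        System.out.println("login with closed value stored  : " + matches(closed, "jose"));
    }
}
```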