5 Replies Latest reply on Nov 15, 2005 7:29 AM by edgar.silva

    Extending DatabaseServerLoginModule

    edgar.silva

      Hi Folks...

      I have a particular issue in my application: I am storing the passwords using the MD5 algorithm to improve security.

      To do it, I created a new class extending DatabaseServerLoginModule, and I just changed the login method.

      My change is not working: I just get the plain password sent through HTTP BASIC, apply MD5 and compare one with the other, and it does not work.

      Could somebody help with some trick to solve it?

      The following code is part of my implementation for that scenario:

      import java.security.Principal;
      import javax.security.auth.login.FailedLoginException;
      import javax.security.auth.login.LoginException;
      import org.jboss.logging.Logger;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.auth.spi.DatabaseServerLoginModule;

      public class MD5DatabaseServerLoginModule extends DatabaseServerLoginModule
      {
          /** The login identity */
          private Principal identity;
          /** The proof of login identity */
          private char[] credential;

          /** The parent's identity field is private, so commit() would see null
           *  unless the accessor is overridden to return this subclass's identity. */
          protected Principal getIdentity()
          {
              return identity;
          }

          /** Perform the authentication of the username and password.
           */
          public boolean login() throws LoginException
          {
              // log to test only here
              Logger log = Logger.getLogger(MD5DatabaseServerLoginModule.class);

              // See if shared credentials exist
              if( super.login() == true )
              {
                  // Setup our view of the user
                  Object username = sharedState.get("javax.security.auth.login.name");
                  if( username instanceof Principal )
                      identity = (Principal) username;
                  else
                  {
                      String name = username.toString();
                      identity = new SimplePrincipal(name);
                  }
                  Object password = sharedState.get("javax.security.auth.login.password");
                  if( password instanceof char[] )
                      credential = (char[]) password;
                  else if( password != null )
                  {
                      String tmp = password.toString();
                      credential = tmp.toCharArray();
                  }
                  return true;
              }

              super.loginOk = false;
              String[] info = getUsernameAndPassword();
              String username = info[0];
              String password = info[1];
              // The parent's credential field is private, so keep our own copy for the shared state below
              if( password != null )
                  credential = password.toCharArray();
              // debug only: this writes the plain password to the log
              log.debug("Senha informada vindo do INFO"+ password);
              if( username == null && password == null )
              {
                  identity = unauthenticatedIdentity;
                  //super.log.trace("Authenticating as unauthenticatedIdentity="+identity);
              }

              if( identity == null )
              {
                  identity = new SimplePrincipal(username);

                  // Validate the password supplied by the subclass
                  String expectedPassword = getUsersPassword();
                  log.debug("Senha vindo do banco :" + expectedPassword);

                  // Hash the user entered password with the MD5Util helper posted below
                  password = MD5Util.encrypt(password);
                  log.debug("Senha criptografada:"+ password);

                  log.debug(password+"=="+expectedPassword);
                  log.info(password+"=="+expectedPassword);

                  if( validatePassword(password,expectedPassword) == false )
                  {
                      throw new FailedLoginException("Password Incorrect/Password Required");
                  }
              }

              if( getUseFirstPass() == true )
              { // Add the username and password to the shared state map
                  sharedState.put("javax.security.auth.login.name", username);
                  sharedState.put("javax.security.auth.login.password", credential);
              }
              loginOk = true;
              log.debug("Login?" + loginOk);
              return true;
          }
      }


      My class to apply MD5 is the following:

      import java.security.MessageDigest;
      import java.security.NoSuchAlgorithmException;

      /**
       * Utility class for MD5
       * @author Edgar Silva
       */
      public class MD5Util {
          static private final MessageDigest MD5 = getMessageDigest();
          static private final char[] INT_TO_CHAR = {'0', '1', '2', '3', '4', '5', '6',
                                                     '7', '8', '9', 'a', 'b', 'c', 'd',
                                                     'e', 'f'};

          /** Creates a new instance of MD5Util */
          private MD5Util() {
          }

          private static MessageDigest getMessageDigest() {
              try {
                  return MessageDigest.getInstance("MD5");
              } catch (NoSuchAlgorithmException nsae) {
                  throw new ExceptionInInitializerError(nsae);
              }
          }

          public static String encrypt(String senha) {
              final StringBuffer ret = new StringBuffer(32);

              try {
                  // clone: a MessageDigest is stateful and not safe to share between threads
                  final byte[] digest = ((MessageDigest)MD5.clone()).digest(
                      senha.getBytes()   // platform default charset; the DB value must be built with the same one
                  );

                  int b;
                  for (int i = 0; i < digest.length; i++) {
                      // Java bytes are signed: mask to 0..255 rather than negating,
                      // otherwise every byte >= 0x80 becomes the wrong hex pair
                      b = digest[i] & 0xFF;

                      ret.append(INT_TO_CHAR[(b & 0x00F0) >> 4])
                         .append(INT_TO_CHAR[b & 0x000F]);
                  }

                  return ret.toString();
              } catch (CloneNotSupportedException cnse) {
                  throw new Error(cnse);
              }
          }
      }



      I hope I have explained my trouble and situation... Thanks in advance for any help!

      Best Regards

      Edgar Silva

        • 1. Re: Extending DatabaseServerLoginModule
          starksm64

          The DatabaseServerLoginModule already supports hashing of passwords by any digest supported by the JDK. I suggest you revisit this capability and describe why it does not work for you before extending DatabaseServerLoginModule.

          • 2. Re: Extending DatabaseServerLoginModule
            edgar.silva

            Hi Scott,

            My non-functional requirements say something about the number of chars (32 chars) I must persist in the Database.

            Have you any idea how to implement it? I have been looking for it in the Docs but I haven't found it.

            As an example of some password you can see: 97a65a518cd04a3b134b89c4680a213a

            Ok, if I set my web.xml for DIGEST I think it can't work. As I was reading in the JBoss Doc and its sources, I only need to change the login method, but if you have another technique, I will be glad to know it!

            Thanks

            Edgar A Silva

            • 3. Re: Extending DatabaseServerLoginModule
              edgar.silva

              I changed my web.xml portion to DIGEST as the following code:

              <security-constraint>
                <web-resource-collection>
                  <web-resource-name>action</web-resource-name>
                  <description>Aplicacao</description>
                  <url-pattern>*.do</url-pattern>
                  <http-method>HEAD</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
                  <http-method>DELETE</http-method>
                </web-resource-collection>
                <auth-constraint>
                  <role-name>GERENTE</role-name>
                </auth-constraint>
                <user-data-constraint>
                  <description>no description</description>
                  <transport-guarantee>NONE</transport-guarantee>
                </user-data-constraint>
              </security-constraint>
              <login-config>
                <auth-method>DIGEST</auth-method>
                <realm-name>Q2 Realm</realm-name>
              </login-config>



              And I changed my login-config to:

              <application-policy name="q2security">

                <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                  <module-option name="dsJndiName">java:/CorporativoDS</module-option>
                  <module-option name="principalsQuery">

              .............



              I wanna do this, but I wanna hide the password from any malicious access, so I am using MD5 hashing... I could use LDAP, but my customer wants to use this.... I think it is too simple, and an appropriate scenario to override the login method in the DatabaseServerLoginModule class. Am I wrong???

              Thanks

              Edgar

              • 4. Re: Extending DatabaseServerLoginModule
                starksm64

                DIGEST auth has nothing to do with MD5 hashed passwords. It's an alternative web authentication mechanism that uses a challenge/response mechanism to hash the input password. MD5 is a 32 byte digest, so what is the problem with configuring DatabaseServerLoginModule like:

                <policy>
                  <application-policy name="someRole">
                    <authentication>
                      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                        ...
                        <module-option name="hashAlgorithm">MD5</module-option>
                        <module-option name="hashEncoding">base64</module-option>
                      </login-module>
                    </authentication>
                  </application-policy>
                </policy>
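                As an added example (not JBoss code and not from either poster): a small helper that computes the column value the stock DatabaseServerLoginModule compares against once hashAlgorithm=MD5 is set, for both accepted hashEncoding values. A 16-byte MD5 digest is 32 characters as hex (the length Edgar's requirement asks for) and 24 characters as base64. Class and method names are hypothetical, and java.util.Base64 assumes Java 8 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/** Hypothetical helper: builds the stored value for a given
 *  hashAlgorithm / hashEncoding pair (not part of JBoss). */
public final class StoredPasswordHash {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    private StoredPasswordHash() {}

    /** Raw digest of the password bytes. The charset must match what the
     *  login module uses at runtime, so fix it explicitly rather than
     *  relying on the platform default. */
    static byte[] digest(String algorithm, String password) {
        try {
            return MessageDigest.getInstance(algorithm)
                                .digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("unsupported hashAlgorithm: " + algorithm, e);
        }
    }

    /** hashEncoding=hex: 16 MD5 bytes become 32 lowercase hex chars. */
    static String toHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            int v = b & 0xFF;            // mask, never negate: Java bytes are signed
            sb.append(HEX[v >>> 4]).append(HEX[v & 0x0F]);
        }
        return sb.toString();
    }

    /** hashEncoding=base64: 16 MD5 bytes become 24 chars (with "==" padding). */
    static String toBase64(byte[] digest) {
        return Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) {
        byte[] d = digest("MD5", "edgarsilva");   // constructed sample password
        String hex = toHex(d);
        String b64 = toBase64(d);
        System.out.println("hex    (" + hex.length() + " chars): " + hex);
        System.out.println("base64 (" + b64.length() + " chars): " + b64);
    }
}
```

Whichever encoding is chosen, the value written to the database and the hashEncoding option must agree, otherwise validatePassword never matches.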
                



                • 5. Re: Extending DatabaseServerLoginModule
                  edgar.silva

                  Hi Scott...

                  I am moving the implementation to use LDAP, so I will use the standard jboss login module, and I am sure it works fine, cause I did it in the past.

                  The foundation of that question is too simple: I don't wanna keep plain passwords in some column in the Database. Is there a util jboss class available to encrypt the passwords, and then with this to promote a real secure login based on the database?

                  I don't wanna store my user name as edgar, pass edgarsilva; however I would like to store edgar and pass abobora547454@wewdSD, and based on some login module I can process it appropriately, no matter if I use BASIC or FORM authentication. It could be a nice feature inside the Application Server's login module.

                  Some final idea?

                  Best Regards

                  Edgar Silva