1. Re: Login encryption not working
starksm64 Dec 9, 2006 11:33 AM (in response to ewade)
There is no automatic encoding of login page passwords. That would require client-side JavaScript or a server-side filter.
-
2. Re: Login encryption not working
ewade Dec 11, 2006 11:03 AM (in response to ewade)
Gee, then what are the module options hashAlgorithm and hashEncoding for?
In the user's guide you say: "This module supports password stacking, password hashing and unauthenticated identity."
Looking up password hashing, I see the manual says: "These modules generally work with plain text passwords, but can also be configured to support hashed passwords to prevent plain text passwords from being stored on the server side."
Again, we're trying to use your database module for login and specify hashing and encoding of plaintext passwords.
If you don't support that, perhaps you need to change your documentation so it's just a bit more clear how and what these options are intended to do.
-
3. Re: Login encryption not working
starksm64 Dec 11, 2006 2:50 PM (in response to ewade)
It's for taking a clear-text password from a user interface and matching it to a hashed database password. You have not given enough info to indicate where this is failing. Details of what is encoded, what is not, and the debug logging are needed if you want better feedback.
http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossHelp
-
4. Re: Login encryption not working
ewade Dec 11, 2006 5:32 PM (in response to ewade)
Ok. Then perhaps I am not being clear. That is precisely what I am trying to do.
I have (correctly) encrypted and encoded passwords stored in my database.
We are using the database server login module. It works fine for clear text passwords -- that is, passwords stored and entered as plain text. However, when we try to turn on the encryption/encoding it does not work any differently than it did when we did not have these options enabled.
You can see my config set up in the first post.
Here is what happens. For purposes of this test, I have stored one user with a plain text password.
Scenario 1:
User has plain text (clear) password stored.
Logon with correct plain text password works.
It should not work with encryption turned on.
(I can provide an excerpt of the server log file if you need it, but it is lengthy.)
Scenario 2:
User has plain text password stored.
Logon with incorrect password.
It fails, which is the expected outcome.
Here is an excerpt from the server log.
2006-12-11 15:58:13,656 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=E0andre
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.contexts.Lifecycle] >>> Begin web request
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.Component] instantiating Seam component: org.jboss.seam.core.manager
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.core.Manager] No stored conversation
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.contexts.Contexts] found in application context: org.jboss.seam.core.init
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.jsf.AbstractSeamPhaseListener] After restoring conversation context: ConversationContext(5)
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.Component] instantiating Seam component: facesMessages
2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 5
2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 5
2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] After render response, destroying contexts
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying event context
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.request_uri
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.context_path
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.servlet_path
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.jboss.seam.core.manager
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: class org.apache.myfaces.renderkit.html.util.JavascriptUtils.OLD_VIEW_ID
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.apache.myfaces.application.jsp.JspStateManagerImpl.SERIALIZED_VIEW
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: com.sun.facelets.legacy.ELCONTEXT
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying conversation context
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: facesMessages
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing server-side conversation context
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] <<< End web request
Scenario 3:
User has (correctly) encrypted password stored in the database.
Logon using matching plain text password.
It fails, which it should not. Here is the excerpt from the server.log:
2006-12-11 16:03:06,343 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=E0ewade
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.contexts.Lifecycle] >>> Begin web request
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.Component] instantiating Seam component: org.jboss.seam.core.manager
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.core.Manager] No stored conversation
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.contexts.Contexts] found in application context: org.jboss.seam.core.init
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.jsf.AbstractSeamPhaseListener] After restoring conversation context: ConversationContext(14)
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.Component] instantiating Seam component: facesMessages
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 14
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 14
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] After render response, destroying contexts
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying event context
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.request_uri
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.context_path
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.servlet_path
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.jboss.seam.core.manager
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: class org.apache.myfaces.renderkit.html.util.JavascriptUtils.OLD_VIEW_ID
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.apache.myfaces.application.jsp.JspStateManagerImpl.SERIALIZED_VIEW
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: com.sun.facelets.legacy.ELCONTEXT
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying conversation context
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: facesMessages
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing server-side conversation context
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] <<< End web request
Scenario 4:
User has encrypted password stored in the database.
Logon is done with the encrypted string.
Result: Logon succeeds when it should fail.
(Again, this is a really long log entry, but it is exactly like scenario 1.)
In summary, even though I have done my very best to enable encryption (hashing) and encoding, the login module is behaving as though these things are not turned on. What do I need to do to get it to work?
Elise
-
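The check starksm64 describes in reply 3 (hash the clear-text password the user typed, encode the digest, compare the result with the stored database value) and the four scenarios in the post above, modelled in Python as an added example. This is not JBoss's own code and not the poster's configuration: it assumes UTF-8 as the hash charset, models only the base64 and hex encodings, maps the JCA name "SHA" to SHA-1, and uses a constructed password ("secret") with a constructed MD5/base64 stored value. The last entry shows what happens when the options are not in effect, which is the symptom reported in Scenario 4.

```python
"""Model of a JAAS database login module's password check with
hashAlgorithm / hashEncoding set (added example, not JBoss code)."""
import base64
import hashlib
import hmac
from typing import Dict, Optional


def hash_password(clear_text: str, hash_algorithm: str,
                  hash_encoding: str = "base64", charset: str = "utf-8") -> str:
    """Return the encoded digest that belongs in the database for clear_text.

    Assumptions: JCA names (MD5, SHA, SHA-256) are mapped onto hashlib names,
    with the JDK alias "SHA" meaning SHA-1; only the base64 and hex encodings
    are modelled; charset defaults to UTF-8 (the real module uses the platform
    default unless hashCharset is set).
    """
    algo = hash_algorithm.lower().replace("-", "")
    if algo == "sha":
        algo = "sha1"
    digest = hashlib.new(algo, clear_text.encode(charset)).digest()
    encoding = hash_encoding.lower()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "hex":
        return digest.hex()
    raise ValueError(f"unsupported hashEncoding: {hash_encoding}")


def login(stored: str, submitted: str, hash_algorithm: Optional[str] = None,
          hash_encoding: str = "base64") -> bool:
    """Accept or reject a login.

    With hash_algorithm set, the clear-text value from the form is hashed and
    encoded before comparison, so the stored value must already be a digest.
    With it unset (or configured in the wrong policy, as in the thread), the
    two strings are compared as-is.
    """
    candidate = (submitted if hash_algorithm is None
                 else hash_password(submitted, hash_algorithm, hash_encoding))
    # Constant-time comparison; an addition of this example, not something
    # the thread discusses.
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))


# Constructed test data: the password "secret" and its MD5/base64 digest.
STORED_CLEAR = "secret"
STORED_HASHED = hash_password("secret", "MD5", "base64")


def run_scenarios() -> Dict[str, bool]:
    """The four scenarios from the post, plus the misconfigured case."""
    return {
        # 1: clear text stored, hashing on, correct clear text typed -> rejected,
        #    because md5("secret") is not the string "secret"
        "1_clear_stored_hashing_on": login(STORED_CLEAR, "secret", "MD5"),
        # 2: clear text stored, wrong password typed -> rejected either way
        "2_wrong_password": login(STORED_CLEAR, "wrong", "MD5"),
        # 3: digest stored, matching clear text typed -> accepted
        "3_hash_stored_clear_typed": login(STORED_HASHED, "secret", "MD5"),
        # 4: digest stored, the digest string itself typed -> rejected,
        #    because it gets hashed a second time
        "4_hash_stored_hash_typed": login(STORED_HASHED, STORED_HASHED, "MD5"),
        # 4 again with the options not in effect: plain string compare, so the
        #    pasted digest is accepted. This is the symptom the poster saw.
        "4_options_not_in_effect": login(STORED_HASHED, STORED_HASHED),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The stored value has to be produced with the same algorithm, encoding and charset that the policy configures; any mismatch shows up only as the same "Bad password for username=..." debug line seen in the excerpts above, which is why the log alone could not tell which side was wrong.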
5. Re: Login encryption not working
starksm64 Dec 12, 2006 1:29 PM (in response to ewade)
The HsqlDbRealm you show is for connecting to the database as the indicated user. This is not the security domain you would be using for your web app. Show the configuration for the security domain referenced by your web app.
-
6. Re: Login encryption not working
ewade Dec 12, 2006 3:52 PM (in response to ewade)
Never mind. I put the options in the wrong policy. When I put them in the correct policy it works as advertised. I was looking in the wrong places to solve my problem.
Thanks for the help.
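For reference, an added login-config.xml fragment (not the poster's configuration, which is not reproduced on this page) showing the distinction drawn in replies 5 and 6: the policy that authenticates the web application is the one that carries hashAlgorithm and hashEncoding, while the HsqlDbRealm policy only supplies the credentials the datasource uses to connect to the database. The policy name "my-app", the datasource JNDI name, and the table and column names are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <!-- Datasource login: used by the DefaultDS connection manager to log in to
       HSQLDB as "sa". Putting hashAlgorithm/hashEncoding here has no effect on
       web-application logins, which is the mistake described in reply 6. -->
  <application-policy name="HsqlDbRealm">
    <authentication>
      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule"
                    flag="required">
        <module-option name="principal">sa</module-option>
        <module-option name="userName">sa</module-option>
        <module-option name="password"></module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Application login: this is the security domain the web application
       references, so this is where the hashing options belong.
       Assumed names: policy "my-app", table USERS with columns USERNAME and
       PASSWD, table USER_ROLES with columns USERNAME and ROLE. -->
  <application-policy name="my-app">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
        <module-option name="dsJndiName">java:/DefaultDS</module-option>
        <module-option name="principalsQuery">select PASSWD from USERS where USERNAME=?</module-option>
        <module-option name="rolesQuery">select ROLE, 'Roles' from USER_ROLES where USERNAME=?</module-option>
        <!-- The clear text from the login form is hashed with MD5 and
             base64-encoded before it is compared with PASSWD, so PASSWD must
             hold the base64 MD5 digest, not the clear-text password. -->
        <module-option name="hashAlgorithm">MD5</module-option>
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

The web application selects the second policy through the security-domain element in WEB-INF/jboss-web.xml (java:/jaas/my-app for the assumed name above); whichever policy that element names is the one whose module options apply to form logins. MD5 and SHA-1 without a salt are weak choices for stored credentials and appear here only because they are what the thread discusses.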