Issue in encrypting the password using MD5
tonyjim May 7, 2009 11:59 PM
I am using JBoss 4.2.2GA application server with Struts and EJB.
I am trying to encrypt the password using the message digest MD5 (given below) and store it in the mysql DB.
Using DatabaseServerLoginModule, I am trying to authenticate, but it's failing. Please help on this.
Please help me check whether any configuration setting needs to be done.
login.config.xml
==================
<application-policy name="testDB">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <module-option name="hashUserPassword">true</module-option>
      <module-option name="hashStorePassword">true</module-option>
      <module-option name="dsJndiName">java:/MySqlDS</module-option>
      <module-option name="principalsQuery"> select passwd from Users username where username=?</module-option>
      <module-option name="rolesQuery"> select userRoles, 'Roles' from UserRoles where username=?</module-option>
    </login-module>
  </authentication>
</application-policy>
I am using the below program to encrypt the password using MD5 and storing the encrypted value "5f4dcc3b5aa765d61d8327deb882cf99" in the mysql table.

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class MainClass {
    public static void main(String args[]) throws Exception {
        String sessionid = "password";
        // getBytes() uses the platform default charset
        byte[] defaultBytes = sessionid.getBytes();
        System.out.println("defaultBytes ::" + defaultBytes);
        try {
            MessageDigest algorithm = MessageDigest.getInstance("MD5");
            algorithm.reset();
            algorithm.update(defaultBytes);
            byte messageDigest[] = algorithm.digest();
            StringBuffer hexString = new StringBuffer();
            for (int i = 0; i < messageDigest.length; i++) {
                // index the digest byte and zero-pad so every byte gives two hex digits
                String hex = Integer.toHexString(0xFF & messageDigest[i]);
                if (hex.length() == 1) {
                    hexString.append('0');
                }
                hexString.append(hex);
            }
            String foo = messageDigest.toString();
            System.out.println("sessionid " + sessionid + " md5 version is " + hexString.toString());
            System.out.println("foo " + foo);
            sessionid = hexString + "";
        } catch (NoSuchAlgorithmException nsae) {
            // MD5 is always available in the JDK, so this is not expected
        }
    }
}

output:
-------
defaultBytes ::[B@192d342
sessionid password md5 version is 5f4dcc3b5aa765d61d8327deb882cf99
foo [B@167d940
my mysql tables
mysql> select * from userroles;
+----------+-----------+
| username | userRoles |
+----------+-----------+
| ram      | admin     |
| sachin   | guest     |
| tiger    | admin     |
+----------+-----------+
3 rows in set (0.14 sec)

mysql> select * from users;
+----------+----------------------------------+
| username | passwd                           |
+----------+----------------------------------+
| ram      | passwd                           |
| sachin   | passwd                           |
| tiger    | 5f4dcc3b5aa765d61d8327deb882cf99 |
+----------+----------------------------------+
3 rows in set (0.17 sec)

Getting the error message:
19:51:29,212 DEBUG [DatabaseServerLoginModule] Bad password for username=tiger
web.xml
==========
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Testing</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
But for the userid "ram" and password "passwd", I am able to login. Whereas for the user "tiger" with the encrypted password, I am not able to login.
Please throw some light on it. Please help me check the configuration in login-config.xml.
And I have another doubt. If a user attempts to enter an invalid password more than 5 times, we need to lock his account.
Does JBoss' DatabaseServerLoginModule or any other login module provide this functionality? If not, how can it be achieved?
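The configuration above sets hashEncoding to base64, so the login module hashes the submitted password, base64-encodes the digest and compares that string with the passwd column; the value stored for "tiger" is the hex digest produced by the Java program, which is why the comparison fails while the plaintext user "ram" works. The following Python is an added illustration, not part of the post and not JBoss code: it computes the MD5 of the same plaintext in both encodings, mirrors the module's comparison, and also shows the zero-padding defect of the post's original hex loop (a digest byte below 0x10 yields one hex digit instead of two). The function names and the "diagnose" heuristic are introduced here; on the JBoss side, org.jboss.security.Util.createPasswordHash produces the stored value in whatever encoding the module is configured with.

```python
import base64
import hashlib
import hmac

# Constructed sample: the same plaintext the post hashes.
SAMPLE_PASSWORD = "password"


def md5_digest(password: str, charset: str = "utf-8") -> bytes:
    """Raw 16-byte MD5 of the password (what MessageDigest.digest() returns).
    The Java program used the platform default charset; utf-8 is assumed here."""
    return hashlib.md5(password.encode(charset)).digest()


def hash_hex(password: str) -> str:
    """What hashEncoding=hex expects: 32 lowercase hex chars, zero-padded."""
    return md5_digest(password).hex()


def hash_base64(password: str) -> str:
    """What hashEncoding=base64 expects: 24 chars for a 16-byte digest."""
    return base64.b64encode(md5_digest(password)).decode("ascii")


def unpadded_hex(password: str) -> str:
    """Reproduces Integer.toHexString(0xFF & b) with no zero padding, as in the
    post's original loop: a byte below 0x10 yields a single digit, so the
    resulting string is shorter than 32 characters and never matches."""
    return "".join(format(b, "x") for b in md5_digest(password))


def module_would_accept(stored: str, presented: str, hash_encoding: str) -> bool:
    """Mirror the login module's check: hash the presented password, encode it
    with the configured hashEncoding, and compare against the stored string."""
    encoders = {"hex": hash_hex, "base64": hash_base64}
    expected = encoders[hash_encoding](presented)
    # constant-time comparison; both strings are ASCII
    return hmac.compare_digest(expected, stored)


def diagnose_stored_value(stored: str) -> str:
    """Heuristic (introduced here): guess the encoding of a stored MD5 value
    from its shape, to spot a hashEncoding mismatch quickly."""
    if len(stored) == 32 and all(c in "0123456789abcdefABCDEF" for c in stored):
        return "hex"
    if len(stored) == 24 and stored.endswith("=="):
        return "base64"
    return "unknown"


if __name__ == "__main__":
    stored_in_post = "5f4dcc3b5aa765d61d8327deb882cf99"
    print("hex    :", hash_hex(SAMPLE_PASSWORD))
    print("base64 :", hash_base64(SAMPLE_PASSWORD))
    print("stored value looks like:", diagnose_stored_value(stored_in_post))
    print("accepted with hashEncoding=base64:",
          module_would_accept(stored_in_post, SAMPLE_PASSWORD, "base64"))
    print("accepted with hashEncoding=hex   :",
          module_would_accept(stored_in_post, SAMPLE_PASSWORD, "hex"))
    print("unpadded hex of 'a' has", len(unpadded_hex("a")), "chars")
```

Either store the base64 form (hash_base64 gives "X03MO1qnZdYdgyfeuILPmQ==" for "password") or change hashEncoding to hex so it matches what is already in the table; the two settings must agree for every row, and MD5 itself is unsalted and fast, so a stronger algorithm with salting is the better long-term choice.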
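The last paragraph asks how to lock an account after repeated invalid passwords. None of the module options shown in the post configure such a limit, so the sketch below is an added illustration of how the check is usually layered in front of password verification; it is not JBoss code. It keeps a per-user consecutive-failure counter in memory (a deployment would persist it beside the Users table and expose the reset to an administrator), refuses to evaluate the password once the account is locked, and counts unknown usernames too so the response does not reveal which names exist. MAX_FAILED_ATTEMPTS, LockoutPolicy, attempt_login and the USERS table are all introduced here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 5  # threshold taken from the post's requirement


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False


class LockoutPolicy:
    """Counts consecutive failed logins per username and locks the account once
    the count reaches the threshold. State is in memory here for illustration."""

    def __init__(self, max_failed: int = MAX_FAILED_ATTEMPTS) -> None:
        self.max_failed = max_failed
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username: str) -> bool:
        return self._state(username).locked

    def record_failure(self, username: str) -> bool:
        """Increment the counter; returns True once the account is locked."""
        state = self._state(username)
        state.failed_attempts += 1
        if state.failed_attempts >= self.max_failed:
            state.locked = True
        return state.locked

    def record_success(self, username: str) -> None:
        """A successful login resets the consecutive-failure count."""
        self._state(username).failed_attempts = 0

    def unlock(self, username: str) -> None:
        """Administrative reset of a locked account."""
        self._accounts[username] = AccountState()


# Constructed user table: username -> hex MD5 of the password, as in the post.
USERS: Dict[str, str] = {"tiger": "5f4dcc3b5aa765d61d8327deb882cf99"}


def attempt_login(policy: LockoutPolicy, users: Dict[str, str],
                  username: str, password: str) -> str:
    """Returns 'locked', 'ok' or 'bad_password'. The lock is checked before the
    password, so a locked account stays locked even on a correct guess."""
    if policy.is_locked(username):
        return "locked"
    stored: Optional[str] = users.get(username)
    presented = hashlib.md5(password.encode("utf-8")).hexdigest()
    # Unknown usernames fall through to the failure path and are counted too.
    if stored is not None and hmac.compare_digest(stored, presented):
        policy.record_success(username)
        return "ok"
    policy.record_failure(username)
    return "bad_password"


if __name__ == "__main__":
    policy = LockoutPolicy()
    for attempt in range(1, 7):
        print(attempt, attempt_login(policy, USERS, "tiger", "wrong"))
    print("correct password after lock:",
          attempt_login(policy, USERS, "tiger", "password"))
```

Because a single counter per username lets anyone lock another user out by guessing badly on purpose, deployments typically pair this with a time-based automatic unlock or a per-source rate limit rather than a permanent lock; the structure of the check stays the same.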