Update the wiki with your results:
http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule

The JaasSecurityDomain position is a function of its dependencies. Since it depends on the JaasSecurityManager, it either needs to be after that service, or use a dependency statement:

 <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
 name="jboss.security:service=JaasSecurityDomain,domain=LdapPassword">
 <constructor>
 <arg type="java.lang.String" value="ServerMasterPassword"/>
 </constructor>
 <!-- The opaque master password file used to decrypt the encrypted
 database password key -->
 <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
 <attribute name="Salt">twsalt12</attribute>
 <attribute name="IterationCount">13</attribute>
 <depends optional-attribute-name="ManagerServiceName">jboss.security:service=JaasSecurityManager</depends>
 </mbean>

Many thanks to cmiles123 for this post.

Most helpful.

Hello People,

I have  tried to encrypt my bindCredential on Jboss 5.1 following the  instructions of Chris  Miles. But unfortunately I can not get  it yet.

First of  all, I integrated the LdapExtLoginModule through the plainTextPassword  satisfactorily. After finished the first step, I configured my  jboss-service.xml and my login-config.xml to encrypt the bindCredential.  But, when my application tries to authenticate I have this message “Bad  Password for usernme=...”.

I have followed exactly this procedure:

a) I generate the server.password file, as shown:

C:\jboss-5.1.0.GA\server\default\conf> java  -cp ../../../common/lib/jbosssx.jar   org.jboss.security.plugins.FilePassword 12345678 17 master server.password

b) I generate the encrypt bindCredential, as shown:

C:\jboss-5.1.0.GA\server\default\conf> java  -cp ../../../common/lib/jbosssx.jar org.jboss.security.plugins.PBEUtils 12345678 17 master theLDAPPassword

Encoded password: 1iiUbPJv1Cwo77b2SigBpa

c) Added the following into jboss-service.xml:

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
<constructor>
<arg type="java.lang.String" value="ServerMasterPassword"/>
</constructor>          
<attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
<attribute name="Salt">12345678</attribute>
<attribute name="IterationCount">17</attribute>
<depends optional-attribute-name="ManagerServiceName">jboss.security:service=JaasSecurityManager</depends>
</mbean>

d) And This is my config on login-config.xml:

<application-policy name="myProject-domain">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.provider.url">ldap://<LdapServer>:389/</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">CN=LdapUser,OU=Usuarios,OU=Sistemas,OU=OU Sectores,OU=OU Administracion,OU=OU General,DC=<myCompany>,DC=com</module-option>                    
<module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</module-option>                     
<module-option name="bindCredential">1iiUbPJv1Cwo77b2SigBpa</module-option>
<module-option name="baseCtxDN">OU=OU General,DC=ad-fravega,DC=com</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>                     
<module-option name="rolesCtxDN">OU=Grupos MyApplication,OU=Grupos,DC=<myCompany>,DC=com</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">CN</module-option>
<module-option name="roleRecursion">-1</module-option>
</login-module>                    
</authentication>
</application-policy>

Additionally, they commented that:

• I used the functionality of the jmx-console code64  and I obtained the same encryption from the command line.

• But, when I used the  decode64 funcionality, I can  not get the original password.

I really would appreciate your help with this issue.

This is a really old post, but it might be helpful to others. I got it to work with JBOSS 4.0.5.GA using the above instructions provided by Chris Miles.  However, there were some key important differences.

1. In the mbean, the value for the constructor argument needs to be the same as the domain= value.  So in the Chris' example, I would expect that

<arg type="java.lang.String" value="ServerMasterPassword"/>

would instead be

<arg type="java.lang.String" value="LdapPassword"/>

This value also needs to be what is specified as the domain in the login-config.xml

2. When running the java commands, the org.jboss.security.plugins.FilePassword "password" parameter needs to be the same as the org.jboss.security.plugins.PBEUtils "domain-password" parameter.  And the org.jboss.security.plugins.PBEUtils "data-source-password" parameter needs to be the Active Directory Bind DN password.

I added logging to the decoder action class

http://www.docjar.com/html/api/org/jboss/security/auth/spi/DecodeAction.java.html

This is the exception.

package access decode caught an exception
java.security.PrivilegedActionException:
java.security.NoSuchAlgorithmException: No transformation given
       at java.security.AccessController.doPrivileged(Native Method)
       at org.jboss.security.auth.spi.DecodeAction.decode(DecodeAction.java:84)
       at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:326)
       at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:276)
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:249)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
       at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
       at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:258)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:417)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:619)
Caused by: java.security.NoSuchAlgorithmException: No transformation given
       at javax.crypto.Cipher.a(DashoA13*..)
       at javax.crypto.Cipher.b(DashoA13*..)
       at javax.crypto.Cipher.getInstance(DashoA13*..)
       at org.jboss.security.auth.spi.DecodeAction.decode(DecodeAction.java:72)
       at org.jboss.security.auth.spi.DecodeAction.decode64(DecodeAction.java:54)
       at org.jboss.security.auth.spi.DecodeAction.run(DecodeAction.java:43)
       ... 34 more

The problem was with

The DecodeAction class that is called by both the LdapExtLoginModule and the LdapLoginModule classes

The original code can be found here

http://www.docjar.com/docs/api/org/jboss/security/auth/spi/DecodeAction.html

I rewrote parts of it to make it look like this. I tried it on JBoss 5.1GA with both the LdapLoginModule and the LdapExtLoginModule and it now works

package org.jboss.security.auth.spi;

import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

import javax.management.MBeanServer;
import javax.management.ObjectName;

import org.apache.log4j.Logger;
import org.jboss.mx.util.MBeanServerLocator;

class DecodeAction implements PrivilegedExceptionAction<Object> {
    protected static Logger _logger = Logger.getLogger(DecodeAction.class);
   

    String password;
    ObjectName serviceName;

    DecodeAction(String password, ObjectName serviceName) {
        _logger.debug("DecodeAction password " + password + " serviceName " +serviceName);
        this.password = password;
        this.serviceName = serviceName;

    }

    /**
     *
     * @return
     * @throws Exception
     */
    public Object run() throws Exception {
        _logger.debug("DecodeAction run fixedDecode64 " + password );

        // Invoke the decodeb64 op
        byte[] secret = decode64(password);

        // Convert to UTF-8 base char array
        String secretPassword = new String(secret, "UTF-8");
       
        //_logger.debug( " secretPassword " +secretPassword);
        return secretPassword.toCharArray();
    }

    private byte[] decode64(String secret) throws Exception {

       
        MBeanServer server = MBeanServerLocator.locateJBoss();
        Object[] params = {secret};
        String[] signature = {"java.lang.String"};
         byte[] decoded = ( byte[]) server.invoke(serviceName, "decode64",
                                          params, signature);

         return decoded;
    }

    static char[] decode(String password, ObjectName serviceName)

            throws Exception {
        DecodeAction action = new DecodeAction(password, serviceName);
        try {
            char[] decode = (char[]) AccessController.doPrivileged(action);
            return decode;
        } catch (PrivilegedActionException e) {
            _logger.debug("package access decode caught an exception ",e );
            throw e.getException();
        }
    }
}

Good day,

how can I migrate this solution on jboss 7 (if it's possible). Thanks for reply.

Has anyone found a solution for JBoss 5.1? I tried Nikos's solution but I can't get the code to compile.

Hello Gavin,

I am uploading the file that works in our workspace with JBoss 5.1GA. What problem do you have with the compilation?

Nikos