10 Replies Latest reply on Feb 13, 2009 5:19 PM by marcioendo.marcioendo.gmail.com

    Userpassword with hash doesnt seem to work

    cash1981

      Hello all.


      I have a Seam application and I have come to the point where I want to start creating my user administration page. I have up until now had the @UserPassword(hash = none) and that has worked fine.
      But then I wanted to create my first user with a password and then copy that password to import.sql.


      However, when I create my user and persist it, it still persists the password as plain text, and it doesn't hash it. I wonder why.
      I am using the new Seam 2.1 security and I have tried to follow the seam-space example.


      I have created an s:button in my login that just calls my Development class that tries to persist a new user.



             public void createUser() {
                 ProcessUser pu = new ProcessUser();
                 pu.setFirstname("adminFirst");
                 pu.setLastname("adminLast");
                 pu.setUsername("admin");
                 pu.setPasswordHash("admin");

                 Role role = (Role) entityManager.createQuery("from Role").getResultList().get(0);
                 Set<Role> roles = new HashSet<Role>();
                 roles.add(role);
                 pu.setRoles(roles);

                 entityManager.persist(pu);
                 entityManager.flush();
             }
      


        • 1. Re: Userpassword with hash doesnt seem to work
          mwohlf

          Not sure what your pu.setPasswordHash() method is doing; probably it doesn't apply the hashing. I use identityManager to create users, and the hashing is applied to the passwd:


          identityManager.createUser(login,passwd,firstname,lastname)


          You can even implement your own hash function by extending
          org.jboss.seam.security.management.PasswordHash

          • 2. Re: Userpassword with hash doesnt seem to work
            cash1981

            I didn't know I needed to manually apply hash.


            This is my getter/setter



                 @UserPassword(hash = "md5")
                 public String getPasswordHash() {
                      return passwordHash;
                 }

                 public void setPasswordHash(String passwordHash) {
                      this.passwordHash = passwordHash;
                 }



            The setPasswordHash isn't doing anything special, but I thought that would be done automatically for us.
            Is there an annotation I can use? Or do I need to do it programmatically?

            • 3. Re: Userpassword with hash doesnt seem to work
              marcioendo.marcioendo.gmail.com

              For automatic hashing to occur you have to go through the IdentityManager interface.


              As Michael pointed out, you HAVE to use the IdentityManager methods to CRUD your users


              identityManager.createUser("login","passwd","firstname","lastname")



              If you just use the


              EntityManager.persist(pu) 



              no hashing will occur.

              • 4. Re: Userpassword with hash doesnt seem to work
                cash1981

                Whatever I do, I get it wrong. I mainly have two problems.
                First of all, I want to create a hashed password that I can put in import.sql. However, I cannot do that because IdentityManager requires me to be logged in.


                So I have to change from md5 to none '@UserPassword(hash=none)'
                When I do this, and log in, then I go to my user registration form which works fine without using identityManager.


                When I try to say identityManager.createUser(...)
                I get a org.jboss.seam.security.AuthorizationException: Authorization check failed for permission seam.user,create


                So there is my current problem...


                If you need to see the ProcessUser entity and my form and action component let me know.

                • 5. Re: Userpassword with hash doesnt seem to work
                  cash1981

                  I changed the debug levels of Seam and found out that jpaIdentityStore component is not found. I wonder why!
                  I have in components.xml written:



                     <security:rule-based-permission-resolver security-rules="#{securityRules}"/> 
                     
                     <!--  using seams jpaIdentity store  -->
                     <security:identity-manager identity-store="#{jpaIdentityStore}"/>
                     <security:jpa-identity-store 
                               user-class="no.saksapp.model.ProcessUser"
                               role-class="no.saksapp.model.Role"/>




                  Here is what log4j said:



                  12 Feb 09 16:58:13, DEBUG  org.jboss.seam.contexts.Contexts:lookupInStatefulContexts:202 found in session context: org.jboss.seam.security.identity 
                  
                  12 Feb 09 16:58:13, DEBUG  org.jboss.seam.Component:getValueToInject:2260 trying to inject with hierarchical context search: identityManager 
                  12 Feb 09 16:58:13, TRACE  org.jboss.seam.Component:newInstance:2079 instantiating Seam component: org.jboss.seam.security.identityManager 
                  12 Feb 09 16:58:13, TRACE  org.jboss.seam.Component:initialize:1487 initializing new instance of: org.jboss.seam.security.identityManager 
                  
                  12 Feb 09 16:58:13, TRACE  org.jboss.seam.core.Events:raiseEvent:62 Processing event:org.jboss.seam.preSetVariable.org.jboss.seam.security.identityManager 
                  12 Feb 09 16:58:13, TRACE  org.jboss.seam.core.Events:raiseEvent:62 Processing event:org.jboss.seam.postSetVariable.org.jboss.seam.security.identityManager 
                  12 Feb 09 16:58:13, TRACE  org.jboss.seam.Component:initialize:1487 initializing new instance of: org.jboss.seam.security.identityManager 
                  12 Feb 09 16:58:13, DEBUG  org.jboss.seam.Component:getInstance:1984 seam component not found: jpaIdentityStore 
                  


                  • 6. Re: Userpassword with hash doesnt seem to work
                    marcioendo.marcioendo.gmail.com

                    When I try to say identityManager.createUser(...)
                    I get a org.jboss.seam.security.AuthorizationException: Authorization check failed for permission seam.user,create


                    That is not an error and is the expected behavior.


                    You need to make sure you are logged in with a user which has that kind of permission.


                    You should look here for more info on that.


                    Another option is to hash the password yourself. As from the JpaIdentityStore source code:


                    PasswordHash.instance().generateSaltedHash(password, salt);



                    where salt is the user's username.
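
Added example, not part of the original thread and not Seam's own code: the poster's createUser() from the first message, changed to hash the password with the call quoted in the reply above before persisting, and to refuse to store a value that is still the clear text. ProcessUser, Role and the injected entityManager are the poster's own, as shown on the page; the component name `development` is an assumption.

```java
import java.util.HashSet;
import java.util.Set;
import javax.persistence.EntityManager;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.security.management.PasswordHash;

@Name("development") // hypothetical component name, not from the thread
public class Development {

    @In
    private EntityManager entityManager;

    public void createUser() {
        String username = "admin";
        String clearText = "admin"; // development-only seed password

        // The call quoted from JpaIdentityStore in the reply above,
        // with the username as the salt phrase.
        String hash = PasswordHash.instance().generateSaltedHash(clearText, username);

        // Guard against the original symptom: never persist the clear text.
        if (hash == null || hash.equals(clearText)) {
            throw new IllegalStateException("password was not hashed");
        }

        ProcessUser pu = new ProcessUser();
        pu.setFirstname("adminFirst");
        pu.setLastname("adminLast");
        pu.setUsername(username);
        pu.setPasswordHash(hash); // the setter stores whatever it is given

        Role role = (Role) entityManager.createQuery("from Role").getResultList().get(0);
        Set<Role> roles = new HashSet<Role>();
        roles.add(role);
        pu.setRoles(roles);

        // EntityManager.persist() applies no hashing, so the value set
        // above is exactly what ends up in the database.
        entityManager.persist(pu);
        entityManager.flush();
    }
}
```

The persisted hash is the value to copy into import.sql for that username.
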

                    • 7. Re: Userpassword with hash doesnt seem to work
                      cash1981
                      I see. So IdentityManager is using drools as rules engine?

                      I have thought about hashing myself with the Observer JpaIdentityStore.EVENT_PRE_PERSIST_USER.
                      However I would like a JpaIdentityStore.BEFORE_USER_AUTHENTICATED or something similar, so that I can convert the hash manually. But there is nothing called BEFORE_USER_AUTHENTICATED. I only find JpaIdentityStore.EVENT_USER_AUTHENTICATED. Can I use this Observer?
                      • 8. Re: Userpassword with hash doesnt seem to work
                        cash1981

                        Thank you Marcio. I do the hashing manually now and that worked just great!

                        • 9. Re: Userpassword with hash doesnt seem to work
                          uesker

                          Hi!
                          Is there a way to run the method identityManager.createUser(...) that doesn't require the user to be authenticated?
                          Thanks!

                          • 10. Re: Userpassword with hash doesnt seem to work
                            marcioendo.marcioendo.gmail.com

                            Is there a way to run the method identityManager.createUser(...) that doesn't require the user to be authenticated?
                            Thanks!


                            I don't think there is. You will have to extend IdentityManager and override the method so it doesn't call checkPermission(...).


                            And you can always create a separate component and call IdentityStore directly or bypass it entirely...


                            Just take a look at the IdentityManager source code.