3 Replies Latest reply on Mar 7, 2012 3:10 AM by sebbay

    Encoded username & password in custom server login module JBoss 7.1 CR1 (Picketbox 4.0.6)

    snelders

      I'm migrating a client-server application from JBoss 6.1 to JBoss 7.1 CR1 and have run into some problems when trying to get my custom server login module to work.

       

      (JBoss7.1 CR1 uses PicketBox 4.0.6 Beta2)

       

      On the client side I use the org.jboss.security.ClientLoginModule. On the server side I have a custom login module which extends org.jboss.security.auth.spi.UsernamePasswordLoginModule. My implementation is similar to how org.jboss.security.auth.spi.LdapLoginModule is implemented and extends the UsernamePasswordLoginModule.

       

      The problem I run into is that once I call getUsername() (from UsernamePasswordLoginModule) I don't get the username which was used to log in. It seems to be encoded/encrypted. The same happens to my password.

       

      They look like "db80497a-0e75-4d7b-8261-4bb6faf7c9b4" (username) & "d89e062f-4740-4529-a3c9-beb84d73589" (password).

       

      Furthermore, they change every time I try to log in, so if my guess about the encoding is correct there also seems to be a random challenge involved.

       

      The problem is that I don't know why this happens and, more importantly, how to decode this back to my original username & password.

        • 1. Re: Encoded username & password in custom server login module JBoss 7.1 CR1 (Picketbox 4.0.6)
          sebbay

          Hello Jan,

           

          Have you found a solution for this? I'm facing the same problem.

           

          Regards,

          Sebastian

          • 2. Re: Encoded username & password in custom server login module JBoss 7.1 CR1 (Picketbox 4.0.6)
            snelders

            No, unfortunately I haven't seen an answer or a solution to this problem.

             

            I concluded that this just wasn't implemented yet and waited for a fix for bug AS7-2999. Although the JIRA reports that this should be fixed in JBoss 7.1 Final, it still doesn't work for me.

            I posted the same problem on the JBoss forum, which showed some activity yesterday: https://community.jboss.org/message/721598#721598 Hopefully someone will soon tell us all how exactly this works.

             

            Best regards,

             

            Jan Snelders

            • 3. Re: Encoded username & password in custom server login module JBoss 7.1 CR1 (Picketbox 4.0.6)
              sebbay

              This is the code I'm using. In the client I implemented a LoginContext to pass the username/password to the context:

               

              import java.lang.reflect.Constructor;
              import java.util.Properties;
              import javax.ejb.EJBObject;
              import javax.naming.Context;
              import javax.naming.InitialContext;
              import javax.security.auth.callback.CallbackHandler;
              import javax.security.auth.login.Configuration;
              import javax.security.auth.login.LoginContext;

              // JNDI settings for the remote EJB lookup
              final Properties jndiProperties = new Properties();

              jndiProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
              jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
              jndiProperties.put(Context.PROVIDER_URL, "remote://localhost:4447");

              jndiProperties.put("jboss.naming.client.ejb.context", true);
              // SASL_POLICY_NOPLAINTEXT=false permits SASL mechanisms that send the password in plaintext
              jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

              InitialContext context = null;

              try
              {
                        // JAAS client login; LoginConfiguration is not shown in the post
                        Configuration.setConfiguration ( new LoginConfiguration ());
                        Class<?> cb = Class.forName ( "org.jboss.security.auth.callback.UsernamePasswordHandler" );
                        Constructor<?> c = cb.getConstructor ( new Class[] { String.class, char[].class });
                        LoginContext lc = new LoginContext ( "other", ( CallbackHandler ) c.newInstance ( new Object[] { "fapiuser", "guest".toCharArray() }));
                        lc.login();

                        // Remote lookup of the EJB through the naming context
                        context = new InitialContext(jndiProperties);

                        EJBObject ejbObject = (EJBObject) context.lookup("ejb:" + appName + "/" + moduleName + "/" + distinctName + "/" + beanName + "!" + viewClassName);
                        System.out.println("remote: " + ejbObject);

                        ...

               

              On the server side I use a custom login module:

               

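              import javax.security.auth.login.LoginException;
              import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

              public class CustomLoginModule extends UsernamePasswordLoginModule {

                @Override
                protected String getUsersPassword() throws LoginException
                {
                  // Username as received by the server-side login module
                  final String username = super.getUsername();
                  log.info( ">>> username: '" + username + "'" );
                                  ...
                }
              }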

               

              In the JBoss log file I also see the user name as a random UUID.

               

              Regards,

              Sebastian