1 Reply Latest reply on Jun 24, 2012 6:45 AM by suikast42

    Database login module with encrypted password.

    suikast42
    suikast42 Jun 24, 2012 6:04 AM

      Hi Comunity,

       

      I try to login from a JSF application. The user and useruserole should read from database. If I store the no encrypted password in the database then everything works fine. Bur with encrypted password it will not work.

       

      I get this Exception if I try to login:

       

      00:31:45,691 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) initialize
00:31:45,691 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) Security domain: wmsdomain
00:31:45,691 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) Password hashing activated: algorithm = SHA-256, encoding = base64, charset = {default}, callback = null, storeCallback = null
00:31:45,691 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) DatabaseServerLoginModule, dsJndiName=java:/datasources/WMSDS
00:31:45,691 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) principalsQuery=SELECT PASSWORD FROM WMSUSER WHERE NAME = ?
00:31:45,707 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) rolesQuery=select name , 'Roles'  from wmsuserrole where ID in( select WMSUSERROLE_ID from wmsuser where name=?)
00:31:45,707 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) suspendResume=true
00:31:45,707 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) login
00:31:45,722 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) suspendAnyTransaction
00:31:45,722 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) Excuting query: SELECT PASSWORD FROM WMSUSER WHERE NAME = ?, with username: wmsuser2
00:31:45,863 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) Obtained user password
00:31:45,863 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) resumeAnyTransaction
00:31:45,863 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) Bad password for username=wmsuser2
00:31:45,863 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) abort
00:31:45,879 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost-127.0.0.1-8080-2) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required

       

      My security domain:

       

      <security-domain name="wmsdomain" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="Database" flag="required">
                              <module-option name="dsJndiName" value="java:/datasources/WMSDS" />
                            <module-option name="principalsQuery" value="SELECT PASSWORD FROM WMSUSER WHERE NAME = ?"/>
                            <module-option name="rolesQuery" value="select name , 'Roles'  from wmsuserrole where ID in( select WMSUSERROLE_ID from wmsuser where name=?)"/>
                            <module-option name="password-stacking" value="useFirstPass"/>
                            <module-option name="hashAlgorithm" value ="SHA-256"/>
                            <module-option name="hashEncoding" value="base64"/>
                        </login-module>
                    </authentication>
                </security-domain>

       

      My encryption :

       

      MessageDigest mdEnc = null;
      try {
        mdEnc = MessageDigest.getInstance("SHA-256");
      } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
      }
      // Encryption algorithm
      mdEnc.update(aPassword.getBytes(), 0, aPassword.length());

      String md5 = new BigInteger(1, mdEnc.digest()).toString(16); // Encrypted string

       

      Did I miss something ?

      • 3928 Views
      • Tags:
        • 1. Re: Database login module with encrypted password.
          suikast42
          suikast42 Jun 24, 2012 6:45 AM (in response to suikast42)

          Ok I found this problem.

           

          I add the dependency:

           

          <dependency>

                <groupId>org.picketbox</groupId>

                <artifactId>picketbox</artifactId>

                <version>4.0.7.Final</version>

            </dependency>

           

          to my project and lokk what jboss do. By encrypting my password with  String createPasswordHash = Util.createPasswordHash("MD5", "hex", null, null, aPassword);

          So I have to use for the loginmodule.

                        <module-option name="hashAlgorithm" value ="MD5"/>
                                      <module-option name="hashEncoding" value="hex"/>

           


            • Actions