1 Reply Latest reply on Oct 4, 2012 7:26 AM by michajil_tigrow

How to configure DatabaseLoginModule for DIGEST authentication?

michajil_tigrow Oct 3, 2012 6:09 AM

I'm having problems to set up DatabaseLoginModule for DIGEST authentication.

Passwords in my db are hashed.

What I managed to do so far, is to set the DatabaseLoginModule to work with BASIC auth.

Working configuration:

web.xml

{code:xml}
...
 <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>JbossProductionSecurity</realm-name>
   </login-config>
...
{code}

jboss-web.xml

{code:xml}
<jboss-web>
     <security-domain>JbossProductionSecurity</security-domain>
</jboss-web>
{code}

standalone.xml

{code:xml}
<security-domain name="JbossProductionSecurity" cache-type="default">
                    <authentication>
                        <login-module code="Database" flag="required">
                            <module-option name="dsJndiName" value="java:jboss/ProductionDS"/>
                            <module-option name="principalsQuery" value="SELECT password ..."/>
                            <module-option name="rolesQuery" value="SELECT role.name as Role,         'Roles' FROM ..."/>
                            <module-option name="hashAlgorithm" value="MD5"/>
                            <module-option name="hashEncoding" value="base64"/>
                            <module-option name="ignorePasswordCase" value="false"/>
                        </login-module>
                    </authentication>
                </security-domain>
{code}

Now, the above works fine.

When I change BASIC to DIGEST in the web.xml it fails.

I tried to add a digest callback to the standalone.xml

{code:xml} <module-option name="digestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>{code}

but it does not help.

What I'm missing?

1. Re: How to configure DatabaseLoginModule for DIGEST authentication?

michajil_tigrow Oct 4, 2012 7:26 AM (in response to michajil_tigrow)

Ok, I've manage to solve my problem partially.

At first I switched to the different login module just to understand how this should be done, and this thread helped me a lot https://community.jboss.org/message/744521

So, I had to change the way I encrypt passwords in my db - now they're encrypted the same way RFC2617Digest does it. After that it was simple, I just reused the solution from the above thread with little modifications just to use the db login module.

{code:xml}
<login-module code="Database" flag="required">
                            <module-option name="dsJndiName" value="..." />
                            <module-option name="principalsQuery"
                                value="SELECT password FROM .." />
                            <module-option name="rolesQuery"
                                value="SELECT role.name as Role,         'Roles' FROM ..." />
                            <module-option name="hashAlgorithm" value="MD5"/>
                            <module-option name="hashEncoding" value="RFC2617"/>
                            <module-option name="hashUserPassword" value="false"/>
                            <module-option name="hashStorePassword" value="true"/>
                            <module-option name="passwordIsA1Hash" value="true"/>
                            <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
                        </login-module>
{code}