8 Replies Latest reply on Nov 29, 2012 8:16 AM by ybxiang.china

    JBoss AS 7.1.1Final - Digest authentication sending incorrect password

    matthieus

      Hi,

      I am trying to use digest authentication for my webapp. BASIC is working fine but I can't make the DIGEST version work.

      https://community.jboss.org/message/744521 seems to address exactly that, but the configuration described didn't work for me.


      The error I get (the standard incorrect-password stack trace), using Chrome or Firefox if that matters:

      11:49:17,753 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--0.0.0.0-8080-3) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
              at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:270) [picketbox-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:155) [picketbox-4.0.7.Final.jar:4.0.7.Final]
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_31]
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_31]
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_31]
              at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_31]
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_31]
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_31]
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_31]
              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_31]
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_31]
              at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_31]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
              at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:367) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
              at org.apache.catalina.authenticator.DigestAuthenticator$DigestInfo.authenticate(DigestAuthenticator.java:697) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.authenticator.DigestAuthenticator.authenticate(DigestAuthenticator.java:270) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
              at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_31]

      My last attempted configuration:

      web.xml (security related content):

       <security-constraint>
                <auth-constraint>
                          <role-name>ROLE_USER</role-name>
                </auth-constraint>
                <web-resource-collection>
                          <url-pattern>/*</url-pattern>
                </web-resource-collection>
      </security-constraint>
      
      <security-role>
                <role-name>ROLE_USER</role-name>
      </security-role>
      <security-role>
                <role-name>ROLE_ADMIN</role-name>
      </security-role>
      
      <login-config>
                <auth-method>DIGEST</auth-method>
      </login-config>

      standalone.xml (security related content):

       <!-- below is left over from my attempt at using RealmDirect -->
      <security-realms>
                <security-realm name="ManagementRealm">
                          <authentication>
                                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" />
                          </authentication>
                </security-realm>
                <security-realm name="ApplicationRealm">
                          <authentication>
                                    <properties path="application-users.properties"
                                              relative-to="jboss.server.config.dir" />
                          </authentication>
                          <authorization>
                                    <properties path="application-roles.properties"
                                              relative-to="jboss.server.config.dir" />
                          </authorization>
                </security-realm>
      </security-realms>
      
      (...) 
      
      <security-domain name="other" cache-type="default">
                <authentication>
                          <login-module code="Remoting" flag="optional">
                                    <module-option name="password-stacking" value="useFirstPass" />
                          </login-module>
                          <login-module code="RealmUsersRoles" flag="required">
                                    <module-option name="usersProperties"
                                              value="${jboss.server.config.dir}/application-users.properties" />
                                    <module-option name="rolesProperties"
                                              value="${jboss.server.config.dir}/application-roles.properties" />
                                      <module-option name="hashAlgorithm" value="MD5"/>
                                      <module-option name="hashEncoding" value="RFC2617"/>
                                      <module-option name="hashUserPassword" value="false"/>
                                      <module-option name="hashStorePassword" value="true"/>
                                      <module-option name="passwordIsA1Hash" value="true"/>
                                    <module-option name="realm" value="ApplicationRealm" />
                                    <module-option name="password-stacking" value="useFirstPass" />
                          </login-module>
                </authentication>
      </security-domain>

      I tried with and without jboss-web.xml to define the security-domain.

      To define the users/passwords I used the add-user utility, with the following trace:

      +>add-user
      
      
      What type of user do you wish to add?
       a) Management User (mgmt-users.properties)
       b) Application User (application-users.properties)
      (a): b
      
      Enter the details of the new user to add.
      Realm (ApplicationRealm) :
      Username : dev
      Password :
      Re-enter Password :
      What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none) : ROLE_USER
      About to add user 'dev' for realm 'ApplicationRealm'
      Is this correct yes/no? yes
      Added user 'dev' to file 'C:\jboss-7.1.1.final\standalone\configuration\application-users.properties'
      Added user 'dev' to file 'C:\jboss-7.1.1.final\domain\configuration\application-users.properties'
      Added user 'dev' with roles ROLE_USER to file 'C:\jboss-7.1.1.final\standalone\configuration\application-roles.properties'
      Added user 'dev' with roles ROLE_USER to file 'C:\jboss-7.1.1.final\domain\configuration\application-roles.properties'
      Press any key to continue . . .

      1. First and main question: do you see anything wrong with the configuration above?

      2. Bonus question: is the RealmDirect login module (from https://docs.jboss.org/author/display/AS71/Security+Realms) part of 7.1.1 or only of 7.1.2 (which does not seem to be released yet)?

      Thanking you warmly in advance

        • 1. Re: JBoss AS 7.1.1Final - Digest authentication sending incorrect password
          ybxiang.china

          Why NOT post the content of application-users.properties and application-roles.properties???

          • 2. Re: JBoss AS 7.1.1Final - Digest authentication sending incorrect password
            ybxiang.china

            My configuration works well:

            standalone.xml


                <security-realms>
                    <security-realm name="ManagementRealm">
                        <authentication>
                            <jaas name="nms-jaas-security-domain"/>
                        </authentication>
                    </security-realm>
                    <security-realm name="ApplicationRealm">
                        <server-identities>
                            <ssl>
                                <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="ybxiang_keystore_password"/>
                            </ssl>
                        </server-identities>
                        <authentication>
                            <jaas name="nms-jaas-security-domain"/>
                        </authentication>
                    </security-realm>
                </security-realms>


               <subsystem xmlns="urn:jboss:domain:security:1.2">
                    <security-domains>
                        <security-domain name="nms-jaas-security-domain" cache-type="default">
                            <authentication>
                                <login-module code="Remoting" flag="optional">
                                    <module-option name="password-stacking" value="useFirstPass"/>
                                </login-module>
                                <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                                    <module-option name="password-stacking" value="useFirstPass"/>
                                    <module-option name="dsJndiName" value="java:jboss/datasources/NmsMySqlDS"/>
                                    <module-option name="principalsQuery" value="SELECT hashedPassword FROM User WHERE username=?"/>
                                    <module-option name="rolesQuery" value="SELECT DISTINCT r.name, 'Roles' FROM User u, User_UserGroup ug, UserGroup_JaasRole gr, JaasRole r WHERE u.id=ug.user_id AND ug.usergroup_id=gr.usergroup_id AND gr.jaasrole_id=r.id AND u.rowStatus=0 AND u.username=?"/>
                                    <module-option name="hashAlgorithm" value="SHA-256"/>
                                    <module-option name="hashEncoding" value="Base64"/>
                                    <module-option name="hashCharset" value="UTF-8"/>
                                    <module-option name="unauthenticatedIdentity" value="guest"/>
                                </login-module>
                            </authentication>
                        </security-domain>
                        <security-domain name="other" cache-type="default">
                            <authentication>
                                <login-module code="Remoting" flag="optional">
                                    <module-option name="password-stacking" value="useFirstPass"/>
                                </login-module>
                                <login-module code="RealmDirect" flag="required">
                                    <module-option name="password-stacking" value="useFirstPass"/>
                                </login-module>
                            </authentication>
                        </security-domain>


            jboss-web.xml


            <?xml version="1.0" encoding="UTF-8"?>

            <jboss-web>

                <security-domain>java:/jaas/nms-jaas-security-domain</security-domain>

            </jboss-web>


            web.xml


            <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>Hello World Authorization</realm-name>
            </login-config>
            • 3. Re: JBoss AS 7.1.1Final - Digest authentication sending incorrect password
              ybxiang.china

              1. Are you sure you are using the "other" domain in web.xml and jboss-web.xml?

              2. I think

              <login-config>
                        <auth-method>DIGEST</auth-method>
              </login-config>


              in web.xml is wrong.


              Please try

              <login-config>
                        <auth-method>basic</auth-method>
              </login-config>


              I do NOT think <auth-method> in web.xml supports the "DIGEST" value.

              Another <auth-method> is "FORM", which means you write your own HTML form to input the username and password.

              "DIGEST" means your password is saved in property files or DB in digest mode.

              It is NOT an "auth-method" and has nothing to do with web.xml.

              • 4. Re: JBoss AS 7.1.1Final - Digest authentication sending incorrect password
                matthieus

                Thank you for your answer, I appreciate it.

                As I said in the first post, BASIC is working just fine, but BASIC authentication sends the password in the clear over the network. The DIGEST authentication method sends a hashed password, so I'd prefer to use that one instead.

                According to https://community.jboss.org/message/744521#744521, it is possible to use DIGEST with JBoss 7, with DIGEST specified as the auth-method in web.xml.

                Also, from http://docs.jboss.org/jbossas/docs/Server_Configuration_Guide/4/html/J2EE_Declarative_Security_Overview-Web_Content_Security_Constraints.html: "Legal auth-method values are BASIC, DIGEST, FORM, and CLIENT-CERT".

                • 5. Re: JBoss AS 7.1.1Final - Digest authentication sending incorrect password
                  ybxiang.china

                  Sorry. I am wrong.


                  I use SSL, so I did NOT research this auth method.

                  • 6. Re: JBoss AS 7.1.1Final - Digest authentication sending incorrect password
                    ybxiang.china

                    As I said in the first post, BASIC is working just fine, but BASIC authentication sends the password in the clear over the network. The DIGEST authentication method sends a hashed password, so I'd prefer to use that one instead.

                    ~~~~~~~~~~~You are right.

                    But, I think even if the DIGEST authentication method works, a hacker can intercept the hashed password and send it to your server directly to log in to your account.

                    Maybe I am wrong. I think you had better use SSL to defend against hackers.

                    If the DIGEST authentication method could defend against hackers, people would NOT have invented SSL.

                    • 7. Re: JBoss AS 7.1.1Final - Digest authentication sending incorrect password
                      dlofthouse

                      But, I think even if the DIGEST authentication method works, a hacker can intercept the hashed password and send it to your server directly to log in to your account.

                      There is more to the message exchange than just hashing the password and sending it. If it were just a hashed password then yes, there would be nothing to defend against a replay attack.

                      If the DIGEST authentication method could defend against hackers, people would NOT have invented SSL.

                      They solve different problems. As an example, whilst Digest authentication provides capabilities to detect and prevent replays of the authentication headers, it does nothing to protect the contents of the message exchanges, so if the contents of the HTTP messages are also sensitive then SSL is required.
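
The point dlofthouse makes above, as an added example that is not part of this thread or of JBoss: a Python model of an RFC 2617 Digest exchange (qop=auth) in which the server stores only HA1 = MD5(user:realm:password), the value add-user writes to application-users.properties and the RealmUsersRoles module of the first post reads with passwordIsA1Hash=true, and in which a captured Authorization header fails when replayed because its nonce count cannot advance. The user dev and realm ApplicationRealm come from the thread; the password, the DigestServer class and its nonce bookkeeping are assumptions, and the hashUserPassword/hashStorePassword options are not modelled.

```python
import hashlib
import secrets

REALM = "ApplicationRealm"  # realm name add-user used in the thread


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def a1_hash(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password), the form add-user stores as user=HA1."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' for qop=auth; HA2 also binds the HTTP method and URI."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Assumed minimal server side: it holds HA1 values, never the passwords."""

    def __init__(self, users):
        self.users = users    # user -> HA1 hex, like application-users.properties
        self.nonces = {}      # nonce this server issued -> highest nc accepted

    def challenge(self):
        nonce = secrets.token_hex(16)   # fresh nonce per WWW-Authenticate challenge
        self.nonces[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        ha1 = self.users.get(user)
        if ha1 is None or nonce not in self.nonces:
            return False      # unknown user, or a nonce this server never issued
        if int(nc, 16) <= self.nonces[nonce]:
            return False      # nonce count did not advance: a replayed header
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        if not secrets.compare_digest(expected, response):
            return False      # wrong password, or method/URI tampered with
        self.nonces[nonce] = int(nc, 16)
        return True


def demo(password="s3cret"):
    """Constructed run: user 'dev' from the thread with a made-up password."""
    server = DigestServer({"dev": a1_hash("dev", REALM, password)})
    nonce, cnonce = server.challenge(), secrets.token_hex(8)
    ha1 = a1_hash("dev", REALM, password)   # the client derives HA1 itself
    resp = digest_response(ha1, "GET", "/app/", nonce, "00000001", cnonce)
    first = server.verify("dev", "GET", "/app/", nonce, "00000001", cnonce, resp)
    replay = server.verify("dev", "GET", "/app/", nonce, "00000001", cnonce, resp)
    return first, replay      # (True, False)
```

Nonce expiry and the Authentication-Info response header of RFC 2617 are left out of this model.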

                      • 8. Re: JBoss AS 7.1.1Final - Digest authentication sending incorrect password
                        ybxiang.china

                        I agree with you completely.

                        That is what I wanted to say, but I did NOT know how to say it.