I have a working JAX-RS web service which uses basic authentication. The user passwords are stored as a SHA-256 hash value plus additional base64 ecoding. The following configuration works fine for this.
| | <security-domains> |
| | <security-domain name="SgpRealm" cache-type="default"> |
| | <authentication> |
| | <login-module code="Database" flag="required"> |
| | <module-option name="dsJndiName" value="java:/MySqlDS"/> |
| | <module-option name="principalsQuery" value="SELECT pwd FROM customer where eMail=?"/> |
| | <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM roles WHERE eMail=?"/> |
| | <module-option name="hashAlgorithm" value="SHA-256"/> |
| | <module-option name="hashEncoding" value="base64"/> |
| | <module-option name="hashUserPassword" value="true"/> |
| | <module-option name="hashStorePassword" value="false"/> |
| | </login-module> |
| | </authentication> |
| | </security-domain> |
No I want to switch from basic to digest authentication. Is there a way to do this, whereby the stored passwords in data base are still SHA-256 hashed plus base64 encoded?
So far I know, a digest authentication works like:
Hash1 = MD5("username:realm:password")
Hash2 = MD5("http-method:uri")
Response = MD5("Hash1:nonce:nc:cnonce:qop:Hash2")
But so far the delivered plain-text-password is hashed by JBoss like:
base64(SHA-256("plainTextPassword"))
Thanks in advance
