3 Replies Latest reply on Mar 16, 2014 6:14 PM by polinchw

    Using encrypted password in the DB database login module

    marcusdidiusfalco

      Hello,

      EAP 6.0

      I am trying to use encrypted passwords in the database for authentication.

      I have a database login configured. It works without encryption. Following the directions in Francesco Marchioni's JBoss AS 7 Configuration, Deployment, and Administration, I have added module-options for reading encrypted passwords:

      [attached screenshot: DatabaseLoginModule1.jpg]

      For testing purposes:

      import java.security.MessageDigest;
      import java.security.NoSuchAlgorithmException;

      public class Base64Hash {

          public static void main(String[] args) {
      //        String password = args[0];
              String password = "jboss";
              MessageDigest md = null;
              try {
                  md = MessageDigest.getInstance("MD5");
              } catch (NoSuchAlgorithmException e) {
                  // MD5 is a required algorithm in every JRE, so this is not expected to happen
                  e.printStackTrace();
              }
              // digest the raw, unsalted password bytes in the platform default charset
              byte[] passwordBytes = password.getBytes();
              byte[] hash = md.digest(passwordBytes);
              // encode the digest with PicketBox's Base64Utils (the replies below use Util.createPasswordHash instead)
              String passwordHash = org.jboss.security.Base64Utils.tob64(hash);
              System.out.println(passwordHash);
          }
      }

      I have replaced the password in the DB with the produced hash.

      The login does not work any more. When I replace the hash in the DB with "jboss", the login works. So it looks like the configuration of the login module does not work for hashing.

      The only ERROR in the log is from the unsuccessful login:

      15:33:11,536 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-/127.0.0.1:8080-1) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
              at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:293) [picketbox-4.0.9.Final-redhat-1.jar:4.0.9.Final-redhat-1].....

      Any help would be appreciated

        • 1. Re: Using encrypted password in the DB database login module
          fnasser

          I had the same issue following the book recipe.  I got it working, here are the changes:

          1) Either remove the hashStorePassword or change it to hashUserPassword (not needed, the default for that is true)

          2) calculate the passwordHash from a String password like this:

          passwordHash = Util.createPasswordHash("MD5", "BASE64", null, null, password);

          3) To fill your database you can obtain the digests like this:

          echo -n 'password' | openssl dgst -md5 -binary | openssl base64

          where password is the password you want to use (make sure you use single quotes in case you have special characters in your password; do NOT escape them with a \ as the digest is changed by it).
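Added example (my own script, not code from this thread, the book, or JBoss/PicketBox): it reproduces what the openssl pipeline in reply 1 and `Util.createPasswordHash("MD5", "BASE64", null, null, password)` compute, so you can generate the value to store in the principals table for a given hashAlgorithm/hashEncoding pair and check a typed password against it the way the login module does. Assumptions of this example: the password bytes are UTF-8 (the Java code in the question used the platform default charset), hashEncoding=hex means lowercase hex, and `verify_login` uses a constant-time compare, which is my choice rather than anything the thread shows about the module. As far as I know, the reason the original `Base64Utils.tob64` output never matched is that that helper encodes with a crypt-style alphabet (`./0-9A-Za-z`), not standard Base64, so its string is not the one the module computes for hashEncoding=base64.

```python
import base64
import hashlib
import hmac

# hashEncoding values this example reproduces: "base64" (standard alphabet, the
# same output as `openssl base64` and createPasswordHash(..., "BASE64", ...))
# and "hex" (lowercase hexadecimal; an assumption of this example).
SUPPORTED_ENCODINGS = ("base64", "hex")


def db_password_hash(password, algorithm="MD5", encoding="base64", charset="utf-8"):
    """Return the string to store in the principals table for `password`.

    Unsalted digest of the raw password bytes with `algorithm` (hashAlgorithm),
    then encoded per `encoding` (hashEncoding).  `charset` is an assumption of
    this example; the thread's Java code used the platform default charset.
    """
    enc = encoding.lower()
    if enc not in SUPPORTED_ENCODINGS:
        raise ValueError("unsupported hashEncoding: %r" % encoding)
    # Java spells algorithms "MD5", "SHA-1", "SHA-256"; hashlib wants "md5", "sha1", "sha256".
    digest = hashlib.new(algorithm.lower().replace("-", ""), password.encode(charset)).digest()
    if enc == "base64":
        return base64.b64encode(digest).decode("ascii")
    return digest.hex()


def verify_login(stored_hash, supplied_password, algorithm="MD5", encoding="base64"):
    """Re-create the module's check: hash what the user typed, compare to the DB value.

    Constant-time comparison is a defender's choice for this example; the
    module's own comparison code is not shown in the thread.
    """
    candidate = db_password_hash(supplied_password, algorithm, encoding)
    return hmac.compare_digest(candidate, stored_hash)


if __name__ == "__main__":
    # Constructed sample inputs: the thread's test password "jboss" and "password".
    for pw in ("jboss", "password"):
        print("%-10s base64=%s  hex=%s" % (pw, db_password_hash(pw), db_password_hash(pw, encoding="hex")))
    # Illustrates the caveat in reply 1: escaping a shell metacharacter with a
    # backslash changes the bytes that get digested, so the stored hash will not
    # match what the user actually types.
    print(db_password_hash("p$ss") == db_password_hash("p\\$ss"))  # False
```

Run it once to fill the table, then paste the base64 column into the `password` column the `principalsQuery` reads; the hashAlgorithm and hashEncoding module-options must match the arguments you used here.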

          • 2. Re: Using encrypted password in the DB database login module
            polinchw

            I've had this exact same problem.  I think the book must be wrong.  I'm going to try Fernando's solution.

            • 3. Re: Using encrypted password in the DB database login module
              polinchw

              Wow it worked.  I used these settings:

              <security-domain name="mysqldomain" cache-type="default">
                  <authentication>
                      <login-module code="Database" flag="required">
                          <module-option name="dsJndiName" value="java:jboss/datasources/MysqlDS"/>
                          <module-option name="principalsQuery" value="select password from user where name=?"/>
                          <module-option name="rolesQuery" value="select role,'Roles' from roles where name=?"/>
                          <module-option name="hashAlgorithm" value="MD5"/>
                          <module-option name="hashEncoding" value="base64"/>
                          <module-option name="hashUserPassword" value="true"/>
                      </login-module>
                  </authentication>
              </security-domain>

              private static String hashPassword(String password) {
                  return org.jboss.crypto.CryptoUtil.createPasswordHash("MD5", "BASE64", null, null, password);
              }