1 Reply Latest reply on Mar 27, 2014 4:29 PM by broubach

    Change of hashAlgorithm from MD5 to SHA-512 causes EJB remote connection to fail authentication

    forfano

      Lads,

       

      Here is a detailed description of the issue we are facing:

      The issue happens only when we have a remote EJB call. It fails to authenticate. We found out that JBoss is receiving the password from the EJB Client correctly, but then when it creates the hash to compare against the one in application-users.properties it is USING MD5 instead of SHA-512. As a result the authentication is failing. If we change the password in application-users.properties from SHA-512 back to MD5, then the EJB Client manages to authenticate.

      The changes we made aim to make JBoss use SHA-512 when authenticating logins for ApplicationRealm (security-domain other).

      So, in order to achieve it, we changed:

       

      ==host.xml==

       

      <security-realm name="ApplicationRealm">
        <authentication>
          <properties path="application-users.properties" relative-to="jboss.domain.config.dir"/>
        </authentication>
      </security-realm>

       

       

      ==domain.xml==

       

      <security-domains>
        <security-domain name="other" cache-type="default">
          <authentication>
            <login-module code="UsersRoles" flag="required">
              <module-option name="usersProperties" value="${jboss.domain.config.dir}/application-users.properties"/>
              <module-option name="rolesProperties" value="${jboss.domain.config.dir}/application-roles.properties"/>
              <module-option name="realm" value="ApplicationRealm"/>
              <module-option name="password-stacking" value="useFirstPass"/>
              <module-option name="hashAlgorithm" value="SHA-512"/>
              <module-option name="hashEncoding" value="hex"/>
            </login-module>
            <login-module code="Remoting" flag="optional">
              <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
          </authentication>
        </security-domain>

      ......

       

      ==application-users.properties==

       

      WE PUT THE NEW HASH IN SHA-512 FOR the user used

       

      Message was edited by: Flavio Orfano
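
    Added example, not part of the original post and not JBoss code: a small Python check that reports which hash format an entry in application-users.properties holds, given a known test password. It assumes the realm file uses the add-user format HEX(MD5(username:realm:password)) and that UsersRoles with hashAlgorithm=SHA-512 and hashEncoding=hex hashes the password alone; the user name, password and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the original post.
SAMPLE_USER = "ejbclient"
SAMPLE_REALM = "ApplicationRealm"
SAMPLE_PASSWORD = "Example-Passw0rd!"

def realm_digest_hash(user, realm, password):
    # Assumed add-user format: HEX(MD5(username ':' realm ':' password)).
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def login_module_hash(password, algorithm="SHA-512"):
    # Assumed UsersRoles behaviour with hashEncoding=hex: hash of the password alone.
    return hashlib.new(algorithm.lower().replace("-", ""), password.encode("utf-8")).hexdigest()

def parse_users_properties(text):
    # Return {username: stored_hash}, skipping comments and blank lines.
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        user, stored = line.split("=", 1)
        users[user.strip()] = stored.strip().lower()
    return users

def classify_entry(user, stored, realm, password):
    # Report which of the two hash formats this stored value matches.
    candidates = {
        "realm-md5": realm_digest_hash(user, realm, password),
        "login-module-sha512": login_module_hash(password),
    }
    for label, expected in candidates.items():
        if hmac.compare_digest(stored.encode(), expected.encode()):
            return label
    return "unknown"

def audit(text, realm, passwords):
    # Classify every entry for which a known test password is supplied.
    return {user: classify_entry(user, stored, realm, passwords[user])
            for user, stored in parse_users_properties(text).items()
            if user in passwords}

if __name__ == "__main__":
    sample = f"# constructed file\n{SAMPLE_USER}={login_module_hash(SAMPLE_PASSWORD)}\n"
    print(audit(sample, SAMPLE_REALM, {SAMPLE_USER: SAMPLE_PASSWORD}))
```

    Under these assumptions, an entry reported as login-module-sha512 cannot be verified by a component that expects the realm-md5 format, which is the mismatch the post describes.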