9 Replies Latest reply on Nov 7, 2017 2:12 AM by mchoma

Wildfly 11 Elytron Bcrypt Mapper

pcarrollnf Nov 4, 2017 8:26 AM

Hello, I am trying to use the elytron <bcrypt-mapper> for authentication. However, authentication does not seem to working.

I am using jBCrypt-0.4 to create the salt and password hash and then storing them in my database.

The following is my <jdbc-realm> configuration in standalone-full.xml

<jdbc-realm name="myRealm">

<principal-query sql="SELECT A.PASSWORD, A.SALT_VALUE, A.ITERATION_COUNT FROM USERS A WHERE A.USER_NAME = LOWER(?)" data-source="myDS">

<bcrypt-mapper password-index="1" salt-index="2" iteration-count-index="3"/>

</principal-query>

<principal-query sql="SELECT DISTINCT ROLE_NAME FROM ROLES WHERE USER_NAME = LOWER(?)" data-source="myDS">

<attribute-mapping>

</attribute-mapping>

</principal-query>

</jdbc-realm>

The following is an example of a generated hash with the password being "password" (without the double quotes).

Full Hash: $2a$12$nxPgtSc/mSl7GG29yif15eDEexpf8mRHscv6SS6p3RHheulQtSOFu

Salt Value: nxPgtSc/mSl7GG29yif15e

Password Hash: DEexpf8mRHscv6SS6p3RHheulQtSOFu

Iteration Count: 12

I store the Salt Value, Password Hash and Iteration Count from above into my USERS table. When I go to my login page and enter my username and password, the log contains the following information.

TRACE [org.wildfly.security] (default task-6) Handling CachedIdentityAuthorizeCallback: principal = null authorizedIdentity = null

DEBUG [org.wildfly.security] (default task-6) Using UsernamePasswordAuthenticationMechanism for username authentication. Realm: [null], Username: [myUsername].

TRACE [org.wildfly.security] (default task-6) Handling NameCallback: authenticationName = myUsername

TRACE [org.wildfly.security] (default task-6) Principal assigning: [myUsername], pre-realm rewritten: [myUsername], realm name: [myRealm], post-realm rewritten: [myUsername], realm rewritten: [myUsername]

TRACE [org.wildfly.security] (default task-6) Executing principalQuery SELECT A.PASSWORD, A.SALT_VALUE, A.ITERATION_COUNT FROM USERS A WHERE A.USER_NAME = LOWER(?) with value myUsername

TRACE [org.wildfly.security] (default task-6) Executing principalQuery SELECT DISTINCT ROLE_NAME FROM ROLES WHERE USER_NAME = LOWER(?) with value myUsername

TRACE [org.wildfly.security] (default task-6) Executing principalQuery SELECT A.PASSWORD, A.SALT_VALUE, A.ITERATION_COUNT FROM USERS A WHERE A.USER_NAME = LOWER(?) with value myUsername

DEBUG [org.wildfly.security] (default task-6) User [myUsername] authentication failed

TRACE [org.wildfly.security] (default task-6) Handling AuthenticationCompleteCallback: fail

I am wondering if anyone has successfully used the <bcrypt-mapper> with Wildfly and, if so, what might I being doing wrong not to get it working?

Thanks.

1. Re: Wildfly 11 Elytron Bcrypt Mapper

mchoma Nov 6, 2017 4:00 AM (in response to pcarrollnf)

There is Elytron test [2]. Seems it is using different hashes for "password" password, but that could be caused by using different iteration count?

[1] https://github.com/wildfly-security/wildfly-elytron/blob/master/src/test/java/org/wildfly/security/password/impl/BCryptPasswordTest.java#L156
[2] https://github.com/wildfly-security/wildfly-elytron/blob/master/src/test/java/org/wildfly/security/password/impl/BCryptPasswordTest.java#L180
Actions
2. Re: Wildfly 11 Elytron Bcrypt Mapper

dmlloyd Nov 6, 2017 8:02 AM (in response to pcarrollnf)

What authentication mechanism are you using?
Actions
3. Re: Wildfly 11 Elytron Bcrypt Mapper

dmlloyd Nov 6, 2017 8:03 AM (in response to mchoma)

Martin Choma wrote:

There is Elytron test [2]. Seems it is using different hashes for "password" password, but that could be caused by using different iteration count?

[1] https://github.com/wildfly-security/wildfly-elytron/blob/master/src/test/java/org/wildfly/security/password/impl/BCryptPasswordTest.java#L156
[2] https://github.com/wildfly-security/wildfly-elytron/blob/master/src/test/java/org/wildfly/security/password/impl/BCryptPasswordTest.java#L180
And a different salt. The function operates n times over the salt and last stage result, where n is the iteration count.
Actions
4. Re: Wildfly 11 Elytron Bcrypt Mapper

pcarrollnf Nov 6, 2017 8:34 AM (in response to pcarrollnf)

Is this the mechanism you are looking for?

<http-authentication-factory name="my-http-authentication" http-server-mechanism-factory="global" security-domain="mySecurityDomain">
<mechanism-configuration>
<mechanism mechanism-name="FORM"/>
</mechanism-configuration>
</http-authentication-factory>

And here is a snippet of code that I am using to generate the hashed password.

import org.mindrot.jbcrypt.BCrypt;

String testPassword = "password";
int cost = 12;
String salt = BCrypt.gensalt( cost );
String bcryptPassword = BCrypt.hashpw( testPassword, salt );

Thanks
Actions
5. Re: Wildfly 11 Elytron Bcrypt Mapper

dmlloyd Nov 6, 2017 9:02 AM (in response to pcarrollnf)

Paul Carroll wrote:

Is this the mechanism you are looking for?

<http-authentication-factory name="my-http-authentication" http-server-mechanism-factory="global" security-domain="mySecurityDomain">
<mechanism-configuration>
<mechanism mechanism-name="FORM"/>
</mechanism-configuration>
</http-authentication-factory>

Right. FORM is a clear-password mechanism; some challenge-response type mechanisms (like DIGEST) cannot be used with BCrypt passwords. But you should be fine here.

Paul Carroll wrote:

And here is a snippet of code that I am using to generate the hashed password.

import org.mindrot.jbcrypt.BCrypt;

String testPassword = "password";
int cost = 12;
String salt = BCrypt.gensalt( cost );
String bcryptPassword = BCrypt.hashpw( testPassword, salt );

Thanks

You might want to try generating the same password from the same parameters from Elytron's Password API, which is documented here: WildFly Elytron 1.2.0.Beta8 API

If the results do not match then there is a problem in one implementation or the other. But if they do match, then the problem must be somewhere else.
Actions
6. Re: Wildfly 11 Elytron Bcrypt Mapper

pcarrollnf Nov 6, 2017 11:48 AM (in response to pcarrollnf)

When I used the Wildfly API to generate the password hash and store that in the database, it works. So, can I assume the jBCrypt implementation is not compatible with Wildfly/Elytron?

private static final Provider provider = new WildFlyElytronProvider();

try
{
Security.addProvider( provider );
PasswordFactory factory = PasswordFactory.getInstance( BCryptPassword.ALGORITHM_BCRYPT );

ClearPasswordSpec spec = new ClearPasswordSpec( clearPassword.toCharArray() );
BCryptPassword password = (BCryptPassword) factory.generatePassword( spec );
IteratedSaltedHashPasswordSpec bcryptSpec = factory.getKeySpec( password, IteratedSaltedHashPasswordSpec.class );

Encoder encoder = Base64.getEncoder();
elytronSalt = encoder.encodeToString( bcryptSpec.getSalt() );
elytronHash = encoder.encodeToString( bcryptSpec.getHash() );
}
catch( Exception e )
{
e.printStackTrace();
}
Actions
7. Re: Wildfly 11 Elytron Bcrypt Mapper

dmlloyd Nov 6, 2017 12:16 PM (in response to pcarrollnf)

Paul Carroll wrote:

When I used the Wildfly API to generate the password hash and store that in the database, it works. So, can I assume the jBCrypt implementation is not compatible with Wildfly/Elytron?
Right I think the conclusion is that one or the other has a bug. Could you please file an Elytron JIRA at the bug tracker and reference this conversation?
Actions
8. Re: Wildfly 11 Elytron Bcrypt Mapper

pcarrollnf Nov 6, 2017 12:50 PM (in response to pcarrollnf)

Jira issue created. Thanks
Actions
9. Re: Wildfly 11 Elytron Bcrypt Mapper

mchoma Nov 7, 2017 2:12 AM (in response to pcarrollnf)

discussion continues on [ELY-1435] Elytron BCrypt Mapper Not Working with jBCrypt - JBoss Issue Tracker
Actions

Go to original post