5 Replies Latest reply on Nov 22, 2010 8:47 PM by Nikos Massios

    JBoss 5.1 LdapExtLoginModule with encrypted bindCredential problem

    Shawn Ellis Newbie

      I have a JBoss 5.1.0 GA instance where I'm trying to use an encrypted password with a JaasSecurityDomain and I'm getting an incorrect password error message.  If I remove the jaasSecurityDomain module-option from my login-config.xml and I specify a plaintext password, the login process works fine.  I have the same setup in JBoss 4.0.5 with a JaasSecurityDomain working without any problems.  Is there anything different required with JBoss 5.1.0 to use an encrypted binding password? I've already verified that server.password exists and is the same file that I was using in Jboss 4.0.5.  Thanks.

       

      login-config.xml:

       

      <application-policy name="MyRealm">
              <authentication>
                  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
                      <module-option name="java.naming.provider.url">ldap://virtualad:389</module-option>
                      <module-option name="jaasSecurityDomain">jboss.security:service=JaasSecurityDomain,domain=MyDomain</module-option>
                      <module-option name="bindDN">psu@sandbox.local</module-option>
                      <module-option name="bindCredential">2NUTSBGQTEkjW5g6.0CjGz</module-option>
                      <module-option name="baseCtxDN">ou=Accounts,dc=sandbox,dc=local</module-option>
                      <module-option name="baseFilter">(sAMAccountName={0})</module-option>

       

                      <module-option name="rolesCtxDN">ou=Accounts,dc=sandbox,dc=local</module-option>
                      <module-option name="roleFilter"><![CDATA[(&(objectclass=group)(member={1}))]]></module-option>
                      <module-option name="roleAttributeID">cn</module-option>
                      <module-option name="roleNameAttributeID">cn</module-option>
                      <module-option name="allowEmptyPasswords">false</module-option>
                      <module-option name="roleAttributeIsDN">true</module-option>
                  </login-module>
                  <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule"
                                flag="optional">
                    <module-option name="rolesProperties">roleMappings.properties</module-option>
                    <module-option name="replaceRole">false</module-option>
                  </login-module>
              </authentication>
          </application-policy>

       

      jboss-service.xml:

       

      <!-- My JaasSecurityDomain -->
         <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
            name="jboss.security:service=JaasSecurityDomain,domain=MyDomain">
            <constructor>
               <arg type="java.lang.String" value="MyDomain"></arg>
            </constructor>
            <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
            <attribute name="Salt">abcdefgh</attribute>
            <attribute name="IterationCount">13</attribute>
         </mbean>

       

      security.log:

       

      LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:
      name=roleNameAttributeID, value=cn
      name=roleFilter, value=(&(objectclass=group)(member={1}))
      name=baseFilter, value=(sAMAccountName={0})
      name=allowEmptyPasswords, value=false
      name=bindCredential, value=****
      name=bindDN, value=psu@sandbox.local
      name=java.naming.provider.url, value=ldap://virtualad:389
      name=roleAttributeID, value=cn
      name=baseCtxDN, value=ou=Accounts,dc=sandbox,dc=local
      name=roleAttributeIsDN, value=true
      name=rolesCtxDN, value=ou=Accounts,dc=sandbox,dc=local
      name=jaasSecurityDomain, value=jboss.security:service=JaasSecurityDomain,domain=MyDomain
      [1]
      LoginModule Class: org.jboss.security.auth.spi.RoleMappingLoginModule
      ControlFlag: LoginModuleControlFlag: optional
      Options:
      name=rolesProperties, value=roleMappings.properties
      name=replaceRole, value=false

       


      2010-04-12 10:37:38,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] initialize

       

      2010-04-12 10:37:38,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] Security domain: MyRealm

       

      2010-04-12 10:37:38,025 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] login

       

      2010-04-12 10:37:38,040 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=psu

       

      2010-04-12 10:37:38,040 TRACE [org.jboss.security.auth.spi.RoleMappingLoginModule] initialize

       

      2010-04-12 10:37:38,040 TRACE [org.jboss.security.auth.spi.RoleMappingLoginModule] Security domain: MyRealm

       

      2010-04-12 10:37:38,040 TRACE [org.jboss.security.auth.spi.RoleMappingLoginModule] login

       

      2010-04-12 10:37:38,040 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] abort

       

      2010-04-12 10:37:38,040 TRACE [org.jboss.security.auth.spi.RoleMappingLoginModule] abort

       

      2010-04-12 10:37:38,040 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.MyRealm] Login failure

       

      javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required

       

          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:252)

       

          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

       

          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

        • 1. Re: JBoss 5.1 LdapExtLoginModule with encrypted bindCredential problem
          Matias Carminatti Newbie

           

          Hi Shawn,

           

          I have the same problem as you expose here.

           

          Have you been able to solve your problem?

           

          I really would appreciate you help with this issue.

          • 2. Re: JBoss 5.1 LdapExtLoginModule with encrypted bindCredential problem
            Shawn Ellis Newbie

            Encrypted bindCredentials don't work with JBoss 5.0.* and JBoss 5.1.* community edition due to a defect.  RedHat does have a fix for their supported version of JBoss, but I don't know if the fix is publicly available.

            • 3. Re: JBoss 5.1 LdapExtLoginModule with encrypted bindCredential problem
              Matias Carminatti Newbie

              Shawn,

               

              Thanks for your prompt response. :-)

               

              I've seen on tour this issue is fixed in version 6 of jboss.

               

              I also tried to replace jboss jbosssx.jar 5.1 version of the 2.0.4 but  it did not work.

               

              I think that version will migrate.

               

              thank you very  much!

              • 4. Re: JBoss 5.1 LdapExtLoginModule with encrypted bindCredential problem
                Nikos Massios Novice

                We have encountered the same problem on JBoss 5.1 GA. Has anybody found a solution?

                 

                There is a similar thread connected to this

                http://community.jboss.org/thread/42934?tstart=0

                 

                We are considering fixing it ourselves.

                 

                Nikos

                • 5. Re: JBoss 5.1 LdapExtLoginModule with encrypted bindCredential problem
                  Nikos Massios Novice

                  The problem was with

                  The DecodeAction class that is called by both the LdapExtLoginModule and the LdapLoginModule classes

                   

                  The original code can be found here

                  http://www.docjar.com/docs/api/org/jboss/security/auth/spi/DecodeAction.html

                   

                  I  rewrote parts of it to make it look like this. I tried it on JBoss  5.1GA with both the LdapLoginModule and the LdapExtLoginModule and it  now works

                   

                   

                  package org.jboss.security.auth.spi;

                   

                  import java.security.AccessController;
                  import java.security.PrivilegedActionException;
                  import java.security.PrivilegedExceptionAction;

                   

                  import javax.management.MBeanServer;
                  import javax.management.ObjectName;

                   

                  import org.apache.log4j.Logger;
                  import org.jboss.mx.util.MBeanServerLocator;

                   

                  class DecodeAction implements PrivilegedExceptionAction<Object> {
                      protected static Logger _logger = Logger.getLogger(DecodeAction.class);
                     

                   

                      String password;
                      ObjectName serviceName;

                   

                      DecodeAction(String password, ObjectName serviceName) {
                          _logger.debug("DecodeAction password " + password + " serviceName " +serviceName);
                          this.password = password;
                          this.serviceName = serviceName;

                      }

                   

                      /**
                       *
                       * @return
                       * @throws Exception
                       */
                      public Object run() throws Exception {
                          _logger.debug("DecodeAction run fixedDecode64 " + password );

                   

                          // Invoke the decodeb64 op
                          byte[] secret = decode64(password);

                   

                          // Convert to UTF-8 base char array
                          String secretPassword = new String(secret, "UTF-8");
                         
                          //_logger.debug( " secretPassword " +secretPassword);
                          return secretPassword.toCharArray();
                      }

                   

                   

                      private byte[] decode64(String secret) throws Exception {

                   

                         
                          MBeanServer server = MBeanServerLocator.locateJBoss();
                          Object[] params = {secret};
                          String[] signature = {"java.lang.String"};
                           byte[] decoded = ( byte[]) server.invoke(serviceName, "decode64",
                                                            params, signature);

                   

                           return decoded;
                      }

                   

                      static char[] decode(String password, ObjectName serviceName)

                              throws Exception {
                          DecodeAction action = new DecodeAction(password, serviceName);
                          try {
                              char[] decode = (char[]) AccessController.doPrivileged(action);
                              return decode;
                          } catch (PrivilegedActionException e) {
                              _logger.debug("package access decode caught an exception ",e );
                              throw e.getException();
                          }
                      }
                  }