4 Replies Latest reply on May 20, 2009 2:23 PM by Marian Stránecký

    Need a little help from a seam and php guru

    Gerald Anderson Newbie

      I'm being asked to authenticate our forums (phpbb3) against our seam application database.  Seam app is 2.1.1.GA using new identity system and hash is MD5. 


      I'm trying to write the php module I need to authenticate but I can't quite get the right digest out of php.  Currently I'm trying:


      php:

       base64_encode(pack("H*",md5($username . $password)))



      Which gets me pretty close, but no cookie.


      Does anybody have the secret that I need? 


      Thanks!
      Gerald

        • 1. Re: Need a little help from a seam and php guru
          Nikolay Elenkov Master

          Well, use the source :) Check out PasswordHash#generatedSaltedHash(). It goes like this:


          if (saltPhrase != null)
          {
             md.update(saltPhrase.getBytes());
             byte[] salt = md.digest();
                      
             md.reset();
             md.update(password.getBytes());
             md.update(salt);
          }
          



          saltPhrase is the username, so you need to hash it to get the salt,
          then concat the password with the salt and hash again to get the final hash string.
          So the algorithm is something like this
          (S: salt, U: username, P: password, PH: password hash, MD: message digest (MD5 in your case)):


          S = MD(U)
          PH = MD(P||S)
          



          Btw, all this has changed in Seam 2.1.2, so beware :)


          HTH


          • 2. Re: Need a little help from a seam and php guru
            Gerald Anderson Newbie

            Ahh, wasn't catching that the username was being hashed.  Still not able to get it though. 


            Let me ask about a different direction;  What's the latest and greatest on integration with JBoss SSO or OpenSSO.  I see that there's Jira issues out there but don't see that anything is happening.  On the other side there is a ton of buzz about it via google.  Is anybody aware of any decent documentation in this regard (SSO) for a relatively plug-n-play solution?


            Really appreciate your response Nikolay!


            Gerald

            • 3. Re: Need a little help from a seam and php guru
              Nikolay Elenkov Master

              Gerald Anderson wrote on May 14, 2009 00:23:


              Ahh, wasn't catching that the username was being hashed.  Still not able to get it though. 



              I am far from a PHP guru, but your best bet is probably to print both steps from Java and PHP and see where things go wrong.
              You need a binary blob of the password bytes + the salt bytes to get this to work with the standard md5 function. Btw, does
              PHP have md5_update or some such?



              Let me ask about a different direction;  What's the latest and greatest on integration with JBoss SSO or OpenSSO.  I see that there's Jira issues out there but don't see that anything is happening.  On the other side there is a ton of buzz about it via google.  Is anybody aware of any decent documentation in this regard (SSO) for a relatively plug-n-play solution?


              Yeah, I'd like to see something like this too. It shouldn't be too hard to integrate Seam security with *SSO, but if someone has already done it, all the better :)


              • 4. Re: Need a little help from a seam and php guru
                Marian Stránecký Newbie
                Yes... the problem is definitely that PHP has no cryptographic framework like JCE. The MD5 function is pretty simple without a possibility to update the digest prior to finalizing

                AFAIK the same situation is for SHA1 && PHP.

                If you really wish to generate user records from PHP, the fastest workaround is to write custom PasswordHash (probably not extending but a new class, the current one has imho no proper abstraction) and to use own hash building mechanism which can be reproduced in PHP with simple call to md5 function, e.g.: $md5($salt.md5($pwd)).

                Marian