1 Reply Latest reply on Jun 24, 2012 6:45 AM by Sueleyman Vurucu

    Database login module with encrypted password.

    Sueleyman Vurucu Expert

      Hi Community,

       

      I am trying to log in from a JSF application. The user and user role should be read from the database. If I store the unencrypted password in the database, everything works fine. But with an encrypted password it does not work.

       

      I get this Exception if I try to login:

       

      00:31:45,691 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) initialize
      00:31:45,691 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) Security domain: wmsdomain
      00:31:45,691 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) Password hashing activated: algorithm = SHA-256, encoding = base64, charset = {default}, callback = null, storeCallback = null
      00:31:45,691 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) DatabaseServerLoginModule, dsJndiName=java:/datasources/WMSDS
      00:31:45,691 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) principalsQuery=SELECT PASSWORD FROM WMSUSER WHERE NAME = ?
      00:31:45,707 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) rolesQuery=select name , 'Roles'  from wmsuserrole where ID in( select WMSUSERROLE_ID from wmsuser where name=?)
      00:31:45,707 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) suspendResume=true
      00:31:45,707 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) login
      00:31:45,722 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) suspendAnyTransaction
      00:31:45,722 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) Excuting query: SELECT PASSWORD FROM WMSUSER WHERE NAME = ?, with username: wmsuser2
      00:31:45,863 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) Obtained user password
      00:31:45,863 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) resumeAnyTransaction
      00:31:45,863 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) Bad password for username=wmsuser2
      00:31:45,863 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-localhost-127.0.0.1-8080-2) abort
      00:31:45,879 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-localhost-127.0.0.1-8080-2) Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
      

       

      My security domain:

       

      <security-domain name="wmsdomain" cache-type="default">
          <authentication>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="Database" flag="required">
                  <module-option name="dsJndiName" value="java:/datasources/WMSDS"/>
                  <module-option name="principalsQuery" value="SELECT PASSWORD FROM WMSUSER WHERE NAME = ?"/>
                  <module-option name="rolesQuery" value="select name , 'Roles'  from wmsuserrole where ID in( select WMSUSERROLE_ID from wmsuser where name=?)"/>
                  <module-option name="password-stacking" value="useFirstPass"/>
                  <module-option name="hashAlgorithm" value="SHA-256"/>
                  <module-option name="hashEncoding" value="base64"/>
              </login-module>
          </authentication>
      </security-domain>
      

       

      My encryption:

       

      MessageDigest mdEnc = null;
      try {
        mdEnc = MessageDigest.getInstance("SHA-256");
      } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
      }
      // Encryption algorithm
      mdEnc.update(aPassword.getBytes(), 0, aPassword.length());

      String md5 = new BigInteger(1, mdEnc.digest()).toString(16); // Encrypted string

       

      Did I miss something ?

        • 1. Re: Database login module with encrypted password.
          Sueleyman Vurucu Expert

          Ok I found this problem.

           

          I added the dependency:

           

          <dependency>
              <groupId>org.picketbox</groupId>
              <artifactId>picketbox</artifactId>
              <version>4.0.7.Final</version>
          </dependency>

           

          to my project and looked at what JBoss does, by encrypting my password with String createPasswordHash = Util.createPasswordHash("MD5", "hex", null, null, aPassword);

          So I have to use this for the login module:

          <module-option name="hashAlgorithm" value="MD5"/>
          <module-option name="hashEncoding" value="hex"/>
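
Added example, not part of the original thread and not JBoss or PicketBox code: the security domain in the question sets hashAlgorithm=SHA-256 with hashEncoding=base64, while the question's code stores the digest as hex, so the stored string and the string the module computes at login cannot be equal. The class name, helper names and sample password are constructed; the code assumes standard padded Base64 and UTF-8 password bytes (which corresponds to setting hashCharset to UTF-8 on the module).

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class StoredHashEncoding {

    static byte[] sha256(String password) throws NoSuchAlgorithmException {
        // Explicit charset so the writer and the login module hash the same bytes.
        return MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // What the question's code stores: hex via BigInteger (drops leading zeros).
    static String bigIntegerHex(byte[] digest) {
        return new BigInteger(1, digest).toString(16);
    }

    // Fixed-width lowercase hex, two characters per byte.
    static String paddedHex(byte[] digest) {
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // What hashEncoding=base64 expects to find in the PASSWORD column.
    static String base64(byte[] digest) {
        return Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = "constructed-sample-password"; // constructed sample input
        byte[] digest = sha256(password);
        String stored = bigIntegerHex(digest);   // written at registration
        String expected = base64(digest);        // computed by the module at login
        System.out.println("stored (hex)      : " + stored);
        System.out.println("expected (base64) : " + expected);
        System.out.println("match             : " + stored.equals(expected));

        // A digest starting with a zero byte shows the BigInteger truncation.
        byte[] leadingZero = new byte[32];
        leadingZero[31] = 0x2a;
        System.out.println("BigInteger hex length: " + bigIntegerHex(leadingZero).length());
        System.out.println("padded hex length    : " + paddedHex(leadingZero).length());
    }
}
```

Writing the `base64(...)` form into the PASSWORD column lets the domain keep SHA-256 instead of switching to MD5. If hex is preferred, the fixed-width form avoids the intermittent mismatch that `BigInteger.toString(16)` causes when a digest begins with a zero nibble.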