1 Reply Latest reply on Jul 14, 2013 12:25 PM by 987654321

    JBoss AS7.1 Switch from basic to digest authentication & SHA-256

    987654321 Newbie

      I have a working JAX-RS web service which uses basic authentication. The user passwords are stored as a SHA-256 hash value plus additional base64 ecoding. The following configuration works fine for this.

       

              <security-domains>
                  <security-domain name="SgpRealm" cache-type="default">
                      <authentication>
                          <login-module code="Database" flag="required">
                              <module-option name="dsJndiName" value="java:/MySqlDS"/>
                              <module-option name="principalsQuery" value="SELECT pwd FROM customer where eMail=?"/>
                              <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM roles WHERE eMail=?"/>
                              <module-option name="hashAlgorithm" value="SHA-256"/>
                              <module-option name="hashEncoding" value="base64"/>
                              <module-option name="hashUserPassword" value="true"/>
                              <module-option name="hashStorePassword" value="false"/>
                          </login-module>
                      </authentication>
                  </security-domain>

       

      No I want to switch from basic to digest authentication. Is there a way to do this, whereby the stored passwords in data base are still SHA-256 hashed plus base64 encoded?

       

      So far I know, a digest authentication works like:

      Hash1 = MD5("username:realm:password")
      Hash2 = MD5("http-method:uri")
      Response = MD5("Hash1:nonce:nc:cnonce:qop:Hash2")
      

       

      But so far the delivered plain-text-password is hashed by JBoss like:

      base64(SHA-256("plainTextPassword"))
      

       

      Thanks in advance

        • 1. Re: JBoss AS7.1 Switch from basic to digest authentication & SHA-256
          987654321 Newbie

          To be a bit more specific, the digest authentication works fine for me as long the user passwords in data base are hashed with MD5. What I want is, to keep the user passwords as a SHA-256 hash (additional base64 encoding is just optional) in data base.

          So what I need is, that the client sends the password SHA-256 encoded like:

           

          Hash1 = SHA-256("username:realm:password")
          Hash2 =
          SHA-256("http-method:uri")
          Response =
          SHA-256("Hash1:nonce:nc:cnonce:qop:Hash2")

           

          Is there a way that JBoss can force the client to do so?