1 Reply Latest reply on Jul 14, 2013 12:25 PM by 987654321

    JBoss AS7.1 Switch from basic to digest authentication & SHA-256

    987654321 Newbie

      I have a working JAX-RS web service which uses basic authentication. The user passwords are stored as a SHA-256 hash value plus additional base64 encoding. The following configuration works fine for this.


      <security-domain name="SgpRealm" cache-type="default">
          <login-module code="Database" flag="required">
              <module-option name="dsJndiName" value="java:/MySqlDS"/>
              <module-option name="principalsQuery" value="SELECT pwd FROM customer where eMail=?"/>
              <module-option name="rolesQuery" value="SELECT role, 'Roles' FROM roles WHERE eMail=?"/>
              <module-option name="hashAlgorithm" value="SHA-256"/>
              <module-option name="hashEncoding" value="base64"/>
              <module-option name="hashUserPassword" value="true"/>
              <module-option name="hashStorePassword" value="false"/>
          </login-module>
      </security-domain>


      Now I want to switch from basic to digest authentication. Is there a way to do this, whereby the stored passwords in the database are still SHA-256 hashed plus base64 encoded?


      As far as I know, digest authentication works like:

      Hash1 = MD5("username:realm:password")
      Hash2 = MD5("http-method:uri")
      Response = MD5("Hash1:nonce:nc:cnonce:qop:Hash2")


      But so far the delivered plain-text-password is hashed by JBoss like:



      Thanks in advance

        • 1. Re: JBoss AS7.1 Switch from basic to digest authentication & SHA-256
          987654321 Newbie

          To be a bit more specific, the digest authentication works fine for me as long as the user passwords in the database are hashed with MD5. What I want is to keep the user passwords as a SHA-256 hash (additional base64 encoding is just optional) in the database.

          So what I need is that the client sends the password SHA-256 encoded like:


          Hash1 = SHA-256("username:realm:password")
          Hash2 =
          Response =


          Is there a way that JBoss can force the client to do so?
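Added example, not from the thread or from JBoss: the Hash1/Hash2/Response computation from the question in Python, with the hash function parameterised so the same code covers MD5 (RFC 2617) and the SHA-256 variant the reply asks for (later standardised by RFC 7616 as algorithm="SHA-256"). It also shows the server side verifying from a stored Hash1 (HA1) alone, and failing when the store holds base64(SHA-256(password)) as the Database login module above does, since HA1 cannot be derived from that value. Sample credentials and nonces are the RFC 2617 section 3.5 example values.

```python
import base64
import hashlib
import secrets

def _h(algorithm, text):
    # RFC 2617 uses MD5; RFC 7616 adds algorithm="SHA-256" with the same construction.
    return hashlib.new(algorithm.replace("-", "").lower(), text.encode()).hexdigest()

def ha1(algorithm, username, realm, password):
    # Hash1 from the post: the only password-derived value the server must keep.
    return _h(algorithm, f"{username}:{realm}:{password}")

def digest_response(algorithm, ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    # Hash2 and Response exactly as in the post (qop=auth form).
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def server_verify(algorithm, stored_ha1, p):
    # The server recomputes the response from its stored HA1; it never sees the password.
    expected = digest_response(algorithm, stored_ha1, p["method"], p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p["qop"])
    return secrets.compare_digest(expected, p["response"])

# Constructed sample values, taken from the RFC 2617 section 3.5 example.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
PARAMS = {"method": "GET", "uri": "/dir/index.html", "qop": "auth",
          "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "nc": "00000001", "cnonce": "0a4f113b"}

def demo(algorithm):
    # Client side: derives Hash1 from the plaintext password and answers the challenge.
    client = dict(PARAMS)
    client["response"] = digest_response(algorithm, ha1(algorithm, USER, REALM, PASSWORD),
                                         PARAMS["method"], PARAMS["uri"], PARAMS["nonce"],
                                         PARAMS["nc"], PARAMS["cnonce"], PARAMS["qop"])
    # Store A: pre-hashed HA1, the value a digest-capable user store must hold.
    store_ha1 = ha1(algorithm, USER, REALM, PASSWORD)
    # Store B: base64(SHA-256(password)), the format the thread's Database login module uses.
    store_sha256_b64 = base64.b64encode(hashlib.sha256(PASSWORD.encode()).digest()).decode()
    return {
        "response": client["response"],
        "verified_with_stored_ha1": server_verify(algorithm, store_ha1, client),
        "verified_with_stored_sha256_pw": server_verify(algorithm, store_sha256_b64, client),
    }

if __name__ == "__main__":
    for alg in ("MD5", "SHA-256"):
        print(alg, demo(alg))
```

The MD5 run reproduces the RFC 2617 example response, and in both runs only the HA1 store verifies: keeping base64(SHA-256(password)) at rest is incompatible with digest authentication regardless of which hash the client uses.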