1 2 Previous Next 17 Replies Latest reply on Dec 7, 2014 3:07 PM by Adam Daduev

    password encryption in database login-module with picketbox of wildfly.

    Joseph Hwang Novice

      I try to encrypt password in database login module with wildfly picketbox module. These are my sources.

       

      == web.xml

      ...

        <security-role>
            <role-name>administrator</role-name>
        </security-role>

        <login-config>
            <auth-method>DIGEST</auth-method>
            <realm-name>WildFly8DigestRealm</realm-name>
        </login-config>

      ....

       

      == jboss-web.xml

      ...

      <jboss-web>

          <security-domain>java:/jaas/my_secure_domain</security-domain>

      </jboss-web>

       

      == standalone.xml

      ...

      <security-domain name="my_secure_domain" cache-type="default">

          <authentication>

              <login-module code="Database" flag="required">

                  <module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/>

                  <module-option name="principalsQuery" value="select password from credential where uid=?"/>

                  <module-option name="rolesQuery" value="select urole from credential where uid=?"/>

                  <module-option name="hashAlgorithm" value="MD5"/>

                  <module-option name="hashEncoding" value="RFC2617"/>

                  <module-option name="hashUserPassword" value="false"/>

                  <module-option name="hashStorePassword" value="true"/>

                  <module-option name="passwordIsA1Hash" value="true"/>

                  <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>

              </login-module>

          </authentication>

      </security-domain>

      ...

       

      Password is encrypted with below

       

      == EncryptPassword.java

      package com.aaa.encrypt;

       

      import org.jboss.crypto.CryptoUtil;

       

      public class EncryptPassword {

          public static void main(String[] args) {
              // TODO Auto-generated method stub
       

              String userName="admin";
              String realmName="WildFly8DigestRealm";
              String password="passwd123";

              String clearTextPassword=userName+":"+realmName+":"+password; 
              String hashedPassword=CryptoUtil.createPasswordHash("MD5", "RFC2617", null, null, clearTextPassword);
              System.out.println("clearTextPassword: "+clearTextPassword);
              System.out.println("hashedPassword: "+hashedPassword);
          }

      }

       

      But the login failed. The log shows following exceptions.

       

      2014-07-10 20:13:43,023 TRACE [org.jboss.security] (default task-2) PBOX000236: Begin initialize method

      2014-07-10 20:13:43,024 DEBUG [org.jboss.security] (default task-2) PBOX000281: Password hashing activated, algorithm: MD5, encoding: RFC2617, charset: null, callback: null, storeCallBack: org.jboss.security.auth.callback.RFC2617Digest

      2014-07-10 20:13:43,024 TRACE [org.jboss.security] (default task-2) PBOX000262: Module options [dsJndiName: java:jboss/datasources/MySqlDS, principalsQuery: select password from credential where uid=?, rolesQuery: select urole from credential where uid=?, suspendResume: true]

      2014-07-10 20:13:43,025 TRACE [org.jboss.security] (default task-2) PBOX000240: Begin login method

      2014-07-10 20:13:43,182 TRACE [org.jboss.security] (default task-2) PBOX000263: Executing query select password from credential where uid=? with username admin

      2014-07-10 20:13:43,198 TRACE [org.jboss.security] (default task-2) PBOX000284: Created DigestCallback org.jboss.security.auth.callback.RFC2617Digest

      2014-07-10 20:13:43,199 TRACE [org.jboss.security] (default task-2) PBOX000244: Begin abort method

      2014-07-10 20:13:43,200 DEBUG [org.jboss.security] (default task-2) PBOX000206: Login failure: javax.security.auth.login.LoginException: PBOX000055: Failed to invoke CallbackHandler

      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:444) [picketbox-4.0.20.Final.jar:4.0.20.Final]

      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:280) [picketbox-4.0.20.Final.jar:4.0.20.Final]

      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60]

      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60]

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60]

      at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60]

      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_60]

      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_60]

      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_60]

      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_60]

      at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60]

      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_60]

      at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_60]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]

      at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:109)

      at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:77)

      at io.undertow.security.impl.DigestAuthenticationMechanism.handleDigestHeader(DigestAuthenticationMechanism.java:265) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.impl.DigestAuthenticationMechanism.authenticate(DigestAuthenticationMechanism.java:149) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687) [undertow-core-1.0.0.Final.jar:1.0.0.Final]

      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_60]

      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_60]

      at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60]

      Caused by: javax.security.auth.callback.UnsupportedCallbackException

      at org.jboss.security.auth.callback.JBossCallbackHandler.handleCallBack(JBossCallbackHandler.java:138) [picketbox-4.0.20.Final.jar:4.0.20.Final]

      at org.jboss.security.auth.callback.JBossCallbackHandler.handle(JBossCallbackHandler.java:87) [picketbox-4.0.20.Final.jar:4.0.20.Final]

      at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:947) [rt.jar:1.7.0_60]

      at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:944) [rt.jar:1.7.0_60]

      at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60]

      at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:943) [rt.jar:1.7.0_60]

      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:434) [picketbox-4.0.20.Final.jar:4.0.20.Final]

      ... 47 more

       

      I need your advice. Pls inform me what is wrong in my sources.

      Thanks in advance!!

        • 1. Re: password encryption in database login-module with picketbox of wildfly.
          Frank Langelage Master

          Some remarks:

          - as far as I know, the rolesQuery has to return a second column formerly name "role_group" with fixed content "Roles" always. See also Re: Problems with authentication with WildFly.

          <module-option name="rolesQuery" value="SELECT role, role_group FROM mbi_jrole WHERE username=?"/>

           

          - this might be related:

          2014-07-10 20:13:43,024 DEBUG [org.jboss.security] (default task-2) PBOX000281: Password hashing activated, algorithm: MD5, encoding: RFC2617, charset: null, callback: null, storeCallBack: org.jboss.security.auth.callback.RFC2617Digest

          Caused by: javax.security.auth.callback.UnsupportedCallbackException at org.jboss.security.auth.callback.JBossCallbackHandler.handleCallBack(JBossCallbackHandler.java:138) [picketbox-4.0.20.Final.jar:4.0.20.Final]

          A parameter missing in your xml?

          1 of 1 people found this helpful
          • 2. Re: password encryption in database login-module with picketbox of wildfly.
            Joseph Hwang Novice

            Thank you for your reply, Frank!

            So I modified some of my codes like below with your advice,

             

            <security-domain name="my_secure_domain" cache-type="default">

                <authentication>

                    <login-module code="Database" flag="required">

                        <module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/>

                        <module-option name="principalsQuery" value="select password from credential where uid=?"/>

                        <module-option name="rolesQuery" value="select urole, role_group from credential where uid=?"/>

                        <module-option name="hashAlgorithm" value="MD5"/>

                        <module-option name="hashEncoding" value="base64"/>

                        <module-option name="hashCharset" value="UTF-8"/>

                    </login-module>

                 </authentication>

            </security-domain>

             

            And I encrypted password with this codes

             

            import org.jboss.crypto.CryptoUtil;

             

            public class EncryptPassword {

                public static void main(String[] args) {
                    // TODO Auto-generated method stub
                    String userName="admin";
                    String realmName="WildFly8DigestRealm";
                    String password="passwd123";

                    String clearTextPassword=userName+":"+realmName+":"+password; 
                    String hashedPassword=CryptoUtil.createPasswordHash("MD5", "base64", "UTF-8", null, clearTextPassword);
                    System.out.println("clearTextPassword: "+clearTextPassword);
                    System.out.println("hashedPassword: "+hashedPassword);
                }

            }

             

            But Login was also failed, The log shows that,

             

            2014-07-12 16:09:01,729 TRACE [org.jboss.security] (default task-3) PBOX000200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@586034f, cache entry: null
            2014-07-12 16:09:01,729 TRACE [org.jboss.security] (default task-3) PBOX000209: defaultLogin, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@586034f
            2014-07-12 16:09:01,729 TRACE [org.jboss.security] (default task-3) PBOX000221: Begin getAppConfigurationEntry(my_secure_domain), size: 4
            2014-07-12 16:09:01,730 TRACE [org.jboss.security] (default task-3) PBOX000224: End getAppConfigurationEntry(my_secure_domain), AuthInfo: AppConfigurationEntry[]:
            [0]
            LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
            ControlFlag: LoginModuleControlFlag: required
            Options:
            name=hashCharset, value=UTF-8
            name=hashAlgorithm, value=MD5
            name=principalsQuery, value=select password from credential where uid=?
            name=hashEncoding, value=base64
            name=dsJndiName, value=java:jboss/datasources/MySqlDS
            name=rolesQuery, value=select urole, role_group from credential where uid=?

             

            2014-07-12 16:09:01,730 TRACE [org.jboss.security] (default task-3) PBOX000236: Begin initialize method
            2014-07-12 16:09:01,731 DEBUG [org.jboss.security] (default task-3) PBOX000281: Password hashing activated, algorithm: MD5, encoding: base64, charset: UTF-8, callback: null, storeCallBack: null
            2014-07-12 16:09:01,731 TRACE [org.jboss.security] (default task-3) PBOX000262: Module options [dsJndiName: java:jboss/datasources/MySqlDS, principalsQuery: select password from credential where uid=?, rolesQuery: select urole, role_group from credential where uid=?, suspendResume: true]
            2014-07-12 16:09:01,732 TRACE [org.jboss.security] (default task-3) PBOX000240: Begin login method
            2014-07-12 16:09:01,733 TRACE [org.jboss.security] (default task-3) PBOX000263: Executing query select password from credential where uid=? with username admin
            2014-07-12 16:09:01,736 DEBUG [org.jboss.security] (default task-3) PBOX000283: Bad password for username admin
            2014-07-12 16:09:01,736 TRACE [org.jboss.security] (default task-3) PBOX000244: Begin abort method
            2014-07-12 16:09:01,736 DEBUG [org.jboss.security] (default task-3) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
            at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.20.Final.jar:4.0.20.Final]
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60]
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60]
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60]
            at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60]
            at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_60]
            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_60]
            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_60]
            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_60]
            at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60]
            at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_60]
            at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_60]
            at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]
            at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]
            at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]
            at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.20.Final.jar:4.0.20.Final]
            at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:109)
            at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:77)
            at io.undertow.security.impl.DigestAuthenticationMechanism.handleDigestHeader(DigestAuthenticationMechanism.java:265) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.impl.DigestAuthenticationMechanism.authenticate(DigestAuthenticationMechanism.java:149) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.server.Connectors.executeRootHandler(Connectors.java:168) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:687) [undertow-core-1.0.0.Final.jar:1.0.0.Final]
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_60]
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_60]
            at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60]

             

            2014-07-12 16:09:01,739 TRACE [org.jboss.security] (default task-3) PBOX000201: End isValid, result = false
            2014-07-12 16:09:01,741 TRACE [org.jboss.security] (default task-3) PBOX000354: Setting security roles ThreadLocal: null

             

            Do you think my encrypted password is generated wrong? Pls, inform me how you encrypted your password?

            Your help will be deeply appreciated. Thanks

            • 3. Re: Re: password encryption in database login-module with picketbox of wildfly.
              Frank Langelage Master

              My config is a bit diffrent:

              Login-module used is DatabaseUsers configured in standalone-full.xml like this:

              <login-module code="DatabaseUsers" flag="required">

                <module-option name="dsJndiName" value="java:jboss/datasources/DefaultDS"/>

                <module-option name="principalsQuery" value="SELECT password FROM mbi_juser WHERE username=? AND is_activ=1"/>

                <module-option name="rolesQuery" value="SELECT role, role_group FROM mbi_jrole WHERE username=?"/>

                <module-option name="hashAlgorithm" value="MD5"/>

                <module-option name="hashEncoding" value="base64"/>

              </login-module>

              AFAIK DatabaseUsers is just an alias for Database.

               

              $JAVA_HOME/bin/java -classpath $JARFILE org.jboss.security.Base64Encoder $PASSWD MD5 | tr -d '[]'

              JARFILE=$JBOSS_HOME/modules/system/layers/base/org/picketbox/main/picketbox-4.0.21.Beta1.jar (depends on your exact WF version)

               

              As you can see, I only encrypt and hash the password itself, no username, no RealmName.

              So I think this is the fault, I cannot see how your way could work.

              1 of 1 people found this helpful
              • 4. Re: password encryption in database login-module with picketbox of wildfly.
                Joseph Hwang Novice

                I changed encryption java file like below ;

                 

                import java.security.MessageDigest;

                import org.jboss.security.Base64Encoder;

                 

                public class EncryptPassword {

                   public static void main(String[] args) {
                      // TODO Auto-generated method stub
                         String algoritmo = "MD5";
                         String clearTextPassword = "passwd123";
                         String hashedPassword = null;

                      

                         try {
                            byte[] hash = MessageDigest.getInstance(algoritmo).digest(clearTextPassword.getBytes());
                            hashedPassword = Base64Encoder.encode(hash);
                            System.out.println("Clear Text Password : " + clearTextPassword);
                            System.out.println("Encrypted Password : " + hashedPassword);
                         } catch (Exception e) {
                            e.printStackTrace();
                        }
                   }
                }

                 

                And also I executed java command on shell like below as well as above java file

                 

                C:\>java -cp c:\wildfly-8.1.0.final\modules\system\layers\base\org\picketbox\main\picketbox-4.0.21.Beta1.jar  org.jboss.security.Base64Encoder  passwd123  MD5

                 

                Both result brings the same hashed password and hashed password is updated.

                 

                Clear Text Password : passwd123

                Encrypted Password : EWT55bjO92g5bc1TdOS26w==

                 

                However, login is still failed. And in server.log it throws same exception.

                I need any help desperately.

                • 5. Re: password encryption in database login-module with picketbox of wildfly.
                  Joseph Hwang Novice

                  Dear Frank!

                  I think my hashed password is wrong itself, not correctly encrypted. The plain password login in BASIC login-config is successful. Login fails and log throws the same exception only in DIGEST login-config with database login module and even with UsersRoles login module. I am afraid my password encryption source and configuration seem to be totally wrong!! For your information, my configuration file is standalone.xml, not standalone-full.xml.

                  Any idea or reference site?

                  • 6. Re: password encryption in database login-module with picketbox of wildfly.
                    Frank Langelage Master

                    Ah, yes. You're using DIGEST, I'm using FORM.

                    For DIGEST-password you can use

                    java -classpath $JBOSS_HOME/modules/system/layers/base/org/picketbox/main/picketbox-4.0.21.Beta1.jar org.jboss.security.auth.callback.RFC2617Digest <Username> <Realmname> <Password> 

                    e.g.

                    java -classpath $JBOSS_HOME/modules/system/layers/base/org/picketbox/main/picketbox-4.0.21.Beta1.jar org.jboss.security.auth.callback.RFC2617Digest admin WildFly8DigestRealm passwd123                                                                                

                    which gives

                    RFC2617 A1 hash: 7b4b25cb806856a998ae6455f2445ae8

                    • 7. Re: password encryption in database login-module with picketbox of wildfly.
                      Joseph Hwang Novice

                      Thank you for your immediate reply, Frank !

                      The hashed password from EncryptPassword.java is the exact  same of the password generated from your above java command.

                      I think next step is configuration of database login module in standalone.xml.

                      As i mentioned above, security-configuration is like below,

                       

                      <authentication>

                              <login-module code="Database" flag="required">

                                  <module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/>

                                  <module-option name="principalsQuery" value="select password from credential where uid=?"/>

                                  <module-option name="rolesQuery" value="select urole, 'Roles' from credential where uid=?"/>

                                  <module-option name="hashAlgorithm" value="MD5"/>

                                  <module-option name="hashEncoding" value="RFC2617"/>

                                  <module-option name="hashUserPassword" value="false"/>

                                  <module-option name="hashStorePassword" value="true"/>

                                  <module-option name="passwordIsA1Hash" value="true"/>

                                  <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>

                              </login-module>

                          </authentication>

                       

                       

                      This database login-module configuration worked well on JBoss AS 7, But on WildFly 8 it throws the following exception,

                       

                      2014-07-10 20:13:43,023 TRACE [org.jboss.security] (default task-2) PBOX000236: Begin initialize method

                      2014-07-10 20:13:43,024 DEBUG [org.jboss.security] (default task-2) PBOX000281: Password hashing activated, algorithm: MD5, encoding: RFC2617, charset: null, callback: null, storeCallBack: org.jboss.security.auth.callback.RFC2617Digest

                      2014-07-10 20:13:43,024 TRACE [org.jboss.security] (default task-2) PBOX000262: Module options [dsJndiName: java:jboss/datasources/MySqlDS, principalsQuery: select password from credential where uid=?, rolesQuery: select urole, 'Roles' from credential where uid=?, suspendResume: true]

                      2014-07-10 20:13:43,025 TRACE [org.jboss.security] (default task-2) PBOX000240: Begin login method

                      2014-07-10 20:13:43,182 TRACE [org.jboss.security] (default task-2) PBOX000263: Executing query select password from credential where uid=? with username admin

                      2014-07-10 20:13:43,198 TRACE [org.jboss.security] (default task-2) PBOX000284: Created DigestCallback org.jboss.security.auth.callback.RFC2617Digest

                      2014-07-10 20:13:43,199 TRACE [org.jboss.security] (default task-2) PBOX000244: Begin abort method

                      2014-07-10 20:13:43,200 DEBUG [org.jboss.security] (default task-2) PBOX000206: Login failure: javax.security.auth.login.LoginException: PBOX000055: Failed to invoke CallbackHandler

                      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:444) [picketbox-4.0.20.Final.jar:4.0.20.Final]

                      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:280) [picketbox-4.0.20.Final.jar:4.0.20.Final]

                      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60]

                      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60]

                      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60]

                      at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60]

                      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_60]

                       

                      Is there any update or modification of database module-option of wildfly 8 from the previous JBoss AS7 ?

                      Your advice will be deeply appreciated! Thanks

                      • 8. Re: password encryption in database login-module with picketbox of wildfly.
                        Frank Langelage Master

                        Looking at https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6/html/API_Documentation/files/javadoc/org/jboss/security/auth/spi/UsernamePasswordLoginModule.html

                        or http://grepcode.com/file/repo1.maven.org/maven2/org.picketbox/picketbox/4.0.20.Final/org/jboss/security/auth/spi/UsernamePasswordLoginModule.java

                        it seems you need to add an additional option, because they say "digestCallback - The class name of the DigestCallback DigestCallback implementation that includes pre/post digest content like salts for hashing the input password. Only used if hashAlgorithm has been specified."

                        And "org.jboss.security.auth.callback.DigestCallbackHandler" might be the right value for it. But I did not find any hint to this using my favorite search engine.

                         

                        Is there any further stack with "Caused by" in server.log?

                        • 9. Re: password encryption in database login-module with picketbox of wildfly.
                          Joseph Hwang Novice

                          Thank you for your reply,Frank! I think we seem to be almost close to solve this issue.

                          I added the following line into my Database login-module like below:

                           

                          <security-domain name="my_secure_domain" cache-type="default">

                               <authentication>

                                    <login-module code="Database" flag="required">

                                         <module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/>

                                         <module-option name="principalsQuery" value="select password from credential where uid=?"/>

                                         <module-option name="rolesQuery" value="select urole, 'Roles' from credential where uid=?"/>

                                         <module-option name="hashAlgorithm" value="MD5"/>

                                         <module-option name="hashEncoding" value="RFC2617"/>

                                         <module-option name="hashUserPassword" value="false"/>

                                         <module-option name="hashStorePassword" value="true"/>

                                         <module-option name="passwordIsA1Hash" value="true"/>

                                         <module-option name="digestCallback" value="org.jboss.security.auth.callback.DigestCallbackHandler"/>

                                         <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>

                                    </login-module>

                               </authentication>

                          </security-domain>

                           

                          But the log throws the same exceptions and 'caused by' statements

                           

                          LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
                          ControlFlag: LoginModuleControlFlag: required
                          Options:
                          name=digestCallback, value=org.jboss.security.auth.callback.DigestCallbackHandler
                          name=hashUserPassword, value=false
                          name=hashAlgorithm, value=MD5
                          name=principalsQuery, value=select password from credential where uid=?
                          name=passwordIsA1Hash, value=true
                          name=hashEncoding, value=RFC2617
                          name=dsJndiName, value=java:jboss/datasources/MySqlDS
                          name=storeDigestCallback, value=org.jboss.security.auth.callback.RFC2617Digest
                          name=hashStorePassword, value=true
                          name=rolesQuery, value=select urole, 'Roles' from credential where uid=?

                           

                          2014-07-18 21:37:45,246 TRACE [org.jboss.security] (default task-3) PBOX000236: Begin initialize method
                          2014-07-18 21:37:45,246 DEBUG [org.jboss.security] (default task-3) PBOX000281: Password hashing activated, algorithm: MD5, encoding: RFC2617, charset: null, callback: org.jboss.security.auth.callback.DigestCallbackHandler, storeCallBack: org.jboss.security.auth.callback.RFC2617Digest
                          2014-07-18 21:37:45,247 TRACE [org.jboss.security] (default task-3) PBOX000262: Module options [dsJndiName: java:jboss/datasources/MySqlDS, principalsQuery: select password from credential where uid=?, rolesQuery: select urole, 'Roles' from credential where uid=?, suspendResume: true]
                          2014-07-18 21:37:45,247 TRACE [org.jboss.security] (default task-3) PBOX000240: Begin login method
                          2014-07-18 21:37:45,249 TRACE [org.jboss.security] (default task-3) PBOX000263: Executing query select password from credential where uid=? with username admin
                          2014-07-18 21:37:45,251 TRACE [org.jboss.security] (default task-3) PBOX000284: Created DigestCallback org.jboss.security.auth.callback.RFC2617Digest
                          2014-07-18 21:37:45,252 TRACE [org.jboss.security] (default task-3) PBOX000244: Begin abort method
                          2014-07-18 21:37:45,252 DEBUG [org.jboss.security] (default task-3) PBOX000206: Login failure: javax.security.auth.login.LoginException: PBOX000055: Failed to invoke CallbackHandler
                          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:444) [picketbox-4.0.21.Beta1.jar:4.0.21.Beta1]
                          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:280) [picketbox-4.0.21.Beta1.jar:4.0.21.Beta1]
                          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60]
                          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60]
                          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60]
                          at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60]
                          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_60]
                          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_60]
                          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_60]
                          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_60]
                          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60]
                          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_60]
                          at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_60]
                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) [picketbox-infinispan-4.0.21.Beta1.jar:4.0.21.Beta1]
                          at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:111)
                          at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:77)
                          at io.undertow.security.impl.DigestAuthenticationMechanism.handleDigestHeader(DigestAuthenticationMechanism.java:265) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.impl.DigestAuthenticationMechanism.authenticate(DigestAuthenticationMechanism.java:149) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:281) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:298) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:268) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:131) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:106) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:99) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:54) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:27) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
                          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
                          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_60]
                          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_60]
                          at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_60]


                          Caused by: javax.security.auth.callback.UnsupportedCallbackException
                          at org.jboss.security.auth.callback.JBossCallbackHandler.handleCallBack(JBossCallbackHandler.java:138) [picketbox-4.0.21.Beta1.jar:4.0.21.Beta1]
                          at org.jboss.security.auth.callback.JBossCallbackHandler.handle(JBossCallbackHandler.java:87) [picketbox-4.0.21.Beta1.jar:4.0.21.Beta1]
                          at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:947) [rt.jar:1.7.0_60]
                          at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:944) [rt.jar:1.7.0_60]
                          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60]
                          at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:943) [rt.jar:1.7.0_60]
                          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:434) [picketbox-4.0.21.Beta1.jar:4.0.21.Beta1]
                          ... 49 more

                          • 10. Re: password encryption in database login-module with picketbox of wildfly.
                            Bradley Snyder Newbie

                            I think I see what's going on here. The short story is I believe digestCallback and storeDigestCallback should be the same, should BOTH be set to org.jboss.security.auth.callback.RFC2617Digest. You're getting UnsupportedCallbackException because instead of giving the code a Callback, you are giving it a CallbackHandler.

                             

                            Look closely at the following places in the UserPasswordLoginModule source code that Frank linked:

                             

                                 -Line 261

                                      // Hash the user entered password if password hashing is in use

                                      if( hashAlgorithm != null && hashUserPassword == true )

                                           password = createPasswordHash(username, password, DIGEST_CALLBACK);

                                 -Line 279

                                      // Allow the storeDigestCallback to hash the expected password

                                      if( hashAlgorithm != null && hashStorePassword == true )

                                           expectedPassword = createPasswordHash(username, expectedPassword, STORE_DIGEST_CALLBACK);

                                 -Line 434: callbackHandler.handle(callbacks);

                             

                            It's not super clear to me what these properties are referring to, but I believe that hashUserPassword is referring to what the user actually sends, and hashStorePassword is referring to what is in the database. Or maybe something else? Either way, both digestCallback and storeDigestCallback are being used in the exact same way in the exact same function. The only reason DIGEST_CALLBACK and STORE_DIGEST_CALLBACK would be different as far as I can see is if there was some sort of difference in encryption between how the user sends credentials and how the store encrypts the credentials in the database, and in that case they'd both still be callback classes, not a handler like your DigestCallbackHandler. The code calls callbackHandler.handle(callbacks), where callbacks is what you are specifying. But you are basically telling it to do callbackHandler.handle(callbackHandler), which clearly won't work.

                             

                            Make digestCallback == storeDigestCallback and see what happens.

                            • 11. Re: password encryption in database login-module with picketbox of wildfly.
                              Joseph Hwang Novice

                              I coded like below as your advice :

                               

                              <module-option name="digestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>

                              <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>

                               

                              But login failed and in server.log it throws the same exception.

                              Any way thanks for your interest.

                              • 12. Re: password encryption in database login-module with picketbox of wildfly.
                                Joseph Hwang Novice

                                Dear Frank!

                                Do you think this issue is caused by the bug of wildfly 8 jaas? and do we have to make JIRA to solve this issue?

                                If you agree, pls reply me. Thanks!

                                • 13. Re: Re: password encryption in database login-module with picketbox of wildfly.
                                  Bradley Snyder Newbie

                                  I don't think this is a bug. I think there's a missing step.

                                   

                                  The core of your issue: there has to be some property somewhere that changes the Callback Handler from the JBossCallbackHandler in your stack trace to the DigestCallbackHandler. And it's not going to be a <module-option>; I've searched UsernamePasswordLoginModule, RFC2617Digest, DigestCallbackHandler, and JBossCallbackHandler trying to figure this out.

                                   

                                  I did find this: Security subsystem configuration - WildFly 8 - Project Documentation Editor - scroll down to security-management and look at "default-callback-handler-class-name". I believe setting that to org.jboss.security.auth.callback.DigestCallbackHandler (or maybe just DigestCallbackHandler, but I bet fully qualified is required) will do it. The problem is, you can't do it. I tried to test this out, and the server wouldn't start and threw "Message: JBAS014788: Unexpected attribute 'default-callback-handler-class-name' encountered".

                                   

                                  If you look in the ${jboss.home.dir}/docs/schema/, you'll notice that jboss-as-security_1_0.xsd is the only one that supports that attribute (line 85). jboss-as-security_1_1 and _1_2 do not. I tried setting the subsystem to 1.0 but that didn't work either. There has to be a way to tell Picketbox to use DigestCallbackHandler instead of JBossCallbackHandler. Maybe as a <system-property> at the top of the standalone.xml file?

                                   

                                  Edit: actually, on further thought, maybe the removal of "default-callback-handler-class-name" from <security-management> is a bug/mistake that broke the DIGEST options in UsernamePasswordLoginModule.

                                  • 14. Re: password encryption in database login-module with picketbox of wildfly.
                                    Joseph Hwang Novice

                                    Thank you for your detail reply, Bradley! But above configuration worked well in JBoss AS 7. So I want to make JIRA issue. If i am wrong, this issue would be solved by the issue assignee any way.

                                    This is the link of JIRA issue, https://issues.jboss.org/browse/WFLY-3659

                                    Why don't  you join with us as well as Frank Langelage

                                    1 2 Previous Next