3 Replies Latest reply on Mar 21, 2002 4:44 PM by luke_t

    hashAlgorithm for DatabaseServerLoginModule

    aroller

      App Server = JBoss-2.4.4_Tomcat-4.0.1
      OS = Windows XP

      I have been successfully using the DatabaseServerLoginModule as my login module storing a clear-text password in the database. I have tried to start using hashed passwords with no success. Here are some quick questions before the details:

      ---------------------------------------------

Using MySQL, what is the type mapping that the DatabaseServerLoginModule is expecting? Should I be storing byte[] mapped to BLOB, or should I convert the byte[] back to a String and use VARCHAR?

      -------------------------------------------------

      Is this the right way to hash the password before persisting it?

      protected static MessageDigest shaDigest = MessageDigest.getInstance("SHA");

      this.hashedBytes = shaDigest.digest(clearTextPassword.getBytes());

      Where hashedBytes would be persisted to the database using CMP 2.0.

      ------------------------------------

      My Auth.conf file is as follows:

      free2be {
      org.jboss.security.auth.spi.DatabaseServerLoginModule required
      dsJndiName="java:com.free2be.datasource.ApplicationDataSource"
      principalsQuery="select password from user_profile username where username=?"
      rolesQuery="SELECT t1.role_name, t2.role_group_name FROM role AS t1, role_group AS t2, user_profile AS t3 where t3.username=?"
      hashAlgorithm=SHA
      hashEncoding=hex
      ;
      };

      Any insight would be helpful.

      Aaron Roller

        • 1. Re: hashAlgorithm for DatabaseServerLoginModule
          aroller

          More information:

          When I have the password column set to BLOB and I don't use encryption the login works successfully. MySQL Front database utility shows the blob is being stored as the password I have entered (text view of a BLOB).

So I could only assume that the encryption is the point of failure. How do I hash the clear-text password and save it so that the DatabaseServerLoginModule can successfully compare its hashed version? Am I using HEX or Base64 (neither works)?

          • 2. Re: hashAlgorithm for DatabaseServerLoginModule
            jwkaltz

My understanding is that you don't hash the password yourself; it is passed as clear-text to the login module. If you configured the login module to use hashing, then it will hash the password itself and compare it to whatever the database returns for password, as a string compare.

            The easiest and quickest way to see exactly what's going on, is to inspect the DatabaseServerLoginModule.java, perhaps add some debug messages. This is easy to do, and one of the great advantages of an open-source product :)

• 3. Re: hashAlgorithm for DatabaseServerLoginModule
              luke_t

> So I could only assume that the encryption is the point of failure.
              > How do I hash the clear text password and save it so that the DatabaseServerLoginModule can successfully compare its hashed version?
              > Am I using HEX or Base64 (neither work).

              The hashing is implemented in UsernamePasswordLoginModule, so it doesn't know anything about the database and deals with string hashes exclusively. These should be either hex or base64 encoded - are you encoding the hashes to a base64 or hex string (tomcat 4 style) before storing them in the database?

              There is a static "createPasswordHash" method in the org.jboss.security.Util class which you can use:

              public static String createPasswordHash(String hashAlgorithm, String hashEncoding, String hashCharset, String username, String password)
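The following is an added worked example, not code from this thread and not JBoss's own org.jboss.security.Util; it reimplements what the two replies above describe so it can be run stand-alone. The login module hashes the clear-text password it receives, encodes the digest as a string (hex or base64, per hashEncoding), and does a plain String compare against whatever principalsQuery returns. The value persisted to the database must therefore be that encoded string in a VARCHAR column, not the raw byte[] from MessageDigest.digest() stored in a BLOB. Assumptions made here and not stated in the thread: the module encodes hex in lowercase (so lowercase is generated to match), and the charset used to turn the password into bytes is the one passed as hashCharset; java.util.Base64 requires Java 8 or later. Note also that "SHA" in the JDK means unsalted SHA-1, which illustrates the mechanism but is not an adequate password-storage scheme by current standards.

```java
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

/**
 * Produces the string that a DatabaseServerLoginModule configured with
 * hashAlgorithm=SHA and hashEncoding=hex (or base64) will compare against.
 * This is an illustrative reimplementation, not the JBoss Util class.
 */
public final class PasswordHashDemo {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /** Lowercase hex, two digits per byte (assumed to match the module's encoder). */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX[(b >> 4) & 0x0f]).append(HEX[b & 0x0f]);
        }
        return sb.toString();
    }

    /**
     * Hash clearText with hashAlgorithm and encode the digest as a String
     * according to hashEncoding ("hex" or "base64").
     * The charset is explicit on purpose: String.getBytes() with no argument
     * uses the platform default, which can differ between the application
     * that stores the hash and the server that verifies it.
     */
    static String createPasswordHash(String hashAlgorithm, String hashEncoding,
                                     String hashCharset, String clearText) {
        try {
            MessageDigest md = MessageDigest.getInstance(hashAlgorithm);
            byte[] digest = md.digest(clearText.getBytes(hashCharset));
            if ("hex".equalsIgnoreCase(hashEncoding)) {
                return toHex(digest);
            }
            if ("base64".equalsIgnoreCase(hashEncoding)) {
                return Base64.getEncoder().encodeToString(digest);
            }
            throw new IllegalArgumentException("unsupported hashEncoding: " + hashEncoding);
        } catch (NoSuchAlgorithmException | UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * What the login module effectively does at login time: hash the
     * supplied clear-text password the same way and string-compare it to
     * the value returned by principalsQuery.
     */
    static boolean verify(String storedHash, String hashAlgorithm, String hashEncoding,
                          String hashCharset, String clearText) {
        return createPasswordHash(hashAlgorithm, hashEncoding, hashCharset, clearText)
                .equals(storedHash);
    }

    public static void main(String[] args) {
        String clearText = "secret"; // constructed sample password

        // These are the strings to persist in a VARCHAR password column,
        // one per hashEncoding setting; the raw digest bytes are not usable.
        String hex = createPasswordHash("SHA", "hex", "UTF-8", clearText);
        String b64 = createPasswordHash("SHA", "base64", "UTF-8", clearText);
        System.out.println("store for hashEncoding=hex:    " + hex);
        System.out.println("store for hashEncoding=base64: " + b64);

        // Same algorithm, encoding and charset on both sides: login succeeds.
        System.out.println("hex vs hex:      " + verify(hex, "SHA", "hex", "UTF-8", clearText));
        // Stored one encoding, module configured for the other: string compare fails.
        System.out.println("hex vs base64:   " + verify(hex, "SHA", "base64", "UTF-8", clearText));
        // Wrong password: compare fails.
        System.out.println("wrong password:  " + verify(hex, "SHA", "hex", "UTF-8", "guess"));
    }
}
```

Run it with `javac PasswordHashDemo.java && java PasswordHashDemo`. Whatever produced the stored value must agree with the login-config on all three of hashAlgorithm, hashEncoding and the charset used for getBytes(); a mismatch in any one of them shows up exactly as the symptom in the original post, a login that works with clear-text passwords and fails as soon as hashing is switched on.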