1 Reply Latest reply on Jan 28, 2003 12:20 PM by jwkaltz

    UsersRolesLoginModule hashed password doesn't work

    hecis

      Hi,

      I use UsersRolesLoginModule to log in (FORM). If I don't use a hash, just clear text in users.properties, it works. But if I want to use hashed passwords (I tried MD5, SHA) and store the hashed password in user.properties, the authentication always fails... I enclose my settings:

      <!-- CM login module configuration -->
      <application-policy name = "main-domain">

      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required" >
      <module-option name = "hashAlgorithm">MD5</module-option>
      <module-option name = "hashEncoding">base64</module-option>
      <module-option name = "usersProperties">users.properties</module-option>
      <module-option name = "rolesProperties">roles.properties</module-option>
      <module-option name = "unauthenticatedIdentity">nobody</module-option>
      </login-module>

      </application-policy>

      Thanks for any help.

      Petr

        • 1. Re: UsersRolesLoginModule hashed password doesn't work
          jwkaltz

          What does your stored, hashed password look like?

          I have noticed the following (at least in the UsernamePasswordLoginModule, I don't know if it's the same in the module you are using):
          when you tell the module to hash passwords, it hashes them without a prefix.

          However, my hashing utility (on Unix), when asked to hash with SHA produces something like {SHA}kfldskflsd; and this is how I stored the passwords.

          Since the login module then does a string compare, of course it's always false. So I subclassed the login module and added code to "fix" the string comparison so that it works in this case too.

          Maybe this is the same problem you're having. In any case, to get to the bottom of this, you can write a subclass of the login module you're using, and use that (adding logging statements to find out what's going on).
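
The mismatch described in the reply above, as an added example that is not part of the original thread and is not JBoss code: it uses only the JDK to produce a bare base64 digest (no scheme prefix) and shows why a stored `{SHA}...` value fails a plain string compare until the prefix is stripped. The class and method names are hypothetical, the password is a constructed sample, and UTF-8 is an assumed charset; the value must be produced with the same charset the login module uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class HashedPasswordCheck {

    // Digest the password and base64-encode the result, with no "{SCHEME}" prefix.
    // Assumption: UTF-8 bytes; a different charset changes the digest for non-ASCII passwords.
    static String bareHash(String algorithm, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Remove a leading "{SHA}" / "{MD5}" style tag that some hashing utilities emit.
    static String stripSchemePrefix(String stored) {
        if (stored.startsWith("{")) {
            int end = stored.indexOf('}');
            if (end > 0) {
                return stored.substring(end + 1);
            }
        }
        return stored;
    }

    // Compare after normalizing the stored value; isEqual avoids an early-exit compare.
    static boolean matches(String algorithm, String password, String stored)
            throws NoSuchAlgorithmException {
        byte[] expected = bareHash(algorithm, password).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = stripSchemePrefix(stored.trim()).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        String password = "example-password";   // constructed sample value
        String bare = bareHash("SHA-1", password);
        String prefixed = "{SHA}" + bare;        // shape produced by the Unix utility in the reply

        // Value to store when hashAlgorithm=MD5 and hashEncoding=base64
        System.out.println("MD5/base64 value:        " + bareHash("MD5", password));
        // Plain string compare against a prefixed value never matches
        System.out.println("plain equals (prefixed): " + bare.equals(prefixed));
        // Comparing after stripping the prefix succeeds
        System.out.println("normalized compare:      " + matches("SHA-1", password, prefixed));
    }
}
```

Printing the bare value next to the line stored in the properties file shows at a glance whether a prefix, trailing whitespace or a different encoding (hex instead of base64) is the cause of the failed login.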