11 Replies Latest reply on Jan 27, 2006 4:46 PM by Mahesh Dixit

    Password Encryption with DatabaseLoginModule

    Scott Jourdan Newbie

      Dear Friends,

      I would like to encrypt all users passwords in the database, meaning having the encrpyted password in the DB. However, I do not know how I can encrpyt the password recieved from the login page, j_password, so that when the DatabaseLoginModule compares the value from the form, with the value in the database, they are the same. Can this be done using DatabaseLoginModule? Or do I need to customize the login module, or can this be done via a valve?

      Any help/advice would be greatly appreciated.

      Thanks,
      SJ

        • 1. Re: Password Encryption with DatabaseLoginModule
          Scott Jourdan Newbie

          Shortly after posting this I saw the DatabaseServerLoginModule class and noticed there was a convertRawPassword method. So it seems to me that I would just need to extend this class and put in my code for decrypting the database password in that method...is this correct?

          If so, how do I go about doing this? Where would I put the new class that extends DatabaseServerLogin module so I could change my Login-config.xml to find it?

          Thanks again,
          SJ

          • 2. Re: Password Encryption with DatabaseLoginModule
            Scott Stark Master

            The login module gets its connection from the jca datasource configuration so the password encryption needs to be done there. See the following wiki page:

            http://www.jboss.org/wiki/Wiki.jsp?page=EncryptingDataSourcePasswords

            • 3. Re: Password Encryption with DatabaseLoginModule
              Scott Jourdan Newbie

              Mr. Starks,

              Thank you for the reply, but I think I may have been unclear on my question. For this inquery, I am not concerned about the Datasource password, but rather a User's password. I want to have all Users' passwords stored in the database encrypted.

              The problem will be when the user logs in, I need to decrypt the database password to match the unencrypted password the user would enter on a login form.

              This is why I inquired about the convertRawPassword method in the DatabaseServerLogin file. I suppose there are two ways to do it; 1) Somehow intercept the j_password submitted by the login page and encrypt it befor it reaches j_security_check, or 2) Decrypt the database passsword in the login module to compare with the unencypted password the user would enter.

              Am I getting close or trying to make this to hard?

              Thank you for your support,
              SJ

              • 4. Re: Password Encryption with DatabaseLoginModule
                Scott Stark Master

                The more typical way to handle this is to use a secure one-way hash as the storage value. The current login modules support hashing a password for comparison of the password stored in the database. If you do need to store encrypted passwords, the convertRawPassword is the only method that needs to be overriden to support this.

                • 5. Re: Password Encryption with DatabaseLoginModule
                  Scott Jourdan Newbie

                  Scott,

                  Thank you very much. One last question if you have the time:

                  Once I compile this new class, where do I need to put it so that the login-config.xml file can find it? Can I simply JAR it and put it in the lib folder?

                  Thanks, SJ

                  • 6. Re: Password Encryption with DatabaseLoginModule
                    Michael Dinsmore Newbie

                    Scott,
                    I am currently using a secure, one-way encryption method to store the passwords. That is, once they're stored in the database, there is no way to determine what they are -- the only choice a user has if they forget it, is to make a new one. This helps secure the system internally from someone looking up a users password through a database tool (TORA, etc...).
                    I have a customized DatabaseServerLoginModule which has a single method:

                    protected String convertRawPassword(String password)

                    (thanks for some help from the wiki: http://www.jboss.org/wiki/Wiki.jsp?page=CreatingACustomLoginModule). However, the password that is passed into that method seems to be the database value, NOT the raw password which, unfortunately is already encrypted and not recoverable. How am I supposed to encrypt the form value and encrypt it THEN compare it to the database value? Is that possible?

                    Thank you,
                    Mike

                    p.s. I'm off to look up the java source for the DatabaseLoginModule....


                    • 7. Re: Password Encryption with DatabaseLoginModule
                      Michael Dinsmore Newbie

                      Oh, perhaps I should add I'm using JBoss 4.0.1sp1. Thanks to anyone with any insight to this issue... Doesn't seem popular as there's not much reference in all of JASS forum/topic regarding this.

                      • 8. Re: Password Encryption with DatabaseLoginModule
                        Frank Grimes Newbie

                        mjdinsmore,

                        DatabaseServerLoginModule supports hashing of passwords out-of-the-box. (functionality inherited from its base class, UsernamePasswordLoginModule)

                        More specifically, check out the following login-module parameters...

                        hashAlgorithm:
                        the message digest algorithm used to hash passwords.
                        If null then plain passwords will be used.

                        hashCharset:
                        the name of the charset/encoding to use when converting
                        the password String to a byte array. Default is the platform's default encoding.

                        hashEncoding:
                        the string encoding format to use. Defaults to base64.

                        ignorePasswordCase:
                        A flag indicating if the password comparison should ignore case.

                        • 9. Re: Password Encryption with DatabaseLoginModule
                          Mike Osganian Newbie

                          mjdinsmore, were you ever able to solve this? I have the same situation where the passwords are stored in the database encrypted and there isn't a way to decrypt them. I basically just want to compare the encrypted input password with the encrypted password stored in the database. Did you have to write your own login module for this? I don't think merely overriding the convertRawPassword method will do it. And the hashAlgorithm/hashCharset/hashEncoding are great but only if you store your passwords in the database as clear text.

                          Thanks for any help.

                          • 10. Re: Password Encryption with DatabaseLoginModule
                            Mike Osganian Newbie

                            Got it, you have to specify the hashStorePassword to false and hashUserPassword to true.

                            • 11. Re: Password Encryption with DatabaseLoginModule
                              Mahesh Dixit Newbie

                              I have a similar situation where in the password entered by the User for login is encrypted (custom encryption) and stored in the db and currently there is no decrypt for the password.
                              So, i would have to encrypt the password entered by the user on the Login form and compare it with the encrypted password stored in db.

                              How can i acheive this ?

                              We had our application deployed under tomcat earlier and in tomcat there is a way where you can specify the Enrcyption class and the encyprion method.

                              Is there a similar way in JBoss ?

                              Any help is appreciated....

                              Thanks
                              Mahesh