Shortly after posting this I saw the DatabaseServerLoginModule class and noticed there was a convertRawPassword method. So it seems to me that I would just need to extend this class and put in my code for decrypting the database password in that method...is this correct?
If so, how do I go about doing this? Where would I put the new class that extends DatabaseServerLoginModule so I could change my login-config.xml to find it?
The login module gets its connection from the jca datasource configuration so the password encryption needs to be done there. See the following wiki page:
Thank you for the reply, but I think I may have been unclear in my question. For this inquiry, I am not concerned about the Datasource password, but rather a User's password. I want to have all Users' passwords stored in the database encrypted.
The problem will be that when the user logs in, I need to decrypt the database password to match the unencrypted password the user would enter on a login form.
This is why I inquired about the convertRawPassword method in the DatabaseServerLoginModule class. I suppose there are two ways to do it: 1) somehow intercept the j_password submitted by the login page and encrypt it before it reaches j_security_check, or 2) decrypt the database password in the login module to compare with the unencrypted password the user would enter.
Am I getting close, or trying to make this too hard?
Thank you for your support,
The more typical way to handle this is to use a secure one-way hash as the storage value. The current login modules support hashing a password for comparison with the password stored in the database. If you do need to store encrypted passwords, convertRawPassword is the only method that needs to be overridden to support this.
Thank you very much. One last question if you have the time:
Once I compile this new class, where do I need to put it so that the login-config.xml file can find it? Can I simply JAR it and put it in the lib folder?
I am currently using a secure, one-way encryption method to store the passwords. That is, once they're stored in the database, there is no way to determine what they are -- the only choice a user has if they forget it is to make a new one. This helps secure the system internally from someone looking up a user's password through a database tool (TORA, etc...).
I have a customized DatabaseServerLoginModule which has a single method:
protected String convertRawPassword(String password)
(thanks for some help from the wiki: http://www.jboss.org/wiki/Wiki.jsp?page=CreatingACustomLoginModule). However, the password that is passed into that method seems to be the database value, NOT the raw password, and the database value, unfortunately, is already encrypted and not recoverable. How am I supposed to take the form value, encrypt it, THEN compare it to the database value? Is that possible?
p.s. I'm off to look up the Java source for the DatabaseLoginModule....
Oh, perhaps I should add I'm using JBoss 4.0.1sp1. Thanks to anyone with any insight into this issue... It doesn't seem to be a popular topic, as there's not much reference to it anywhere in the JAAS forum.
DatabaseServerLoginModule supports hashing of passwords out-of-the-box. (functionality inherited from its base class, UsernamePasswordLoginModule)
More specifically, check out the following login-module parameters...
- hashAlgorithm: the message digest algorithm used to hash passwords. If null then plain passwords will be used.
- hashCharset: the name of the charset/encoding to use when converting the password String to a byte array. Default is the platform's default encoding.
- hashEncoding: the string encoding format to use. Defaults to base64.
- ignorePasswordCase: a flag indicating if the password comparison should ignore case.
mjdinsmore, were you ever able to solve this? I have the same situation where the passwords are stored in the database encrypted and there isn't a way to decrypt them. I basically just want to compare the encrypted input password with the encrypted password stored in the database. Did you have to write your own login module for this? I don't think merely overriding the convertRawPassword method will do it. And the hashAlgorithm/hashCharset/hashEncoding are great but only if you store your passwords in the database as clear text.
Thanks for any help.
Got it, you have to set hashStorePassword to false and hashUserPassword to true.
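The combination from the reply above, written out as a login-config.xml application-policy. This is an added example, not a configuration from the original thread or from the JBoss distribution; the policy name, datasource JNDI name, table and column names in the two queries, and the choice of SHA-256 are assumptions you would replace with your own. hashUserPassword=true makes the module hash what the user typed on the form; hashStorePassword=false tells it that the value returned by principalsQuery is already the stored hash and must be compared as-is.

```xml
<!-- Added example for JBoss 4.x login-config.xml; names below are assumptions -->
<application-policy name="hashed-db-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- datasource the module queries for principals and roles -->
      <module-option name="dsJndiName">java:/MyAppDS</module-option>
      <!-- principalsQuery must return exactly the stored (hashed) password -->
      <module-option name="principalsQuery">
        SELECT password FROM users WHERE username = ?
      </module-option>
      <module-option name="rolesQuery">
        SELECT role, 'Roles' FROM user_roles WHERE username = ?
      </module-option>
      <!-- how the form password is hashed before comparison;
           the stored value must have been produced the same way -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <module-option name="hashCharset">UTF-8</module-option>
      <!-- hash the value from the login form ... -->
      <module-option name="hashUserPassword">true</module-option>
      <!-- ... but do NOT hash the value read from the database again -->
      <module-option name="hashStorePassword">false</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Whatever writes the password column (registration code, a migration script) has to apply the same algorithm, charset and encoding, or no login will ever match; set hashCharset explicitly rather than relying on the platform default so the stored value does not depend on which JVM produced it.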
I have a similar situation wherein the password entered by the User for login is encrypted (custom encryption) and stored in the db, and currently there is no decrypt for the password.
So, I would have to encrypt the password entered by the user on the Login form and compare it with the encrypted password stored in the db.
How can I achieve this?
We had our application deployed under Tomcat earlier, and in Tomcat there is a way where you can specify the encryption class and the encryption method.
Is there a similar way in JBoss?
Any help is appreciated....
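When the stored value was produced by a custom one-way transform that is not a plain MessageDigest, the hashAlgorithm options cannot reproduce it, and the hook to override is validatePassword(inputPassword, expectedPassword) on the base class UsernamePasswordLoginModule, which receives the form password and the value returned by principalsQuery. The following is an added example, not code from the original thread or from JBoss: the package name, the class name and the customEncrypt() body (SHA-256 as lowercase hex) are stand-ins for the application's own routine. It is written in JDK 1.4 syntax so it compiles against the JBoss 4.0.x jars; package it as a jar under server/<config>/lib and reference the class in the login-module code attribute of login-config.xml.

```java
package com.example.security; // hypothetical package, not from the original thread

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import org.jboss.security.auth.spi.DatabaseServerLoginModule;

/**
 * Added example: a DatabaseServerLoginModule that transforms the password
 * typed on the login form with the application's own one-way routine and
 * compares the result to the already-transformed value from the database.
 * The stored value is never "decrypted"; only the input is transformed.
 */
public class CustomHashDatabaseLoginModule extends DatabaseServerLoginModule {

    /**
     * Stand-in for the application's custom encryption. SHA-256 encoded as
     * lowercase hex is an assumption made for this example; replace the body
     * with whatever produced the values already in the password column.
     */
    protected String customEncrypt(String clearText) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(clearText.getBytes("UTF-8"));
            StringBuffer hex = new StringBuffer(digest.length * 2);
            for (int i = 0; i < digest.length; i++) {
                hex.append(Character.forDigit((digest[i] >> 4) & 0xF, 16));
                hex.append(Character.forDigit(digest[i] & 0xF, 16));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available: " + e);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 not available: " + e);
        }
    }

    /**
     * Called by UsernamePasswordLoginModule with the form password and the
     * value returned by principalsQuery (after convertRawPassword). Returning
     * false makes the login fail; a null on either side is treated as failure.
     */
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        if (inputPassword == null || expectedPassword == null) {
            return false;
        }
        return constantTimeEquals(customEncrypt(inputPassword), expectedPassword);
    }

    /**
     * Compare without short-circuiting on the first mismatch, so the time
     * taken does not reveal how many leading characters of the stored value
     * an attacker has guessed correctly.
     */
    static boolean constantTimeEquals(String a, String b) {
        byte[] x;
        byte[] y;
        try {
            x = a.getBytes("UTF-8");
            y = b.getBytes("UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 not available: " + e);
        }
        int diff = x.length ^ y.length;
        for (int i = 0; i < x.length && i < y.length; i++) {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }
}
```

If the custom routine is just a standard digest with a particular encoding, the built-in hashAlgorithm/hashEncoding/hashCharset options with hashUserPassword=true and hashStorePassword=false do the same job with no custom class at all; override validatePassword only when the transform cannot be expressed that way.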