5 Replies Latest reply on Dec 24, 2004 2:03 AM by alan shields

    password in custom LoginModule

    alan shields Newbie

      I'm writing a custom login module,

      When I get the value from the password callback it appears to have been encrypted in some way.

      Is there any way I can get hold of what the user actually typed?

      I'm trying to compare the password with an existing value in a db that was encrypted with a simple one way hash, Ideally I need the users entered password so that I can run that through the same routine before comparing with the db.

      Failing that does anybody know how the password is being encrypted? I thought it might be MessageDigest MD5 but that does not appear to be the case.

      I'm calling an ejb from a remote client and using jboss 4.0.0, my LoginModule is wrapped up in a ProxyLoginModule.

      Cheers

        • 1. Re: password in custom LoginModule
          Thomas Cherel Novice


          I believe that if the password is encrypted it is the "client" who did it.

          The next question is what is your client? Standalone EJB client application, servlet, others?

          You need to determine the JAAS configuration of this client in order to figure out who/how the password is encrypted.

          If coming through a servlet, it could be that it is simply base64 encoded (default for HTTP basic authentication).

          Thomas

          • 2. Re: password in custom LoginModule
            alan shields Newbie

            here's my client

            package client;
            
            import java.io.IOException;
            import java.util.Hashtable;
            import java.util.Properties;
            
            import javax.naming.InitialContext;
            import javax.rmi.PortableRemoteObject;
            import javax.security.auth.Subject;
            import javax.security.auth.callback.Callback;
            import javax.security.auth.callback.CallbackHandler;
            import javax.security.auth.callback.NameCallback;
            import javax.security.auth.callback.PasswordCallback;
            import javax.security.auth.callback.UnsupportedCallbackException;
            import javax.security.auth.login.AppConfigurationEntry;
            import javax.security.auth.login.Configuration;
            import javax.security.auth.login.LoginContext;
            import org.jboss.security.SimplePrincipal;
            
            public class TestClient {
            
            
             static InitialContext ctx;
            
             public static void main( String args[]) {
             try{
            
             // jaas login
             Configuration.setConfiguration(new PasswordConfig());
             LoginContext c=new LoginContext("",new TestCallbackHandler());
             c.login();
             Subject s=c.getSubject();
             System.out.println("subject is "+s);
            
             // the following gives the same results
             /*
             org.jboss.security.SecurityAssociation.setPrincipal(new SimplePrincipal("ALAN"));
             org.jboss.security.SecurityAssociation.setCredential(new SimplePrincipal("PASSWORD"));
             */
            
             Properties j = new Properties();
            
             j.setProperty("java.naming.factory.initial","org.jnp.interfaces.NamingContextFactory");
             j.setProperty("java.naming.provider.url","jnp://localhost:1099");
             j.setProperty("java.naming.factory.url.pkgs","org.jboss.naming:org.jnp.interfaces");
             j.setProperty("DISCOVERY_TIMEOUT","1000");
            
            
             System.out.println("get context");
            
             ctx = new InitialContext( j );
            
             System.out.println("lookup");
             Object obj = ctx.lookup("Test");
            
             testing.remote.TestHome testHome = (testing.remote.TestHome)
             PortableRemoteObject.narrow(obj,testing.remote.TestHome.class);
             System.out.println("create ");
            
             testing.remote.Test test=testHome.create();
             System.out.println("call ");
            
             System.out.println(test.getWard("K6"));
            
             System.out.println("Done ");
            
             } catch (Exception e){
             e.printStackTrace();
             }
             }
            
            
             public static class PasswordConfig extends Configuration {
            
             public PasswordConfig() {
             }
            
             public AppConfigurationEntry[] getAppConfigurationEntry(String applicationName) {
             AppConfigurationEntry[] loginModules=new AppConfigurationEntry[1];
             Hashtable options=new Hashtable();
             loginModules[0]=new AppConfigurationEntry("org.jboss.security.ClientLoginModule",AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,options);
             return loginModules;
             }
            
             public void refresh() {
             }
            
             }
            
             private static class TestCallbackHandler implements CallbackHandler {
            
             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
             for(int i1=0;i1<callbacks.length;i1++) {
             System.out.println("call back "+callbacks[i1]);
             if(callbacks[i1] instanceof NameCallback) {
             NameCallback nc=(NameCallback)callbacks[i1];
             System.out.println(nc.getPrompt()+":"+nc.getName());
             nc.setName("ALAN");
             }
             if(callbacks[i1] instanceof PasswordCallback) {
             PasswordCallback nc=(PasswordCallback)callbacks[i1];
             nc.setPassword("PASSWORD".toCharArray());
             }
             }
             }
            
             }
            
            }
            


            Thanks

            • 3. Re: password in custom LoginModule
              Thomas Cherel Novice

              This is strange.
              Youa re using the standard JBoss client login module in your client. As far as I know this guy does not encrypt anything.
              I have a custom JAAS login module with JBoss 3.2.6 and the client aslo uses the standard JBoss client login module and I have no problem getting the password.
              Might be a JBoss 4.0.0 specific problem, I am not sure. I looked at quickly the JBoss 4.0.0 sources, and it does not seem that the password gets encrypted either.

              Thomas

              • 4. Re: password in custom LoginModule
                Scott Stark Master

                There is no default encryption so if its showing up, its been configured somewhere. Trace level logging on the org.jboss.security category and eliminating unused login module configs are the way to debug what is happening.

                • 5. Re: password in custom LoginModule
                  alan shields Newbie

                  Sorry this was all down to me being stupid

                  I was doing password.toString() rather than new String(password), what I thought was an encrypted password was just the object reference....

                  Time for some alcohol I think

                  Merry Christmas