1 Reply Latest reply on Jul 7, 2005 7:29 AM by Peter Todd

    MD5/base64 encryption DatabaseServerLoginModule problem

    Peter Todd Newbie

      I'm having problems getting password verification to work when I encrypt passwords and store on the database.

      Basically web app is secured with form based security over SSL - when user goes to a secured area they are prompted to logon or register. Usernames/passwords held in mysql database connected to via EJB.
      With plain text this all works fine. However, when I try and use encryption the logon fails.

      I've checked the database table and the username and password are being encrypted. I think the problem is with how I've setup the login-config.xml (or something else?) - I thought I'd configured it so that when a user attempted to logon the password (and username?) would be automatically converted to md5/base64 and compared against the table.

      I've tried every setting I can think of (using hex rather than base64, encoding the username and password, just the password etc.) and still can't get this to work - any help/ideas appreciated.

      login-config.xml
      <!-- Security domain for HomeSite -->
      <application-policy name = "homesite">

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag = "required">
      <module-option name = "hashAlgorithm">MD5</module-option>
      <module-option name = "hashEncoding">base64</module-option>
      <module-option name="hashCharset">UTF-8</module-option>
      <module-option name = "dsJndiName">java:/MySqlDS</module-option>
      <module-option name = "principalsQuery">SELECT client_id FROM gluser WHERE client_id=?</module-option>
      <module-option name = "rolesQuery">SELECT role, 'Roles' FROM glroles WHERE client_id=?</module-option>

      </login-module>

      </application-policy>


      Code to encrypt password

      public static String encode(String password) throws
      NoSuchAlgorithmException, UnsupportedEncodingException {
      //System.out.println("Password to encode is: " + password);
      MessageDigest md = MessageDigest.getInstance("MD5");
      md.update(password.getBytes("UTF8"));
      String encodedString = new BASE64Encoder().encode(md.digest());
      //String encodedString = new HexDumpEncoder().encode(md.digest());
      // System.out.println("Encoded String is: " + encodedString);
      return encodedString;