I'm having problems getting password verification to work when I encrypt passwords and store them in the database.
Basically the web app is secured with form-based security over SSL; when a user goes to a secured area they are prompted to log on or register. Usernames/passwords are held in a MySQL database, connected to via EJB.
With plain text this all works fine. However, when I try to use encryption the logon fails.
I've checked the database table and the username and password are being encrypted. I think the problem is with how I've set up the login-config.xml (or something else?); I thought I'd configured it so that when a user attempted to log on the password (and username?) would be automatically converted to md5/base64 and compared against the table.
I've tried every setting I can think of (using hex rather than base64, encoding the username and password, just the password, etc.) and still can't get this to work. Any help/ideas appreciated.
login-config.xml
<!-- Security domain for HomeSite -->
<application-policy name = "homesite">
    <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag = "required">
        <module-option name = "hashAlgorithm">MD5</module-option>
        <module-option name = "hashEncoding">base64</module-option>
        <module-option name="hashCharset">UTF-8</module-option>
        <module-option name = "dsJndiName">java:/MySqlDS</module-option>
        <module-option name = "principalsQuery">SELECT client_id FROM gluser WHERE client_id=?</module-option>
        <module-option name = "rolesQuery">SELECT role, 'Roles' FROM glroles WHERE client_id=?</module-option>
    </login-module>
</application-policy>
Code to encrypt password
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import sun.misc.BASE64Encoder; // internal JDK class; java.util.Base64 is the supported equivalent

public class PasswordEncoder {
    // MD5 over the UTF-8 bytes of the password, returned as base64 text
    public static String encode(String password) throws
            NoSuchAlgorithmException, UnsupportedEncodingException {
        //System.out.println("Password to encode is: " + password);
        MessageDigest md = MessageDigest.getInstance("MD5");
        md.update(password.getBytes("UTF8"));
        String encodedString = new BASE64Encoder().encode(md.digest());
        //String encodedString = new HexDumpEncoder().encode(md.digest());
        // System.out.println("Encoded String is: " + encodedString);
        return encodedString;
    }
}
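As an added example (not from the question and not JBoss code), this small Java program computes what the settings above describe, MD5 over the UTF-8 bytes of the password, in both hashEncoding variants, base64 and hex, so the value stored in the table can be checked against each; the password and the "stored" value are constructed, and the class and method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class HashCheck {

    // hashAlgorithm=MD5 / hashCharset=UTF-8: digest the UTF-8 bytes of the password.
    // Unsalted MD5 is a fast, salt-free hash; this only mirrors the configuration above.
    static byte[] md5(String password) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("MD5").digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // hashEncoding=base64: a 16-byte digest becomes 24 characters ending in "=="
    static String base64Hash(String password) throws NoSuchAlgorithmException {
        return Base64.getEncoder().encodeToString(md5(password));
    }

    // hashEncoding=hex: a 16-byte digest becomes 32 hex characters (lowercase here)
    static String hexHash(String password) throws NoSuchAlgorithmException {
        StringBuilder sb = new StringBuilder();
        for (byte b : md5(password)) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Constant-time comparison of the stored string with a freshly computed one
    static boolean matches(String stored, String candidate) {
        return MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                     candidate.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        String password = "correct horse";          // constructed sample password
        String stored = base64Hash(password);       // constructed: what a base64-encoded row would hold
        System.out.println("base64: " + stored);
        System.out.println("hex:    " + hexHash(password));
        // Only the encoding that matches hashEncoding will compare equal
        System.out.println("base64 candidate matches: " + matches(stored, base64Hash(password)));
        System.out.println("hex candidate matches:    " + matches(stored, hexHash(password)));
    }
}
```

The login module hashes the submitted password in this way and compares the result with the single column returned by principalsQuery, so that column must hold the stored hash in exactly the configured encoding.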