3 Replies Latest reply on Aug 4, 2005 9:10 AM by Rodriguez Arostegui

    Storing encripted password in Database

    Rodriguez Arostegui Newbie

      Hello,
      I've the following login-config security configuration:
      -----------------------------------
      <application-policy name="other">

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag="required">
      <module-option name="dsJndiName">java:guadianaDS</module-option>
      <module-option name="principalsQuery">
      SELECT PASSWORD FROM USUARIOS WHERE id=?
      </module-option>
      <module-option name="rolesQuery">
      SELECT PERFIL, 'Roles' FROM USUARIOS WHERE id=?
      </module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <module-option name="hashCharset">iso-8859-1</module-option>
      </login-module>

      </application-policy>
      ------------------------------------------------------------
      I don't know why, but i had to use the hint given in
      the forum about naming the configuration "other" as a workaround because It allways tried to use the UsersRolesLoginModule.
      After done that, the login process worked with plain text password stored in the DB, but my problem now is that I'm not sure the way of generating encoded password is right. As an example I've done this:
      ------------------------------------------------------------
      MessageDigest md = MessageDigest.getInstance("MD5");
      byte[] digest = md.digest("jose".getBytes("iso-8859-1"));
      ByteArrayOutputStream bas = new ByteArrayOutputStream(digest.length + digest.length / 4 + 1);
      OutputStream encodedStream = MimeUtility.encode(bas, "base64");
      encodedStream.write(digest);
      String newEncryptedString = (String) bas.toString();
      System.out.println(newEncryptedString);
      ------------------------------------------------------------
      As a result I obtain the string: "Zi6qRxmUYdAaYjiECAk0" and i store it in the DB as the password for user "jose".
      When I try to login i get the following error in server.log after activated the trace:
      ------------------------------------------------------------
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Password hashing activated: algorithm = MD5, encoding = base64, charset = iso-8859-1, callback = null
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:guadianaDS
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=SELECT PASSWORD FROM USUARIOS WHERE id=?
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=SELECT PERFIL, 'Roles' FROM USUARIOS WHERE id=?
      2005-08-04 13:57:01,581 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
      2005-08-04 13:57:01,591 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] abort
      2005-08-04 13:57:01,591 TRACE [org.jboss.security.plugins.JaasSecurityManager.other] Login failure
      javax.security.auth.login.FailedLoginException: No matching username found in Principals
      at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:111)
      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:162)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:483)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:425)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:251)
      at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:230)
      at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
      at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
      at java.lang.Thread.run(Thread.java:595)
      2005-08-04 13:57:01,591 TRACE [org.jboss.security.plugins.JaasSecurityManager.other] End isValid, false
      ------------------------------------------------------------
      Thanks in advance,
      Jose.

        • 1. Re: Storing encripted password in Database
          Michael Konietzka Newbie

           

          ps = conn.prepareStatement(principalsQuery);
           ps.setString(1, username);
           rs = ps.executeQuery();
           if( rs.next() == false )
           throw new FailedLoginException("No matching username found in Principals");
          


          Well, it seems it doesnt find the user "jose" in the database.
          Try in your SQL-Client:

          SELECT PASSWORD FROM USUARIOS WHERE id='jose'


          • 2. Re: Storing encripted password in Database
            Rodriguez Arostegui Newbie

            OK, the right way to generate the password is using:

            java -classpath ./jbosssx.jar org.jboss.security.Base64Encoder jose MD5

            Now I get:
            Zi6qRxmUYdAaYjiECAk0qw==
            instead of
            Zi6qRxmUYdAaYjiECAk0

            With the new digest of the password the login works fine!!

            Any clue of why my Java code generated a too short digest???
            Thanks to everybody.
            Jose.

            • 3. Re: Storing encripted password in Database
              Rodriguez Arostegui Newbie

              I've answered myself again.
              If it helps here comes the java code to generate passwords:
              ---------------------------------------------------------------
              import java.util.ArrayList;
              import org.jboss.security.Base64Encoder;

              public class GenerarPasswords {

              public static void main(String[] args) {

              ArrayList usuarios = new ArrayList();

              String algoritmo = "MD5";

              usuarios.add("jose");
              usuarios.add("silvia");
              usuarios.add("ruben");
              usuarios.add("javier");
              usuarios.add("frufru");
              usuarios.add("saul");

              try {
              for (String i : usuarios) {
              byte[] hash = java.security.MessageDigest.getInstance(algoritmo).digest(i.getBytes());
              String password = Base64Encoder.encode(hash);
              System.out.println("update usuarios set password='"+password+"' where id='"+i+"';");
              }
              } catch (Exception e) {
              e.printStackTrace();
              }
              }
              }