5 Replies Latest reply on Nov 15, 2005 7:29 AM by Edgar Silva

    Extending DatabaseServerLoginModule

    Edgar Silva Newbie

      Hi Folks...

      I have a particular issue in my application: I am storing the passwords using the MD5 algorithm to improve security.

      To do so, I created a new class extending DatabaseServerLoginModule, and I just changed the login method.

      My change is not working. I just get the plain password sent through HTTP BASIC, apply MD5, and compare one with the other, and it does not work.

      Could somebody help me with some trick to solve it?

      The following code is part of my implementation for that scenario:

      import java.security.Principal;
      import javax.security.auth.login.FailedLoginException;
      import javax.security.auth.login.LoginException;
      import org.jboss.logging.Logger;
      import org.jboss.security.SimplePrincipal;
      import org.jboss.security.auth.spi.DatabaseServerLoginModule;

      public class MD5DatabaseServerLoginModule extends DatabaseServerLoginModule
      {
          /** The login identity (a separate field from the superclass's private identity field) */
          private Principal identity;
          /** The proof of login identity */
          private char[] credential;

          /** Perform the authentication of the username and password. */
          public boolean login() throws LoginException
          {
              //log to test only here
              Logger log = Logger.getLogger(MD5DatabaseServerLoginModule.class);

              // See if shared credentials exist
              if( super.login() == true )
              {
                  // Setup our view of the user
                  Object username = sharedState.get("javax.security.auth.login.name");
                  if( username instanceof Principal )
                      identity = (Principal) username;
                  else
                  {
                      String name = username.toString();
                      identity = new SimplePrincipal(name);
                  }
                  Object password = sharedState.get("javax.security.auth.login.password");
                  if( password instanceof char[] )
                      credential = (char[]) password;
                  else if( password != null )
                  {
                      String tmp = password.toString();
                      credential = tmp.toCharArray();
                  }
                  return true;
              }

              super.loginOk = false;
              String[] info = getUsernameAndPassword();
              String username = info[0];
              String password = info[1];
              // debug only: this logs the submitted plain-text password
              log.debug("Senha informada vindo do INFO"+ password);
              if( username == null && password == null )
              {
                  identity = unauthenticatedIdentity;
                  //super.log.trace("Authenticating as
              }

              if( identity == null )
              {
                  identity = new SimplePrincipal(username);
                  // Hash the user entered password if password hashing is in use

                  // Validate the password supplied by the subclass
                  String expectedPassword = getUsersPassword();

                  log.debug("Senha vindo do banco :" + expectedPassword);

                  // the MD5 helper posted below is MD5Util.encrypt(String)
                  password = MD5Util.encrypt(password);
                  log.debug("Senha criptografada:"+ password);

                  if( validatePassword(password,expectedPassword) == false )
                      throw new FailedLoginException("Password Incorrect/Password Required");
              }

              if( getUseFirstPass() == true )
              { // Add the username and password to the shared state map
                  sharedState.put("javax.security.auth.login.name", username);
                  sharedState.put("javax.security.auth.login.password", credential);
              }
              loginOk = true;
              log.debug("Login?" + loginOk);
              return true;
          }
      }


      My class to apply MD5 is the following:

      import java.security.MessageDigest;
      import java.security.NoSuchAlgorithmException;

      /**
       * Utility class for MD5
       * @author Edgar Silva
       */
      public class MD5Util {
          static private final MessageDigest MD5 = getMessageDigest();
          static private final char[] INT_TO_CHAR = {'0', '1', '2', '3', '4', '5', '6',
                                                     '7', '8', '9', 'a', 'b', 'c', 'd',
                                                     'e', 'f'};
          /** Creates a new instance of MD5Util */
          private MD5Util() {
          }

          private static MessageDigest getMessageDigest() {
              try {
                  return MessageDigest.getInstance("MD5");
              } catch (NoSuchAlgorithmException nsae) {
                  throw new ExceptionInInitializerError(nsae);
              }
          }

          /** Returns the MD5 of the password as 32 lowercase hex characters. */
          public static String encrypt(String senha) {
              final StringBuffer ret = new StringBuffer(32);

              try {
                  // clone the shared instance so the static digest is never used concurrently
                  final byte[] digest = ((MessageDigest)MD5.clone()).digest(senha.getBytes());

                  int b;
                  for (int i = 0; i < digest.length; i++) {
                      // mask to 0..255; the original sign-flip (-digest[i] + 127) mapped
                      // negative bytes to the wrong values, so hashes with any byte >= 0x80 differed
                      b = digest[i] & 0xFF;

                      ret.append(INT_TO_CHAR[(b & 0x00F0) >> 4])
                         .append(INT_TO_CHAR[b & 0x000F]);
                  }

                  return ret.toString();
              } catch (CloneNotSupportedException cnse) {
                  throw new Error(cnse);
              }
          }
      }

      I hope I have explained my trouble and situation... Thanks in advance for any help!

      Best Regards

      Edgar Silva

        • 1. Re: Extending DatabaseServerLoginModule
          Scott Stark Master

          The DatabaseServerLoginModule already supports hashing of passwords by any digest supported by the JDK. I suggest you revisit this capability and describe why it does not work for you before extending DatabaseServerLoginModule.

          • 2. Re: Extending DatabaseServerLoginModule
            Edgar Silva Newbie

            Hi Scott,

            My non-functional requirements say something about the number of chars (32 chars) I must persist in the database.

            Do you have some idea of how to implement it? I have been looking for it in the docs but I haven't found it.

            As an example of some password you can see: 97a65a518cd04a3b134b89c4680a213a

            OK, if I set my web.xml for DIGEST I think it can't work. As I was reading the JBoss docs and sources, I only need to change the login method, but if you have another technique, I will be glad to know it!


            Edgar A Silva

            • 3. Re: Extending DatabaseServerLoginModule
              Edgar Silva Newbie

              I changed my web.xml portion to DIGEST as the following code:

              no description
              <realm-name>Q2 Realm</realm-name>

              And I changed my login-config to:

              <application-policy name="q2security">

              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
              <module-option name="dsJndiName">java:/CorporativoDS</module-option>
              <module-option name="principalsQuery">


              I want to do this, but I want to hide the password from any malicious access. So I am using MD5 hashing... I could use LDAP, but my customer wants to use this.... I think it is too simple, and an appropriate scenario to override the login method in the DatabaseServerLoginModule class. Am I wrong???



              • 4. Re: Extending DatabaseServerLoginModule
                Scott Stark Master

                DIGEST auth has nothing to do with MD5 hashed passwords. It's an alternative web authentication mechanism that uses a challenge/response mechanism to hash the input password. MD5 is a 32 byte digest, so what is the problem with configuring DatabaseServerLoginModule like:

                 <application-policy name="someRole">
                 <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                 <module-option name="hashAlgorithm">MD5</module-option>
                 <module-option name="hashEncoding">base64</module-option>
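                An added example (not JBoss code and not from the thread) showing what the value in the password column must look like so that the built-in hashing in DatabaseServerLoginModule compares equal to it: the same digest encoded for hashEncoding=base64 and for hashEncoding=hex, the latter giving the 32-character form shown earlier in the thread. It assumes the JBoss 4 option values base64 and hex and uses a constructed sample password; the class and method names are my own.

                ```java
                import java.nio.charset.StandardCharsets;
                import java.security.MessageDigest;
                import java.security.NoSuchAlgorithmException;
                import java.util.Base64;

                /** Constructed example: stored-digest format for each hashEncoding value. */
                public class StoredDigestExample {

                    private static final char[] HEX = "0123456789abcdef".toCharArray();

                    /** Digest the password with the JDK algorithm named in hashAlgorithm (e.g. "MD5"). */
                    static byte[] digest(String algorithm, String password) {
                        try {
                            MessageDigest md = MessageDigest.getInstance(algorithm);
                            return md.digest(password.getBytes(StandardCharsets.UTF_8));
                        } catch (NoSuchAlgorithmException e) {
                            throw new IllegalArgumentException("unsupported hashAlgorithm: " + algorithm, e);
                        }
                    }

                    /** hashEncoding=hex: 32 lowercase hex characters for a 16-byte MD5 digest. */
                    static String toHex(byte[] digest) {
                        StringBuilder sb = new StringBuilder(digest.length * 2);
                        for (byte b : digest) {
                            int v = b & 0xFF; // mask; a sign-flip would encode bytes >= 0x80 wrongly
                            sb.append(HEX[v >>> 4]).append(HEX[v & 0x0F]);
                        }
                        return sb.toString();
                    }

                    /** hashEncoding=base64: 24 characters (with padding) for a 16-byte MD5 digest. */
                    static String toBase64(byte[] digest) {
                        return Base64.getEncoder().encodeToString(digest);
                    }

                    /** Compare the computed encoding with the stored column without an early exit. */
                    static boolean matches(String computed, String stored) {
                        return MessageDigest.isEqual(computed.getBytes(StandardCharsets.UTF_8),
                                                     stored.getBytes(StandardCharsets.UTF_8));
                    }

                    public static void main(String[] args) {
                        String password = "abobora547454@wewdSD"; // sample value from the thread
                        byte[] md5 = digest("MD5", password);
                        System.out.println("hex:    " + toHex(md5));    // store with hashEncoding=hex
                        System.out.println("base64: " + toBase64(md5)); // store with hashEncoding=base64
                        System.out.println("match:  " + matches(toHex(md5), toHex(md5)));
                    }
                }
                ```

                Whichever encoding is chosen, the column must hold exactly that string, since the module compares the encoded digest of the submitted password against it; an unsalted fast digest such as MD5 hides the plaintext from casual reading but not from offline guessing, and the same encoding logic applies unchanged if hashAlgorithm is set to a stronger JDK digest.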

                • 5. Re: Extending DatabaseServerLoginModule
                  Edgar Silva Newbie

                  Hi Scott...

                  I am moving the implementation to use LDAP, so I will use the standard JBoss login module, and I am sure it works fine, because I did it in the past.

                  The foundation of that question is too simple: I don't want to keep plain passwords in some column in the database. Is there a JBoss utility class available to encrypt the passwords, and then with this to provide a really secure login based on the database?

                  I don't want to store my user name as edgar, pass edgarsilva; I would rather store edgar and pass abobora547454@wewdSD, and based on some login module I can process it appropriately, no matter whether I use BASIC or FORM authentication; it could be a nice feature inside the application server's login module.

                  Some final idea?

                  Best Regards

                  Edgar Silva