6 Replies Latest reply on Dec 12, 2006 3:52 PM by Elise Wade

    Login encryption not working

    Elise Wade Newbie

      I have MD5 encrypted passwords in my database. I would like the login module to encrypt the plain text password before comparing to the database password. I have the following application policy set up in the login-config.xml file:
      <application-policy name = "HsqlDbRealm">

      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
      <module-option name = "principal">sa</module-option>
      <module-option name = "userName">sa</module-option>
      <module-option name = "password"></module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name ="hashEncoding">base64</module-option>
      <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
      </login-module>

      </application-policy>

      But its not working. My login page is treating the password as plain text and not encoding it before comparison. What am I missing here?
      (I am using JBoss 4.0.4 with Hibernate and Postgress 8.1.4.)

      Thanks for the help!
      Elise Wade

        • 1. Re: Login encryption not working
          Scott Stark Master

          There is no automatic encoding of login page passwords. That would require client side javascript or server side filter.

          • 2. Re: Login encryption not working
            Elise Wade Newbie

            Gee, then what are the module options hashAlgorithm and hashEncoding for?

            In the user's guide you say

            This module supports password stacking, password hashing and unathenticated identity.
            Looking up password hashing, I see the manual says,
            These modules generally work with plain text passwords, but can also be configured to support hashed passwords to prevent plain text passwords from being stored on the server side.


            Again, we're trying to use your database module for login and specify hashing and encoding of plaintext passwords.

            If you don't support that, perhaps you need to change your documentation. So its just a bit more clear how and what these options are intended to do.

            • 3. Re: Login encryption not working
              Scott Stark Master

              Its for taking a clear-text password from a user interface and matching it to a hashed database password. You have not given enough info to indicate where this is failing. Details of what is encoded, what is not, and the debugging logging are needed if you want better feedback.

              http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossHelp

              • 4. Re: Login encryption not working
                Elise Wade Newbie

                Ok. Then perhaps I am not being clear. That is precisely what I am trying to do.

                I have (correctly) encrypted and encoded passwords stored in my database.

                We are using the database server login module. It works fine for clear text passwords -- that is passwords stored and entered as plain text. However, when we try to turn on the encryption/encoding it does not work any differently than it did when we did not have these options enabled.

                You can see my config set up in the first post.

                Here is what happens. For purposes of this test, I have stored one user with a plain text password.

                Scenario 1:
                User has plain text (clear) password stored.
                Logon with correct plain text password works.
                It should not work with encryption turned on.
                (I can provide a excerpt of the server log file if you need it, but it is lengthy.)

                Scenario 2:
                User has plain text password stored.
                Logon with incorrect password.
                It fails, which is the expected outcome.
                Here is an excerpt from the server log.

                2006-12-11 15:58:13,656 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=E0andre
                2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.contexts.Lifecycle] >>> Begin web request
                2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.Component] instantiating Seam component: org.jboss.seam.core.manager
                2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.core.Manager] No stored conversation
                2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.contexts.Contexts] found in application context: org.jboss.seam.core.init
                2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.jsf.AbstractSeamPhaseListener] After restoring conversation context: ConversationContext(5)
                2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.Component] instantiating Seam component: facesMessages
                2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 5
                2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
                2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 5
                2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] After render response, destroying contexts
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying event context
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.request_uri
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.context_path
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.servlet_path
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.jboss.seam.core.manager
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: class org.apache.myfaces.renderkit.html.util.JavascriptUtils.OLD_VIEW_ID
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.apache.myfaces.application.jsp.JspStateManagerImpl.SERIALIZED_VIEW
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: com.sun.facelets.legacy.ELCONTEXT
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying conversation context
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: facesMessages
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing server-side conversation context
                2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] <<< End web request

                Scenario 3.
                User has (correctly) encrypted password stored in the database.
                Logon using matching plain text password.
                It fails as it should not. Here is the excerpt from the server.log

                2006-12-11 16:03:06,343 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=E0ewade
                2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.contexts.Lifecycle] >>> Begin web request
                2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.Component] instantiating Seam component: org.jboss.seam.core.manager
                2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.core.Manager] No stored conversation
                2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.contexts.Contexts] found in application context: org.jboss.seam.core.init
                2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.jsf.AbstractSeamPhaseListener] After restoring conversation context: ConversationContext(14)
                2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.Component] instantiating Seam component: facesMessages
                2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 14
                2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 14
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] After render response, destroying contexts
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying event context
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.request_uri
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.context_path
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.servlet_path
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.jboss.seam.core.manager
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: class org.apache.myfaces.renderkit.html.util.JavascriptUtils.OLD_VIEW_ID
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.apache.myfaces.application.jsp.JspStateManagerImpl.SERIALIZED_VIEW
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: com.sun.facelets.legacy.ELCONTEXT
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying conversation context
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: facesMessages
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing server-side conversation context
                2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] <<< End web request

                Scenario 4:
                User has encrypted password stored in the database.
                Logon is done with the encrypted string.
                Result: Logon succeeds when it should fail.
                (Again this is a really long log entry. But it is exactly like scenario 1)

                In summary, even though I have done my very best to enable ecryption (hashing) and encoding, the login module is behaving as though these things are not turned on. What do I need to do to get it to work?

                Elise

                • 5. Re: Login encryption not working
                  Scott Stark Master

                  The HsqlDbRealm you show is for connecting to the database as the indicated user. This is not the security-domain you would be using for your web app. Show the configuration for the security domain referenced by your web app.

                  • 6. Re: Login encryption not working
                    Elise Wade Newbie

                    Never mind. I put the options in the wrong policy. When I put them in the correct policy it works as advertised. I was looking in the wrong places to solve my problem.
                    Thanks for the help.