3 Replies Latest reply on Feb 29, 2008 11:01 AM by Ragav Gomatam

    Implement digestCallback into login-config.xml

    FREDERIC JAOUEN Newbie

      The password in my database is encrypted with SHA-1, and a salt is added after the password.

      I want to be able to validate my password using org.jboss.security.auth.spi.DatabaseServerLoginModule and used SHA-1 in the hashAlgorithm.

      But I need also to add my salt to the password.

      I see I can do it using digestCallback. So I made an implementation of this interface and put it in my login-config.xml.

      It is called, but now I need to know exactly what to code?

      Do I code the postDigest or preDigest? And how do I add my salt?

      Do you have any code as example ?

      Thank you !

        • 1. Re: Implement digestCallback into login-config.xml
          Ragav Gomatam Novice

          A salt is a random number of a fixed length. This salt must be different for each stored entry. It must be stored as clear text next to the hashed password. A 64-bit salt is recommended in the RSA PKCS#5 standard.

          The salt can be extracted from the hash, assuming a 6-byte salt:

          private static final int SHA_LENGTH = 20; // a SHA-1 digest is 20 bytes

          private static byte[] extractSalt(String encPass) {
              // assumed: the stored value starts with a 6-character scheme label before the Base64 text
              String encPassNoLabel = encPass.substring(6);
              byte[] hashAndSalt = org.apache.commons.codec.binary.Base64.decodeBase64(encPassNoLabel.getBytes());
              // everything after the 20-byte digest is the salt
              int saltLength = hashAndSalt.length - SHA_LENGTH;
              byte[] salt = new byte[saltLength];
              System.arraycopy(hashAndSalt, SHA_LENGTH, salt, 0, saltLength);
              return salt;
          }

          where encPass is the hashed string;

          import java.nio.charset.StandardCharsets;
          import java.security.MessageDigest;
          import java.security.NoSuchAlgorithmException;

          /**
           * From a password, a number of iterations and a salt,
           * returns the corresponding digest
           * @param iterationNb int The number of iterations of the algorithm
           * @param password String The password to encrypt
           * @param salt byte[] The salt
           * @return byte[] The digested password
           * @throws NoSuchAlgorithmException If the algorithm doesn't exist
           */
          public byte[] getHash(int iterationNb, String password, byte[] salt) throws NoSuchAlgorithmException {
              MessageDigest digest = MessageDigest.getInstance("SHA-1");
              digest.reset();
              digest.update(salt); // salt goes into the digest first, then the password
              byte[] input = digest.digest(password.getBytes(StandardCharsets.UTF_8));
              for (int i = 0; i < iterationNb; i++) { // re-hash the result iterationNb times
                  digest.reset();
                  input = digest.digest(input);
              }
              return input;
          }




          Trust this helps....


          • 2. Re: Implement digestCallback into login-config.xml
            FREDERIC JAOUEN Newbie

            Hi, I have made progress but I'm still blocked...


            My JBoss config is:

            <application-policy name="WebAppE2E">
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="unauthenticatedIdentity">guest</module-option>
                <module-option name="dsJndiName">java:/jdbc/accovia/e2e</module-option>
                <module-option name="principalsQuery">SELECT age_nom_cle FROM age WHERE age_cd=?</module-option>
                <module-option name="rolesQuery">SELECT age_roles_cd, 'Roles' FROM age_roles WHERE age_cd=?</module-option>
                <module-option name="hashEncoding">HEX</module-option>
                <module-option name="hashAlgorithm">SHA-1</module-option>
                <module-option name="digestCallback">com.myclass.MyDigestCallback</module-option>
              </login-module>
            </application-policy>



            My code is:


            package com.myclass;

            import java.security.MessageDigest;
            import java.util.Iterator;
            import java.util.Map;

            import org.jboss.crypto.digest.DigestCallback;

            public class MyDigestCallback implements DigestCallback {

                private byte[] username;

                @Override
                public void init(Map arg0) {
                    System.out.println("AccoviaDigestCallback.init");
                    // walk the option map the login module hands over and remember the login name
                    for (Iterator iter = arg0.entrySet().iterator(); iter.hasNext();) {
                        Map.Entry entry = (Map.Entry) iter.next();
                        String key = (String) entry.getKey();
                        String value = (String) entry.getValue();
                        System.out.println("Key=" + key + " value=" + value);
                        if (key.contains("javax.security.auth.login.name")) {
                            this.username = value.getBytes();
                        }
                    }
                }

                @Override
                public void preDigest(MessageDigest arg0) {
                }

                @Override
                public void postDigest(MessageDigest arg0) {
                    // appends the username (not a salt) after the password bytes
                    arg0.update(this.username);
                }
            }


            And JBoss is still complaining:

            2008-02-28 17:45:03,040 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] initialize, instance=@10135900
            2008-02-28 17:45:03,040 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Security domain: WebAppE2E
            2008-02-28 17:45:03,040 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Saw unauthenticatedIdentity=guest
            2008-02-28 17:45:03,040 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Password hashing activated: algorithm = SHA-1, encoding = HEX, charset = {default}, callback = com.myclass.MyDigestCallback, storeCallback = null
            2008-02-28 17:45:03,040 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/jdbc/accovia/e2e
            2008-02-28 17:45:03,040 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] principalsQuery=SELECT age_password FROM age WHERE age_cd=?
            2008-02-28 17:45:03,040 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] rolesQuery=SELECT age_roles_cd, 'Roles' FROM age_roles WHERE age_cd=?
            2008-02-28 17:45:03,040 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendResume=true
            2008-02-28 17:45:03,040 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] login
            2008-02-28 17:45:03,040 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Created DigestCallback: com.myclass.MyDigestCallback@681070
            2008-02-28 17:45:03,040 INFO [STDOUT] AccoviaDigestCallback.init
            2008-02-28 17:45:03,040 INFO [STDOUT] Key=digestCallback value=com.myclass.MyDigestCallback
            2008-02-28 17:45:03,040 INFO [STDOUT] Key=javax.security.auth.login.password value=fj9!2619
            2008-02-28 17:45:03,040 INFO [STDOUT] Key=javax.security.auth.login.name value=FJ9
            2008-02-28 17:45:03,040 INFO [STDOUT] username=FJ9
            2008-02-28 17:45:03,040 INFO [STDOUT] Key=jboss.security.security_domain value=WebAppE2E
            2008-02-28 17:45:03,040 INFO [STDOUT] Key=hashAlgorithm value=SHA-1
            2008-02-28 17:45:03,040 INFO [STDOUT] Key=principalsQuery value=SELECT age_password FROM age WHERE age_cd=?
            2008-02-28 17:45:03,071 INFO [STDOUT] Key=unauthenticatedIdentity value=guest
            2008-02-28 17:45:03,071 INFO [STDOUT] Key=hashEncoding value=HEX
            2008-02-28 17:45:03,071 INFO [STDOUT] Key=dsJndiName value=java:/jdbc/accovia/e2e
            2008-02-28 17:45:03,071 INFO [STDOUT] Key=rolesQuery value=SELECT age_roles_cd, 'Roles' FROM age_roles WHERE age_cd=?
            2008-02-28 17:45:03,071 INFO [STDOUT] AccoviaDigestCallback.preDigest >>>
            2008-02-28 17:45:03,071 INFO [STDOUT] AccoviaDigestCallback.postDigest >>>
            2008-02-28 17:45:03,071 INFO [STDOUT] strDigest=2DBFF16D448199F9156EF54533C284FBE10988D6
            2008-02-28 17:45:03,071 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction
            2008-02-28 17:45:03,071 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: registering pool with interval 900000 old interval: 9223372036854775807
            2008-02-28 17:45:03,071 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: about to notify thread: old next: 1204239153071, new next: 1204239153071
            2008-02-28 17:45:03,134 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT age_password FROM age WHERE age_cd=?, with username: FJ9
            2008-02-28 17:45:03,134 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Obtained user password
            2008-02-28 17:45:03,134 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
            2008-02-28 17:45:03,134 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=FJ9
            2008-02-28 17:45:03,134 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] abort
            2008-02-28 17:45:03,134 TRACE [org.jboss.security.plugins.JaasSecurityManager.WebAppE2E] Login failure
            javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
            at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)

            ANY IDEAS???

            Thank you All !!!

            • 3. Re: Implement digestCallback into login-config.xml
              Ragav Gomatam Novice

              I don't see you extracting the salt in the preDigest or postDigest methods.
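An added example, not code from any poster or from JBoss, of what the asker's callback has to do: fetch the salt belonging to the user named in the options map and append it in postDigest. As the TRACE output in reply 2 shows, that map carries the login name and password but not the stored hash, so the salt has to be looked up separately; the in-memory SALT_STORE, the user "alice" and the 8-byte salt are constructed stand-ins, and the order preDigest, update(password), postDigest is assumed from the JBoss login module. The main method checks the callback's result against SHA-1(password || salt) computed directly.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import org.jboss.crypto.digest.DigestCallback;

/** Appends a per-user salt after the password so the digest equals SHA-1(password || salt). */
public class SaltedDigestCallback implements DigestCallback {
    // Constructed in-memory stand-in for the clear-text salt column kept next to each hash;
    // a real deployment would look it up from the module's datasource inside init().
    static final Map<String, byte[]> SALT_STORE = new HashMap<String, byte[]>();
    private byte[] salt;
    public void init(Map options) {
        // The options map carries the login name under this key (see the TRACE output above).
        String username = (String) options.get("javax.security.auth.login.name");
        salt = SALT_STORE.get(username);
        if (salt == null) throw new IllegalStateException("no salt stored for user " + username);
    }
    public void preDigest(MessageDigest digest) { } // nothing to prepend: password comes first
    public void postDigest(MessageDigest digest) {
        digest.update(salt); // runs after the module has fed the password bytes
    }
    static String toHex(byte[] bytes) { // upper-case hex, matching hashEncoding=HEX
        StringBuilder hex = new StringBuilder();
        for (byte b : bytes) hex.append(String.format("%02X", b));
        return hex.toString();
    }

    // Mirrors the module's preDigest -> update(password) -> postDigest order (assumed from the JBoss source).
    static String hashFor(DigestCallback cb, Map options, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        cb.init(options);
        cb.preDigest(sha1);
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        cb.postDigest(sha1);
        return toHex(sha1.digest());
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8}; // constructed 8-byte (64-bit) salt
        SALT_STORE.put("alice", salt);
        MessageDigest ref = MessageDigest.getInstance("SHA-1"); // what the database row would hold
        ref.update("correct horse".getBytes(StandardCharsets.UTF_8));
        ref.update(salt);
        Map<String, Object> opts = new HashMap<String, Object>();
        opts.put("javax.security.auth.login.name", "alice");
        String attempt = hashFor(new SaltedDigestCallback(), opts, "correct horse");
        System.out.println(toHex(ref.digest()).equals(attempt) ? "match" : "mismatch");
    }
}
```

If the stored value is instead salt-then-password, the update(salt) call moves to preDigest; the callback only ever controls what goes in before and after the password bytes the module feeds.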