1 Reply Latest reply on Nov 16, 2009 2:46 AM by Patrick Breiter

    MD5 Authentication Fails with JBoss 5.1

    Patrick Breiter Newbie

      Hello everybody

      I have a question regarding the MD5 Authentication in JBoss 5.1 GA.
      I used the normal authentication without MD5 hashes so far, but now I have to migrate an old version to a new version and the passwords are stored as MD5 strings in the database.

      So all I did was change the login-config.xml and add the following lines:

      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>


      The other part of my login-config.xml looks like this. I have tested the queries, and the rolename and the password (as hash) are returned:



      <module-option name="principalsQuery">SELECT password FROM users WHERE username=? AND active=1</module-option>
      
      <module-option name="rolesQuery">SELECT USERROLE.rolename, 'Roles' FROM USERS INNER JOIN (USERROLE INNER JOIN MAPUSERUSERROLE ON USERROLE.roleid = MAPUSERUSERROLE.roleid) ON USERS.userid = MAPUSERUSERROLE.userid where USERS.username=?</module-option>


      Unfortunately, the login always fails and I have no idea why. I guess the MD5 hash which JBoss generates is not equal to the one in the database. In the jboss-log4j.xml I enabled tracing for org.jboss.security, and that's all I get from the server.log file:

      2009-11-02 11:25:14,314 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) initialize
      2009-11-02 11:25:14,314 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) Security domain: SSIS2-domain
      2009-11-02 11:25:14,314 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) Password hashing activated: algorithm = MD5, encoding = base64, charset = {default}, callback = null, storeCallback = null
      2009-11-02 11:25:14,315 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) DatabaseServerLoginModule, dsJndiName=java:SSIS2DSprod
      2009-11-02 11:25:14,315 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) principalsQuery=SELECT password FROM users WHERE username=? AND active=1
      2009-11-02 11:25:14,315 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) rolesQuery=SELECT USERROLE.rolename, 'Roles' FROM USERS INNER JOIN (USERROLE INNER JOIN MAPUSERUSERROLE ON USERROLE.roleid = MAPUSERUSERROLE.roleid) ON USERS.userid = MAPUSERUSERROLE.userid where USERS.username=?
      2009-11-02 11:25:14,315 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) suspendResume=true
      2009-11-02 11:25:14,319 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) login
      2009-11-02 11:25:14,326 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) suspendAnyTransaction
      2009-11-02 11:25:14,329 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) Excuting query: SELECT password FROM users WHERE username=? AND active=1, with username: tlubrpa1
      2009-11-02 11:25:15,116 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) Obtained user password
      2009-11-02 11:25:15,116 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) resumeAnyTransaction
      2009-11-02 11:25:15,116 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) Bad password for username=tlubrpa1
      2009-11-02 11:25:15,116 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) abort


      Does anyone have an idea how I can debug the MD5 hash JBoss generates? Or can I do anything else to find out why I can't log in?

      Thanks a lot!
      Patrick

        • 1. Re: MD5 Authentication Fails with JBoss 5.1
          Patrick Breiter Newbie

          Guys, we were able to solve this problem.

          If you have a look at the JBoss Manual (chapter 9), you will see that the hashes from JBoss are Base64-encoded. The hashes I used were hex-encoded, so as you can see, that doesn't fit together.

          How can you now change them to Base64 encoding?

          Make a short database script with the following code:

          ------
          set sqlblanklines on;
          set serveroutput on;
          
          DECLARE
          
          BEGIN
           -- read password field as hex-encoded raw data and convert data using base64 encoding
           update users set password=utl_raw.cast_to_varchar2(utl_encode.base64_encode(utl_raw.cast_to_raw(utl_raw.cast_to_varchar2(password))));
          END;
          /
          ------
          


          After this, you should be able to log in.

          Hope that helps. Maybe there is someone out there who thinks this is useful.

          Best regards!
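
The encoding mismatch described in this thread, as an added example that is not part of the original posts or of JBoss: an offline check that tells a hex-encoded MD5 column apart from a Base64-encoded one and explains a "Bad password" result for one known test account. The function names, the UTF-8 charset (the trace above only shows charset = {default}) and the sample password are assumptions made for the illustration.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample: MD5 of the string "password", hex-encoded as in the old database.
SAMPLE_HEX = "5f4dcc3b5aa765d61d8327deb882cf99"

def md5_encoded(password, encoding, charset="utf-8"):
    """MD5 digest of the password, rendered as 'hex' or 'base64' text."""
    digest = hashlib.md5(password.encode(charset)).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError("unsupported encoding: " + encoding)

def stored_encoding(stored):
    """Guess how a stored 16-byte MD5 digest was encoded."""
    value = stored.strip()
    try:
        if len(value) == 32 and len(bytes.fromhex(value)) == 16:
            return "hex"
    except ValueError:
        pass
    try:
        if len(value) == 24 and len(base64.b64decode(value, validate=True)) == 16:
            return "base64"
    except (binascii.Error, ValueError):
        pass
    return "unknown"

def hex_to_base64(stored_hex):
    """Re-encode a hex digest as Base64, the same conversion the SQL script performs."""
    return base64.b64encode(bytes.fromhex(stored_hex)).decode("ascii")

def diagnose(password, stored, configured="base64"):
    """Explain a failed login for one account whose clear-text password is known."""
    actual = stored_encoding(stored)
    if actual == "unknown":
        return "stored value is not a 16-byte MD5 digest in hex or base64"
    candidate = stored.strip().lower() if actual == "hex" else stored.strip()
    if not hmac.compare_digest(md5_encoded(password, actual), candidate):
        return "digest mismatch: wrong password or charset"
    if actual != configured:
        return "encoding mismatch: stored=%s, configured=%s" % (actual, configured)
    return "ok"
```

Calling `diagnose("password", SAMPLE_HEX)` reports the situation from the first post, and the same call on `hex_to_base64(SAMPLE_HEX)` reports the state after the database script has run.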