7 Replies Latest reply on Mar 5, 2007 1:00 PM by Vicente Couto

    Auth How to

    Vicente Couto Newbie

      Hi all.
      I'm using an application in jboss with DataBaseServerLoginModule, FORM based auth., and everything is working pretty good.
      But now I'd like to put in the 'password' field, in Users table, an encrypted password. How can I do this work?

        • 2. Re: Auth How to
          jaikiran pai Master

          Sorry posted the wrong link :) Here's the correct one:

          http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4024678#4024678

          • 3. Re: Auth How to
            Peter Johnson Master

            I think those links are for how to secure the password used to make the database connection. I think the original question was how to store encrypted user passwords in the database. The answer to that is you have to use a database-specific mechanism, so you have to first read the documentation that comes with your database on how to store encrypted text.

            • 4. Re: Auth How to
              jaikiran pai Master

               

              "PeterJ" wrote:
              I think those links are for how to secure the password used to make the database connection. I think the original question was how to store encrypted user passwords in the database. The answer to that is you have to use a database-specific mechanism, so you have to first read the documentation that comes with your database on how to store encrypted text.


              Yes, you are right :) I read the question wrong.

              • 5. Re: Auth How to
                Vicente Couto Newbie

                Well, I think I wasn't clear, sorry.
                I know how to store encrypted passwords in the database, it's an easy thing.
                Today, when the server shows the login form, with the DataBaseServerLoginModule, I can connect with the database by the pure text credentials passed through j_security_check, reading two tables in the database.
                By this way, I can connect successfully, but I can "see" the password in the users table (of course, I know that you know that too)! I know how to encrypt this password using a database function, but how I'll do the text password from the login page be compared with that encrypted password?
                I will work later on this, and I think the link will be helpfull, but if you have any other help/examples I appreciate.
                Thanks!

                • 6. Re: Auth How to
                  Peter Johnson Master

                  OK, now I see what you mean. The DataBaseServerLoginModule is written incorrectly. It expects you to be able to write a select statement that returns the unencrypted password. If you have a password that is encrypted using one-way encryption, the DataBaseServerLoginModule will not be able to use it because it does not support any way of dealing with the password. What is needed is a new login module that allows the following entry (if using MySQL and ecrypting the password with the SHA1() function):

                  <module-option name = "principalsQuery">SELECT loginId FROM User WHERE loginId=? and password=sha1(?)</module-option>


                  This login module would accept the loginId an password is the select statement returns a single result.

                  An alternative would be to add a new option to the existing login module, something like:

                  <module-option name = "passwordQuery">SELECT sha1(?)


                  The existing login module could then use this query to encode the password before testing it against the password returned by the current query (which returns the value of the password column).

                  On further thought, looking at the code, there does appear to be support for this. I see references to a callback method related to passwords (UsernamePasswordLoginModule.createPasswordHash), and a method to truend a hashed password (DabaseServerLoginModule). Though it looks as if you have to write your own subclass of DabaseServerLoginModule. Hmm, a subclass that supports my 'passwordQuery' option might be a good idea.



                  • 7. Re: Auth How to
                    Vicente Couto Newbie

                    Peter, you described quite perfectly.
                    I gave a look into DatabaseServerLoginModule and make my own subclass, and worked very fine!
                    Thanks