I try to encrypt password in database login module with Wildfly picketbox module. These are my sources.
== web.xml
...
<security-role>
<role-name>administrator</role-name>
</security-role>
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>WildFly8DigestRealm</realm-name>
</login-config>
....
== jboss-web.xml
...
<jboss-web>
<security-domain>java:/jaas/my_secure_domain</security-domain>
</jboss-web>
== standalone.xml
...
<security-domain name="my_secure_domain" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/>
<module-option name="principalsQuery" value="select password from credential where uid=?"/>
<module-option name="rolesQuery" value="select urole, 'Roles' from credential where uid=?"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="base64"/>
<module-option name="hashUserPassword" value="true"/>
<module-option name="hashStorePassword" value="true"/>
</login-module>
</authentication>
</security-domain>
Password is encrypted with below
== EncryptPassword.java
import java.security.MessageDigest;
import org.jboss.security.Base64Encoder;
public class EncryptPassword {
public static void main(String[] args) {
// TODO Auto-generated method stub
String algoritmo = "MD5";
String clearTextPassword = "passwd123";
String hashedPassword = null;
try {
byte[] hash = MessageDigest.getInstance(algoritmo).digest(clearTextPassword.getBytes());
hashedPassword = Base64Encoder.encode(hash);
System.out.println("Clear Text Password : " + clearTextPassword);
System.out.println("Encrypted Password : " + hashedPassword);
} catch (Exception e) {
e.printStackTrace();
}
}
}
And also I executed Java command on shell like below as well as above Java file:
C:>java -cp c:\\wildfly-8.0.0.final\\modules\\system\\layers\\base\\org\\picketbox\\main\\picketbox-4.0.20.Final.jar org.jboss.security.Base64Encoder passwd123 MD5
Both result brings the same hashed password and hashed password is updated.
Clear Text Password : passwd123
Encrypted Password : EWT55bjO92g5bc1TdOS26w==
However, login is still failed. And in server.log it throws the following exception.
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=hashUserPassword, value=true
name=hashAlgorithm, value=MD5
name=principalsQuery, value=select password from credential where uid=?
name=hashEncoding, value=base64
name=dsJndiName, value=java:jboss/datasources/MySqlDS
name=hashStorePassword, value=true
name=rolesQuery, value=select urole, 'Roles' from credential where uid=?
2014-07-15 21:06:45,845 TRACE [org.jboss.security] (default task-2) PBOX000236: Begin initialize method
2014-07-15 21:06:45,845 DEBUG [org.jboss.security] (default task-2) PBOX000281: Password hashing activated, algorithm: MD5, encoding: base64, charset: null, callback: null, storeCallBack: null
2014-07-15 21:06:45,846 TRACE [org.jboss.security] (default task-2) PBOX000262: Module options [dsJndiName: java:jboss/datasources/MySqlDS, principalsQuery: select password from credential where uid=?, rolesQuery: select urole, 'Roles' from credential where uid=?, suspendResume: true]
2014-07-15 21:06:45,847 TRACE [org.jboss.security] (default task-2) PBOX000240: Begin login method
2014-07-15 21:06:46,022 TRACE [org.jboss.security] (default task-2) PBOX000263: Executing query select password from credential where uid=? with username admin
2014-07-15 21:06:46,037 DEBUG [org.jboss.security] (default task-2) PBOX000283: Bad password for username admin
2014-07-15 21:06:46,037 TRACE [org.jboss.security] (default task-2) PBOX000244: Begin abort method
2014-07-15 21:06:46,037 DEBUG [org.jboss.security] (default task-2) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.20.Final.jar:4.0.20.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_60]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_60]
Looking at the source code , I see the following happening:
hashUserPassword
is set to true
and the algorithm and encoding are provided. hashStorePassword
is set to true
and the algorithm and encoding are provided. Now, if your database already contains the hashed/encoded password (which I assume), this means that the one retrieved from the database will be doubly hashed/encoded, and the comparison with the user-provided one will fail.
The solution would then be to change the hashStorePassword
option to false
like this:
<module-option name="hashStorePassword" value="false"/>
删除行module-option name="hashUserPassword" value="true"
并将line module-option name="hashStorePassword" value="true"
更改为module-option name="hashStorePassword" value="false"
因为你已经哈希密码。
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.