
Wildfly digest login-config with database login module

I am trying to encrypt the password in the database login module using the Wildfly picketbox module. These are my sources.

== web.xml

 ... 
 <security-role> 
    <role-name>administrator</role-name> 
 </security-role> 

 <login-config> 
    <auth-method>DIGEST</auth-method> 
    <realm-name>WildFly8DigestRealm</realm-name> 
 </login-config> 
 .... 

== jboss-web.xml

 ... 
 <jboss-web> 
    <security-domain>java:/jaas/my_secure_domain</security-domain> 
 </jboss-web>

== standalone.xml

... 
 <security-domain name="my_secure_domain" cache-type="default"> 
    <authentication> 
       <login-module code="Database" flag="required"> 
          <module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/> 
          <module-option name="principalsQuery" value="select password from credential where uid=?"/> 
          <module-option name="rolesQuery" value="select urole, 'Roles' from credential where uid=?"/> 
          <module-option name="hashAlgorithm" value="MD5"/> 
          <module-option name="hashEncoding" value="base64"/> 
          <module-option name="hashUserPassword" value="true"/> 
          <module-option name="hashStorePassword" value="true"/> 
       </login-module> 
    </authentication> 
 </security-domain>

The password is encrypted with the following:

== EncryptPassword.java

import java.security.MessageDigest;
import org.jboss.security.Base64Encoder;

public class EncryptPassword {

  public static void main(String[] args) {
    // Same algorithm and encoding as the hashAlgorithm / hashEncoding module options
    String algoritmo = "MD5";
    String clearTextPassword = "passwd123";
    String hashedPassword = null;

    try {
       // Digest the raw bytes (platform default charset, like PicketBox with charset: null)
       byte[] hash = MessageDigest.getInstance(algoritmo).digest(clearTextPassword.getBytes());
       // Base64-encode the digest so it matches hashEncoding=base64
       hashedPassword = Base64Encoder.encode(hash);
       System.out.println("Clear Text Password : " + clearTextPassword);
       System.out.println("Encrypted Password : " + hashedPassword);
    } catch (Exception e) {
       e.printStackTrace();
    }
  }
}

I also ran the Java command on the shell, as shown below, in addition to the Java file:

C:\> java -cp c:\wildfly-8.0.0.final\modules\system\layers\base\org\picketbox\main\picketbox-4.0.20.Final.jar org.jboss.security.Base64Encoder passwd123 MD5

Both results give the same hashed password, and the hashed password was updated.

Clear Text Password : passwd123 
Encrypted Password : EWT55bjO92g5bc1TdOS26w== 

However, the login still fails. In server.log it throws the following exception.

 LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule 
 ControlFlag: LoginModuleControlFlag: required 
 Options: 
 name=hashUserPassword, value=true 
 name=hashAlgorithm, value=MD5 
 name=principalsQuery, value=select password from credential where uid=? 
 name=hashEncoding, value=base64 
 name=dsJndiName, value=java:jboss/datasources/MySqlDS 
 name=hashStorePassword, value=true 
 name=rolesQuery, value=select urole, 'Roles' from credential where uid=? 

 2014-07-15 21:06:45,845 TRACE [org.jboss.security] (default task-2) PBOX000236: Begin initialize method 
 2014-07-15 21:06:45,845 DEBUG [org.jboss.security] (default task-2) PBOX000281: Password hashing activated, algorithm: MD5, encoding: base64, charset: null, callback: null, storeCallBack: null 
 2014-07-15 21:06:45,846 TRACE [org.jboss.security] (default task-2) PBOX000262: Module options [dsJndiName: java:jboss/datasources/MySqlDS, principalsQuery: select password from credential where uid=?, rolesQuery: select urole, 'Roles' from credential where uid=?, suspendResume: true] 
 2014-07-15 21:06:45,847 TRACE [org.jboss.security] (default task-2) PBOX000240: Begin login method 
 2014-07-15 21:06:46,022 TRACE [org.jboss.security] (default task-2) PBOX000263: Executing query select password from credential where uid=? with username admin 
 2014-07-15 21:06:46,037 DEBUG [org.jboss.security] (default task-2) PBOX000283: Bad password for username admin 
 2014-07-15 21:06:46,037 TRACE [org.jboss.security] (default task-2) PBOX000244: Begin abort method 
 2014-07-15 21:06:46,037 DEBUG [org.jboss.security] (default task-2) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required 
 at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.20.Final.jar:4.0.20.Final] 
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60] 
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60] 
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60] 
 at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_60] 
 at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_60]

Looking at the source code, I found the following:

  • The password entered by the user is hashed/encoded, because hashUserPassword is set to true and an algorithm and encoding are supplied.
  • The password retrieved from the database is hashed/encoded, because hashStorePassword is set to true and an algorithm and encoding are supplied.
  • The two hashed/encoded passwords are compared.

Now, if your database already contains hashed/encoded passwords (which I assume), this means the password retrieved from the database gets hashed/encoded twice, and the comparison with the password supplied by the user fails.

The solution is then to change the hashStorePassword option to false, as follows:

<module-option name="hashStorePassword" value="false"/> 

Remove the line module-option name="hashUserPassword" value="true" and change the line module-option name="hashStorePassword" value="true" to module-option name="hashStorePassword" value="false", because you have already hashed the password.
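To make the double-hashing described in the answers above concrete, here is an added example (not code from the question, the answers or PicketBox) that replays the Database login module's comparison with the same MD5/base64 settings as the standalone.xml above. The credential table and the `database_login` function are a simplified, constructed model of the module's behaviour, not its real API.

```python
import base64
import hashlib
import hmac


def hash_password(clear_text: str, algorithm: str = "MD5", encoding: str = "base64") -> str:
    """What PicketBox does to a value when hashUserPassword / hashStorePassword is true:
    digest with hashAlgorithm, then encode with hashEncoding (UTF-8 assumed here)."""
    digest = hashlib.new(algorithm.lower(), clear_text.encode("utf-8")).digest()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "hex":
        return digest.hex()
    raise ValueError(f"unsupported hashEncoding: {encoding}")


def database_login(username: str, supplied_password: str, credential_table: dict,
                   hash_user_password: bool = True, hash_store_password: bool = True) -> bool:
    """Simplified model of DatabaseServerLoginModule: look up the stored value for the
    user (the principalsQuery), optionally hash each side, then compare."""
    stored = credential_table.get(username)
    if stored is None:
        return False  # unknown user: no principal row
    expected = hash_password(stored) if hash_store_password else stored
    actual = hash_password(supplied_password) if hash_user_password else supplied_password
    # constant-time comparison so the check itself leaks nothing about the stored value
    return hmac.compare_digest(expected, actual)


def demo() -> dict:
    """Constructed credential table: the stored value is already MD5+base64 of passwd123,
    exactly what the question's EncryptPassword tool writes into the database."""
    pre_hashed = {"admin": hash_password("passwd123")}
    return {
        # the question's configuration: both sides hashed -> stored value hashed twice -> fails
        "both_true_on_prehashed": database_login("admin", "passwd123", pre_hashed, True, True),
        # the answers' fix: hash only the user's input, compare against the stored hash -> works
        "store_false_on_prehashed": database_login("admin", "passwd123", pre_hashed, True, False),
        # wrong password still rejected after the fix
        "store_false_wrong_password": database_login("admin", "wrongpass", pre_hashed, True, False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'login ok' if ok else 'Bad password'}")
```

hashStorePassword=true is only correct when the principalsQuery returns clear-text passwords, which is the case the log message "Bad password for username admin" is hiding here.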
