
Wildfly digest login-config with database login module

I am trying to encrypt the passwords used by the database login module with the Wildfly picketbox module. These are my sources.

== web.xml

 ... 
 <security-role> 
    <role-name>administrator</role-name> 
 </security-role> 

 <login-config> 
    <auth-method>DIGEST</auth-method> 
    <realm-name>WildFly8DigestRealm</realm-name> 
 </login-config> 
 .... 

== jboss-web.xml

 ... 
 <jboss-web> 
    <security-domain>java:/jaas/my_secure_domain</security-domain> 
 </jboss-web>

== standalone.xml

... 
 <security-domain name="my_secure_domain" cache-type="default"> 
    <authentication> 
       <login-module code="Database" flag="required"> 
          <module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/> 
          <module-option name="principalsQuery" value="select password from credential where uid=?"/> 
          <module-option name="rolesQuery" value="select urole, 'Roles' from credential where uid=?"/> 
          <module-option name="hashAlgorithm" value="MD5"/> 
          <module-option name="hashEncoding" value="base64"/> 
          <module-option name="hashUserPassword" value="true"/> 
          <module-option name="hashStorePassword" value="true"/> 
       </login-module> 
    </authentication> 
 </security-domain>

The password is encrypted with the following:

== EncryptPassword.java

 import java.security.MessageDigest;
 import org.jboss.security.Base64Encoder;

 public class EncryptPassword {

   public static void main(String[] args) {
     String algoritmo = "MD5";
     String clearTextPassword = "passwd123";
     String hashedPassword = null;

     try {
        // Digest of the clear-text password; getBytes() uses the platform default charset
        byte[] hash = MessageDigest.getInstance(algoritmo).digest(clearTextPassword.getBytes());
        // Base64-encode with PicketBox's encoder, to match hashEncoding="base64" in standalone.xml
        hashedPassword = Base64Encoder.encode(hash);
        System.out.println("Clear Text Password : " + clearTextPassword);
        System.out.println("Encrypted Password : " + hashedPassword);
     } catch (Exception e) {
        e.printStackTrace();
     }
   }
 }

I also ran the Java command on the shell as shown below, in addition to the Java file:

C:> java -cp c:\wildfly-8.0.0.final\modules\system\layers\base\org\picketbox\main\picketbox-4.0.20.Final.jar org.jboss.security.Base64Encoder passwd123 MD5

Both results give the same hashed password, and the hashed password has been updated.

Clear Text Password : passwd123 
Encrypted Password : EWT55bjO92g5bc1TdOS26w== 

However, the login still fails. In server.log it throws the following exception.

 LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule 
 ControlFlag: LoginModuleControlFlag: required 
 Options: 
 name=hashUserPassword, value=true 
 name=hashAlgorithm, value=MD5 
 name=principalsQuery, value=select password from credential where uid=? 
 name=hashEncoding, value=base64 
 name=dsJndiName, value=java:jboss/datasources/MySqlDS 
 name=hashStorePassword, value=true 
 name=rolesQuery, value=select urole, 'Roles' from credential where uid=? 

 2014-07-15 21:06:45,845 TRACE [org.jboss.security] (default task-2) PBOX000236: Begin initialize method 
 2014-07-15 21:06:45,845 DEBUG [org.jboss.security] (default task-2) PBOX000281: Password hashing activated, algorithm: MD5, encoding: base64, charset: null, callback: null, storeCallBack: null 
 2014-07-15 21:06:45,846 TRACE [org.jboss.security] (default task-2) PBOX000262: Module options [dsJndiName: java:jboss/datasources/MySqlDS, principalsQuery: select password from credential where uid=?, rolesQuery: select urole, 'Roles' from credential where uid=?, suspendResume: true] 
 2014-07-15 21:06:45,847 TRACE [org.jboss.security] (default task-2) PBOX000240: Begin login method 
 2014-07-15 21:06:46,022 TRACE [org.jboss.security] (default task-2) PBOX000263: Executing query select password from credential where uid=? with username admin 
 2014-07-15 21:06:46,037 DEBUG [org.jboss.security] (default task-2) PBOX000283: Bad password for username admin 
 2014-07-15 21:06:46,037 TRACE [org.jboss.security] (default task-2) PBOX000244: Begin abort method 
 2014-07-15 21:06:46,037 DEBUG [org.jboss.security] (default task-2) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required 
 at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.20.Final.jar:4.0.20.Final] 
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60] 
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60] 
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60] 
 at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_60] 
 at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_60] 
 at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_60]

Looking at the source code, I found the following:

  • The input user password is hashed/encoded, because hashUserPassword is set to true and an algorithm and encoding are provided.
  • The password retrieved from the database is hashed/encoded, because hashStorePassword is set to true and an algorithm and encoding are provided.
  • The two hashed/encoded passwords are compared.

Now, if your database already contains hashed/encoded passwords (which I assume), this means that the password retrieved from the database will be double hashed/encoded, and the comparison with the user-supplied password will fail.

The solution is then to change the hashStorePassword option to false, as follows:

<module-option name="hashStorePassword" value="false"/> 
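To make the double-hashing effect described in this answer visible, here is an added example; it is not part of the original question and it is not PicketBox source. It re-implements, in plain Java, the comparison step the answer describes for DatabaseServerLoginModule (hash the user input when hashUserPassword is true, hash the value read by principalsQuery when hashStorePassword is true, then compare), using java.util.Base64 instead of org.jboss.security.Base64Encoder so it needs no WildFly jar. The class name HashStoreCheck and the helper names are assumptions of this example; the sample password is the one from the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added example, not PicketBox source: a simplified model of the
// hashUserPassword / hashStorePassword comparison in the login module.
public class HashStoreCheck {

    // Same computation as EncryptPassword.java in the question: digest of the
    // clear-text password, base64-encoded (hashEncoding="base64").
    static String hash(String clearText, String algorithm) {
        try {
            byte[] digest = MessageDigest.getInstance(algorithm)
                    .digest(clearText.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("unsupported hashAlgorithm: " + algorithm, e);
        }
    }

    // Models the module's check: the user-supplied password is hashed when
    // hashUserPassword is true, the value read from the database is hashed
    // when hashStorePassword is true, then the two strings are compared.
    static boolean validate(String userPassword, String storedPassword,
                            boolean hashUserPassword, boolean hashStorePassword,
                            String algorithm) {
        String expected = hashStorePassword ? hash(storedPassword, algorithm) : storedPassword;
        String supplied = hashUserPassword ? hash(userPassword, algorithm) : userPassword;
        // Constant-time comparison, so timing does not reveal how many bytes matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String clearText = "passwd123";              // password from the question
        String storedHash = hash(clearText, "MD5");  // what the credential table holds after running EncryptPassword

        // Configuration from the question: hashStorePassword="true" hashes the
        // already-hashed database value a second time, so the login fails.
        boolean withStoreHashing = validate(clearText, storedHash, true, true, "MD5");

        // Corrected configuration from this answer: only the user input is hashed.
        boolean withoutStoreHashing = validate(clearText, storedHash, true, false, "MD5");

        // A wrong password must still be rejected with the corrected configuration.
        boolean wrongPassword = validate("passwd124", storedHash, true, false, "MD5");

        System.out.println("stored hash                             : " + storedHash);
        System.out.println("hashStorePassword=true  (question)      : " + withStoreHashing);
        System.out.println("hashStorePassword=false (answer)        : " + withoutStoreHashing);
        System.out.println("wrong password, hashStorePassword=false : " + wrongPassword);
    }
}
```

Compile and run with javac HashStoreCheck.java && java HashStoreCheck. The first check is false (the stored hash was hashed again), the second is true, and the wrong-password check is false. The example uses UTF-8 explicitly where the question's code relies on the platform default charset; for an ASCII password the two agree. It models only the login module's own comparison, not how the DIGEST auth-method in web.xml delivers the credential to the module.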

Remove the line module-option name="hashUserPassword" value="true" and change the line module-option name="hashStorePassword" value="true" to module-option name="hashStorePassword" value="false", because you have already hashed the password.
