[英]Wildfly digest login-config with database login module
我嘗試使用Wildfly picketbox模塊加密數據庫登錄模塊中的密碼。 這些是我的來源。
== web.xml
...
<security-role>
<role-name>administrator</role-name>
</security-role>
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>WildFly8DigestRealm</realm-name>
</login-config>
....
== jboss-web.xml
...
<jboss-web>
<security-domain>java:/jaas/my_secure_domain</security-domain>
</jboss-web>
== standalone.xml
...
<security-domain name="my_secure_domain" cache-type="default">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:jboss/datasources/MySqlDS"/>
<module-option name="principalsQuery" value="select password from credential where uid=?"/>
<module-option name="rolesQuery" value="select urole, 'Roles' from credential where uid=?"/>
<module-option name="hashAlgorithm" value="MD5"/>
<module-option name="hashEncoding" value="base64"/>
<module-option name="hashUserPassword" value="true"/>
<module-option name="hashStorePassword" value="true"/>
</login-module>
</authentication>
</security-domain>
密碼使用以下加密
== EncryptPassword.java
import java.security.MessageDigest;
import org.jboss.security.Base64Encoder;
public class EncryptPassword {
public static void main(String[] args) {
// TODO Auto-generated method stub
String algoritmo = "MD5";
String clearTextPassword = "passwd123";
String hashedPassword = null;
try {
byte[] hash = MessageDigest.getInstance(algoritmo).digest(clearTextPassword.getBytes());
hashedPassword = Base64Encoder.encode(hash);
System.out.println("Clear Text Password : " + clearTextPassword);
System.out.println("Encrypted Password : " + hashedPassword);
} catch (Exception e) {
e.printStackTrace();
}
}
}
我也在shell上執行Java命令,如下面以及Java文件:
C:> java -cp c:\\ wildfly-8.0.0.final \\ modules \\ system \\ layers \\ base \\ org \\ picketbox \\ main \\ picketbox-4.0.20.Final.jar org.jboss.security.Base64Encoder passwd123 MD5
兩個結果都帶來相同的散列密碼和散列密碼更新。
Clear Text Password : passwd123
Encrypted Password : EWT55bjO92g5bc1TdOS26w==
但是,登錄仍然失敗。 在server.log中,它會拋出以下異常。
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=hashUserPassword, value=true
name=hashAlgorithm, value=MD5
name=principalsQuery, value=select password from credential where uid=?
name=hashEncoding, value=base64
name=dsJndiName, value=java:jboss/datasources/MySqlDS
name=hashStorePassword, value=true
name=rolesQuery, value=select urole, 'Roles' from credential where uid=?
2014-07-15 21:06:45,845 TRACE [org.jboss.security] (default task-2) PBOX000236: Begin initialize method
2014-07-15 21:06:45,845 DEBUG [org.jboss.security] (default task-2) PBOX000281: Password hashing activated, algorithm: MD5, encoding: base64, charset: null, callback: null, storeCallBack: null
2014-07-15 21:06:45,846 TRACE [org.jboss.security] (default task-2) PBOX000262: Module options [dsJndiName: java:jboss/datasources/MySqlDS, principalsQuery: select password from credential where uid=?, rolesQuery: select urole, 'Roles' from credential where uid=?, suspendResume: true]
2014-07-15 21:06:45,847 TRACE [org.jboss.security] (default task-2) PBOX000240: Begin login method
2014-07-15 21:06:46,022 TRACE [org.jboss.security] (default task-2) PBOX000263: Executing query select password from credential where uid=? with username admin
2014-07-15 21:06:46,037 DEBUG [org.jboss.security] (default task-2) PBOX000283: Bad password for username admin
2014-07-15 21:06:46,037 TRACE [org.jboss.security] (default task-2) PBOX000244: Begin abort method
2014-07-15 21:06:46,037 DEBUG [org.jboss.security] (default task-2) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:284) [picketbox-4.0.20.Final.jar:4.0.20.Final]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_60]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_60]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_60]
at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_60]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_60]
at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_60]
查看源代碼 ,我發現以下情況:
hashUserPassword
設置為true
並且提供了算法和編碼。 hashStorePassword
設置為true
並且提供了算法和編碼。 現在,如果您的數據庫已經包含散列/編碼密碼(我假設),這意味着從數據庫中檢索到的密碼將被雙重散列/編碼,並且與用戶提供的密碼的比較將失敗。
然后解決方案是將hashStorePassword
選項更改為false
如下所示:
<module-option name="hashStorePassword" value="false"/>
刪除行module-option name="hashUserPassword" value="true"
並將line module-option name="hashStorePassword" value="true"
更改為module-option name="hashStorePassword" value="false"
因為你已經哈希密碼。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.