John & Dmitriy,
Thanks for the pointers. Derek and I ended up grabbing a library from Blackboard and have used their classes to verify the password hashing. I'll put the file and the subsequent configuration and the error we're getting in hopes of getting pointed in the right direction. The Java file is attached. The configuration is thus:
<!-- BBDB Authentication Handler -->
<bean id="bb_bb60AuthenticationHandler"
class="edu.fsu.cas.authentication.handler.BBDBAuthenticationHandler"
p:name="bb_bb60AuthenticationHandler"
p:dataSource-ref="dataSource"
p:sql="select passwd from bb_bb60.users where user_id = ?"
/>
Now, you'll see a test that we run at the end of the file and it looks to run
correctly when we put it through Eclipse. The error we get in Tomcat is:
Aug 20, 2014 10:48:54 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [cas] in context with path [/cas] threw
exception [Request processing failed; nested exception is
org.springframework.webflow.execution.ActionExecutionException: Exception
thrown executing [AnnotatedAction@2bd1c812 targetAction =
[EvaluateAction@b3163dd expression =
authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials,
messageContext), resultExpression = [null]], attributes = map[[empty]]] in
state 'realSubmit' of flow 'login' -- action execution attributes were
'map[[empty]]'] with root cause
java.lang.IllegalArgumentException: 'principal' cannot be null.
Check the correctness of @Audit annotation at the following audit point:
execution(public abstract org.jasig.cas.authentication.Authentication
org.jasig.cas.authentication.AuthenticationManager.authenticate(org.jasig.cas.authentication.principal.Credentials))
at com.github.inspektr.audit.AuditActionContext.assertNotNull(AuditActionContext.java:81)
at com.github.inspektr.audit.AuditActionContext.<init>(AuditActionContext.java:63)
at com.github.inspektr.audit.AuditTrailManagementAspect.executeAuditCode(AuditTrailManagementAspect.java:149)
at com.github.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:139)
blahblahblahmorestacktrace...
Jonathan Liedy
Middleware Administrator
The Florida State University
2035 East Paul Dirac Drive
Sliger, Suite 113
Tallahassee, FL 32310
[email protected]
Voice: (850) 270-7368
From: Dmitriy Kopylenko [mailto:[email protected]]
Sent: Tuesday, August 19, 2014 11:48 AM
To: [email protected]
Subject: Re: [cas-user] Comparing dynamically salted SHA512 encoded passwords
from a database
Another option is to use Shiro's HashService API which supports multiple
MessageDigest algorithms. There is a CAS' PasswordEncoder implementation on top
of it (but only currently with static config options for salt and iterations):
https://github.com/Unicon/cas-addons/wiki/Configuring%20ShiroHashServicePasswordEncoder
The idea would be to come up with an abstraction API, let's say
DigestConfigurationSource and implementation(s) that could pull values from a
variety of back end stores e.g. RDBMS - for algorithm, salt, number of
iterations, etc. and wire that into this PE impl (which of course would need to
be refactored to use this abstraction, etc.)
Best,
Dmitriy.
On Aug 19, 2014, at 11:36 AM, John Gasper <[email protected]> wrote:
Hi Jonathan,
I hope all is well at FSU.
I haven't seen any complete DB salted hashing solutions out there. I'm
attaching a class (org.apache.directory.studio.ldapbrowser.core.model.password)
that I borrowed from the Apache DS project. I basically stripped it down to be
a single class that produces the SSHA hashes. I believe the original class has
a password verify routine. Using that, this and a JDBC Auth Handler, you (or a
dev at FSU) should probably be able to get something working for SSHA512.
Good luck!
On 8/17/14 10:14 PM, Liedy, Jonathan wrote:
Hey all,
Does anyone have an implementation of pulling a salt from a database and
comparing the given encoded password with a database stored password?
The latest release of Blackboard uses SHA512 encoded passwords with a
dynamically generated salt. The salt, iterations and hash are all in the same
table. I'm no Java dev, but if someone has a similar implementation they could
share, I could probably hack through it.
Thanks,
Jonathan Liedy
Middleware Administrator
The Florida State University
2035 East Paul Dirac Drive
Sliger, Suite 113
Tallahassee, FL 32310
[email protected]
Voice: (850) 270-7368
--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user
--
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef
<Password.java>
BBDBAuthenticationHandler.java
Description: BBDBAuthenticationHandler.java
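An added example, not part of the thread and not the attached handler or Blackboard's code: a minimal sketch of the per-user lookup Dmitriy describes, where algorithm, salt, iteration count and stored hash come from the same row and the comparison is constant-time. The interface name `DigestConfigurationSource` is the one proposed in the thread; `DigestConfig`, `SaltedDigestVerifier` and the hashing scheme (salt prepended, digest re-hashed per iteration) are assumptions, and Blackboard's real format must be confirmed before reuse.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

public class SaltedDigestVerifier {
    /** Per-user digest parameters read from one row (hypothetical layout). */
    static final class DigestConfig {
        final String algorithm; final byte[] salt; final int iterations; final byte[] hash;
        DigestConfig(String algorithm, byte[] salt, int iterations, byte[] hash) {
            this.algorithm = algorithm; this.salt = salt; this.iterations = iterations; this.hash = hash;
        }
    }
    /** Abstraction proposed in the thread; a JDBC-backed implementation would run the SQL lookup. */
    interface DigestConfigurationSource {
        DigestConfig lookup(String userId); // returns null for an unknown user
    }

    /** Assumed scheme: H(salt || password), then the digest is re-hashed iterations-1 times. */
    static byte[] digest(String algorithm, byte[] salt, int iterations, String password)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        byte[] out = md.digest(password.getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) {
            out = md.digest(out); // digest() resets the instance after each call
        }
        return out;
    }

    static boolean verify(DigestConfigurationSource source, String userId, String password)
            throws NoSuchAlgorithmException {
        DigestConfig cfg = source.lookup(userId);
        if (cfg == null) {
            return false; // unknown user: fail closed instead of propagating a null
        }
        byte[] candidate = digest(cfg.algorithm, cfg.salt, cfg.iterations, password);
        return MessageDigest.isEqual(candidate, cfg.hash); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample row standing in for the users table.
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        Map<String, DigestConfig> rows = new HashMap<>();
        rows.put("jdoe", new DigestConfig("SHA-512", salt, 1000, digest("SHA-512", salt, 1000, "s3cret")));
        DigestConfigurationSource source = rows::get;
        System.out.println(verify(source, "jdoe", "s3cret"));
        System.out.println(verify(source, "jdoe", "wrong"));
        System.out.println(verify(source, "nobody", "s3cret"));
    }
}
```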
