On Tue, May 7, 2013 at 8:36 AM, Tania Marinova <taniamm2...@yahoo.com> wrote:
>
> I am trying to add Rampart security to what I have made
>
> I have stored in a database the hashed value of "bobPW" password and the
> salt
>
> In my PWCBHandler
>
> I get the stored password and hash
> I hash pwcb.getPassword() with the stored password
> and check if this hashed password is equal to the stored password
>
<snip>

> private static String hash(String password, byte[] salt) throws Exception
> {
>     SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
>     KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 256);
>     return Base64.encodeBase64String(f.generateSecret(spec).getEncoded());
> }
>
<snip>

> INFO: Server startup in 9608 ms
> java.lang.NullPointerException
>     at kim.PWCB.hash(PWCB.java:68)
>     at kim.PWCB.handle(PWCB.java:44)
<snip>
> [ERROR] The security token could not be authenticated or authorized
> org.apache.axis2.AxisFault: The security token could not be authenticated or authorized
>     at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
>     at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)

Typically the salt + raw password would be hashed, resulting in a
digest that would be stored in the DB in the password column. You
would then receive a clear text password from the user, convert that
to a digest, and compare the bytes to your stored digest. (The API
does most of this for you.) The digests to compare have to use the
same iterations, algo, salt size etc. I advise against storing the
salt as a separate column. This tutorial is a good start on the
subject:

http://throwingfire.com/storing-passwords-securely/

Another issue is Base64 conversion, typically you would convert the
encrypted String to Base64 before storing it to the db. Your code uses
Base64.decode, so make sure the String you pass to it is in Base64
format.

Finally, you are getting an NPE, so test all your vars for null at the
beginning of hash() before you use them. I can't tell from what you
pasted where PWCB.java:68 is.

- R
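To make the flow R describes concrete, here is an added example (not Tania's PWCB code and not Rampart's own API): the PBKDF2 parameters, the salt and the digest are kept together in one self-describing string in the password column, the verifier reuses exactly the iterations and salt that produced the record, the comparison is constant-time, and every input the posted hash() could have hit an NPE on is checked up front. It uses java.util.Base64 (Java 8+) in place of the commons-codec Base64 from the post, and the "pbkdf2-sha1$iterations$salt$digest" record layout is an assumption chosen for this example, not a Rampart or WSS4J convention.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not the original poster's code. One string holds everything
 * the verifier needs, so salt and digest can never drift apart in the DB.
 * Record layout (an assumption made for this example):
 *   pbkdf2-sha1$<iterations>$<base64 salt>$<base64 digest>
 */
public final class PasswordStore {
    private static final String ALG = "PBKDF2WithHmacSHA1";
    private static final String TAG = "pbkdf2-sha1";
    private static final int ITERATIONS = 65536;   // same values as in the thread
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** Raw PBKDF2 digest. The null/empty guards cover what the posted hash() did not check. */
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        if (password == null) throw new IllegalArgumentException("password is null");
        if (salt == null || salt.length == 0) throw new IllegalArgumentException("salt is null or empty");
        if (iterations < 1) throw new IllegalArgumentException("iterations must be positive");
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance(ALG).generateSecret((KeySpec) spec).getEncoded();
        } finally {
            spec.clearPassword();   // PBEKeySpec keeps its own copy of the password
        }
    }

    /** Enrolment: fresh random salt, returns the single value to store in the password column. */
    public static String enroll(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] digest = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder enc = Base64.getEncoder();
        return TAG + "$" + ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(digest);
    }

    /** Verification: clear-text candidate (e.g. pwcb.getPassword()) against the stored record. */
    public static boolean verify(char[] candidate, String stored) throws Exception {
        if (candidate == null || stored == null) return false;
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !TAG.equals(parts[0])) return false;   // not one of our records
        int iterations;
        byte[] salt;
        byte[] expected;
        try {
            iterations = Integer.parseInt(parts[1]);
            Base64.Decoder dec = Base64.getDecoder();
            salt = dec.decode(parts[2]);        // only ever fed real Base64, so no decode surprises
            expected = dec.decode(parts[3]);
        } catch (IllegalArgumentException corrupt) {
            return false;                       // malformed record: reject, do not throw NPEs later
        }
        byte[] actual = pbkdf2(candidate, salt, iterations);
        // Constant-time comparison; Arrays.equals/String.equals stop at the first differing byte.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample using the password from the thread.
        String record = enroll("bobPW".toCharArray());
        System.out.println("stored record : " + record);
        System.out.println("correct pw    : " + verify("bobPW".toCharArray(), record));
        System.out.println("wrong pw      : " + verify("bobPw".toCharArray(), record));
        System.out.println("corrupt record: " + verify("bobPW".toCharArray(), "pbkdf2-sha1$1$not base64!$x"));
    }
}
```

In the callback handler the check then reduces to loading the record for pwcb.getIdentifier(), calling verify(pwcb.getPassword().toCharArray(), record), and failing the callback when it returns false; because the iteration count and salt travel inside the record, a later change to ITERATIONS only affects newly enrolled users and never silently breaks verification of old ones.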

---------------------------------------------------------------------
To unsubscribe, e-mail: java-user-unsubscr...@axis.apache.org
For additional commands, e-mail: java-user-h...@axis.apache.org
