Hello,
first, thank you for your answer! And I think I do what you're saying.
 
I store the hashed password but also the salt in a separate column (because I
should then hash the plain text password with the same hash).

Then I make a SOAP request in which, as you see, I give the plain text password
(which I'm not sure is secure enough, and maybe I should think about how I can
change this):
 
    "<?xml version=\"1.0\" encoding=\"utf-8\"?>" +
    "<soapenv:Envelope " +
    "xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" " +
    "xmlns:nilo=\"http://nilo/\">" +
    "<soapenv:Header>" +
    "<wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" " +
    "soapenv:mustUnderstand=\"1\">" +
    // wsu namespace host is docs.oasis-open.org (the pasted code had "oasisopen" without the hyphen)
    "<wsse:UsernameToken xmlns:wsu=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\" " +
    "wsu:Id=\"123\">" +
    "<wsse:Username>bob</wsse:Username>" +
    // PasswordText: the password travels in clear text inside the envelope
    "<wsse:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">bobPW</wsse:Password>" +
    "</wsse:UsernameToken>" +
    "</wsse:Security>" +
    "</soapenv:Header>" +
    "<soapenv:Body>" +
    "<nilo:InsertIntoDB>" +
    "<nilo:data>" + tranXml + "</nilo:data>" +
    "</nilo:InsertIntoDB>" +
    "</soapenv:Body>" +
    "</soapenv:Envelope>";
      
 
------------------------------------------------------------------------------------------------------------------------------
Then in my password callback handler, as you see, I hash the received password
with the salt from the database:

    passwordforchecking = hash(pwcb.getPassword(), Base64.decodeBase64(newArray[1]));
    System.out.println(passwordforchecking);

And here is where I get the NullPointerException, and I can't understand why!
The salt is the same! The hash method is the same. Now I'm really desperate; I
can't solve this for days.
 
 
To be more specific, I'm sending all the code where I save the password first
(to compare with the code of my password callback class and to see that I'm
right, and that the hash method is the same and my salt is the same):
 
 
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.codec.binary.Base64;

public class hash_2 {

    // the 16-byte array here is replaced in main() by the saltLen-byte salt from generateSalt()
    static byte[] salt = new byte[16];
    public static String password = "bobPW";
    // you see that I have hashed the same password
    private static final int saltLen = 32;
    public static String storedpassword;

    public static void main(String[] args) throws Exception {
        salt = generateSalt();
        // byte[].toString() prints the array identity, not its contents; print the Base64 form,
        // which is also what gets stored in the salt column
        System.out.println("salt1:" + Base64.encodeBase64String(salt));
        storedpassword = hash(password, salt);
        System.out.println(storedpassword);

        InsertIntoDB();
    }

    public static void InsertIntoDB() throws ClassNotFoundException {
        Class.forName("org.postgresql.Driver");
        Connection conn = null;
        try {
            conn = DriverManager.getConnection(
                    "jdbc:postgresql://localhost:5432/plovdivbizloca",
                    "postgres", "tan");
        } catch (SQLException ex) {
            ex.printStackTrace();
            return; // conn is still null here; continuing would throw a NullPointerException
        }
        PreparedStatement pstmt = null;
        String insertQuery = "insert into passwordforservice ( password, salt)";
        insertQuery += " values (?, ?)";

        try {
            pstmt = conn.prepareStatement(insertQuery);
            pstmt.setString(1, storedpassword);
            // the salt is stored Base64-encoded, so the handler must Base64-decode it before hashing
            pstmt.setString(2, Base64.encodeBase64String(salt));

            int rowss = pstmt.executeUpdate();
            if (rowss != 0) {
                System.out.println("Done");
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    public static byte[] generateSalt() throws NoSuchAlgorithmException {
        byte[] salt = SecureRandom.getInstance("SHA1PRNG").generateSeed(saltLen);
        // store the salt with the password
        return salt;
    }

    // PBKDF2 with HMAC-SHA1, 65536 iterations, 256-bit output; the handler must use exactly
    // the same algorithm, iteration count and salt for the digests to match
    private static String hash(String password, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, 65536, 256);
        return Base64.encodeBase64String(f.generateSecret(spec).getEncoded());
    }
}
 
 
 
 
 
 
  

________________________________
 From: robert lazarski <robertlazar...@gmail.com>
To: java-user@axis.apache.org; Tania Marinova <taniamm2...@yahoo.com> 
Sent: Tuesday, May 7, 2013 8:17 PM
Subject: Re: org.apache.axis2.AxisFault: The security token could not be 
authenticated or authorized
  

On Tue, May 7, 2013 at 8:36 AM, Tania Marinova <taniamm2...@yahoo.com> wrote:
>
> I try to add the Rampart security to what I have made
>
> I have stored in a database the hashed value of "bobPW" password and the
> salt
>
> In my PWCBHandler
>
> I get the stored password and hash
> I hash pwcb.getPassword() with the stored password
> check if this hashed password is equal to the stored password
>
<snip>

> private static String hash(String password, byte[] salt) throws Exception
>   {
>            SecretKeyFactory f =
> SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
>            KeySpec spec = new PBEKeySpec(password.toCharArray(), salt,
> 65536, 256);
>            return
> Base64.encodeBase64String(f.generateSecret(spec).getEncoded());
>  }
>
<snip>

> INFO: Server startup in 9608 ms
> java.lang.NullPointerException
>     at kim.PWCB.hash(PWCB.java:68)
>     at kim.PWCB.handle(PWCB.java:44)
<snip>
> [ERROR] The security token could not be authenticated or authorized
> org.apache.axis2.AxisFault: The security token could not be authenticated
> or authorized
>     at
> org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
>     at
> org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95)

Typically the salt + raw password would be hashed, resulting in a
digest that would be stored in the DB in the password column. You
would then receive a clear text password from the user, convert that
to a digest, and compare the bytes to your stored digest. (The API
does most of this for you.) The digests to compare have to use the
same iterations, algo, salt size etc. I advise against storing the
salt as a separate column. This tutorial is a good start on the
subject:

http://throwingfire.com/storing-passwords-securely/

Another issue is Base64 conversion, typically you would convert the
encrypted String to Base64 before storing it to the db. Your code uses
Base64.decode, so make sure the String you pass to it is in Base64
format.

Finally, you are getting an NPE, so test all your vars for null at the
beginning of hash() before you use them.  I can't tell from what you
pasted where PWCB.java:68 is.

- R
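Added example (not code from this thread, from Rampart or from WSS4J): the enrol/verify pair that both messages describe, with the salt, iteration count and algorithm kept in the same column as the digest, as Robert suggests, and with null and format checks in front of the PBKDF2 call so a bad row produces a clean rejection instead of the NullPointerException in the stack trace above. It uses only the JDK (java.util.Base64 rather than the thread's commons-codec Base64); the PBKDF2 parameters are the thread's own, while the `pbkdf2-sha1$iterations$salt$digest` layout and the class and method names are this example's choices.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example, not from the thread. Stores a PBKDF2 password hash as ONE
 * string so the salt, iteration count and algorithm can never be read from a
 * different row or column than the digest they belong to.
 * Layout (this example's own convention, not a standard):
 *   pbkdf2-sha1$<iterations>$<base64 salt>$<base64 digest>
 */
public class PasswordStore {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA1"; // same as the thread's hash()
    private static final int ITERATIONS = 65536;                 // same as the thread's hash()
    private static final int KEY_BITS = 256;                     // same as the thread's hash()
    private static final int SALT_BYTES = 16;
    private static final String PREFIX = "pbkdf2-sha1";

    /** Raw PBKDF2 output; every parameter that changes the result is passed explicitly. */
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        if (password == null || salt == null) {
            throw new IllegalArgumentException("password and salt must not be null");
        }
        KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
    }

    /** Called once at enrolment: returns the single string to persist in the password column. */
    public static String enroll(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] digest = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return PREFIX + "$" + ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(digest);
    }

    /**
     * Called from the password callback handler with the clear-text password
     * received in the UsernameToken. Returns false (never throws) for a null
     * candidate, a null or malformed stored value, or a mismatch.
     */
    public static boolean verify(char[] candidate, String stored) {
        if (candidate == null || stored == null) {
            return false;
        }
        String[] parts = stored.split("\\$");
        if (parts.length != 4 || !PREFIX.equals(parts[0])) {
            return false;
        }
        try {
            int iterations = Integer.parseInt(parts[1]);
            byte[] salt = Base64.getDecoder().decode(parts[2]);
            byte[] expected = Base64.getDecoder().decode(parts[3]);
            byte[] actual = pbkdf2(candidate, salt, iterations);
            // Constant-time comparison: String.equals on the Base64 text would leak
            // the position of the first differing byte through timing.
            return MessageDigest.isEqual(expected, actual);
        } catch (Exception e) {
            // NumberFormatException, IllegalArgumentException from the decoder, crypto errors
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String stored = enroll("bobPW".toCharArray());
        System.out.println("stored:  " + stored);
        System.out.println("bobPW:   " + verify("bobPW".toCharArray(), stored));
        System.out.println("bobPX:   " + verify("bobPX".toCharArray(), stored));
        System.out.println("null:    " + verify(null, stored));
        System.out.println("garbage: " + verify("bobPW".toCharArray(), "not a stored hash"));
    }
}
```

In the handler, `verify(pwcb.getPassword().toCharArray(), storedFromDb)` takes the place of the thread's `hash(pwcb.getPassword(), Base64.decodeBase64(newArray[1]))` followed by a string comparison; when it returns false, throw from handle() so that Rampart rejects the token, which is the same path the stack trace above shows for the NullPointerException. Because the token uses PasswordText, the password itself crosses the wire in clear text inside the envelope, so this only holds up when the SOAP endpoint is reached over TLS.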
