I am using JBoss 4.2.2GA application server with Struts and EJB.
I am trying to encrypt the password using the message digest MD5 (given below)
and store it in the MySQL DB.
Using DatabaseServerLoginModule, I am trying to authenticate, but it's failing. 
Please help on this. 
Please help whether any configuration setting needs to be done.


login-config.xml
================

  | <application-policy name="testDB">
  |     <authentication>
  |         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |                       flag="required">
  |             <module-option name="hashAlgorithm">MD5</module-option>
  |             <module-option name="hashEncoding">base64</module-option>
  |             <module-option name="hashUserPassword">true</module-option>
  |             <module-option name="hashStorePassword">true</module-option>
  |             <module-option name="dsJndiName">java:/MySqlDS</module-option>
  |             <module-option name="principalsQuery">
  |                 select passwd from Users username where username=?</module-option>
  |             <module-option name="rolesQuery">
  |                 select userRoles, 'Roles' from UserRoles where username=?</module-option>
  |         </login-module>
  |     </authentication>
  | </application-policy>
  | 

I am using the below program to encrypt the password using MD5 and storing the 
encrypted value "5f4dcc3b5aa765d61d8327deb882cf99" in mysql table

  | import java.security.MessageDigest;
  | import java.security.NoSuchAlgorithmException;
  |
  | public class MainClass {
  |   public static void main(String args[]) throws Exception {
  |       String sessionid = "password";
  |       byte[] defaultBytes = sessionid.getBytes();
  |       // Printing a byte[] shows its identity string, not its contents
  |       System.out.println("defaultBytes ::"+defaultBytes);
  |       try{
  |         MessageDigest algorithm = MessageDigest.getInstance("MD5");
  |         algorithm.reset();
  |         algorithm.update(defaultBytes);
  |         byte messageDigest[] = algorithm.digest();
  |
  |         // Hex-encode the digest, two characters per byte
  |         StringBuffer hexString = new StringBuffer();
  |         for (int i=0;i<messageDigest.length;i++) {
  |             int b = 0xFF & messageDigest[i];
  |             if (b < 0x10) hexString.append('0'); // keep the leading zero
  |             hexString.append(Integer.toHexString(b));
  |         }
  |         String foo = messageDigest.toString();
  |         System.out.println("sessionid "+sessionid+" md5 version is "+hexString.toString());
  |         System.out.println("foo "+foo);
  |         sessionid=hexString+"";
  |       }catch(NoSuchAlgorithmException nsae){
  |         // Report the failure instead of silently ignoring it
  |         nsae.printStackTrace();
  |       }
  |   }
  | }
  |   
  | output:   
  | -------   
  | defaultBytes ::[...@192d342  
  | sessionid password md5 version is 5f4dcc3b5aa765d61d8327deb882cf99   
  | foo [...@167d940  
  | 

my mysql tables

  | mysql> select * from userroles;   
  | +----------+-----------+   
  | | username | userRoles |   
  | +----------+-----------+   
  | | ram      | admin     |   
  | | sachin   | guest     |   
  | | tiger    | admin     |   
  | +----------+-----------+   
  | 3 rows in set (0.14 sec)   
  |   
  | mysql> select * from users;   
  | +----------+----------------------------------+   
  | | username | passwd                           |   
  | +----------+----------------------------------+   
  | | ram      | passwd                           |   
  | | sachin   | passwd                           |   
  | | tiger    | 5f4dcc3b5aa765d61d8327deb882cf99 |   
  | +----------+----------------------------------+   
  | 3 rows in set (0.17 sec)  
  | 

Getting the error message:

  | 19:51:29,212 DEBUG [DatabaseServerLoginModule] Bad password for username=tiger
  | 

web.xml
==========

  |  <security-constraint>   
  |         <web-resource-collection>   
  |             <web-resource-name>Testing</web-resource-name>   
  |             <url-pattern>/*</url-pattern>   
  |             <http-method>GET</http-method>   
  |             <http-method>POST</http-method>   
  |         </web-resource-collection>   
  |            
  |         <auth-constraint>   
  |             <role-name>admin</role-name>   
  |         </auth-constraint>       
  |            
  |         <user-data-constraint>   
  |             <transport-guarantee>CONFIDENTIAL</transport-guarantee>   
  |         </user-data-constraint>          
  |            
  |     </security-constraint>   
  |        
  |     <login-config>   
  |         <auth-method>FORM</auth-method>   
  |         <form-login-config>   
  |             <form-login-page>/login.jsp</form-login-page>   
  |             <form-error-page>/error.jsp</form-error-page>   
  |         </form-login-config>   
  |     </login-config>   
  |        
  |     <security-role>   
  |         <role-name>admin</role-name>   
  |     </security-role>  
  | 

But for the userid: ram and passwd, I am able to log in. Whereas for the user
"tiger" with the encrypted password, I am not able to log in.
Please throw some light on it. Please help to check the configuration in
login-config.xml.

And I have another doubt. If the user attempts to enter an invalid
password more than 5 times, we need to lock his account.
Does JBoss' DatabaseServerLoginModule or any other login module provide
this functionality? If not, how to achieve it?

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4229602#4229602

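The symptoms in the post are consistent with the documented meaning of the hash options: hashUserPassword hashes the password the user enters, hashStorePassword hashes the value read from the database, and hashEncoding selects base64 or hex for the result. The following is an added example, not part of the original post and not JBoss source code, that models that comparison in plain Java 8+ for the rows shown above. The class and method names are hypothetical, and the comparison logic is an assumed simplification of the login module.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added example: a simplified model of the password comparison, not JBoss code.
public class HashOptionCheck {

    // Digest the text with MD5 and encode it as "hex" or "base64" (hashEncoding values).
    static String hash(String text, String encoding) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5")
                .digest(text.getBytes(StandardCharsets.UTF_8));
        if ("base64".equals(encoding)) {
            return Base64.getEncoder().encodeToString(d);
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : d) {
            hex.append(String.format("%02x", b & 0xFF)); // keeps leading zeros
        }
        return hex.toString();
    }

    // Assumed model: each flag decides whether that side is hashed before equals().
    static boolean login(String entered, String stored, String encoding,
                         boolean hashUserPassword, boolean hashStorePassword)
            throws Exception {
        String input = hashUserPassword ? hash(entered, encoding) : entered;
        String expected = hashStorePassword ? hash(stored, encoding) : stored;
        return input.equals(expected);
    }

    public static void main(String[] args) throws Exception {
        String tigerRow = "5f4dcc3b5aa765d61d8327deb882cf99"; // users.passwd for tiger
        System.out.println("hex    : " + hash("password", "hex"));
        System.out.println("base64 : " + hash("password", "base64"));
        // Posted settings: base64 encoding, both flags true.
        System.out.println("ram   (posted settings): "
                + login("passwd", "passwd", "base64", true, true));
        System.out.println("tiger (posted settings): "
                + login("password", tigerRow, "base64", true, true));
        // Stored value is already a hex hash: hash only the entered password.
        System.out.println("tiger (hex, store flag false): "
                + login("password", tigerRow, "hex", true, false));
    }
}
```

With both flags true the plaintext row matches because both sides are hashed the same way, while the row that already holds a hex digest is hashed a second time and cannot match. Unsalted MD5 appears here only because the posted configuration uses it; it is not a suitable scheme for storing passwords.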