[jboss-user] [Security & JAAS/JBoss] - Issue in encrypting the password using MD5

Tony Jim do-not-reply at jboss.com
Thu May 7 23:59:19 EDT 2009


I am using JBoss 4.2.2GA application server with Struts and EJB.
I am trying to encrypt the password using the message digest MD5 (given below) and store it in the MySQL DB.
Using DatabaseServerLoginModule, I am trying to authenticate, but it's failing. Please help with this.
Please advise whether any configuration setting needs to be done.


login-config.xml
==================

  | <application-policy name="testDB">
  |     <authentication>
  |         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |                       flag="required">
  |
  |             <module-option name="hashAlgorithm">MD5</module-option>
  |             <module-option name="hashEncoding">base64</module-option>
  |             <module-option name="hashUserPassword">true</module-option>
  |             <module-option name="hashStorePassword">true</module-option>
  |
  |             <module-option name="dsJndiName">java:/MySqlDS</module-option>
  |             <module-option name="principalsQuery">
  |                 select passwd from Users username where username=?</module-option>
  |             <module-option name="rolesQuery">
  |                 select userRoles, 'Roles' from UserRoles where username=?</module-option>
  |         </login-module>
  |     </authentication>
  | </application-policy>
  |

I am using the program below to encrypt the password using MD5 and storing the encrypted value "5f4dcc3b5aa765d61d8327deb882cf99" in the MySQL table.

  | import java.security.MessageDigest;
  | import java.security.NoSuchAlgorithmException;
  |
  | public class MainClass {
  |   public static void main(String args[]) throws Exception {
  |       String sessionid = "password";
  |       byte[] defaultBytes = sessionid.getBytes();
  |       // Printing a byte[] directly shows only its identity ([B@...), not its contents
  |       System.out.println("defaultBytes ::" + defaultBytes);
  |       try {
  |         MessageDigest algorithm = MessageDigest.getInstance("MD5");
  |         algorithm.reset();
  |         algorithm.update(defaultBytes);
  |         byte messageDigest[] = algorithm.digest();
  |
  |         // Render each digest byte as exactly two hex digits; %02x keeps the
  |         // leading zero that Integer.toHexString would drop for bytes below 0x10
  |         StringBuffer hexString = new StringBuffer();
  |         for (int i = 0; i < messageDigest.length; i++) {
  |             hexString.append(String.format("%02x", 0xFF & messageDigest[i]));
  |         }
  |         String foo = messageDigest.toString();
  |         System.out.println("sessionid " + sessionid + " md5 version is " + hexString.toString());
  |         System.out.println("foo " + foo);
  |         sessionid = hexString.toString();
  |       } catch (NoSuchAlgorithmException nsae) {
  |         // MD5 is always present in the JDK; report the failure instead of swallowing it
  |         throw new RuntimeException("MD5 not available", nsae);
  |       }
  |   }
  | }
  |
  | output:
  | -------
  | defaultBytes ::[B@192d342
  | sessionid password md5 version is 5f4dcc3b5aa765d61d8327deb882cf99
  | foo [B@167d940
  |

My MySQL tables:

  | mysql> select * from userroles;   
  | +----------+-----------+   
  | | username | userRoles |   
  | +----------+-----------+   
  | | ram      | admin     |   
  | | sachin   | guest     |   
  | | tiger    | admin     |   
  | +----------+-----------+   
  | 3 rows in set (0.14 sec)   
  |   
  | mysql> select * from users;   
  | +----------+----------------------------------+   
  | | username | passwd                           |   
  | +----------+----------------------------------+   
  | | ram      | passwd                           |   
  | | sachin   | passwd                           |   
  | | tiger    | 5f4dcc3b5aa765d61d8327deb882cf99 |   
  | +----------+----------------------------------+   
  | 3 rows in set (0.17 sec)  
  | 

Getting the error message:

  | 19:51:29,212 DEBUG [DatabaseServerLoginModule] Bad password for username=tiger  
  | 

web.xml
==========

  |  <security-constraint>   
  |         <web-resource-collection>   
  |             <web-resource-name>Testing</web-resource-name>   
  |             <url-pattern>/*</url-pattern>   
  |             <http-method>GET</http-method>   
  |             <http-method>POST</http-method>   
  |         </web-resource-collection>   
  |            
  |         <auth-constraint>   
  |             <role-name>admin</role-name>   
  |         </auth-constraint>       
  |            
  |         <user-data-constraint>   
  |             <transport-guarantee>CONFIDENTIAL</transport-guarantee>   
  |         </user-data-constraint>          
  |            
  |     </security-constraint>   
  |        
  |     <login-config>   
  |         <auth-method>FORM</auth-method>   
  |         <form-login-config>   
  |             <form-login-page>/login.jsp</form-login-page>   
  |             <form-error-page>/error.jsp</form-error-page>   
  |         </form-login-config>   
  |     </login-config>   
  |        
  |     <security-role>   
  |         <role-name>admin</role-name>   
  |     </security-role>  
  | 

But for the user ID ram with password passwd, I am able to log in, whereas for the user "tiger" with the encrypted password I am not able to log in.
Please throw some light on it. Please help to check the configuration in login-config.xml.

And I have another doubt. If a user attempts to enter an invalid password more than 5 times, we need to lock his account.
Does JBoss' DatabaseServerLoginModule or any other login module provide this functionality? If not, how can it be achieved?

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4229602#4229602

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4229602
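An added check, not part of the original post or of JBoss itself: this Python script models how the login module compares passwords under the poster's hash options (each side is hashed when hashUserPassword / hashStorePassword is true, then rendered in the hashEncoding form and compared), using the poster's three users rows as constructed input. It shows the two mismatches a reviewer would look for in the configuration above: the stored value for tiger is hex while hashEncoding is base64, and hashStorePassword=true hashes an already hashed stored value a second time.

```python
import base64
import hashlib
import hmac

# Hash options copied from the poster's login-config.xml.
HASH_ALGORITHM = "md5"          # module-option hashAlgorithm
HASH_ENCODING = "base64"        # module-option hashEncoding (base64 or hex)
HASH_USER_PASSWORD = True       # module-option hashUserPassword
HASH_STORE_PASSWORD = True      # module-option hashStorePassword

# Constructed copy of the poster's users table (username -> passwd column).
USERS = {
    "ram": "passwd",
    "sachin": "passwd",
    "tiger": "5f4dcc3b5aa765d61d8327deb882cf99",  # hex MD5 of "password"
}


def encode_digest(password: str, encoding: str) -> str:
    """Hash with the configured algorithm and render it in the configured encoding."""
    digest = hashlib.new(HASH_ALGORITHM, password.encode("utf-8")).digest()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "hex":
        return digest.hex()
    raise ValueError("unsupported hashEncoding: " + encoding)


def module_accepts(username: str, supplied: str, encoding: str = HASH_ENCODING,
                   hash_user: bool = HASH_USER_PASSWORD,
                   hash_store: bool = HASH_STORE_PASSWORD) -> bool:
    """Model of the module's check: each side is hashed when its flag is set,
    then the two encoded strings are compared (constant-time here)."""
    stored = USERS.get(username)
    if stored is None:
        return False
    expected = encode_digest(stored, encoding) if hash_store else stored
    actual = encode_digest(supplied, encoding) if hash_user else supplied
    return hmac.compare_digest(expected.encode(), actual.encode())


if __name__ == "__main__":
    # The plain-text row passes because both sides are hashed the same way ...
    print("ram/passwd     ->", module_accepts("ram", "passwd"))
    # ... the pre-hashed row fails: the stored hex is hashed again, and even
    # without that, hex does not equal the configured base64 rendering.
    print("tiger/password ->", module_accepts("tiger", "password"))
    print("store value the current config expects:", encode_digest("password", "base64"))
    print("hex store + hashStorePassword=false ->",
          module_accepts("tiger", "password", "hex", hash_store=False))
```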



More information about the jboss-user mailing list