[jboss-user] [Security & JAAS/JBoss] - Issue in encrypting the password using MD5
Tony Jim
do-not-reply at jboss.com
Thu May 7 23:59:19 EDT 2009
I am using JBoss 4.2.2GA application server with Struts and EJB.
I am trying to encrypt the password using the message digest MD5 (given below) and store it in the mysql DB.
Using DatabaseServerLoginModule, I am trying to authenticate, but it's failing. Please help on this.
Please let me know whether any configuration setting needs to be done.
login.config.xml
==================
| <application-policy name="testDB">
| <authentication>
| <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
| flag="required">
|
| <module-option name="hashAlgorithm">MD5</module-option>
| <module-option name="hashEncoding">base64</module-option>
| <module-option name="hashUserPassword">true</module-option>
| <module-option name="hashStorePassword">true</module-option>
|
| <module-option name="dsJndiName">java:/MySqlDS</module-option>
| <module-option name="principalsQuery">
| select passwd from Users username where username=?</module-option>
| <module-option name="rolesQuery">
| select userRoles, 'Roles' from UserRoles where username=?</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
I am using the program below to encrypt the password using MD5 and storing the encrypted value "5f4dcc3b5aa765d61d8327deb882cf99" in the mysql table
| import java.security.MessageDigest;
| import java.security.NoSuchAlgorithmException;
|
| public class MainClass {
|     public static void main(String args[]) throws Exception {
|         String sessionid = "password";
|         byte[] defaultBytes = sessionid.getBytes();
|         System.out.println("defaultBytes ::" + defaultBytes);
|         try {
|             MessageDigest algorithm = MessageDigest.getInstance("MD5");
|             algorithm.reset();
|             algorithm.update(defaultBytes);
|             byte messageDigest[] = algorithm.digest();
|
|             // Hex-encode the 16 digest bytes; %02x keeps the leading zero for bytes below 0x10
|             StringBuffer hexString = new StringBuffer();
|             for (int i = 0; i < messageDigest.length; i++) {
|                 hexString.append(String.format("%02x", 0xFF & messageDigest[i]));
|             }
|             String foo = messageDigest.toString(); // array identity, not the hash value
|             System.out.println("sessionid " + sessionid + " md5 version is " + hexString.toString());
|             System.out.println("foo " + foo);
|             sessionid = hexString + "";
|         } catch (NoSuchAlgorithmException nsae) {
|             // MD5 ships with every JDK, but do not swallow the error silently
|             nsae.printStackTrace();
|         }
|     }
| }
|
| output:
| -------
| defaultBytes ::[B at 192d342
| sessionid password md5 version is 5f4dcc3b5aa765d61d8327deb882cf99
| foo [B at 167d940
|
my mysql tables
| mysql> select * from userroles;
| +----------+-----------+
| | username | userRoles |
| +----------+-----------+
| | ram      | admin     |
| | sachin   | guest     |
| | tiger    | admin     |
| +----------+-----------+
| 3 rows in set (0.14 sec)
|
| mysql> select * from users;
| +----------+----------------------------------+
| | username | passwd                           |
| +----------+----------------------------------+
| | ram      | passwd                           |
| | sachin   | passwd                           |
| | tiger    | 5f4dcc3b5aa765d61d8327deb882cf99 |
| +----------+----------------------------------+
| 3 rows in set (0.17 sec)
|
Getting the error message:
| 19:51:29,212 DEBUG [DatabaseServerLoginModule] Bad password for username=tiger
|
web.xml
==========
| <security-constraint>
| <web-resource-collection>
| <web-resource-name>Testing</web-resource-name>
| <url-pattern>/*</url-pattern>
| <http-method>GET</http-method>
| <http-method>POST</http-method>
| </web-resource-collection>
|
| <auth-constraint>
| <role-name>admin</role-name>
| </auth-constraint>
|
| <user-data-constraint>
| <transport-guarantee>CONFIDENTIAL</transport-guarantee>
| </user-data-constraint>
|
| </security-constraint>
|
| <login-config>
| <auth-method>FORM</auth-method>
| <form-login-config>
| <form-login-page>/login.jsp</form-login-page>
| <form-error-page>/error.jsp</form-error-page>
| </form-login-config>
| </login-config>
|
| <security-role>
| <role-name>admin</role-name>
| </security-role>
|
But for the userid "ram" with the password "passwd", I am able to log in. Whereas for the user "tiger" with the encrypted password, I am not able to log in.
Please throw some light on it. Please help to check the configuration in login-config.xml.
And I have another doubt. If the user attempts to enter an invalid password more than 5 times, we need to lock his account.
Does JBoss' DatabaseServerLoginModule or any other login module provide this functionality? If not, how can it be achieved?
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4229602#4229602
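The login-config above sets hashEncoding to base64, while the value stored for "tiger" is the hex encoding of MD5("password"). The following Python script is an added example (not part of the original post or of JBoss) that mimics the compare step the module options describe: digest the submitted password, encode the raw digest bytes, and compare the result with the stored column. It assumes the module digests the raw UTF-8 password with no salt and compares the two encoded strings directly.

```python
import base64
import hashlib
import hmac

# Constructed sample values taken from the post: the password the user typed
# and the value stored in the users.passwd column for "tiger".
PASSWORD = "password"
STORED_HEX = "5f4dcc3b5aa765d61d8327deb882cf99"


def encode_digest(password: str, algorithm: str = "MD5", encoding: str = "base64") -> str:
    """Digest the password and encode the raw bytes the way the hashEncoding
    option selects (assumed behaviour of hashUserPassword=true)."""
    # MD5 is what the post uses; the encoding mismatch is independent of the algorithm.
    digest = hashlib.new(algorithm.lower(), password.encode("utf-8")).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError("unsupported hashEncoding: %s" % encoding)


def check_password(stored: str, submitted: str, algorithm: str, encoding: str) -> bool:
    """Compare the stored column value with the encoded digest of the submitted
    password, using a constant-time comparison."""
    return hmac.compare_digest(stored, encode_digest(submitted, algorithm, encoding))


def diagnose(stored: str, submitted: str, algorithm: str = "MD5") -> dict:
    """Report which hashEncoding setting (if any) the stored value would match,
    so a mismatch between the DB content and login-config.xml is visible."""
    return {enc: check_password(stored, submitted, algorithm, enc) for enc in ("hex", "base64")}


if __name__ == "__main__":
    print("hex    :", encode_digest(PASSWORD, "MD5", "hex"))
    print("base64 :", encode_digest(PASSWORD, "MD5", "base64"))
    print("stored row matches:", diagnose(STORED_HEX, PASSWORD))
```

Running it shows the stored row only matches under hashEncoding=hex; with hashEncoding=base64 the column would have to hold the base64 form of the same digest.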