[jboss-user] [Security & JAAS/JBoss] - Re: Login encryption not working

ewade do-not-reply at jboss.com
Mon Dec 11 17:32:39 EST 2006


Ok. Then perhaps I am not being clear. That is precisely what I am trying to do. 

I have (correctly) encrypted and encoded passwords stored in my database. 

We are using the database server login module. It works fine for clear text passwords -- that is passwords stored and entered as plain text. However, when we try to turn on the encryption/encoding it does not work any differently than it did when we did not have these options enabled.

You can see my config set up in the first post.

Here is what happens. For purposes of this test, I have stored one user with a plain text password. 

Scenario 1:
User has plain text (clear) password stored.
Logon with correct plain text password works. 
It should not work with encryption turned on.
(I can provide an excerpt of the server log file if you need it, but it is lengthy.)

Scenario 2:
User has plain text password stored.
Logon with incorrect password.
It fails, which is the expected outcome. 
Here is an excerpt from the server log.

2006-12-11 15:58:13,656 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=E0andre
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.contexts.Lifecycle] >>> Begin web request
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.Component] instantiating Seam component: org.jboss.seam.core.manager
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.core.Manager] No stored conversation
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.contexts.Contexts] found in application context: org.jboss.seam.core.init
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.jsf.AbstractSeamPhaseListener] After restoring conversation context: ConversationContext(5)
2006-12-11 15:58:13,656 DEBUG [org.jboss.seam.Component] instantiating Seam component: facesMessages
2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 5
2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 5
2006-12-11 15:58:13,687 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] After render response, destroying contexts
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying event context
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.request_uri
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.context_path
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.servlet_path
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.jboss.seam.core.manager
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: class org.apache.myfaces.renderkit.html.util.JavascriptUtils.OLD_VIEW_ID
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.apache.myfaces.application.jsp.JspStateManagerImpl.SERIALIZED_VIEW
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: com.sun.facelets.legacy.ELCONTEXT
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying conversation context
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Contexts] destroying: facesMessages
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing server-side conversation context
2006-12-11 15:58:13,703 DEBUG [org.jboss.seam.contexts.Lifecycle] <<< End web request

Scenario 3:
User has (correctly) encrypted password stored in the database.
Logon using matching plain text password.
It fails as it should not. Here is the excerpt from the server.log

2006-12-11 16:03:06,343 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=E0ewade
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.contexts.Lifecycle] >>> Begin web request
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.Component] instantiating Seam component: org.jboss.seam.core.manager
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.core.Manager] No stored conversation
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.contexts.Contexts] found in application context: org.jboss.seam.core.init
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.jsf.AbstractSeamPhaseListener] After restoring conversation context: ConversationContext(14)
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.Component] instantiating Seam component: facesMessages
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 14
2006-12-11 16:03:06,343 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.core.Manager] Discarding conversation state: 14
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing page context
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] After render response, destroying contexts
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying event context
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.request_uri
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.context_path
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: javax.servlet.forward.servlet_path
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.jboss.seam.core.manager
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: class org.apache.myfaces.renderkit.html.util.JavascriptUtils.OLD_VIEW_ID
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: org.apache.myfaces.application.jsp.JspStateManagerImpl.SERIALIZED_VIEW
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: com.sun.facelets.legacy.ELCONTEXT
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] destroying conversation context
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Contexts] destroying: facesMessages
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] flushing server-side conversation context
2006-12-11 16:03:06,359 DEBUG [org.jboss.seam.contexts.Lifecycle] <<< End web request

Scenario 4:
User has encrypted password stored in the database.
Logon is done with the encrypted string.
Result: Logon succeeds when it should fail.
(Again, this is a really long log entry, but it is exactly like scenario 1.)

In summary, even though I have done my very best to enable encryption (hashing) and encoding, the login module is behaving as though these things are not turned on. What do I need to do to get it to work?

Elise

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3992922#3992922

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3992922
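An added example (not code from the post or from JBoss) that models the comparison the DatabaseServerLoginModule is expected to perform once password hashing is enabled, runs the four scenarios described above through it, and tells from the observed outcomes whether the hashing options are actually in effect. The MD5/base64 choice for hashAlgorithm/hashEncoding and the sample password are assumptions.

```python
import base64
import hashlib
import hmac

def encode_password(password, algorithm="MD5", encoding="base64"):
    """Hash and encode a password the way the login module is expected to
    when hashAlgorithm/hashEncoding are set (algorithm/encoding assumed)."""
    digest = hashlib.new(algorithm.lower(), password.encode("utf-8")).digest()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "hex":
        return digest.hex()
    raise ValueError("unsupported hashEncoding: %s" % encoding)

def login(stored, submitted, hashing_enabled):
    """True when the module would accept the credentials. With hashing on,
    the submitted text is hashed+encoded before it is compared with the
    stored column; with hashing off, the raw text is compared directly."""
    candidate = encode_password(submitted) if hashing_enabled else submitted
    # constant-time comparison (a defensive choice for this example)
    return hmac.compare_digest(candidate, stored)

PLAIN = "s3cret-example"          # constructed sample password
HASHED = encode_password(PLAIN)   # what the database column should hold

# The four scenarios from the post: (value stored in the DB, value typed)
SCENARIOS = {
    "1 plain stored / plain typed": (PLAIN, PLAIN),
    "2 plain stored / wrong typed": (PLAIN, "wrong-password"),
    "3 hashed stored / plain typed": (HASHED, PLAIN),
    "4 hashed stored / hash typed": (HASHED, HASHED),
}

def run_scenarios(hashing_enabled):
    """Outcome of each scenario for a module in the given mode."""
    return {name: login(stored, typed, hashing_enabled)
            for name, (stored, typed) in SCENARIOS.items()}

def diagnose(observed):
    """Match observed login outcomes against both modes of the module."""
    if observed == run_scenarios(True):
        return "hashing active"
    if observed == run_scenarios(False):
        return "hashing not active"
    return "inconsistent with either mode"

# Outcomes reported in the post (works, fails, fails, succeeds).
OBSERVED = {
    "1 plain stored / plain typed": True,
    "2 plain stored / wrong typed": False,
    "3 hashed stored / plain typed": False,
    "4 hashed stored / hash typed": True,
}

if __name__ == "__main__":
    print(diagnose(OBSERVED))
```

With hashing active, only scenario 3 should succeed; the post's outcomes match the plain-text mode exactly, which is the signature of the options never reaching the module.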
