[jboss-user] [Security] - MD5 Authentication Fails with JBoss 5.1

ssisDeveloper do-not-reply at jboss.com
Wed Nov 11 03:56:30 EST 2009


Hello everybody

I have a question regarding the MD5 Authentication in JBoss 5.1 GA.
I used the normal authentication without MD5 hashes so far, but now i have to migrate an old version to a new version and the passwords are stored as MD5 strings in the database.

So all I did was changing the login-config.xml and I was adding the following lines:


  | <module-option name="hashAlgorithm">MD5</module-option> 
  | <module-option name="hashEncoding">base64</module-option>

The other part of my login-config.xml looks like this. I have tested the queries and the rolename and the password (as hash) is returned:



<module-option name="principalsQuery">SELECT password FROM users WHERE username=? AND active=1</module-option>
  | 
  | <module-option name="rolesQuery">SELECT USERROLE.rolename, 'Roles' FROM USERS INNER JOIN (USERROLE INNER JOIN MAPUSERUSERROLE ON USERROLE.roleid = MAPUSERUSERROLE.roleid) ON USERS.userid = MAPUSERUSERROLE.userid where USERS.username=?</module-option>

Unfortunately, the login always fails and I have no idea why. I guess it's the MD5 Hash which jboss generates is not equal to this in the database. In the jboss-log4j.xml I enabled tracing for org.jboss.security, and that's all I get from the server.log file:

2009-11-02 11:25:14,314 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) initialize
  | 2009-11-02 11:25:14,314 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) Security domain: SSIS2-domain
  | 2009-11-02 11:25:14,314 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) Password hashing activated: algorithm = MD5, encoding = base64, charset = {default}, callback = null, storeCallback = null
  | 2009-11-02 11:25:14,315 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) DatabaseServerLoginModule, dsJndiName=java:SSIS2DSprod
  | 2009-11-02 11:25:14,315 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) principalsQuery=SELECT password FROM users WHERE username=? AND active=1
  | 2009-11-02 11:25:14,315 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) rolesQuery=SELECT USERROLE.rolename, 'Roles' FROM USERS INNER JOIN (USERROLE INNER JOIN MAPUSERUSERROLE ON USERROLE.roleid = MAPUSERUSERROLE.roleid) ON USERS.userid = MAPUSERUSERROLE.userid where USERS.username=?
  | 2009-11-02 11:25:14,315 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) suspendResume=true
  | 2009-11-02 11:25:14,319 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) login
  | 2009-11-02 11:25:14,326 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) suspendAnyTransaction
  | 2009-11-02 11:25:14,329 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) Excuting query: SELECT password FROM users WHERE username=? AND active=1, with username: tlubrpa1
  | 2009-11-02 11:25:15,116 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) Obtained user password
  | 2009-11-02 11:25:15,116 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) resumeAnyTransaction
  | 2009-11-02 11:25:15,116 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) Bad password for username=tlubrpa1
  | 2009-11-02 11:25:15,116 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (http-127.0.0.1-8084-1) abort

Does anyone have an idea how I can debug the MD5 Hash Jboss generates? Or can I do anything else to know why I can't login?

Thanks a lot!
Patrick

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4264967#4264967

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4264967



More information about the jboss-user mailing list