CODEWITHSUNDEEP
javasecurityjbosssubsystemcontainer-managed
KorobOK
KorobOK

Reputation: 59

Cannot authenticate through JBoss AS 7 security subsystem

I do not understand how to use passwords' hashes instead of open passwords. When I obtain open password from my MS SQL database everything works fine. standalone.xml:

<security-domain name="SD" cache-type="default">
 <authentication>
  <login-module code="Database" flag="required">
   <module-option name="dsJndiName" value="<jndi>"/>
   <module-option name="principalsQuery" value="select <open_pass> from <table> where <username> = ?"/>
   <module-option name="rolesQuery" value="select <role>, 'Roles' from <table> where <username> = ?"/>       
  </login-module>
 </authentication>
</security-domain>

web.xml:

<security-constraint>
    <display-name>General</display-name>
    <web-resource-collection>
        <web-resource-name>/</web-resource-name>
        <description/>
        <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>administrators</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <description/>
    <role-name>administrators</role-name>
</security-role>

But when I try use something like the following:

<security-domain name="SD" cache-type="default">
 <authentication>
  <login-module code="Database" flag="required">
   <module-option name="dsJndiName" value="<jndi>"/>
   <module-option name="principalsQuery" value="select <pass_hash> from <table> where <username> = ?"/>
   <module-option name="rolesQuery" value="select <role>, 'Roles' from <table> where <username> = ?"/>
   <module-option name="hashAlgorithm" value="SHA-1"/>
   <module-option name="hashEncoding" value="base64"/>       
  </login-module>
 </authentication>
</security-domain>

I obtain Login failure: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required even if I enter correct password. pass_hash field have varbinary(64) type in database. What I missed?

Upvotes: 0

Views: 127

Answers (1)

Sachin
Sachin

Reputation: 394

Please check the DatabaseServerLoginModule

Also are you storing the base64 encoded password in the users table.

Upvotes: 1

Related Questions