Issue in using the DatabaseServerLoginModule for encrypting the password using MD5
Joined: Jul 11, 2005
I am using JBoss 4.2.2GA application server with Struts and EJB.
I am trying to encrypt the password using the message digest MD5 (given below) and store it in the MySQL DB.
Using DatabaseServerLoginModule, I am trying to authenticate, but it's failing. Please help with this.
Please let me know whether any configuration setting needs to be done.
I want to know how to turn on the log for the DatabaseServerLoginModule to see the log trace. Please help with how to do it and what needs to be added in jboss-log4j.xml.
I have added the line below to jboss-log4j.xml, but no output is generated either at the console or in the file.
Any help/advice/suggestion/input will be very helpful for me.
I am using the program below to encrypt the password using MD5 and store the encrypted value "5f4dcc3b5aa765d61d8327deb882cf99" in a MySQL table.
Just a guess, but it could be that you have to write some code. I say this because I see this method in DatabaseServerLoginModule:
To test out my theory, try providing '5f4dcc3b5aa765d61d8327deb882cf99' as the password for 'tiger'. If it lets you login, then my guess is correct, in which case you need to subclass DatabaseServerLoginModule, overwrite the convertRawPassword method, and then use your subclass in place of DatabaseServerLoginModule in the login-config.xml file.
Yes, you are correct. If I log in with '5f4dcc3b5aa765d61d8327deb882cf99', then I can successfully log in.
So you mean to say that we need to write our own class which extends the DatabaseServerLoginModule and overrides the convertRawPassword(String rawPassword) method.
I have a few doubts about it.
In the login-config.xml I have included the following configuration related to hashing the password, which will be taken care of by the JBoss server.
I have noticed that the DatabaseServerLoginModule extends UsernamePasswordLoginModule.
The main purpose of the configuration related to hashing the password in login-config is so that the UsernamePasswordLoginModule will use it to hash the password (I am not sure. If not, what is the purpose of the above configuration related to hashing?).
In that case, why do I need to again encrypt/decrypt the password?
And if you look at the code in UsernamePasswordLoginModule, they are handling some hashing-related things. But I am not sure what they are doing.
What I thought is that if we do the configuration as above, JBoss will get the clear text password which the user enters and, if the hash-related configuration is enabled, it will encrypt the clear text password and then compare it against the DB's encrypted password and authenticate.
I am using the program below to encrypt the password, and I have read in one article that we can't decrypt the encrypted value using the MD5 Message Digest.
I have encrypted the password "password" as "5f4dcc3b5aa765d61d8327deb882cf99" using MD5.
Is it possible to convert "5f4dcc3b5aa765d61d8327deb882cf99" back to "password"?
To trace the log I have modified the jboss-log4j.xml, but I couldn't see any log details in either CONSOLE/FILE. Below is my jboss-log4j.xml.
As far as I know, you will have to write a subclass.
I would have to look at the source code to see exactly how module-option is handled, but from prior experience in this area I do not think that it will do what you want. If it would work as you assume, why would there be a need for a convertRawPassword() method? (Granted, it could be old code...)
From what I could tell, there is some TRACE-level debugging code in DatabaseServerLoginModule. And it looks like you have set the category to print TRACE log entries for org.jboss.security, so whatever output you get is all there is. Personally, I would not set the threshold of CONSOLE to TRACE, nor would I set the category to output to CONSOLE. You will end up with way too much output on the console. Instead, let the trace log entries go to the FILE appender.
As suggested by you, I have decided to subclass the DatabaseServerLoginModule.
But I am facing some issues. In the implementation of DatabaseServerLoginModule below, they are getting the password from the DB.
So the password will be the MD5 encrypted value "5f4dcc3b5aa765d61d8327deb882cf99".
After getting the password, I am sending it to the convertRawPassword(password) method. The issue I am facing is that I couldn't decrypt the encrypted value.
For example, the clear password is "password" and the encrypted one stored in the DB is "5f4dcc3b5aa765d61d8327deb882cf99".
I have googled decrypting the MD5 encrypted password, but everyone is saying it's one-way encryption and MD5 can't be decrypted.
In that case overriding the convertRawPassword(password) method won't be useful.
So I have decided to do it another way: instead of getting the decrypted value from the DB and encrypting it (which is not possible with MD5) to match the clear password,
I decided to encrypt the user-entered clear text password, so that it will match the DB value.
So I have overridden the validatePassword(String inputPassword, String expectedPassword) method from the UsernamePasswordLoginModule class.
But it's not invoking this method at all.
Anything I am missing?
Hmm, I recall that it was easier than this. For some reasons, I thought that the password the user entered was passed to convertRawPassword and it returned an encrypted password suitable to compare with the password from the database. But then the last time I looked into this was about 2 or so years ago.
Looks like you did the right thing by subclassing DatabaseServerLoginModule and overriding the validatePassword() method.
Did you also change the login-config.xml file to use the SecurityCheck class in place of the DatabaseServerLoginModule for your TestDB login module?
Yes, I have already included "SecurityCheck" as below.
I have restarted the JBoss server in debug mode in MyEclipse and placed a breakpoint inside SecurityCheck, but it's not going there.
I have put a sysout in SecurityCheck and that's also not printing.
I noticed something else. Your login module has this option:
This will run the password stored in the database through the hashing algorithm before comparing it to the password entered. You do not want that - that password is stored hashed. That is why it worked when you used "5f4dcc3b5aa765d61d8327deb882cf99" as the password - the server hashed both this and the stored password and the results matched. Try setting the above to false.
And the last piece of the puzzle. Your algorithm to get the MD5 hash, and the MD5() functions in both MySQL and PostgreSQL, use the base16 (or hex) encoding. Thus also change this line in your login module:
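To make the last two replies concrete, the following is an added example, written for this page in Python rather than taken from JBoss or from the poster's code. It simulates how a login module configured with hashAlgorithm, hashEncoding and hashStorePassword compares the entered password with the value read from the database. The function names password_hash, validate_password and demo are the example's own, not JBoss API; the stored value is the MD5 hex digest of "password" quoted in the thread.

```python
import base64
import hashlib

# Constructed input: the MD5 hex digest of "password" that the thread stores in MySQL.
STORED_MD5_HEX = "5f4dcc3b5aa765d61d8327deb882cf99"


def password_hash(password: str, algorithm: str = "md5", encoding: str = "hex") -> str:
    """Digest a password the way the hashAlgorithm/hashEncoding options describe.

    hashEncoding=hex yields what MySQL's MD5() and the poster's Java program
    produce; hashEncoding=base64 yields a different string for the same digest,
    which is why the encoding must match whatever is stored in the database.
    """
    digest = hashlib.new(algorithm.lower(), password.encode("utf-8")).digest()
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError(f"unsupported hashEncoding: {encoding}")


def validate_password(input_password: str, expected_password: str, *,
                      algorithm: str = "md5", encoding: str = "hex",
                      hash_store_password: bool = False) -> bool:
    """Simulated validatePassword(inputPassword, expectedPassword).

    The user's input is always hashed. With hash_store_password=True the value
    from the database is hashed again as well, so a hex digest that is already
    stored hashed can only be matched by typing that digest as the password.
    """
    candidate = password_hash(input_password, algorithm, encoding)
    if hash_store_password:
        expected = password_hash(expected_password, algorithm, encoding)
    else:
        expected = expected_password
    return candidate == expected


def demo() -> dict:
    """Reproduce the four situations discussed in the thread."""
    return {
        # hashStorePassword=true: clear-text "password" is rejected ...
        "plaintext_hashStorePassword_true": validate_password(
            "password", STORED_MD5_HEX, hash_store_password=True),
        # ... but typing the hex digest itself is accepted, as the poster observed.
        "digest_hashStorePassword_true": validate_password(
            STORED_MD5_HEX, STORED_MD5_HEX, hash_store_password=True),
        # hashStorePassword=false with hex encoding: clear-text "password" matches.
        "plaintext_hashStorePassword_false": validate_password(
            "password", STORED_MD5_HEX),
        # hashStorePassword=false but base64 encoding: the encodings differ, no match.
        "plaintext_base64_mismatch": validate_password(
            "password", STORED_MD5_HEX, encoding="base64"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login OK' if ok else 'login FAILED'}")
```

The run shows why "5f4dcc3b5aa765d61d8327deb882cf99" logged in while "password" did not: with hashStorePassword=true both sides were hashed, so only the digest string matched itself. With hashStorePassword=false and hashEncoding=hex the clear-text password hashes to the stored value, and no subclass or decryption is needed. The base64 case shows that a mismatched hashEncoding fails silently in the same way. Note also that an unsalted MD5 of a common word such as "password" is found in any precomputed lookup table, so the digest being one-way does not make this storage format safe.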