
I am new to JBoss and jBPM; I need help with authentication in JBoss 7. We faced a "Password Incorrect/Password Required" error.

The following is part of our JBoss standalone.*.xml conf.

<security-domain name="other" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/jbpmDS"/>
            <module-option name="principalsQuery" value="select passwd from users where username=?"/>
            <module-option name="rolesQuery" value="select userRoles 'Roles' from userroles where username=?"/>
            <module-option name="hashAlgorithm" value="pbkdf2_sha256"/>
        </login-module>
    </authentication>
</security-domain>

We have the passwords encrypted with pbkdf2_sha256, but we don't know how to configure the "pbkdf2_sha256" parameters in standalone*.xml.

We use the Django framework (v1.4, pbkdf2_sha256 encryption) to manage the users.

Can somebody help me?

  • Can you post a detailed stack trace? – Magic Wand Aug 20 '14 at 13:33
  • As far as I know, PASSWORD() function is irreversible (one-way), and DatabaseServerLoginModule is expecting that password is somehow returned back into original format. Can you explain how you use this database function, because DatabaseServerLoginModule already uses hashing algorithm when storing password into database? – Magic Wand Aug 20 '14 at 14:01
  • Thanks! I think the basic reason for this is that I don't know the procedure for the authentication. The question is updated; I wish to get advice from you. Thanks. – user3876484 Aug 21 '14 at 01:46
  • Maybe a duplicate of http://stackoverflow.com/questions/3078048/how-to-configure-jboss-databaseserverloginmodule-for-digest-authentication-in-a – Magic Wand Aug 21 '14 at 07:18
  • Also, please check your rolesQuery, i think you are missing a comma here: "select userRoles, 'Roles' from userroles where username=?" – Magic Wand Aug 21 '14 at 07:21
  • Thanks, I am sure my rolesQuery is OK, because when I use the non-encrypted password, I can log in to my system. – user3876484 Aug 21 '14 at 07:54
  • Thank you very much, we have an idea to solve the problem, but face a new problem. I wish to get your help. The question is updated. – user3876484 Aug 21 '14 at 07:58
  • Under the hood, DatabaseServerLoginModule uses java.security.MessageDigest that supports only algorithms named here: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest I guess that if you want to implement PBKDF2 with SHA-256 you have to extend class DatabaseServerLoginModule and override method convertRawPassword(). Please see http://stackoverflow.com/questions/22580853/reliable-implementation-of-pbkdf2-hmac-sha256-for-java and http://howtodoinjava.com/2013/07/22/how-to-generate-secure-password-hash-md5-sha-pbkdf2-bcrypt-examples/ – Magic Wand Aug 21 '14 at 08:16

1 Answer


Based on information from here, here is the implementation that should work with Django pbkdf2_sha256 (you need to register this class with JBoss, not the original DatabaseServerLoginModule). Please bear in mind that I did not test it...

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.util.Base64;

import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

import org.jboss.security.auth.spi.DatabaseServerLoginModule;

/**
 * Verifies the Django-style "pbkdf2_sha256$<iterations>$<salt>$<base64 hash>"
 * string that principalsQuery returns from the users table.
 * Needs Java 8 or later: both PBKDF2WithHmacSHA256 and java.util.Base64 were added there.
 */
public class PBKDF2WithSha256DatabaseServerLoginModule extends DatabaseServerLoginModule {

    private static final String ALGORITHM = "pbkdf2_sha256";
    private static final int KEY_LENGTH_BITS = 256; // SHA-256 digest size, the length Django stores

    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        if (inputPassword == null || expectedPassword == null) {
            return false;
        }
        String[] parts = expectedPassword.split("\\$");
        if (parts.length != 4 || !ALGORITHM.equals(parts[0])) {
            return false; // not a Django pbkdf2_sha256 string
        }
        int iterations;
        byte[] expectedHash;
        try {
            iterations = Integer.parseInt(parts[1]);
            expectedHash = Base64.getDecoder().decode(parts[3]);
        } catch (IllegalArgumentException e) { // NumberFormatException or bad base64
            return false; // stored value is corrupt
        }
        if (iterations <= 0) {
            return false; // PBEKeySpec rejects a non-positive count anyway
        }
        // Django feeds PBKDF2 the bytes of the salt text itself; it is not base64-decoded
        byte[] salt = parts[2].getBytes(StandardCharsets.UTF_8);

        SecretKeyFactory factory;
        try {
            factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("JVM lacks PBKDF2WithHmacSHA256 (needs Java 8+)", e);
        }
        KeySpec spec = new PBEKeySpec(inputPassword.toCharArray(), salt, iterations, KEY_LENGTH_BITS);
        SecretKey key;
        try {
            key = factory.generateSecret(spec);
        } catch (InvalidKeySpecException e) {
            return false;
        }
        // Constant-time comparison so response timing does not leak how many bytes matched
        return MessageDigest.isEqual(expectedHash, key.getEncoded());
    }
}
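The Django side of the exchange, as an added example that is not code from the question, the answer, or Django itself: this Python reproduces the pbkdf2_sha256 string that Django's PBKDF2PasswordHasher writes into the users table and then verifies a password against it the way the login module above has to. The function names encode, parse and verify, the 12-character alphanumeric salt and the 10000-iteration default (Django 1.4's value; later releases raise it) are choices made here to mirror that hasher; the string layout and the hashlib/base64/hmac calls are standard library. The stored rows at the bottom are constructed for the demonstration.

```python
"""Django-compatible pbkdf2_sha256 encoding and verification (standalone example)."""
import base64
import hashlib
import hmac
import secrets
import string
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 10000          # assumed: Django 1.4's default; newer Django uses more
SALT_ALPHABET = string.ascii_letters + string.digits
DIGEST_LEN = 32                     # SHA-256 output, the dklen Django stores


def _pbkdf2_sha256(password: str, salt: str, iterations: int) -> bytes:
    # Django passes the salt as the bytes of the salt text; it is never base64-decoded.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations, dklen=DIGEST_LEN
    )


def encode(password: str, salt: Optional[str] = None, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return '<alg>$<iterations>$<salt>$<base64 digest>' exactly as Django lays it out."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(12))
    if "$" in salt:
        raise ValueError("salt must not contain the '$' field separator")
    if iterations <= 0:
        raise ValueError("iterations must be positive")
    digest = base64.b64encode(_pbkdf2_sha256(password, salt, iterations)).decode("ascii")
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, digest)


def parse(encoded: str) -> Tuple[int, str, bytes]:
    """Split a stored value into (iterations, salt, raw digest); raise ValueError if malformed."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("not a %s string" % ALGORITHM)
    _, iterations_text, salt, digest_b64 = parts
    iterations = int(iterations_text)          # ValueError on junk
    if iterations <= 0:
        raise ValueError("iterations must be positive")
    digest = base64.b64decode(digest_b64, validate=True)  # binascii.Error is a ValueError
    return iterations, salt, digest


def verify(password: str, encoded: str) -> bool:
    """What the login module must do: recompute with the stored parameters, compare in constant time."""
    try:
        iterations, salt, expected = parse(encoded)
    except ValueError:
        return False                            # a corrupt row never authenticates
    actual = _pbkdf2_sha256(password, salt, iterations)
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # Constructed sample of what principalsQuery would return for two users.
    rows = {
        "alice": encode("correct horse battery staple", salt="seasalt", iterations=1000),
        "bob": "plaintext-not-a-hash",         # a row the Django hasher never wrote
    }
    print(rows["alice"])
    print("alice ok:", verify("correct horse battery staple", rows["alice"]))
    print("alice wrong:", verify("Correct horse battery staple", rows["alice"]))
    print("bob:", verify("anything", rows["bob"]))
```

The verifier takes the iteration count from the stored string rather than from a constant, so rows written by a newer Django with a higher count still validate. On the JBoss side two more things follow from the answer: the login-module's code attribute must name the subclass (fully qualified) instead of org.jboss.security.auth.spi.DatabaseServerLoginModule, and the hashAlgorithm option has to go, because with it set the base UsernamePasswordLoginModule runs the typed password through MessageDigest before validatePassword ever sees it, and "pbkdf2_sha256" is not a MessageDigest name, which is consistent with the "Password Incorrect" failure in the question. The jar holding the subclass also needs to be on a module the security subsystem can load.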