Following up on a prior question, I'm trying to figure out how to set up container-based authentication for a J2EE application. Specifically, I need to be able to apply a password digest algorithm other than the ones supported by the java.security.MessageDigest (which are SHA, MD2, or MD5 - here's where I think that limitation is documented). In this case my database stores Blowfish-encrypted passwords.

I already have the Java code written to get the encrypted password from my database, and compare the user-entered password with the database one by performing the Blowfish encryption. How do I set it up so that the container just uses my own Java class(es) to perform user authentication?

I'm using JBoss AS 5.1 (which I think means my Tomcat version is 6).

+2  A: 

You're going to need to write a custom LoginModule for JBoss.

In your case it should be trivial, as all you want to do is change how the password gets encoded, so you'll just extend the DatabaseServerLoginModule and override a single method like the example in the above link shows.

If you were to do it for a standalone Tomcat, you'd have to write your own Realm. Again, reasonably straightforward, as you can extend the JDBC or Data Source realm.

ChssPly76
Can I do it without changing conf/login-config.xml? It's really ugly to have the select written into that file, especially when I already have some very nice Java code (EJB3 + a POJO) that grabs the user info.
Matt Ball
You can certainly implement `LoginModule` by yourself instead of extending `DatabaseServerLoginModule` and retrieve user info however you want. I'm not sure whether EJB is going to be accessible from LoginModule, though - but it's been a (long) while since I've worked with JBoss; that may have changed.
ChssPly76
Given the difficulty in finding usable documentation on any of this, I'll stick with extending DatabaseServerLoginModule for now. Do you have any links about what the `rolesQuery` module option should contain? I don't have a database table containing any "role" data so I'm lost as to how to handle this. I tried returning a constant string equal to the security-role defined in my DD, and I also tried omitting the line completely, but either way logging in throws an IOException: `No properties file: users.properties or defaults: defaultUsers.properties found`.
Matt Ball
This is all reasonably well described in JBoss docs. Writing a custom login module: http://docs.jboss.org/jbossas/jboss4guide/r3/html/ch8.chapter.html#ch8.custom.sect You can also take a look at `DatabaseServerLoginModule` source; you should be able to reuse lots of code from there. If you want to hardcode your role to some value (e.g. "role1"), you can define rolesQuery as `SELECT 'role1', 'Roles' FROM dual` (adjust as needed for your DB). The 2nd column must always be 'Roles' and the 1st should match the `role-name` within `auth-constraint` in `web.xml`.
ChssPly76
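The approach described in this answer (extend `DatabaseServerLoginModule`, keep its `principalsQuery`/`rolesQuery` lookup, override only the password comparison) looks like the following. This is an added example, not code from the answer or from JBoss. It assumes, purely for illustration, that the password column holds the hex-encoded Blowfish/ECB/PKCS5Padding ciphertext of the clear-text password and that the Blowfish key is passed in as a hypothetical module option named `blowfishKey`; the package name and class name are also invented. The overridden hook, `validatePassword(String, String)`, is the one `UsernamePasswordLoginModule.login()` calls with the typed password and the value returned by `principalsQuery`.

```java
package com.example.auth; // hypothetical package name

import java.security.MessageDigest;
import java.util.Map;

import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;

import org.jboss.security.auth.spi.DatabaseServerLoginModule;

/**
 * Reuses DatabaseServerLoginModule's JDBC lookup (dsJndiName, principalsQuery,
 * rolesQuery) and replaces only the password comparison step.
 *
 * Assumptions (not from the original page):
 *  - the password column holds the Blowfish/ECB/PKCS5Padding ciphertext of the
 *    clear-text password, hex-encoded;
 *  - the Blowfish key arrives as the module option "blowfishKey" (hex-encoded).
 */
public class BlowfishDatabaseLoginModule extends DatabaseServerLoginModule {

    private byte[] blowfishKey;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        // "blowfishKey" is a hypothetical option name chosen for this example.
        String keyHex = (String) options.get("blowfishKey");
        if (keyHex == null) {
            throw new IllegalArgumentException("module option blowfishKey is required");
        }
        blowfishKey = fromHex(keyHex);
    }

    /**
     * Called by UsernamePasswordLoginModule.login() with the password the user
     * typed and the value principalsQuery returned for that user.
     */
    @Override
    protected boolean validatePassword(String inputPassword, String expectedPassword) {
        if (inputPassword == null || expectedPassword == null) {
            return false;
        }
        try {
            byte[] computed = blowfishEncrypt(inputPassword.getBytes("UTF-8"));
            byte[] stored = fromHex(expectedPassword);
            // Constant-time comparison so timing does not reveal how many bytes matched.
            return MessageDigest.isEqual(computed, stored);
        } catch (Exception e) {
            // Malformed stored value or crypto failure: treat as a failed login.
            return false;
        }
    }

    private byte[] blowfishEncrypt(byte[] clear) throws Exception {
        Cipher cipher = Cipher.getInstance("Blowfish/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(blowfishKey, "Blowfish"));
        return cipher.doFinal(clear);
    }

    // Decodes a hex string such as "0a1b2c" into raw bytes.
    private static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd-length hex string");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```

Wire it up with an `application-policy` in `conf/login-config.xml` whose `login-module` element names this class and supplies `dsJndiName`, `principalsQuery`, `rolesQuery` and the assumed `blowfishKey` option, and reference that policy name from the application's `jboss-web.xml` security-domain. Two practical points: `rolesQuery` must return two columns (role name, then the literal group name `Roles`), as the comment above describes, and because Blowfish encryption is reversible, anyone holding the module option key can recover every stored password, which is why a salted one-way scheme is the usual recommendation when the storage format can be changed.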
A: 

All the documentation I have been able to find online related to writing a custom login module only pertains to JBoss v4 or earlier. I have not been able to locate a single working example of doing this in JBoss v5.1. It is very frustrating. There are no javadocs for JBoss v5.1 that I can locate on the official JBoss website; in fact, there are no current security documents relating to custom modules at all, anywhere on the net. I have searched through every book I have access to in the Barnes & Noble, still no luck. At this point, we are looking into moving off of JBoss, b/c this lack of documentation is just unprofessional.

tharrisx