jboss 4.3 DatabaseServerLoginModule doesn't work if passwords are MD5 and hex-ed

Question

I have a problem with authorization when my login-conf is

<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="optional">
    <module-option name="dsJndiName">java:/myDS</module-option>
    <module-option name="hashAlgorithm">MD5</module-option>
    <module-option name="hashEncoding">hex</module-option>
    <module-option name="principalsQuery">SELECT PASSWORD FROM PASS_TABLE WHERE LOGINNAME=?</module-option>
    <module-option name="rolesQuery">SELECT VALUE, 'Roles' FROM PASSWD_TABLE_PROPERTY WHERE LOGINNAME=? AND NAME='profile'</module-option>
</login-module>

It works fine when hasEnchoding is changed to base64. And both works fine on JBoss 4.2. But hex in JBoss4.3 doesn't work.

Example of hash that is saved into database is like this: echo -n password | openssl dgst -md5

what means: 5f4dcc3b5aa765d61d8327deb882cf99

Any help?

Answer 1

I'd suggest using a bit of remote debugging to track this one down.

The relevant bits of the code are the createPasswordHash method of org.jboss.security.Util, which is invoked via the createPasswordHash method of org.jboss.security.auth.spi.UsernamePasswordLoginModule.

It's possible the hashing was broken/changed between 4.2 and 4.3, and remote debugging show show you what hash is being generated, which you can compare to your expected value.