
I want to secure my webapp running on a WildFly 9 server.

I have a SQL database with 2 tables users(login, password) and roles(login, role).

First, I configured BASIC authentication like this:

standalone.xml:

<security-domain name="mydomain" cache-type="default">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
            <module-option name="principalsQuery" value="select password from users where login=?"/>
            <module-option name="rolesQuery" value="select role, 'Roles' from roles where login=?"/>
        </login-module>
    </authentication>
</security-domain>

web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>name</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

<security-role>
    <role-name>*</role-name>
</security-role>

jboss-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <security-domain>java:/jaas/mydomain</security-domain>
</jboss-web>

It works fine, but it's bad practice because the password is sent in clear text over the network and stored in the database in the same way. So I tried to change BASIC to DIGEST by doing this:

standalone.xml: added some module options

<security-domain name="mydomain" cache-type="default">
    <authentication>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
            <module-option name="principalsQuery" value="select password from users where login=?"/>
            <module-option name="rolesQuery" value="select role, 'Roles' from roles where login=?"/>
            <module-option name="hashAlgorithm" value="MD5"/>
            <module-option name="hashEncoding" value="RFC2617"/>
            <module-option name="hashUserPassword" value="false"/>
        </login-module>
    </authentication>
</security-domain>

web.xml: changed the login-config section

<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>MyRealm</realm-name>
</login-config>

But I have this error:

LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=dsJndiName, value=java:jboss/datasources/proxysnmpDS
name=principalsQuery, value=select passwd from LOGIN where login=?
name=hashUserPassword, value=false
name=rolesQuery, value=select role, 'Roles' from USER_ROLES where login=?
name=hashEncoding, value=RFC2617
name=hashAlgorithm, value=MD5

15:03:06,676 TRACE [org.jboss.security 137] (default task-2) PBOX00236: Begin initialize method
15:03:06,676 DEBUG [org.jboss.security 154] (default task-2) PBOX00281: Password hashing activated, algorithm: MD5, encoding: RFC2617, charset: null, callback: null, storeCallBack: null
15:03:06,676 TRACE [org.jboss.security 133] (default task-2) PBOX00262: Module options [dsJndiName: java:jboss/datasources/proxysnmpDS, principalsQuery: select passwd from LOGIN where login=?, rolesQuery: select role, 'Roles' from USER_ROLES where login=?, suspendResume: true]
15:03:06,676 TRACE [org.jboss.security 186] (default task-2) PBOX00240: Begin login method
15:03:06,682 TRACE [org.jboss.security 182] (default task-2) PBOX00263: Executing query select passwd from LOGIN where login=? with username admin
15:03:06,693 DEBUG [org.jboss.security 287] (default task-2) PBOX00283: Bad password for username admin
15:03:06,694 TRACE [org.jboss.security 269] (default task-2) PBOX00244: Begin abort method, overall result: false
15:03:06,694 DEBUG [org.jboss.security 368] (default task-2) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.9.2.Final.jar:4.9.2.Final]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_60]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_60]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_60]
...

I think it's because the hashed password received from the webapp login system and the hashed password in the database are not the same. My hashed password in the database is the MD5 of login:realm:password.

Can someone tell me what is wrong?

cheb1k4
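The computation behind the DIGEST auth-method, as an added Python example that is not part of the question or of WildFly/PicketBox: it shows that an RFC 2617 server only needs the stored HA1 = MD5(login:realm:password) to check a client's response, and that the realm hashed into that stored value has to be the same realm the client used. The user name, realm names, password, nonce and URI are constructed sample values.

```python
"""RFC 2617 digest check from a stored HA1 (constructed example)."""
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """Lower-case hex MD5, the digest RFC 2617 prescribes for HTTP Digest auth."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is what the question stores in
    the users table, so the server never needs the clear-text password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, nonce, method, uri, qop=None, nc=None, cnonce=None):
    """Client-side response per RFC 2617 section 3.2.2.1, with or without qop."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:  # RFC 2069 compatibility form (no qop/nc/cnonce)
        return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1, response, nonce, method, uri, qop=None, nc=None, cnonce=None):
    """Server side: recompute the response from the stored HA1 and compare in
    constant time. Nonce freshness/replay tracking is outside this example."""
    expected = digest_response(stored_ha1, nonce, method, uri, qop, nc, cnonce)
    return hmac.compare_digest(expected, response)


def realm_mismatch_demo():
    """Same user, password and nonce: the check passes only when the realm
    hashed into the stored HA1 equals the realm the client hashed with."""
    nonce, method, uri = "c0ffee1234567890", "GET", "/app/"  # constructed values
    qop, nc, cnonce = "auth", "00000001", "abc123"
    client_ha1 = ha1("admin", "MyRealm", "s3cret")  # what the browser computes
    resp = digest_response(client_ha1, nonce, method, uri, qop, nc, cnonce)
    good = verify(ha1("admin", "MyRealm", "s3cret"), resp, nonce, method, uri, qop, nc, cnonce)
    bad = verify(ha1("admin", "OtherRealm", "s3cret"), resp, nonce, method, uri, qop, nc, cnonce)
    return good, bad


if __name__ == "__main__":
    print(realm_mismatch_demo())  # (True, False)
```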