As I understand, for JBoss 4.0.5 password encryption is mainly configured in server/…/conf/login-config.xml:
<authentication>
  <login-module code="org.jboss.security.ClientLoginModule" flag="required">
    <module-option name="password-stacking">useFirstPass</module-option>
    <module-option name="multi-threaded">true</module-option>
    <module-option name="ignorePasswordCase">false</module-option>
    <module-option name="hashAlgorithm">md5</module-option>
    <module-option name="hashEncoding">hex</module-option>
    <module-option name="hashCharset">UTF-8</module-option>
  </login-module>
</authentication>
Is it possible to configure something stronger than md5? And if so, how?
OK, looks like I found the ultimate answer. Extend e.g. org.jboss.security.auth.spi.UsernamePasswordLoginModule and override the method to use whatever algorithm you like to create and return the hash.
The second parameter of the method is the password to be hashed.
Then set your class into the configuration (e.g. login-config.xml). Note that the configuration (e.g. login-config.xml) still needs an algorithm to be specified. I have just put there.
Important note: To decide if a password is valid it is hashed and compared with the previously hashed password. This does not work for algorithms like bcrypt, which come with their own check method, because typically each hashing of the same input creates a different salt and thus a different hash. For these algorithms you would have to override the login() method.
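A sketch of the subclass the answer describes, added here as an illustration and not the answer author's own code: it extends JBoss's UsersRolesLoginModule (a UsernamePasswordLoginModule subclass) and overrides createPasswordHash to return a hex SHA-256 digest from the JDK's MessageDigest. The createPasswordHash signature is the one I know from the JBoss 4.x base class; the package, class name and the hex helper are assumptions.

```java
package example.security; // assumed package name

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.spi.UsersRolesLoginModule;

/**
 * Login module that hashes with SHA-256 instead of the MD5 set in the stock
 * configuration. Reference it in login-config.xml as
 *   <login-module code="example.security.Sha256LoginModule" flag="required">
 * and keep hashAlgorithm/hashEncoding/hashCharset options present: as the
 * answer notes, the base class still expects an algorithm to be configured.
 */
public class Sha256LoginModule extends UsersRolesLoginModule {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    /**
     * The base class hashes the submitted password with this method and then
     * compares the result with the stored string, so the output must be
     * deterministic (no per-call random salt). Salted schemes such as bcrypt
     * need the check itself changed, as the answer says, not this method.
     */
    @Override
    protected String createPasswordHash(String username, String password,
                                        String digestName) throws LoginException {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return toHex(md.digest(password.getBytes("UTF-8")));
        } catch (NoSuchAlgorithmException e) {
            throw new LoginException("SHA-256 not available: " + e.getMessage());
        } catch (UnsupportedEncodingException e) {
            throw new LoginException("UTF-8 not available: " + e.getMessage());
        }
    }

    /** Lowercase hex, matching hashEncoding=hex for the stored password values. */
    static String toHex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            out[2 * i] = HEX[(bytes[i] >> 4) & 0x0f];
            out[2 * i + 1] = HEX[bytes[i] & 0x0f];
        }
        return new String(out);
    }
}
```

The stored passwords (e.g. in users.properties) must then be regenerated as SHA-256 hex digests, since the module compares against whatever is on file.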