Home/ Questions/Q 3984942
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T05:49:51+00:00

writing a Java EE 6 application i need some help using the DatabaseServerLoginModule with

  • 0

writing a Java EE 6 application i need some help using the DatabaseServerLoginModule with md5 hashing.

Setup:

login-config.xml:

 <application-policy name = "app">
      <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
        <module-option name = "dsJndiName">java:/MySQLDS</module-option>
        <module-option name = "principalsQuery">Select password from user where email_current=?</module-option>
        <module-option name="rolesQuery">
            SELECT r.name, 'Roles' FROM role r, user_2_role ur, user u WHERE
            u.email_current=? AND u.id_user=ur.id_user AND ur.id_role=r.id_role
        </module-option> 
        <module-option name ="hashAlgorithm">md5</module-option>
        <module-option name="hashEncoding">base64</module-option>
        <module-option name="ignorePasswordCase">false</module-option>
        <module-option name="hashStorePassword">false</module-option>
        <module-option name="hashUserPassword">true</module-option>
     </login-module>
     <!-- login-module code="org.jboss.security.ClientLoginModule" flag="required" /-->
     </authentication>
 </application-policy>

web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Customer Content</web-resource-name>
        <url-pattern>/customer/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AuthorizedUser</role-name>
        <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>The Restricted Zone</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/login.html</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>The role required to access restricted content </description>
    <role-name>customer</role-name>
</security-role>

The login implementation(the important part):

// login
WebAuthentication pwl = new WebAuthentication();
if (pwl.login(aEmail, aPassword)) {
    return "customer/dashboard?faces-redirect=true";
} else {
    throw new IncorrectCredentialsException();
}

I store the passwords using the following implementation:

final byte[] md5Hash = DigestUtils.md5(newPassword);
md5NewPassword = Hex.encodeHexString(md5Hash);

I checked the value that was written into the database with some md5 generators from the internet like http://www.miraclesalad.com/webtools/md5.php

The write all the same.

Using the upon authentication method without md5 hashing at all and with form instead of digest configured works. Any idea?

Thanks in advance

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    md5 hash is now recognized as non-safe. It was broken in many ways.

    Better use SHA.

    • 0