9 Replies Latest reply: Dec 17, 2012 12:53 PM by Stefan Guilhen

Digest authentication with JBoss AS7

philippe ventrillon Newbie

Hello,

I am porting an application from JBoss 6 to JBoss 7, and I experience problems with setting up DIGEST authentication.

Digest authentication never succeeds.

I am using JBoss AS 7.0.2-Final.

As I have spent a lot of time googling around the problem, and trying lots of combinations, and because it works nearly as is with JBoss 6, I ask the following questions:

  • Is Digest authentication supposed to work with JBoss 7?
  • Is this behavior a bug?
  • Did I miss something related to JBoss 7 changes?

Digging further I also found 2 strange things:

  • the class RFC2617Digest is not included in JBoss AS 7
  • traces seem to indicate the LoginModule is never called

Please help.

Here are some highlights of what my application is.

I have a very small test case, easy and straightforward to deploy (at least with JBoss 7), with one servlet, one JSP and one static page.

I set up the following authentication constraints in WEB.xml

 

WEB.xml (extract)

<security-constraint>
     <web-resource-collection>
          <web-resource-name>Snoop resources</web-resource-name>
          <url-pattern>/SnoopServlet</url-pattern>
     </web-resource-collection>

     <auth-constraint>
          <role-name>friend</role-name>
     </auth-constraint>
</security-constraint>

<security-role>
     <role-name>friend</role-name>
</security-role>

<login-config>
     <auth-method>DIGEST</auth-method>
     <realm-name>wtpTuto1Realm</realm-name>
</login-config>

 

Here is my jboss-web.xml

jboss-web.xml

<?xml version="1.0"?>

<jboss-web>
    <context-root>wtpTuto1</context-root>

    <!-- Reference to the security domain -->
    <security-domain>java:/jaas/wtpTuto1</security-domain>

</jboss-web>

 

 

standalone.xml (extract)

<security-domain name="wtpTuto1">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="props/users.properties" />
            <module-option name="rolesProperties" value="props/roles.properties" />
            <module-option name="unauthenticatedIdentity" value="anonymous" />
            <module-option name="hashAlgorithm" value="MD5" />
            <module-option name="hashEncoding" value="rfc2617" />
            <module-option name="hashUserPassword" value="false" />
            <module-option name="hashStorePassword" value="true" />
            <module-option name="passwordIsA1Hash" value="true" />
            <module-option name="storeDigestCallback"
                value="org.jboss.security.auth.spi.RFC2617Digest" />
        </login-module>
    </authentication>
</security-domain>

 

 

The trace shows the following output after I enter login and password:

14:31:42,739 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1) Security checking request GET /wtpTuto1/SnoopServlet
14:31:42,739 DEBUG [org.apache.catalina.realm.RealmBase] (http--0.0.0.0-8080-1)   Checking constraint 'SecurityConstraint[Snoop resources]' against GET /SnoopServlet --> true
14:31:42,740 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1)  Calling hasUserDataPermission()
14:31:42,740 DEBUG [org.apache.catalina.realm.RealmBase] (http--0.0.0.0-8080-1)   User data constraint has no restrictions
14:31:42,740 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1)  Calling authenticate()
14:31:42,742 DEBUG [org.apache.catalina.realm.RealmBase] (http--0.0.0.0-8080-1) Digest : 5ce5c01cd76610d80c389675e8a5db80 Username:mlo ClientSigest:5ce5c01cd76610d80c389675e8a5db80 nOnce:ce105e03e45722b0022e5a8d830c32fc nc:00000001 cnonce:8c76ad16afaeaac3 qop:auth realm:wtpTuto1Realmmd5a2:54b07f4a17d8f6ceb23410fc1309b1ac Server digest:13bc7742a1a0bb080686ed120d76c947
14:31:42,742 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1)  Failed authenticate() test

  • 1. Re: Digest authentication with JBoss AS7
    jaikiran pai Master

    <security-domain>java:/jaas/wtpTuto1</security-domain>

    This isn't right. Don't use the JNDI name. Instead use the name of the security-domain:

    <security-domain>wtpTuto1</security-domain>

  • 2. Re: Digest authentication with JBoss AS7
    Eric Chow Apprentice

    If I want to put the users.properties and the roles.properties into standalone/configuration, how can I define the module-option?

    If I set the module-option as follows:

    <module-option name="usersProperties" value="users.properties" />
    <module-option name="rolesProperties" value="roles.properties" />

    Where should I put those property files?

    Best regards,
    Eric

  • 3. Re: Digest authentication with JBoss AS7
    philippe ventrillon Newbie

    Thank you Jaikiran.

    This is true, but it does not solve the issue.

    After removing the java:/jaas, the behavior is exactly the same.

    So my questions remain:

    • Is Digest authentication supposed to work with JBoss 7?
    • Is this behavior a bug?
    • Did I miss something related to JBoss 7 changes?

    Any help is welcome.

    ---

    Philippe

  • 4. Re: Digest authentication with JBoss AS7
    philippe ventrillon Newbie

    Hi Eric,

    I've read this in the docs (JBoss AS 7 developer guide):

             <login-module code="UsersRoles" flag="required">
                 <module-option name="usersProperties" value="${jboss.server.config.dir}/example-users.properties"/>
                 <module-option name="rolesProperties" value="${jboss.server.config.dir}/example-roles.properties"/>
             </login-module>

    Hope it helps.

    ---

    Philippe

  • 5. Re: Digest authentication with JBoss AS7
    Marcus Moyses Novice

    There is an issue with digest authentication with AS7. I'm working on it this week. I'll comment here once I get things working. Please bear with me.

  • 6. Re: Digest authentication with JBoss AS7
    Marcus Moyses Novice

    Last night my fix was merged into the nightly build. This is what you need to do to get digest authentication working with the latest version of AS7:

    In standalone.xml configure the security domain:

    <security-domain name="wtpTuto1" cache-type="default">
        <authentication>
            <login-module code="UsersRoles" flag="required">
                <module-option name="hashAlgorithm" value="MD5"/>
                <module-option name="hashEncoding" value="RFC2617"/>
                <module-option name="hashUserPassword" value="false"/>
                <module-option name="hashStorePassword" value="true"/>
                <module-option name="passwordIsA1Hash" value="true"/>
                <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
            </login-module>
        </authentication>
    </security-domain>

    You need to include the users.properties and roles.properties files in your WEB-INF/classes/ folder so they can be found in the classpath of the web app.

    To get the password to store in users.properties run:

    java -cp picketbox-4.0.5.Final.jar org.jboss.security.auth.callback.RFC2617Digest <username> <realm name> <password>

    from $JBOSS_HOME/modules/org/picketbox/main/
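Added example (editor's addition, not code from the thread, from AS7 or from PicketBox): the arithmetic behind the configuration above, in Python. `a1_hash` computes MD5(username:realm:password) as lowercase hex, which is the value the RFC2617Digest tool prints for users.properties, so the file holds the A1 hash rather than the clear-text password. `verify_authorization` then shows how a server validates the browser's Authorization header from that stored HA1 alone (HA2 = MD5(method:uri), response = MD5(HA1:nonce:nc:cnonce:qop:HA2), RFC 2617 with qop=auth), which is the check that fails in the trace in the first post. Realm, username, nonce, cnonce and the password are constructed sample values; the function names are mine and the mapping to the login-module options is stated as an assumption in the comments.

```python
import hashlib
import hmac
import re

# Constructed sample values (the password behind the thread's trace is not known).
REALM = "wtpTuto1Realm"
USER = "mlo"
PASSWORD = "s3cret"                          # only the client knows this
NONCE = "ce105e03e45722b0022e5a8d830c32fc"   # same shape as the nOnce in the trace
CNONCE = "8c76ad16afaeaac3"
URI = "/wtpTuto1/SnoopServlet"


def md5_hex(data: str) -> str:
    """MD5 as lowercase hex; assumed to match hashEncoding=RFC2617 of the UsersRoles module."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def a1_hash(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password) (RFC 2617 3.2.2.2).
    Assumption: this is the value 'RFC2617Digest <user> <realm> <password>' prints and
    that passwordIsA1Hash=true tells the module to use as-is."""
    return md5_hex(f"{username}:{realm}:{password}")


def a2_hash(method: str, uri: str) -> str:
    """HA2 for qop=auth = MD5(method:digest-uri); the 'md5a2' value in the trace."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """Client side: the Authorization header a browser sends after the 401 challenge."""
    resp = digest_response(a1_hash(username, realm, password), nonce, nc, cnonce, "auth",
                           a2_hash(method, uri))
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict; quoted and bare values both accepted."""
    if not header.startswith("Digest "):
        return {}
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):])}


def verify_authorization(header: str, method: str, ha1_store: dict, expected_realm: str) -> bool:
    """Server side: recompute the response from the stored HA1 only and compare in constant time.
    The clear-text password is never needed, which is why the properties file can hold HA1."""
    p = parse_authorization(header)
    required = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if any(k not in p for k in required) or p["realm"] != expected_realm or p["qop"] != "auth":
        return False
    ha1 = ha1_store.get(p["username"])
    if ha1 is None:
        return False
    expected = digest_response(ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"],
                               a2_hash(method, p["uri"]))
    return hmac.compare_digest(expected, p["response"])


def demo() -> dict:
    # What users.properties would contain for this user: mlo=<HA1>
    store = {USER: a1_hash(USER, REALM, PASSWORD)}
    good = build_authorization(USER, REALM, PASSWORD, "GET", URI, NONCE, "00000001", CNONCE)
    bad = build_authorization(USER, REALM, "wrong-password", "GET", URI, NONCE, "00000001", CNONCE)
    return {
        "users_properties_line": f"{USER}={store[USER]}",
        "good": verify_authorization(good, "GET", store, REALM),
        "bad_password": verify_authorization(bad, "GET", store, REALM),
        "wrong_realm": verify_authorization(good, "GET", store, "otherRealm"),
        "wrong_method": verify_authorization(good, "POST", store, REALM),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that HA1 is bound to the realm name: if `<realm-name>` in web.xml does not match the realm used when the hash was generated, every login fails exactly as in the trace above, because the server's recomputed digest can never equal the client's.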

  • 7. Re: Digest authentication with JBoss AS7
    philippe ventrillon Newbie

    Thank you for the details. It is now working.

    I was able to proceed with digest authentication with the nightly build of the 20th of October.

  • 8. Re: Digest authentication with JBoss AS7
    Martin Gencur Novice

    Hi,

    I have the following problem with DIGEST authentication:

    I'm using a security domain configured similarly to what Marcus posted. However, the server login module is screaming that passwordIsA1Hash is not a valid option:

    WARN  [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-/127.0.0.1:8080-1) Invalid or misspelled option: passwordIsA1Hash

    but... it works in the end. If I don't specify this option, my authentication fails because I'm passing a password in plain form and the matching value is stored in application-users.properties on the server side in the form of a hash, something like this: testuser=25c1b3ab33b68906816606d1c0fe3048.

    So my guess is that for me to be able to pass a plain password to the client, I have to specify the passwordIsA1Hash option, but there is an incorrect warning. None of these classes contain this option in their "valid" options: AbstractServerLoginModule, UsernamePasswordLoginModule, UsersRolesLoginModule. And I'm using UsersRolesLoginModule, which is the last descendant of these classes. This is a bug, I guess? (using picketbox-4.0.9.Final-redhat-1)

  • 9. Re: Digest authentication with JBoss AS7
    Stefan Guilhen Apprentice

    This property is indirectly used by the UsernamePasswordLoginModule, so I've added it to the set of valid options for this module. I'm releasing PicketBox 4.0.15.Final later today and this version will have the fix.