9 Replies Latest reply on Dec 17, 2012 12:53 PM by sguilhen

    Digest authentication with JBoss AS7

    philippe.ventrillon

      Hello,

      I am porting an application from JBoss 6 to JBoss 7, and I experience problems with setting up DIGEST authentication.

      Digest authentication never succeeds.

      I am using JBoss AS 7.0.2-Final.

      As I have spent a lot of time googling around the problem, and trying lots of combinations, and because it works nearly as is with JBoss 6, I ask the following questions:

      • Is Digest authentication supposed to work with JBoss 7?
      • Is this behavior a bug?
      • Did I miss something related to JBoss 7 changes?

      Digging further I also found 2 strange things:

      • the class RFC2617Digest is not included in JBoss AS 7
      • traces seem to indicate the LoginModule is never called

      Please help

       

       

      Here are some highlights of what my application is.

      I have a very little test case, easy and straightforward to deploy (at least with JBoss 7), with one servlet, one JSP and one static page.

      I set up the following authentication constraints in web.xml:

      web.xml (extract)

      <security-constraint>
           <web-resource-collection>
                <web-resource-name>Snoop resources</web-resource-name>
                <url-pattern>/SnoopServlet</url-pattern>
           </web-resource-collection>

           <auth-constraint>
                <role-name>friend</role-name>
           </auth-constraint>
      </security-constraint>

      <security-role>
           <role-name>friend</role-name>
      </security-role>

      <login-config>
           <auth-method>DIGEST</auth-method>
           <realm-name>wtpTuto1Realm</realm-name>
      </login-config>

      Here is my jboss-web.xml:

      jboss-web.xml

      <?xml version="1.0"?>

      <jboss-web>
          <context-root>wtpTuto1</context-root>

          <!-- Reference to the security domain -->
          <security-domain>java:/jaas/wtpTuto1</security-domain>

      </jboss-web>

      standalone.xml (extract)

      <security-domain name="wtpTuto1">
          <authentication>
              <login-module code="UsersRoles" flag="required">
                  <module-option name="usersProperties" value="props/users.properties" />
                  <module-option name="rolesProperties" value="props/roles.properties" />
                  <module-option name="unauthenticatedIdentity" value="anonymous" />
                  <module-option name="hashAlgorithm" value="MD5" />
                  <module-option name="hashEncoding" value="rfc2617" />
                  <module-option name="hashUserPassword" value="false" />
                  <module-option name="hashStorePassword" value="true" />
                  <module-option name="passwordIsA1Hash" value="true" />
                  <module-option name="storeDigestCallback"
                      value="org.jboss.security.auth.spi.RFC2617Digest" />
              </login-module>
          </authentication>
      </security-domain>

       

       

      The trace shows the following output after I enter login and password:

      14:31:42,739 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1) Security checking request GET /wtpTuto1/SnoopServlet
      14:31:42,739 DEBUG [org.apache.catalina.realm.RealmBase] (http--0.0.0.0-8080-1)   Checking constraint 'SecurityConstraint[Snoop resources]' against GET /SnoopServlet --> true
      14:31:42,740 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1)  Calling hasUserDataPermission()
      14:31:42,740 DEBUG [org.apache.catalina.realm.RealmBase] (http--0.0.0.0-8080-1)   User data constraint has no restrictions
      14:31:42,740 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1)  Calling authenticate()
      14:31:42,742 DEBUG [org.apache.catalina.realm.RealmBase] (http--0.0.0.0-8080-1) Digest : 5ce5c01cd76610d80c389675e8a5db80 Username:mlo ClientSigest:5ce5c01cd76610d80c389675e8a5db80 nOnce:ce105e03e45722b0022e5a8d830c32fc nc:00000001 cnonce:8c76ad16afaeaac3 qop:auth realm:wtpTuto1Realmmd5a2:54b07f4a17d8f6ceb23410fc1309b1ac Server digest:13bc7742a1a0bb080686ed120d76c947
      14:31:42,742 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] (http--0.0.0.0-8080-1)  Failed authenticate() test

        • 1. Re: Digest authentication with JBoss AS7
          jaikiran

          <security-domain>java:/jaas/wtpTuto1</security-domain>

          This isn't right. Don't use the jndi name. Instead use the name of the security-domain:

           

          <security-domain>wtpTuto1</security-domain>

          • 2. Re: Digest authentication with JBoss AS7
            ericmacau

            If I want to put the users.properties and the roles.properties into the standalone/configuration, how can I define the module-option?

             

             

            if I set the module-option as following:

             

            <module-option name="usersProperties" value="users.properties" />

            <module-option name="rolesProperties" value="roles.properties" />

             

            Where should I put those property files?

             

            Best regards,
            Eric

            • 3. Re: Digest authentication with JBoss AS7
              philippe.ventrillon

              Thank you Jaikiran.

               

              This is true, but it does not solve the issue.

               

              After removing the java:/jaas, the behavior is exactly the same.

               

               

              So my questions remain:

              • Is Digest authentication supposed to work with JBOSS 7 ?
              • Is this behavior a bug ?
              • Did I miss something related to JBoss 7 changes ?

               

              Any help is welcome.

               

              ---

              Philippe

              • 4. Re: Digest authentication with JBoss AS7
                philippe.ventrillon

                Hi Eric

                 

                I've read this in the docs (JBoss AS 7 developer guide):

                         <login-module code="UsersRoles" flag="required">

                             <module-option name="usersProperties" value="${jboss.server.config.dir}/example-users.properties"/>

                             <module-option name="rolesProperties" value="${jboss.server.config.dir}/example-roles.properties"/>

                         </login-module>

                 

                Hope it helps

                 

                ---

                Philippe

                • 5. Re: Digest authentication with JBoss AS7
                  mmoyses

                  There is an issue with digest authentication with AS7. I'm working on it this week. I'll comment here once I get things working. Please bear with me.

                  • 6. Re: Digest authentication with JBoss AS7
                    mmoyses

                    Last night my fix was merged into the nightly build. This is what you need to do to get digest authentication working with the latest version of AS7:

                    In standalone.xml configure the security domain:

                     

                    <security-domain name="wtpTuto1" cache-type="default">
                        <authentication>
                            <login-module code="UsersRoles" flag="required">
                                <module-option name="hashAlgorithm" value="MD5"/>
                                <module-option name="hashEncoding" value="RFC2617"/>
                                <module-option name="hashUserPassword" value="false"/>
                                <module-option name="hashStorePassword" value="true"/>
                                <module-option name="passwordIsA1Hash" value="true"/>
                                <module-option name="storeDigestCallback" value="org.jboss.security.auth.callback.RFC2617Digest"/>
                            </login-module>
                        </authentication>
                    </security-domain>
                    

                     

                    You need to include the users.properties and roles.properties file in your WEB-INF/classes/ folder so they can be found in the classpath of the web app.

                    To get the password to store in users.properties run:

                     

                    java -cp picketbox-4.0.5.Final.jar org.jboss.security.auth.callback.RFC2617Digest <username> <realm name> <password>

                     

                    from $JBOSS_HOME/modules/org/picketbox/main/
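
                    As an added worked example (not code from this thread or from PicketBox), the following Python script shows what the two halves of the configuration above do. `a1_hash` produces the value the `RFC2617Digest <username> <realm name> <password>` command is run for, the RFC 2617 HA1 that goes into users.properties, and `verify` does what the server has to do when `passwordIsA1Hash` is true: parse the client's `Authorization: Digest` header, rebuild the expected response from the stored A1 hash and the nonce, nc, cnonce and URI the client sent, and compare in constant time. The user `mlo`'s password, the fixtures and all function names are constructed for the example; the nonce and cnonce are copied from the trace in the first post. The third demo function shows the caveat that matters for this setup: HA1 binds the realm name, so a hash generated with a realm other than web.xml's `<realm-name>` is rejected even with the right password.

```python
import hashlib
import hmac
import re
from typing import Dict

REALM = "wtpTuto1Realm"  # must equal <realm-name> in web.xml


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def a1_hash(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), RFC 2617 with algorithm=MD5.
    This is what users.properties holds when passwordIsA1Hash=true."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# key=value pairs; value is either quoted (with \" escapes) or a bare token
_PARAM_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_digest_header(header: str) -> Dict[str, str]:
    """Parse the value of an 'Authorization: Digest ...' header."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    fields: Dict[str, str] = {}
    for m in _PARAM_RE.finditer(params):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        fields[m.group(1).lower()] = value.replace('\\"', '"')
    return fields


def build_client_header(username: str, password: str, realm: str, method: str,
                        uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """The header a browser sends back after the 401 challenge."""
    ha1 = a1_hash(username, realm, password)
    response = digest_response(ha1, method, uri, nonce, nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{response}"')


def verify(header: str, method: str, expected_realm: str,
           stored_ha1: Dict[str, str]) -> bool:
    """Server-side check against stored A1 hashes (passwordIsA1Hash=true).
    A real server must also check that it issued `nonce` recently and that
    `nc` was not replayed for that nonce; that bookkeeping is omitted here."""
    try:
        p = parse_digest_header(header)
    except ValueError:
        return False
    required = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")
    if any(k not in p for k in required):
        return False
    if p["realm"] != expected_realm or p["qop"] != "auth":
        return False
    ha1 = stored_ha1.get(p["username"])
    if ha1 is None:
        return False
    expected = digest_response(ha1, method, p["uri"], p["nonce"],
                               p["nc"], p["cnonce"], p["qop"])
    # constant-time compare: a wrong response must not leak how long a prefix matched
    return hmac.compare_digest(expected, p["response"].lower())


# Constructed fixtures: user "mlo" appears in the thread's trace but its
# password does not, so "s3cret" is invented; nonce and cnonce are copied
# from that trace; the URI is the protected servlet from web.xml.
USERS = {"mlo": a1_hash("mlo", REALM, "s3cret")}
NONCE = "ce105e03e45722b0022e5a8d830c32fc"
CNONCE = "8c76ad16afaeaac3"
URI = "/wtpTuto1/SnoopServlet"


def demo_correct_password() -> bool:
    hdr = build_client_header("mlo", "s3cret", REALM, "GET", URI, NONCE, "00000001", CNONCE)
    return verify(hdr, "GET", REALM, USERS)  # True


def demo_wrong_password() -> bool:
    hdr = build_client_header("mlo", "wrong", REALM, "GET", URI, NONCE, "00000001", CNONCE)
    return verify(hdr, "GET", REALM, USERS)  # False


def demo_hash_made_for_other_realm() -> bool:
    # Hash generated with a realm name other than web.xml's <realm-name>:
    # the password is right, yet the server must reject it.
    other = {"mlo": a1_hash("mlo", "OtherRealm", "s3cret")}
    hdr = build_client_header("mlo", "s3cret", REALM, "GET", URI, NONCE, "00000001", CNONCE)
    return verify(hdr, "GET", REALM, other)  # False
```

                    `USERS["mlo"]` is the value to write as `mlo=<hash>` in users.properties; since it is the plain RFC 2617 HA1, it should match what `RFC2617Digest mlo wtpTuto1Realm s3cret` prints (an assumption about the tool, not something verified here). The three demo functions return True, False and False. The realm-mismatch case is the one to check first when the browser prompts repeatedly: the server rebuilds the response from its stored HA1, so the realm the hash was generated with and the realm in the challenge have to be the same string.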

                    • 7. Re: Digest authentication with JBoss AS7
                      philippe.ventrillon

                      Thank you for the details. It is now working.

                      I was able to proceed to digest authentication with the nightly build of the 20th of October.

                      • 8. Re: Digest authentication with JBoss AS7
                        mgencur

                        Hi,

                        I have the following problem with DIGEST authentication:

                         

                        I'm using the security domain configured similar to what Marcus posted. However, the server login module is screaming that passwordIsA1Hash is not a valid option:

                         

                        WARN  [org.jboss.security.auth.spi.UsersRolesLoginModule] (http-/127.0.0.1:8080-1) Invalid or misspelled option: passwordIsA1Hash

                         

                        but... it works in the end. If I don't specify this option, my authentication fails because I'm passing a password in a plain form and the matching value is stored in application-users.properties on server side in a form of a hash, something like this: testuser=25c1b3ab33b68906816606d1c0fe3048.

                         

                        So my guess is that for me to be able to pass a plain password to the client, I have to specify the passwordIsA1Hash option, but there is an incorrect warning. None of these classes contain this option in their "valid" options: AbstractServerLoginModule, UsernamePasswordLoginModule, UsersRolesLoginModule. And I'm using UsersRolesLoginModule, which is the last descendant of these classes. This is a bug I guess? (using picketbox-4.0.9.Final-redhat-1)

                        • 9. Re: Digest authentication with JBoss AS7
                          sguilhen

                          This property is indirectly used by the UsernamePasswordLoginModule, so I've added it to the set of valid options for this module. I'm releasing PicketBox 4.0.15.Final later today and this version will have the fix.