Sunday, October 14, 2012

Digest Authentication in JBOSS


This authentication mechanism is almost the same as basic authentication. The difference is that with basic authentication the password is stored as plaintext, whereas with digest authentication the stored value is a hash of the password computed with an algorithm such as MD5. Let's see how to create a digest authentication login module.
First we have to change the web.xml file, replacing the basic authentication login-config with the following:


<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>My Secure Content Authentication</realm-name>
</login-config>


Then we should create a new application policy for digest authentication by editing the login-config.xml file. Add the following application-policy to login-config.xml:


<application-policy name="MyApp">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/digest-users.properties</module-option>
      <module-option name="rolesProperties">props/digest-roles.properties</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">rfc2617</module-option>
      <module-option name="hashUserPassword">false</module-option>
      <module-option name="hashStorePassword">true</module-option>
      <module-option name="passwordIsA1Hash">true</module-option>
      <module-option name="storeDigestCallback">org.jboss.security.auth.spi.RFC2617Digest</module-option>
    </login-module>
  </authentication>
</application-policy>


Set the security domain in jboss-web.xml to match the application policy name. In my case, the security domain is MyApp.
Then we have to hash the password, because the hashed password is what gets stored rather than the plaintext one. Run the following command and it prints the hashed password:

java -cp C:\jboss\jboss-eap-5.1\jboss-as\common\lib\jbosssx-server.jar org.jboss.security.auth.spi.RFC2617Digest username "Realm name" password

username = the user name
"Realm name" = the realm name specified in web.xml (quoted, since it contains spaces)
password = the real (plaintext) password

Finally, store the hashed password, rather than the plaintext password, in the users properties file named by usersProperties in the application policy (digest-users.properties above). The roles properties file remains the same as for basic authentication implemented with UsersRolesLoginModule.
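To make the stored value concrete, here is an added Python example (not from the post and not JBoss code) that computes the same A1 hash RFC2617Digest prints, writes it as a usersProperties entry, and checks a client's Digest response against that stored hash the way the server does. The user name, password, nonce values and request URI are constructed placeholders; the realm is the one from web.xml above.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def a1_hash(username: str, realm: str, password: str) -> str:
    """The value RFC2617Digest prints and digest-users.properties stores
    (passwordIsA1Hash=true, hashEncoding=rfc2617): MD5(username:realm:password)."""
    return md5_hex(f"{username}:{realm}:{password}")


def properties_line(username: str, realm: str, password: str) -> str:
    """One entry for the usersProperties file named in the application policy."""
    return f"{username}={a1_hash(username, realm, password)}"


def load_properties(text: str) -> dict:
    """Minimal parser for a key=value properties file; comments and blanks are skipped."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            users[key.strip()] = value.strip()
    return users


def client_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Response a browser computes from the plaintext password (RFC 2617, qop=auth)."""
    ha1 = a1_hash(username, realm, password)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_response(stored_a1, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server-side check: only the stored A1 hash is needed, never the plaintext password."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_a1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


# Constructed sample: "alice"/"s3cret" are placeholders, the realm is the one from web.xml.
REALM = "My Secure Content Authentication"
DIGEST_USERS = "# digest-users.properties (constructed)\n" + properties_line("alice", REALM, "s3cret") + "\n"


def demo() -> bool:
    stored = load_properties(DIGEST_USERS)["alice"]
    resp = client_response("alice", REALM, "s3cret", "GET", "/secure/index.jsp", "abc123", "00000001", "xyz")
    return verify_response(stored, "GET", "/secure/index.jsp", "abc123", "00000001", "xyz", resp)
```

Because the stored A1 value is an unsalted MD5 of username:realm:password, anyone who can read digest-users.properties can test password guesses against it offline, so the file needs the same access restrictions the plaintext version would.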
