I started a project setting up basic authentication. I now want to switch to Digest Authentication. The problem is that the authentication is validated only if I provide the hash of the actual password, and not the actual password.
I did the following to switch from BASIC to DIGEST:
changed in my web.xml the auth-method to DIGEST
changed the JAAS context of my JDBC Realm to "jdbcDigestRealm"
in my db, I used to have "password" as a password, I changed in to the result of MD5(webuser:postgres:webuser) (where webuser is the login, webuser is the password, and postgres is the realm), in other words I set the password in my table to c3c2681ed07a5a2a5cb772061a8385e8.
The problem I have is that the login popup is displayed by the browser when I try to access the resource, but using "webuser" as the password doesn't work. However, using "c3c2681ed07a5a2a5cb772061a8385e8" as the password works. It looks like I'm still in BASIC authentication mode.
Any clue ?
Thank you !
The DIGEST auth-method is same as HTTP Digest Authentication. It just encrypts the communication between the browser and the server. The server still has the password in plain text.
From http://java.boot.by/wcd-guide/ch05s03.html:
The difference between basic and digest authentication is that on the
network connection between the browser and the server, the password is
encrypted, even on a non-SSL connection. In the server, the password
can be stored in clear text or encrypted text, which is true for all
login methods and is independent of the choice that the application
deployer makes.
You should set the digest-algorithm property of your JDBC Realm to MD5. After that the JDBC Realm will hash the password.
Perhaps you may need to change the digest algorithm in the realm view from glassfish console to MD5. Default value from GlassFish 3.0.* is still MD5, but from GlassFish 3.1.* has changed to SHA-256. This could be solution.
Adem
Related
I'm trying to have secure passwords within my application but I'm having trouble with the authentication section. The code works for registering a user, generating a salt and hashing a password using the generated salt. But when i try to authenticate I always get a failed login. My problem is how to store the hashed password and salt in a mysql database and how to then retrieve it in java to do the authentication check. Any advice would be hugely appreciated!
Relating to my other question: UnboundID LDAP DIGEST-MD5 binding cause NPE
I'm using ApacheDS as the server and UnboundID as the API.
I followed the suggested answer and the NPE is gone. However, now I'm getting this error.
LDAPException(resultCode=49 (invalid credentials), errorMessage='INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire password for 'dn:uid=blah,ou=dev,dc=blah,dc=com in realm : mizar.com', diagnosticMessage='INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire password for dn:uid=blah,ou=dev,dc=blah,dc=com in realm : blah.com')
at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:1881)
at UnboundDemo.main(UnboundDemo.java:40)
Code as follows:
conn = new LDAPConnection("1.1.1.1",389);
mdBind = new DIGESTMD5BindRequest("dn:uid=blah,ou=dev,dc=blah,dc=com", null, "test", "blah.com",null);
bindResult = conn.bind(mdBind);
System.out.println("MD5 bind success!");
Here's the ApacheDS SASL configuration from the Directory Studio config page:
SASL Host: 1.1.1.1
SASL Principal: ldap/ldap.example.com#EXAMPLE.COM
Search Base Dn: ou=dev,dc=blah,dc=com
The ApacheDS doc didn't explain what the SASL Principal is so I'm starting to think that it may be a mis-config on my part. The main idea here is to test UnboundID against a number of SASL mechanism.
It is likely the case that the ApacheDS server isn't configured to store passwords in a format that allows it to determine the clear-text value for the password.
The primary attractive property of the DIGEST-MD5 and CRAM-MD5 SASL mechanisms is that the password is combined with other information and encoded with a one-way digest before being sent to the server. This ensures that the password is not transmitted in the clear, so that it is protected against anyone who can observe the communication without the need to secure the rest of the communication. However, the ability to authenticate with one of these mechanisms requires that the server be able to determine the clear-text version of the password so that it can perform the same cryptographic processing as the client.
If you're just looking to test the UnboundID LDAP SDK's ability to perform SASL authentication, then I'd recommend using the PLAIN mechanism, since it shouldn't impose any special requirements on the user entry. If you really want to use DIGEST-MD5, then you'll need to ensure that the server has access to the clear-text representations of the passwords for the users that need to authenticate with that mechanism.
Neil
Need to send a hashed or encrypted password when creating the db connection, see details below:
We have a Spring application that connects to a DB2 AS400 database. We are currently using configuration files (.properties) to store the connection details, Spring reads thes files in the context creation phase and creates the datasource accordingly.
...
database.driverClassName=com.ibm.as400.access.AS400JDBCDriver
database.url=jdbc:as400:<host>:naming=sql;libraries=*LIBL,...;transaction isolation=none
database.username=<user>
database.password=<password>
database.initialPoolSize=2
database.maxPoolSize=5
...
This .properties file lives in the application/web server's file sytem.
I have a requirement to store a hashed password instead of the password directly, that way if someone looks at the file content cannot know what the real password is.
Like this using SHA:
...
database.password=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
...
There must be a way for telling AS400 that the password being sent is hashed.
In my research I found that AS400 stores passwords using an index QSYUPTBL in the library QSYS, which is able to use DES or SHA hashing algorithms. So it will encrypt the received password and will compare the resulting hash with the one stored in the index. But is it possible to tell the DB's authentication process to expect the password being hashed and compare it directly?
New finding:
The documentation from IBM mentions one keyword: RMTAUTMTH for setting the remote authentication method, using the *ENCRYPTED value in that param will activate the encryption in user id and password:
...User ID and associated encrypted password is sent on a DDM connection request. Cryptographic support must be available on both systems for this authentication method to be used... extracted from http://publib.boulder.ibm.com/infocenter/iseries/v5r3/topic/cl/chgrdbdire.htm
So it seems that it can be configured in the AS400 side, but does not mention anything about the encryption algorithm being used and if the jdbc driver supports it.
There is no mention of a property in the IBM Toolbox for Java JDBC properties to accept a special hashed/encrypted password.
You are going to have to manage the hashing/encryption of the password within your application and provide it to the JDBC connection as plaintext.
The secure property of the JDBC connection can be used to force an SSL connection to the AS/400, assuming SSL is enabled, to ensure that all data is encrypted between the application and the database.
is it possible in spring framework to have 2 login implementation at the same time for the login page? Form login and Certificate based login (x509). I've tried either one of these method but combining them at the same time, it is hard for me to do it. Any idea how to enable these two methods? Any book or site reference that I can refer to regarding this?
Thanks
Yes, it is possible, by making the SSL client-auth optional.
Here on Baeldung is a good tutorial on enabling SSL client authentication with X.509 certificates, with forced client-auth (not good for your case, with login form fallback)
Follow that tutorial and pay attention in the application.properties file to make the client-auth want instead of need. This will make the client-server SSL handshake attempt to ask for a certificate.
server.ssl.client-auth=want
If the browser does not provide a certificate (does not have any configured or the user clicks on cancel when prompted to select a certificate from a list), the SSL handshake will be done without the client certificate, and the user will have to login with username+password
If the user chooses a certificate, the SSL handshake is done with the client certificate. The server then verifies the given certificate in the trust-store. If the certificate is valid, the SSL handshake is successfully established. Otherwise, the connection is refused by the server.
Pay attention that
only the authentication is done with the x.509 certificate. For authorization, you must provide the X509Configurer an UserDetailsService implementation, to retrieve the UserDetails for the user that just authenticated via x.509
thus, if you have a database of users with their assigned roles, even if the certificate is in the trust-store, the user might not be in the user database, so you will have to treat this possibility in your application logic. I.e. when the SSL connection is mutual, but the user is not present in the user database.
Yes it is possible. All you need is to declare x509 support in your http config:
<http ...>
...
<x509 ... />
....
</http>
and configure SSL in Tomcat.
See this entry and this thread.
I am developing client-server application in Java which need user login. For that I need to show login screen to enter user name & password if username is not there in configuration file (initially it should should be "blank").
After filling the form and checking the Remember Password, I am going to send user name and digested password to server to check. If user is there at server I will get success message then I need to save the username and digested password in a secure file if he check the Remember password checkbox at userlogin screen. For that I need a secure place to store username and password in Windows environment. If I store it in a file, how to secure that file from other users who logged into Windows with other username.
For every Windows user I need a separate login and I am using SHA-256 digesting algorithm to digest password.
How can I do it using Java Swing.
Instead of a file, you should use the Preferences API. On Windows, it will store the data in the registry, in a branch not accessible to other (non-admin) users.