How to use MD5 hashing for JAAS WebAuthentication in JBoss 6?

Posted 2024-10-19 00:31:23

Writing a Java EE 6 application, I need some help using the DatabaseServerLoginModule with MD5 hashing.

Setup:

login-config.xml:

 <application-policy name = "app">
      <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
        <module-option name = "dsJndiName">java:/MySQLDS</module-option>
        <module-option name = "principalsQuery">Select password from user where email_current=?</module-option>
        <module-option name="rolesQuery">
            SELECT r.name, 'Roles' FROM role r, user_2_role ur, user u WHERE
            u.email_current=? AND u.id_user=ur.id_user AND ur.id_role=r.id_role
        </module-option> 
        <module-option name ="hashAlgorithm">md5</module-option>
        <module-option name="hashEncoding">base64</module-option>
        <module-option name="ignorePasswordCase">false</module-option>
        <module-option name="hashStorePassword">false</module-option>
        <module-option name="hashUserPassword">true</module-option>
     </login-module>
     <!-- login-module code="org.jboss.security.ClientLoginModule" flag="required" /-->
     </authentication>
 </application-policy>

web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Customer Content</web-resource-name>
        <url-pattern>/customer/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>AuthorizedUser</role-name>
        <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name>The Restricted Zone</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/login.html</form-error-page>
    </form-login-config>
</login-config>
<security-role>
    <description>The role required to access restricted content </description>
    <role-name>customer</role-name>
</security-role>

The login implementation (the important part):

import org.jboss.web.tomcat.security.login.WebAuthentication;

// login
WebAuthentication pwl = new WebAuthentication();
if (pwl.login(aEmail, aPassword)) {
    return "customer/dashboard?faces-redirect=true";
} else {
    throw new IncorrectCredentialsException();
}

I store the passwords using the following implementation:

import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.DigestUtils;

// raw 16-byte MD5 digest, then written to the database as lowercase hex
final byte[] md5Hash = DigestUtils.md5(newPassword);
md5NewPassword = Hex.encodeHexString(md5Hash);

I checked the value that was written into the database against some MD5 generators on the internet, like http://www.miraclesalad.com/webtools/md5.php

They all write the same value.

Using the above authentication method without MD5 hashing at all, and with FORM instead of DIGEST configured, works. Any idea?

Thanks in advance
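Added example, not code from the original post or from JBoss: a Python reproduction of the comparison that DatabaseServerLoginModule performs, so the value the application writes (Hex.encodeHexString of the raw MD5 digest) can be checked against what the module derives from the submitted password under each hashEncoding setting. The stored row for the password "password" is constructed here. The encoder behaviour (standard padded Base64 for "base64", lowercase hex for "hex") is my understanding of the JBoss encoders and is stated as an assumption. The last function computes the RFC 2617 HA1 that HTTP Digest needs, to show that a column of plain MD5(password) values cannot serve auth-method DIGEST regardless of encoding.

```python
import base64
import hashlib

# Constructed sample row: what the application on the page writes, i.e.
# Hex.encodeHexString(DigestUtils.md5(password)), for the password "password".
STORED_HEX = "5f4dcc3b5aa765d61d8327deb882cf99"


def module_side_hash(password: str, hash_encoding: str, charset: str = "utf-8") -> str:
    """Derive what DatabaseServerLoginModule compares against the row returned by
    principalsQuery when hashAlgorithm=MD5 and hashUserPassword=true.

    Assumption: the module's "base64" encoding is standard padded Base64 and its
    "hex" encoding is lowercase hex; charset mirrors the module's hashCharset option.
    """
    digest = hashlib.md5(password.encode(charset)).digest()
    encoding = hash_encoding.lower()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    if encoding == "hex":
        return digest.hex()
    raise ValueError(f"unsupported hashEncoding: {hash_encoding!r}")


def login_would_succeed(submitted: str, stored: str, hash_encoding: str,
                        ignore_password_case: bool = False) -> bool:
    """Mirror the module's final string comparison (ignorePasswordCase option)."""
    computed = module_side_hash(submitted, hash_encoding)
    if ignore_password_case:
        return computed.lower() == stored.lower()
    return computed == stored


def diagnose(submitted: str, stored: str) -> dict:
    """Try each encoding the module supports and report which one matches the
    stored row. No match at all means the stored value was not produced by a
    single plain MD5 of the password."""
    return {enc: login_would_succeed(submitted, stored, enc) for enc in ("base64", "hex")}


def rfc2617_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username ":" realm ":" password), the server-side value HTTP Digest
    (RFC 2617) requires. It depends on the username and the realm-name, so a column
    of plain MD5(password) values cannot back <auth-method>DIGEST</auth-method>."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


if __name__ == "__main__":
    print("module derives (base64):", module_side_hash("password", "base64"))
    print("module derives (hex):   ", module_side_hash("password", "hex"))
    print("stored in DB:           ", STORED_HEX)
    print("match per hashEncoding: ", diagnose("password", STORED_HEX))
    print("digest HA1 for realm:   ",
          rfc2617_ha1("user@example.com", "The Restricted Zone", "password"))
```

Running it side by side with the row actually in the `user` table is the quickest check: if `diagnose` reports a match only for "hex" while login-config.xml says `base64`, the two sides are simply comparing different encodings of the same digest.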

Comments (4)

影子的影子 2024-10-26 00:31:23

MD5 hashing is now recognized as unsafe. It has been broken in many ways.

Better to use SHA.

留一抹残留的笑 2024-10-26 00:31:23

Take a look at the MessageDigest class:

http://download.oracle.com/javase/1.4.2/docs/api/java/security/MessageDigest.html

Don't use MD5. Use something like SHA-256 instead, and also hash the string iteratively and add salt before the first hash. Hashing functions are not designed for password encryption.

如梦初醒的夏天 2024-10-26 00:31:23

nogamawa, the purpose of the SHA algorithm is similar to MD5: it is one-way encryption, i.e. there is no way to decrypt the message. SHA2 is proven to be much stronger. Java Cryptography Extension (JCE) supports both algorithms.
--kiran.kumar

马蹄踏│碎落叶 2024-10-26 00:31:23

Beyond MD5 vs SHA2 (which is a good idea), it's actually MUCH more important to add a randomly generated salt to each password. I'd recommend at least 128 bits of randomly generated salt for each password. This prevents rainbow table attacks (a form of pre-computed password hashes).

You should also iterate your hash algorithm many, many, many times, feeding it the result of each hash. Hash algorithms are designed to be FAST; this means an attacker can compute millions or billions of hashes a second with just a cheap personal computer and graphics card. The recommendation is to do upwards of 25,000 iterations of the hash algorithm, putting the output back into the input. On a modern CPU this takes much less than a second. If you do this it makes cracking the password that much more computationally difficult.
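Added example, not part of any comment above and not JBoss code: a Python illustration of the two recommendations made in the last three comments, a random per-password salt of at least 128 bits and a slow, iterated SHA-256 derivation. It uses PBKDF2-HMAC-SHA256 from the standard library rather than a hand-rolled loop, which is the standardized form of "put the output back into the input". The record format, the iteration count and the constant names are choices made here; the page prescribes none of them.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "sha256"
ITERATIONS = 100_000   # well above the 25,000 suggested above; raise it until one
                       # verification costs tens of milliseconds on your server
SALT_BYTES = 16        # 128 bits of random salt per password, as recommended above


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record "pbkdf2-sha256$<iterations>$<salt>$<hash>".

    The salt comes from os.urandom unless one is supplied (only done for
    reproducible tests). Iterations and salt are stored with the hash so the
    work factor can be raised later without invalidating existing rows.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join((
        "pbkdf2-" + ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and iteration count and
    compare in constant time. Any malformed record is treated as a failed login."""
    try:
        scheme, iterations, salt_b64, hash_b64 = stored.split("$")
        if scheme != "pbkdf2-" + ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        count = int(iterations)
    except (ValueError, TypeError):
        return False
    if count < 1:
        return False
    derived = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, count)
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
```

One caveat for the setup on this page: the stock DatabaseServerLoginModule options shown (hashAlgorithm, hashEncoding, hashUserPassword) compute a single unsalted digest of the submitted password, so a salted, iterated record like this cannot be checked by them as configured. It needs either a custom login module (for example a subclass of UsernamePasswordLoginModule that overrides validatePassword with logic equivalent to verify_password above) or verification in application code before the JAAS login is attempted.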
