Question

Following up on a prior question, I m trying to figure out how to set up container-based authentication for a J2EE application. Specifically, I need to be able to apply a password digest algorithm other than the ones supported by the java.security.MessageDigest (which are SHA, MD2, or MD5 - here s where I think that limitation is documented). In this case my database stores Blowfish-encrypted passwords.

I already have the Java code written to get the encrypted password from my database, and compare the user-entered password with the database one by performing the Blowfish encryption. How do I set it up so that the container just uses my own Java class(es) to perform user authentication?

I m using JBoss AS 5.1 (which I think means my Tomcat version is 6).

Answer 1

You re going to need to write a custom LoginModule for JBoss.

In your case it should be trivial as all you want to do is to change how password gets encoded so you ll just extend the DatabaseServerLoginModule and override a single method like the example in the above link shows.

If you were to do it for a standalone Tomcat, you d have to write your own Realm. Again, reasonably straightforward as you can extend JDBC or Data Source realm

Answer 2

All the documentation I have been able to find online related to writing a custom login module only pertains to JBoss v4 or earlier. I have not been able to locate a single working example of doing this in JBoss v5.1. It is very frustrating. There are no javadocs for JBoss v5.1 that I can locate on the official JBoss website; in fact, there are no current security documents relating to custom modules at all, anywhere on the net. I have searched through every book I have access to in the Barnes & Noble, still no luck. At this point, we are looking into moving off of JBoss, b/c this lack of documentation is just unprofessional.

友情链接