de.rtner.security.auth.spi

Class SaltedDatabaseServerLoginModule

java.lang.Object

org.jboss.security.auth.spi.AbstractServerLoginModule

org.jboss.security.auth.spi.UsernamePasswordLoginModule

org.jboss.security.auth.spi.DatabaseServerLoginModule

de.rtner.security.auth.spi.SaltedDatabaseServerLoginModule

All Implemented Interfaces:

javax.security.auth.spi.LoginModule

public class SaltedDatabaseServerLoginModule
extends org.jboss.security.auth.spi.DatabaseServerLoginModule

A JBoss JDBC based login module that supports authentication, role mapping and salted iterated password hashing. Database connection and SQL are inherited from DatabaseServerLoginModule.

Actual check is deferred to pluggable cryptographic module.

Format of password depends on formatter. Default PBKDF2HexFormatter's format is: Salt(Hex):Iteration Count(decimal):hashed password(Hex)

See Also:

DatabaseServerLoginModule

Field Summary

Fields

Modifier and Type	Field and Description
java.lang.String	DEFAULT_ENGINE The default engine to use if not specified as a property.
java.lang.String	DEFAULT_FORMATTER The default formatter to use if not specified as a property.
java.lang.String	DEFAULT_PARAMETER The default engine parameter class to use if not specified as a property.
protected java.lang.String	engineClassName Class name of PBKDF2 engine to use.
protected PBKDF2Formatter	formatter Instantiation of formatter class.
protected java.lang.String	formatterClassName Class name of formatter to use.
protected java.lang.String	hashAlgorithm The message digest algorithm used to hash passwords (examples: HMacSHA1, HMacMD5).
protected java.lang.String	hashCharset The name of the charset/encoding to use when converting the password String to a byte array.
protected java.lang.String	parameterClassName Class name of PBKDF2 engine parameters to use.

Fields inherited from class org.jboss.security.auth.spi.DatabaseServerLoginModule

dsJndiName, principalsQuery, rolesQuery, suspendResume, tm, txManagerJndiName

Fields inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule

callbackHandler, log, loginOk, options, principalClassName, sharedState, subject, unauthenticatedIdentity, useFirstPass

Constructor Summary

Constructors

Constructor and Description
SaltedDatabaseServerLoginModule()

Method Summary

Modifier and Type	Method and Description
protected PBKDF2	getEngine(PBKDF2Parameters parameters) Factory method: instantiate the PBKDF2 engine.
protected PBKDF2Parameters	getEngineParameters() Factory method: instantiate the PBKDF2 engine parameters.
protected PBKDF2Formatter	getFormatter() Factory method: instantiate the PBKDF2 formatter.
void	initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map<java.lang.String,?> sharedState, java.util.Map<java.lang.String,?> options)
protected <T> T	newInstance(java.lang.String name, java.lang.Class<T> clazz) Generic helper: Use JBoss SecurityActions to load a class, then create a new instance.
protected boolean	validatePassword(java.lang.String inputPassword, java.lang.String expectedPassword) Actual salt-enabled verification function.

Methods inherited from class org.jboss.security.auth.spi.DatabaseServerLoginModule

convertRawPassword, getRoleSets, getTransactionManager, getUsersPassword

Methods inherited from class org.jboss.security.auth.spi.UsernamePasswordLoginModule

createPasswordHash, getCredentials, getIdentity, getUnauthenticatedIdentity, getUsername, getUsernameAndPassword, getValidateError, login, safeClose, setValidateError

Methods inherited from class org.jboss.security.auth.spi.AbstractServerLoginModule

abort, addValidOptions, checkOptions, commit, createGroup, createIdentity, getCallerPrincipalGroup, getUseFirstPass, logout

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_FORMATTER

public final java.lang.String DEFAULT_FORMATTER

The default formatter to use if not specified as a property.

See Also:

Constant Field Values

DEFAULT_ENGINE

public final java.lang.String DEFAULT_ENGINE

The default engine to use if not specified as a property.

See Also:

Constant Field Values

DEFAULT_PARAMETER

public final java.lang.String DEFAULT_PARAMETER

The default engine parameter class to use if not specified as a property.

See Also:

Constant Field Values

hashAlgorithm

protected java.lang.String hashAlgorithm

The message digest algorithm used to hash passwords (examples: HMacSHA1, HMacMD5). Defaults to HMacSHA1 if unset.

hashCharset

protected java.lang.String hashCharset

The name of the charset/encoding to use when converting the password String to a byte array. Default is the platform's default encoding.

formatterClassName

protected java.lang.String formatterClassName

Class name of formatter to use.

See Also:

PBKDF2Formatter, PBKDF2HexFormatter

formatter

protected PBKDF2Formatter formatter

Instantiation of formatter class. Implementation should be multi-thread safe as this object may be used concurrently by multiple threads inside JBoss.

engineClassName

protected java.lang.String engineClassName

Class name of PBKDF2 engine to use.

See Also:

PBKDF2

parameterClassName

protected java.lang.String parameterClassName

Class name of PBKDF2 engine parameters to use.

See Also:

PBKDF2Parameters

Constructor Detail

SaltedDatabaseServerLoginModule

public SaltedDatabaseServerLoginModule()

Method Detail

initialize

public void initialize(javax.security.auth.Subject subject,
                       javax.security.auth.callback.CallbackHandler callbackHandler,
                       java.util.Map<java.lang.String,?> sharedState,
                       java.util.Map<java.lang.String,?> options)

Specified by:

initialize in interface javax.security.auth.spi.LoginModule

Overrides:

initialize in class org.jboss.security.auth.spi.DatabaseServerLoginModule

validatePassword

protected boolean validatePassword(java.lang.String inputPassword,
                                   java.lang.String expectedPassword)

Actual salt-enabled verification function. Get parameters from database 'password', then compute candidate derived key from user-supplied password and parameters, then compare database derived key and candidate derived key. Login if match.

Overrides:

validatePassword in class org.jboss.security.auth.spi.UsernamePasswordLoginModule

Parameters:

inputPassword - Password that was supplied by user (candidate password)

expectedPassword - Actually the encoded PBKDF2 string which contains the expected/reference password implicitly. Not a clear-text password. Parameter is named like this because of inherited method parameter name.

Returns:

true if the inputPassword is valid, false otherwise.

getEngineParameters

protected PBKDF2Parameters getEngineParameters()

Factory method: instantiate the PBKDF2 engine parameters. Override or change the class via attribute.

Returns:

Engine parameter object, initialized. On error/exception, this method registers the exception via { UsernamePasswordLoginModule.setValidateError(Throwable) and returns null.

getEngine

protected PBKDF2 getEngine(PBKDF2Parameters parameters)

Factory method: instantiate the PBKDF2 engine. Override or change the class via attribute.

Parameters:

parameters - Parameters

Returns:

Engine object. On error/exception, this method registers the exception via {UsernamePasswordLoginModule.setValidateError(Throwable) and returns null.

getFormatter

protected PBKDF2Formatter getFormatter()

Factory method: instantiate the PBKDF2 formatter. Override or change the class via attribute. The instance is cached.

Returns:

Engine formatter. On error/exception, this method registers the exception via {UsernamePasswordLoginModule.setValidateError(Throwable) and returns null.

newInstance

protected <T> T newInstance(java.lang.String name,
                            java.lang.Class<T> clazz)

Generic helper: Use JBoss SecurityActions to load a class, then create a new instance.

Type Parameters:

T - generic return type

Parameters:

name - FQCN of the class to instantiate.

clazz - Expected type, used for PicketBox logging.

Returns:

Insance. On error/exception, this method registers the exception via {UsernamePasswordLoginModule.setValidateError(Throwable) and returns null.