PBEIdentityLoginModule — public class PBEIdentityLoginModule extends AbstractPasswordCredentialLoginModule. An example of how one could encrypt the database password for a JCA
connection factory. The corresponding login config entry illustrates
the usage:
sa
sa
3fp7R/7TMjyTTxhmePdJVk
true
PBEWithMD5AndDES
testPBEIdentityLoginModule
abcdefgh
19
jboss.jca:service=LocalTxCM,name=DefaultDS
This uses password based encryption (PBE) with algorithm parameters derived
from the pbealgo, pbepass, salt and iterationCount options:
+ pbealgo - the PBE algorithm to use. Defaults to PBEwithMD5andDES, a legacy MD5/DES construction; prefer a stronger PBE algorithm where the JCE provider offers one.
+ pbepass - the PBE password to use. Can use the JaasSecurityDomain {CLASS}
and {EXT} syntax to obtain the password from outside of the configuration.
Defaults to "jaas is the way". Because this default is published here (and hard-coded in main), a value encrypted with it is merely obfuscated, not protected; override pbepass — ideally via the {CLASS}/{EXT} indirection — for any real deployment.
+ salt - the PBE salt as a string. Defaults to {1, 7, 2, 9, 3, 11, 4, 13}.
+ iterationCount - the PBE iterationCount. Defaults to 37. |
Fields Summary |
---|
private static final Logger | log Class logger | private String | username | private String | password | private char[] | pbepass The PBE pass phrase used as key material (the cipher is whatever pbealgo selects, not fixed to Blowfish) | private String | pbealgo | private byte[] | salt | private int | iterationCount | private PBEParameterSpec | cipherSpec |
Constructors Summary |
---|
/**
 * Default constructor. All settings arrive later through {@link #initialize};
 * the package-private constructor below is the one {@link #main} uses to build an
 * encoder outside a JAAS configuration.
 */
public PBEIdentityLoginModule() {
}
/**
 * Package-private constructor used by {@link #main} to build an encoder without a
 * JAAS configuration. Every argument is optional: a {@code null} value (or, for
 * {@code iter}, a non-positive one) leaves the corresponding field at its default.
 *
 * @param algo    PBE algorithm name handed to {@code SecretKeyFactory}/{@code Cipher}
 * @param pass    PBE pass phrase (the key material)
 * @param pbesalt PBE salt bytes
 * @param iter    PBE iteration count; ignored unless greater than zero
 */
PBEIdentityLoginModule(String algo, char[] pass, byte[] pbesalt, int iter) {
    if (algo != null) {
        pbealgo = algo;
    }
    if (pass != null) {
        pbepass = pass;
    }
    if (pbesalt != null) {
        salt = pbesalt;
    }
    if (iter > 0) {
        iterationCount = iter;
    }
}
|
Methods Summary |
---|
/**
 * JAAS abort hook: drops the identity read from the options. Only {@code username}
 * and {@code password} are cleared; the PBE parameters ({@code pbepass}, {@code salt},
 * {@code iterationCount}, {@code pbealgo}) are left as they are.
 *
 * @return always {@code true}
 */
public boolean abort() {
    password = null;
    username = null;
    return true;
}
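/**
 * Commit hook: decrypts the configured password and attaches a {@link SimplePrincipal}
 * for {@code username} plus a {@link PasswordCredential} (bound to this module's
 * managed connection factory) to the subject, also publishing the name under
 * {@code javax.security.auth.login.name} in the shared state.
 * <p>
 * Decryption is attempted <em>before</em> anything is added to the subject or the
 * shared state, so a failed commit leaves both untouched. Adding the principal first
 * would leave it in the subject on failure, and {@link #abort} does not remove it.
 *
 * @return always {@code true} on success
 * @throws LoginException if the stored value cannot be decrypted (wrong pbepass, salt,
 *         iteration count or algorithm, or a corrupt Base64 string); the underlying
 *         exception is attached as the cause
 */
public boolean commit() throws LoginException {
    char[] decodedPassword;
    try {
        decodedPassword = decode(password);
    } catch (Exception e) {
        log.debug("Failed to decode password", e);
        LoginException le = new LoginException("Failed to decode password: " + e.getMessage());
        // LoginException has no (String, Throwable) constructor; keep the root cause anyway
        le.initCause(e);
        throw le;
    }

    Principal principal = new SimplePrincipal(username);
    SubjectActions.addPrincipals(subject, principal);
    sharedState.put("javax.security.auth.login.name", username);

    PasswordCredential cred = new PasswordCredential(username, decodedPassword);
    cred.setManagedConnectionFactory(getMcf());
    SubjectActions.addCredentials(subject, cred);
    return true;
}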
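/**
 * Decrypts a Base64-encoded, PBE-encrypted password.
 * <p>
 * The key is derived on every call from {@code pbepass}, {@code salt} and
 * {@code iterationCount} through {@code SecretKeyFactory.getInstance(pbealgo)}; the
 * {@link PBEParameterSpec} built here is stored in {@code cipherSpec} as a side effect.
 * <p>
 * Security notes: the plaintext is never materialised as a {@code String} (which could
 * not be scrubbed from the heap); the intermediate byte and char buffers are zeroed
 * before returning, so only the returned array holds the secret. Bytes are turned into
 * chars with the JVM's default charset, which is also what {@link #encode} uses on the
 * other side — a value encoded on a JVM with a different default charset decodes wrongly
 * for non-ASCII passwords.
 *
 * @param secret Base64 text produced by {@link #encode} / {@link #main}
 * @return the decrypted password as a fresh {@code char[]} owned by the caller
 * @throws Exception on any key-derivation, Base64 or cipher failure (bad parameters, or
 *         a value encrypted with a different pbepass/salt/iterationCount/algorithm)
 */
private char[] decode(String secret) throws Exception {
    // Derive the PBE key from the pass phrase and parameters
    cipherSpec = new PBEParameterSpec(salt, iterationCount);
    PBEKeySpec keySpec = new PBEKeySpec(pbepass);
    SecretKeyFactory factory = SecretKeyFactory.getInstance(pbealgo);
    SecretKey cipherKey = factory.generateSecret(keySpec);
    // PBEKeySpec holds its own copy of the pass phrase; drop it once the key exists
    keySpec.clearPassword();

    // Base64-decode and decrypt the stored value
    byte[] encoding = Util.fromb64(secret);
    Cipher cipher = Cipher.getInstance(pbealgo);
    cipher.init(Cipher.DECRYPT_MODE, cipherKey, cipherSpec);
    byte[] plain = cipher.doFinal(encoding);

    // bytes -> chars without an intermediate String, then scrub the buffers
    java.nio.CharBuffer chars = java.nio.charset.Charset.defaultCharset()
            .decode(java.nio.ByteBuffer.wrap(plain));
    char[] result = new char[chars.remaining()];
    chars.get(result);
    java.util.Arrays.fill(plain, (byte) 0);
    if (chars.hasArray()) {
        java.util.Arrays.fill(chars.array(), (char) 0);
    }
    return result;
}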
/**
 * Encrypts a plaintext password with the configured PBE parameters and returns the
 * ciphertext as Base64 text — the inverse of {@link #decode}. Used by {@link #main}.
 * <p>
 * The key is derived on every call ({@code SecretKeyFactory.getInstance(pbealgo)} from
 * {@code pbepass}, {@code salt} and {@code iterationCount}) and {@code cipherSpec} is
 * overwritten as a side effect, exactly as in {@link #decode}. The plaintext is turned
 * into bytes with the JVM's default charset, so encoder and decoder must run with the
 * same default for non-ASCII passwords to round-trip.
 *
 * @param secret plaintext password
 * @return Base64 encoding of the ciphertext
 * @throws Exception on key-derivation or cipher failure
 */
private String encode(String secret) throws Exception {
    cipherSpec = new PBEParameterSpec(salt, iterationCount);
    SecretKeyFactory factory = SecretKeyFactory.getInstance(pbealgo);
    SecretKey cipherKey = factory.generateSecret(new PBEKeySpec(pbepass));

    // Encrypt and Base64-encode
    Cipher cipher = Cipher.getInstance(pbealgo);
    cipher.init(Cipher.ENCRYPT_MODE, cipherKey, cipherSpec);
    return Util.tob64(cipher.doFinal(secret.getBytes()));
}
/**
 * Returns the principal this module authenticates as: a {@link SimplePrincipal} built
 * from the configured {@code username}. The name is trace-logged on each call.
 *
 * @return a new {@link SimplePrincipal} for {@code username}
 */
protected java.security.Principal getIdentity() {
    log.trace("getIdentity called, username=" + username);
    return new SimplePrincipal(username);
}
/**
 * This module assigns no roles; it only establishes an identity and a password
 * credential for the connection factory.
 *
 * @return an empty array, never {@code null}
 */
protected java.security.acl.Group[] getRoleSets() {
    return new Group[0];
}
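/**
 * Reads this module's options.
 * <ul>
 * <li>{@code username} (or, as a fallback, {@code userName}) — required.</li>
 * <li>{@code password} — required; the Base64/PBE-encrypted value produced by {@link #main}.</li>
 * <li>{@code pbepass} — optional PBE pass phrase, resolved through {@code Util.loadPassword}
 *     so the {CLASS}/{EXT} indirections work; defaults to the published built-in phrase.</li>
 * <li>{@code pbealgo} — optional algorithm name.</li>
 * <li>{@code salt} — optional; exactly the first eight characters are used as salt bytes
 *     (default charset); any further characters are silently ignored.</li>
 * <li>{@code iterationCount} — optional positive integer.</li>
 * </ul>
 * Security note: with the defaults (published pass phrase, fixed salt, MD5/DES, 37
 * iterations) the stored password is merely obfuscated; point {@code pbepass} at a value
 * kept outside the configuration to get real confidentiality.
 *
 * @throws IllegalArgumentException if {@code username} or {@code password} is missing, the
 *         salt is shorter than eight characters, or {@code iterationCount} is not a positive
 *         integer (a short salt would otherwise surface as a bare
 *         {@code StringIndexOutOfBoundsException}, a bad count as {@code NumberFormatException}
 *         or as a cipher failure at commit time)
 * @throws IllegalStateException if {@code Util.loadPassword} fails to resolve {@code pbepass}
 */
public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler handler, java.util.Map sharedState, java.util.Map options) {
    super.initialize(subject, handler, sharedState, options);

    // "username" is the documented key; "userName" is accepted for compatibility
    username = (String) options.get("username");
    if (username == null) {
        username = (String) options.get("userName");
    }
    if (username == null) {
        throw new IllegalArgumentException("The user name is a required option");
    }

    password = (String) options.get("password");
    if (password == null) {
        throw new IllegalArgumentException("The password is a required option");
    }

    // Optional PBE parameters; anything absent keeps its default
    String tmp = (String) options.get("pbepass");
    if (tmp != null) {
        try {
            pbepass = Util.loadPassword(tmp);
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    tmp = (String) options.get("pbealgo");
    if (tmp != null) {
        pbealgo = tmp;
    }

    tmp = (String) options.get("salt");
    if (tmp != null) {
        // Only the first eight characters are used; fail clearly rather than with an index error
        if (tmp.length() < 8) {
            throw new IllegalArgumentException("The salt option must be at least 8 characters long");
        }
        salt = tmp.substring(0, 8).getBytes();
    }

    tmp = (String) options.get("iterationCount");
    if (tmp != null) {
        try {
            iterationCount = Integer.parseInt(tmp);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("The iterationCount option must be an integer: " + tmp, e);
        }
        // Reject a non-positive count here instead of handing it to the cipher at commit time
        if (iterationCount <= 0) {
            throw new IllegalArgumentException("The iterationCount option must be positive: " + tmp);
        }
    }
}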
/**
 * Login hook. This module never rejects a login: the identity comes from the module
 * options read in {@link #initialize}, not from the callback handler. When the
 * superclass's {@code login()} does not already report success, {@code loginOk} is
 * forced to {@code true} so {@link #commit} will run.
 *
 * @return always {@code true}
 * @throws LoginException only if {@code super.login()} throws
 */
public boolean login() throws LoginException {
    log.trace("login called");
    if (!super.login()) {
        super.loginOk = true;
    }
    return true;
}
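/**
 * Command-line helper that encrypts a password for use as the {@code password} option.
 * <pre>
 *   PBEIdentityLoginModule &lt;password&gt; [pbepass [salt [iterationCount [pbealgo]]]]
 * </pre>
 * Omitted arguments fall back to the module defaults. {@code pbepass} defaults to the
 * published phrase {@code "jaas is the way"}, so a value encrypted with it is only
 * obfuscated. The salt argument is handled the same way {@link #initialize} handles the
 * {@code salt} option (first eight characters, default charset) so that the command line
 * and the login config derive the same key; passing the whole argument would silently
 * diverge from the server for longer salts. Secrets given on the command line end up in
 * shell history and process listings.
 *
 * @param args see usage above; the password is required, everything else optional
 * @throws Exception on any encryption failure
 */
public static void main(String[] args) throws Exception {
    if (args.length < 1) {
        System.err.println("Usage: PBEIdentityLoginModule <password> [pbepass [salt [iterationCount [pbealgo]]]]");
        System.exit(1);
    }
    char[] pass = "jaas is the way".toCharArray();
    byte[] salt = null;
    int iter = -1;
    String algo = null;
    if (args.length >= 2) {
        pass = args[1].toCharArray();
    }
    if (args.length >= 3) {
        // Mirror initialize(): eight salt characters, clear error if fewer
        if (args[2].length() < 8) {
            System.err.println("salt must be at least 8 characters long");
            System.exit(1);
        }
        salt = args[2].substring(0, 8).getBytes();
    }
    if (args.length >= 4) {
        iter = Integer.decode(args[3]).intValue();
    }
    if (args.length >= 5) {
        algo = args[4];
    }
    PBEIdentityLoginModule pbe = new PBEIdentityLoginModule(algo, pass, salt, iter);
    String encode = pbe.encode(args[0]);
    System.out.println("Encoded password: " + encode);
}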
|
|