Freitag, 28. Februar 2014

Wildfly/JBoss: How to secure customer passwords

If you are familiar with Wildfly/JBoss you might now that you can easily configure your system to use JAAS database authentication for the login process of your customer. Because it is considered bad practice to store passwords in clear text a hash-algorithm (e.g. SHA256, MD5) can be specified to encrypt them. Further informations can be found under here.

The problem with that approach is that your passwords will be vulnerable to dictionary and rainbowtable attacks (refresh your knowlegde here).
One way to face this problem is to use salted hashed passwords but the standard DatabaseServerLoginModule does not support that. But you can use this extension of the DatabaseServerLoginModule.
The configuration is fairly easy:

Wildfly/JBoss Konfiguration

1. Create module
Create the new module and configure the module.xml like this
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="">
        <resource-root path="PBKDF2-1.0.4.jar"/>
        <resource-root path="SaltedDatabaseLoginModule-1.0.4.jar"/>
        <module name="javax.api"/>
        <module name="javax.servlet.api"/>
        <module name=""/>
        <module name="org.jboss.logging"/>
        <module name="org.picketbox"/>
        <module name="sun.jdk"/>
Both declared jars must also be present in that folder.

2. Update module.xml of picketbox.

Every custom login module has to be declared as a dependencies in the module.xml of picketbox. So just add this line:
<module name=""/>
3. Update standalone.xml
<login-module code="" flag="required" module="">
 <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>
 <module-option name="principalsQuery" value="select password from User where login=?"/>
 <module-option name="rolesQuery" value="select role, 'Roles' from UserRole where login=?"/>
 <module-option name="hmacAlgorithm" value="HMacSHA256"/>
 <module-option name="formatter" value=""/>
 <module-option name="engine" value=""/>
 <module-option name="engine-parameters" value=""/>

The password encryption can be done with the following function.
private String createPbKdF2Passwort(String password) throws NoSuchAlgorithmException
 PBKDF2Formatter formatter = new PBKDF2HexFormatter();
 SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
 byte[] salt = new byte[8];
 int iterations = 1000;
 PBKDF2Parameters p = new PBKDF2Parameters("HmacSHA256", "ISO-8859-1", salt, iterations);
 PBKDF2Engine e = new PBKDF2Engine(p);
 return formatter.toString(p);

Have fun coding.