JBossAS 7 and its successor Wildfly 8 ship with several login modules suited to different needs. One of them is DatabaseServerLoginModule, which can be configured with a SQL query that matches the provided password against the corresponding database entry. Further options of this module include the choice of a hashing algorithm and of an encoding for the hashed password. The documentation is not very clear about this, but it appears that every hashing algorithm obtainable through java.security.MessageDigest can be used. SHA-256 is usually recommended as the hashing algorithm today. This would indeed prevent an average administrator with access to the password tables from recovering the original (strong) password of an arbitrary account. Unfortunately there is a sophisticated method, invented by Philippe Oechslin and called a Rainbow Table, which is a time-memory trade-off for reversing hashed passwords. A trivial precomputed database would hold an entry for every plaintext password together with its hash. To reverse a hashed password one would simply look up the hash in the database and retrieve the corresponding plaintext password.

This works fine when some careless users pick passwords that can be found in dictionaries. If, on the other hand, a sensible application enforces the use of strong passwords, a trivial precomputed database would need an enormous, that is unrealistic, size. Hence methods are sought that reduce the size of the precomputed database by trading memory for time. Oechslin's method is an improvement of a method previously found by Martin Hellman. More accessible explanations can be found in Wikipedia and here.
We can conclude from this that the DatabaseServerLoginModule provided by JBossAS or Wildfly is insecure against attacks that apply a Rainbow Table, because it stores plain, unsalted hashes. A countermeasure against such attacks is to hash the password concatenated with a random value, the so-called salt, and to store the salt alongside the hash. A password hashed with a random salt has the additional advantage that two equal passwords lead to different hashes.
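To make the difference concrete, the following is an added illustration written for this post and not PicketBox code, nor the SaltedPasswordLoginModule presented below. It computes a bare SHA-256 digest the way the stock module does (hash algorithm SHA-256, base64 encoding), then a salted variant hash(salt || password) with a random 16-byte salt from SecureRandom. The stored record layout "base64(salt)$base64(hash)" is an assumption of this demo, and the two user names and passwords are constructed sample input.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public final class SaltedHashDemo {

    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // Unsalted digest in the shape the stock module produces (SHA-256, base64).
    // Identical passwords always yield identical hashes, which is exactly what a
    // precomputed table relies on.
    static String unsaltedHash(String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    // Salted digest: hash(salt || password). The salt is stored in the clear next
    // to the hash; its job is to defeat precomputation, not to stay secret.
    static byte[] saltedDigest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return md.digest();
    }

    // Assumed record layout for this demo: "base64(salt)$base64(hash)".
    static String createRecord(String password) throws NoSuchAlgorithmException {
        byte[] salt = newSalt();
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(salt) + "$" + enc.encodeToString(saltedDigest(salt, password));
    }

    // Recompute the digest with the stored salt and compare in constant time.
    static boolean verify(String record, String candidate) throws NoSuchAlgorithmException {
        int sep = record.indexOf('$');
        if (sep < 0) {
            return false; // malformed record, never accept
        }
        Base64.Decoder dec = Base64.getDecoder();
        byte[] salt = dec.decode(record.substring(0, sep));
        byte[] stored = dec.decode(record.substring(sep + 1));
        byte[] computed = saltedDigest(salt, candidate);
        return MessageDigest.isEqual(stored, computed);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample input: two users who happen to choose the same password.
        String alicePassword = "correct horse battery staple";
        String bobPassword = "correct horse battery staple";

        System.out.println("unsalted hashes equal: "
                + unsaltedHash(alicePassword).equals(unsaltedHash(bobPassword)));

        String aliceRecord = createRecord(alicePassword);
        String bobRecord = createRecord(bobPassword);
        System.out.println("salted records equal:  " + aliceRecord.equals(bobRecord));
        System.out.println("verify correct:        " + verify(aliceRecord, alicePassword));
        System.out.println("verify wrong:          " + verify(aliceRecord, "Tr0ub4dor&3"));
    }
}
```

Running main shows that the two unsalted hashes coincide while the two salted records differ, and that verification still succeeds for the right password and fails for a wrong one. Note what the salt does and does not buy: a table precomputed for plain SHA-256 is useless against these records, but a single SHA-256 round remains cheap to evaluate, so the strength of an individual salted hash still rests on the password itself.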
I will therefore present the class SaltedPasswordLoginModule, which is derived from the superclass of DatabaseServerLoginModule, that is UsernamePasswordLoginModule. The superclass of UsernamePasswordLoginModule is in turn AbstractServerLoginModule. All three classes, DatabaseServerLoginModule, UsernamePasswordLoginModule and AbstractServerLoginModule, come with the JBoss subproject PicketBox.