The problem

JBossAS 7 and its successor WildFly 8 ship with several login modules suited to different needs. One of them is the DatabaseServerLoginModule, which can be configured with a SQL query that matches the supplied password against the corresponding database entry. Further options of this module include the choice of a hashing algorithm and of an encoding for the hashed password. The documentation is not very clear on this point, but it appears that any hashing algorithm obtainable through java.security.MessageDigest can be used. Today SHA-256 is usually recommended as the hashing algorithm. This would indeed prevent the average administrator with access to the password tables from recovering an original (strong) password for an arbitrary account. Unfortunately, there exists a sophisticated method invented by Philippe Oechslin, the Rainbow Table, which is a time-memory trade-off for reversing hashed passwords. A trivial precomputed database would hold an entry for every plaintext password together with its hash. To reverse a hashed password one would simply look up the hash in the indexed database and read off the corresponding plaintext. This works well when careless users pick passwords that can be found in dictionaries. If, on the other hand, a sensible application enforces strong passwords, such a trivial precomputed database would require an enormous, that is unrealistic, size. Hence methods are sought that reduce the size of the precomputed database by spending more computation time instead. Oechslin's method is an improvement of a method found earlier by Martin Hellman. More accessible explanations can be found in Wikipedia and here.

We can conclude from this that the DatabaseServerLoginModule provided by JBossAS or WildFly is vulnerable to attacks that apply a Rainbow Table. The countermeasure against such attacks is to hash each password concatenated with a random so-called salt, which is stored next to the hash. A hash with a random salt has the additional advantage that two identical passwords yield different hashes. I will therefore present the class SaltedPasswordLoginModule, which is derived from the superclass of DatabaseServerLoginModule, namely UsernamePasswordLoginModule. The superclass of UsernamePasswordLoginModule is in turn AbstractServerLoginModule. All three classes, DatabaseServerLoginModule, UsernamePasswordLoginModule and AbstractServerLoginModule, come with the JBoss subproject PicketBox.
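To make the difference between an unsalted and a salted SHA-256 hash concrete, here is a small stand-alone Java class that does the hashing a login module would perform. It is an added example written for this page; it is neither PicketBox code nor the SaltedPasswordLoginModule presented later, and the class name SaltedHashExample, the 16-byte salt length and the sample password are assumptions chosen for illustration. It shows that the same password hashed without salt always yields the same digest (the property a precomputed table relies on), that two random salts yield two different digests, and how verification recomputes the digest from the stored salt and compares it in constant time.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example (not PicketBox and not the page's SaltedPasswordLoginModule):
 * SHA-256 over salt || password, as a salted login module would store and verify it.
 */
public final class SaltedHashExample {

    // Assumption for this example: 16 random bytes of salt per account.
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    /** Generates a fresh random salt; every account gets its own. */
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        return salt;
    }

    /** Hashes salt || password with SHA-256, the MessageDigest algorithm name the text recommends. */
    public static byte[] hash(String password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** The unsalted variant: identical passwords always give identical digests. */
    public static byte[] unsaltedHash(String password) {
        return hash(password, new byte[0]);
    }

    /** Recomputes the digest from the stored salt and compares it in constant time. */
    public static boolean verify(String candidate, byte[] salt, byte[] storedHash) {
        return MessageDigest.isEqual(hash(candidate, salt), storedHash);
    }

    public static void main(String[] args) {
        String password = "correct horse battery staple"; // constructed sample password
        Base64.Encoder b64 = Base64.getEncoder();

        // Unsalted: the two digests are equal, so one precomputed table covers every account.
        byte[] plainA = unsaltedHash(password);
        byte[] plainB = unsaltedHash(password);
        System.out.println("unsalted hashes equal: " + MessageDigest.isEqual(plainA, plainB));

        // Salted: two accounts with the same password store two different digests.
        byte[] saltA = newSalt();
        byte[] saltB = newSalt();
        byte[] hashA = hash(password, saltA);
        byte[] hashB = hash(password, saltB);
        System.out.println("salt A: " + b64.encodeToString(saltA) + "  hash A: " + b64.encodeToString(hashA));
        System.out.println("salt B: " + b64.encodeToString(saltB) + "  hash B: " + b64.encodeToString(hashB));
        System.out.println("salted hashes differ:  " + !MessageDigest.isEqual(hashA, hashB));

        // Login check: only the stored salt and digest of that account are needed.
        System.out.println("verify correct password: " + verify(password, saltA, hashA));
        System.out.println("verify wrong password:   " + verify("wrong password", saltA, hashA));
    }
}
```

Compile and run it with `javac SaltedHashExample.java && java SaltedHashExample`. The salt is not secret; its purpose is only to make each stored digest unique, so it can be kept in the same table row as the digest, which is exactly the layout a salted login module has to read back during authentication.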
