John, It seems as though utilizing the blackboard libraries was causing an issue with certain commands erroring out without a proper return, thus not passing along a "true" or "false" out of the class and causing the audit issue. I ended up having to kind of reverse-engineer their hashing and put a plain-jane command in the class. Basic testing is showing successful hashing comparisons.
Thanks for getting me on the right track.

Jonathan Liedy
Middleware Administrator
The Florida State University
2035 East Paul Dirac Drive
Sliger, Suite 113
Tallahassee, FL 32310
jli...@fsu.edu
Voice: (850) 270-7368

From: John Gasper [mailto:jgas...@unicon.net]
Sent: Wednesday, August 20, 2014 11:37 AM
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Comparing dynamically salted SHA512 encoded passwords from a database

Someone else may have an idea of what to look for, but when I hit something like this I attach a debugger to Tomcat and put a break point on my code and step through it. Perhaps there is an issue connecting to or querying the db that isn't being logged?

On 8/20/14 7:57 AM, Liedy, Jonathan wrote:

John & Dmitriy,

Thanks for the pointers. Derek and I ended up grabbing a library from Blackboard and have used their classes to verify the password hashing. I'll put the file and the subsequent configuration and the error we're getting in hopes of getting pointed in the right direction.

The java file is attached. The configuration is thus:

    <!-- BBDB Authentication Handler -->
    <bean id="bb_bb60AuthenticationHandler"
          class="edu.fsu.cas.authentication.handler.BBDBAuthenticationHandler"
          p:name="bb_bb60AuthenticationHandler"
          p:dataSource-ref="dataSource"
          p:sql="select passwd from bb_bb60.users where user_id = ?" />

Now, you'll see a test that we run at the end of the file and it looks to run correctly when we put it through eclipse.
The error we get in Tomcat is:

    Aug 20, 2014 10:48:54 AM org.apache.catalina.core.StandardWrapperValve invoke
    SEVERE: Servlet.service() for servlet [cas] in context with path [/cas] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing [AnnotatedAction@2bd1c812 targetAction = [EvaluateAction@b3163dd expression = authenticationViaFormAction.submit(flowRequestContext, flowScope.credentials, messageContext), resultExpression = [null]], attributes = map[[empty]]] in state 'realSubmit' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause
    java.lang.IllegalArgumentException: 'principal' cannot be null. Check the correctness of @Audit annotation at the following audit point: execution(public abstract org.jasig.cas.authentication.Authentication org.jasig.cas.authentication.AuthenticationManager.authenticate(org.jasig.cas.authentication.principal.Credentials))
        at com.github.inspektr.audit.AuditActionContext.assertNotNull(AuditActionContext.java:81)
        at com.github.inspektr.audit.AuditActionContext.<init>(AuditActionContext.java:63)
        at com.github.inspektr.audit.AuditTrailManagementAspect.executeAuditCode(AuditTrailManagementAspect.java:149)
        at com.github.inspektr.audit.AuditTrailManagementAspect.handleAuditTrail(AuditTrailManagementAspect.java:139)
    blahblahblahmorestacktrace...

Jonathan Liedy
Middleware Administrator
The Florida State University
2035 East Paul Dirac Drive
Sliger, Suite 113
Tallahassee, FL 32310
jli...@fsu.edu<mailto:jli...@fsu.edu>
Voice: (850) 270-7368

From: Dmitriy Kopylenko [mailto:dkopyle...@unicon.net]
Sent: Tuesday, August 19, 2014 11:48 AM
To: cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org>
Subject: Re: [cas-user] Comparing dynamically salted SHA512 encoded passwords from a database

Another option is to use Shiro's HashService API which supports multiple MessageDigest algorithms.
There is a CAS' PasswordEncoder implementation on top of it (but only currently with static config options for salt and iterations):
https://github.com/Unicon/cas-addons/wiki/Configuring%20ShiroHashServicePasswordEncoder

The idea would be to come up with an abstraction API, let's say DigestConfigurationSource and implementation(s) that could pull values from a variety of back end stores e.g. RDBMS - for algorithm, salt, number of iterations, etc. and wire that into this PE impl (which of course would need to be refactored to use this abstraction, etc.)

Best,
Dmitriy.

On Aug 19, 2014, at 11:36 AM, John Gasper <jgas...@unicon.net<mailto:jgas...@unicon.net>> wrote:

Hi Jonathan,

I hope all is well at FSU. I haven't seen any complete DB salted hashing solutions out there. I'm attaching a class (org.apache.directory.studio.ldapbrowser.core.model.password) that I borrowed from the Apache DS project. I basically stripped it down to be a single class that produces the SSHA hashes. I believe the original class has a password verify routine. Using that, this and a JDBC Auth Handler, you (or a dev at FSU) should probably be able to get something working for SSHA512.

Good luck!

On 8/17/14 10:14 PM, Liedy, Jonathan wrote:

Hey all,

Does anyone have an implementation of pulling a salt from a database and comparing the given encoded password with a database stored password?

The latest release of Blackboard uses SHA512 encoded passwords with a dynamically generated salt. The salt, iterations and hash are all in the same table. I'm no java dev, but if someone has a similar implementation they could share, I could probably hack through it.

Thanks,

Jonathan Liedy
Middleware Administrator
The Florida State University
2035 East Paul Dirac Drive
Sliger, Suite 113
Tallahassee, FL 32310
jli...@fsu.edu<mailto:jli...@fsu.edu>
Voice: (850) 270-7368
--
You are currently subscribed to cas-user@lists.jasig.org<mailto:cas-user@lists.jasig.org> as: jgas...@unicon.net<mailto:jgas...@unicon.net>
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

<Password.java>
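The thread never shows the verification code itself (the attached Password.java and the Blackboard library are not reproduced here), so the following is an added illustration written for this page, not code from any poster or from Blackboard. It assumes a hash layout of SHA-512 over salt followed by the UTF-8 password, re-hashed (iterations - 1) more times; that layout, the StoredCredential row type and the SaltedSha512Verifier class name are all assumptions for the example, not Blackboard's real format. It demonstrates the two points the thread turns on: the salt and iteration count must be read from the same row as the hash (the config quoted above selects only passwd), and verify() must return a definite boolean for every input, including an unknown user, rather than throwing or returning null, which is the condition the inspektr audit aspect reported as 'principal' cannot be null.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Added example: per-user salted, iterated SHA-512 verification with salt,
 * iteration count and hash kept together, as the thread describes.
 * ASSUMED scheme (not Blackboard's actual format):
 *   h = SHA-512(salt || utf8(password)); then h = SHA-512(h), (iterations - 1) more times.
 */
public final class SaltedSha512Verifier {

    /** One row of a hypothetical users table: salt, iterations and hash together. */
    public static final class StoredCredential {
        final byte[] salt;
        final int iterations;
        final byte[] hash;

        StoredCredential(byte[] salt, int iterations, byte[] hash) {
            this.salt = salt;
            this.iterations = iterations;
            this.hash = hash;
        }
    }

    private static MessageDigest sha512() {
        try {
            return MessageDigest.getInstance("SHA-512");
        } catch (NoSuchAlgorithmException e) {
            // Every Java SE runtime ships SHA-512; its absence is a broken deployment, not a login failure.
            throw new IllegalStateException("SHA-512 unavailable", e);
        }
    }

    /** Recompute the stored hash from the candidate password and the row's salt and iterations. */
    static byte[] computeHash(char[] password, byte[] salt, int iterations) {
        MessageDigest md = sha512();
        md.update(salt);
        byte[] h = md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) {
            md.reset();
            h = md.digest(h);
        }
        return h;
    }

    /** Create a row for a new user with a fresh random 16-byte salt. */
    public static StoredCredential enroll(char[] password, int iterations) {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new StoredCredential(salt, iterations, computeHash(password, salt, iterations));
    }

    /**
     * Always yields a definite true or false. An unknown user (null row) or a
     * malformed row is "false", never null or an exception, so a CAS handler
     * calling this can always produce either a principal or a failed-login result.
     */
    public static boolean verify(char[] password, StoredCredential stored) {
        if (stored == null || stored.salt == null || stored.hash == null || stored.iterations < 1) {
            return false;
        }
        byte[] computed = computeHash(password, stored.salt, stored.iterations);
        // Constant-time comparison: a plain Arrays.equals short-circuits on the first mismatch.
        return MessageDigest.isEqual(computed, stored.hash);
    }

    public static void main(String[] args) {
        // Constructed sample: enrol one user, then check a right, a wrong and a missing-user case.
        StoredCredential row = enroll("correct horse".toCharArray(), 10_000);
        System.out.println("stored salt (base64): " + Base64.getEncoder().encodeToString(row.salt));
        System.out.println("right password  -> " + verify("correct horse".toCharArray(), row));
        System.out.println("wrong password  -> " + verify("Correct horse".toCharArray(), row));
        System.out.println("unknown user    -> " + verify("correct horse".toCharArray(), null));
    }
}
```

In a real handler the StoredCredential would be built from a query that selects the salt and iteration columns alongside passwd for the given user_id; if the query returns no row, the handler should treat that as a failed authentication (false) rather than letting a null propagate into the authentication manager.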