karaf console command "jaas:adduser" with encrypted password
------------------------------------------------------------
Key: KARAF-1037
URL: https://issues.apache.org/jira/browse/KARAF-1037
Project: Karaf
Issue Type: Bug
Components: karaf-core
Affects Versions: 2.2.4
Environment: CentOS-5.7-x86_64, Mac OS X 10.7.2, Java 1.6.0_29
Reporter: Christoph
Priority: Minor
The karaf console shows a strange behavior when working with JAAS
authentication modules and password encryption
Line of actions that lead to the issue:
(1) First of all, we've created a blueprint service containing the JAAS
configuration
{noformat}
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0";
xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0";
xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0";
xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0";>
<type-converters>
<bean class="org.apache.karaf.jaas.modules.properties.PropertiesConverter"
/>
</type-converters>
<!-- Allow usage of System properties, especially the karaf.base property
-->
<ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]" />
<jaas:config name="myRealm">
<jaas:module
className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
flags="required">
users = $[karaf.base]/etc/myUser.properties
encryption.enabled = true
encryption.prefix = {CRYPT}
encryption.suffix = {CRYPT}
encryption.algorithm = MD5
encryption.encoding = hexadecimal
</jaas:module>
</jaas:config>
</blueprint>
{noformat}
(2) After installing the realm as a feature in our service gateway, we
configure two users with roles via the karaf command line interface
{noformat}
karaf@tesb> jaas:manage myRealm
karaf@tesb> jaas:useradd usr.app cert1
karaf@tesb> jaas:roleadd usr.app admin
karaf@tesb> jaas:roleadd usr.app dev
karaf@tesb> jaas:update
{noformat}
and can find something like the following entry in our myUser.properties file
{noformat}
usr.app = 510fd1dc93d0c601ad208ad700afc403,admin,dev
{noformat}
(3) When we execute a service call that triggers our authentication chain, the
myUser.properties file changes to something like:
{noformat}
usr.app = {CRYPT}b3bef7f3d410589d471f93f6d55db6d4{CRYPT},admin,dev
{noformat}
This behaviour lead's us to the assumption, that the configuration via the
karaf command line interface using JAAS commands does not create the encryption
tag's but an initial hash set. When the application is using than the hash the
first time, it does think that the password is not hashed yet, and creates a
second hash with the pre- and suffix but makes the initial password useless.
Workaround for that issue is to avoid pre- and suffix for custom JAAS
authentication modules
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
