...
This is the standard jboss module. For jboss 5 add the following to the login-config.xml file
Code Block | ||||
---|---|---|---|---|
| ||||
<application-policy name="bwselfreg"> |
...
<authentication> <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required"> |
...
<module-option name="dsJndiName" |
...
>java:/ |
...
selfregDS</module-option> |
...
<module-option name="principalsQuery">select bw_pw from bw_accounts where bw_account=? and bw_enabled='T'</module-option> |
...
<module-option name="rolesQuery">select bw_role, 'Roles' from bw_roles where bw_account=?</module-option> |
...
<module-option name="hashAlgorithm">SHA</module-option> |
...
<module-option name="hashEncoding">base64</module-option> |
...
</login-module> |
...
</authentication> </application-policy> |
</application-policy>
For Wildfly add the following in the security-domains
Code Block | ||||
---|---|---|---|---|
| ||||
<security-domain name="bwselfreg">
<authentication>
<login-module code="Database" flag="required">
<module-option name="dsJndiName" value="java:/selfregDS"/>
<module-option name="principalsQuery" value="select bw_pw from bw_accounts where bw_account=? and bw_enabled='T'"/>
<module-option name="rolesQuery" value="select bw_role, 'Roles' from bw_roles where bw_account=?"/>
<module-option name="hashAlgorithm" value="SHA"/>
<module-option name="hashEncoding" value="base64"/>
</login-module>
</authentication>
</security-domain> |
Flow of messages
As usual with these we use a combination of web pages, captcha and email to try to produce a secure transaction. Fields of importance are the email, userid, a confirmation id (confid), current password (curPw), new password (newPw)
...
- Go to register form.
- Fill in all the details.
- Submit to /newid
- New entry added with a new confid and timestamp.
- email sent to user with confirmation link.
- user clicks on link - goes to /confirm
- account enabled - confid changed to new random value.
- response message sent.
Forgot password
- Go to forgot password page
- Enter account + submit to /fpw
- New confid set in entry
- email sent to user with confid
- user clicks link
- reaches page with usual details filled in - except password.
- submits - - submit to a newpw page configured in jmx with confid as request parameter and with new password input area.
- submits to /setpw - need confid and password
- password updated - message sent
...
- Go to forgot id page (possibly the same page)
- Enter their email address.
- Submit to /fid
- Email with userid sent to that email.
- If they don't know the password can use the forgot password.
...