
This is the standard JBoss database login module. For JBoss 5 add the following to the login-config.xml file. Note what the options imply: with hashAlgorithm set to SHA and hashEncoding set to base64 the module compares the bw_pw column against the base64 encoding of the unsalted SHA-1 digest of the submitted password, so whatever writes bw_accounts must store passwords in exactly that form; and because principalsQuery only returns a password for rows with bw_enabled='T', an account that has not been confirmed cannot log in.

Code Block
languagexml
titleJboss 5 database login
<application-policy name="bwselfreg">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/selfregDS</module-option>
      <module-option name="principalsQuery">select bw_pw from bw_accounts where bw_account=? and bw_enabled='T'</module-option>
      <module-option name="rolesQuery">select bw_role, 'Roles' from bw_roles where bw_account=?</module-option>
      <module-option name="hashAlgorithm">SHA</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>

For WildFly add the following to the security-domains section of the security subsystem (standalone.xml or domain.xml); the options are the same as for JBoss 5, only the element syntax differs.

Code Block
languagexml
titleWildfly database login config
<security-domain name="bwselfreg">
  <authentication>
    <login-module code="Database" flag="required">
      <module-option name="dsJndiName" value="java:/selfregDS"/>
      <module-option name="principalsQuery" value="select bw_pw from bw_accounts where bw_account=? and bw_enabled='T'"/>
      <module-option name="rolesQuery" value="select bw_role, 'Roles' from bw_roles where bw_account=?"/>
      <module-option name="hashAlgorithm" value="SHA"/>
      <module-option name="hashEncoding" value="base64"/>
    </login-module>
  </authentication>
</security-domain>

Flow of messages

As usual with these flows we use a combination of web pages, a captcha and email to produce a secure transaction. The fields that matter are the email address, the userid, a confirmation id (confid), the current password (curPw) and the new password (newPw).

...

  • Go to the register form.
  • Fill in all the details.
  • Submit to /newid.
  • A new, still-disabled entry is added with a fresh confid and a timestamp.
  • An email with a confirmation link is sent to the user.
  • The user clicks the link and reaches /confirm.
  • The account is enabled and the confid is replaced with a new random value, so the confirmation link cannot be reused.
  • A response message is sent.

Forgot password

  • Go to the forgot password page.
  • Enter the account and submit to /fpw.
  • A new confid is set in the entry.
  • An email containing the confid is sent to the user.
  • The user clicks the link.
  • The user reaches a page with the usual details filled in, except the password.
  • That page submits to the newpw page (configured in JMX), which carries the confid as a request parameter and offers a new-password input.
  • That in turn submits to /setpw, which needs the confid and the new password.
  • The password is updated and a message is sent.

...

  • Go to the forgot id page (possibly the same page as forgot password).
  • Enter the email address.
  • Submit to /fid.
  • An email with the userid is sent to that address.
  • If the user does not know the password either, they can then use forgot password.
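The three flows above, together with the stored-password form that the login module configuration expects, as an added Python model. This is example code written for this page, not code from the self-registration module itself: the SelfReg class, store_pw, new_confid, the in-memory accounts dict standing in for bw_accounts, the outbox list standing in for the mail sender, and the 24-hour confid lifetime are all assumptions introduced here, while the column names, the /newid, /confirm, /fpw, /newpw, /setpw and /fid paths and the SHA/base64 comparison follow the page. It goes slightly beyond the page in two places a practitioner would want: the confid is also rotated after /setpw so a reset link cannot be replayed, and /fpw and /fid return the same message whether or not the account exists, so they cannot be used to enumerate accounts.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed lifetime of a confirmation id. The page stores a timestamp with the
# confid but gives no expiry, so this value is an assumption for the example.
CONFID_TTL_SECONDS = 24 * 3600


def store_pw(password: str) -> str:
    """Value to write into bw_pw: base64 of the unsalted SHA-1 digest, which is
    what DatabaseServerLoginModule with hashAlgorithm=SHA and hashEncoding=base64
    computes from the submitted password before comparing."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def new_confid() -> str:
    """256-bit random confirmation id: unguessable, so it can act as a bearer token."""
    return secrets.token_urlsafe(32)


class SelfReg:
    """Hypothetical in-memory stand-in for the bw_accounts table and the mailer."""

    def __init__(self, now=time.time):
        self.accounts = {}   # bw_account -> {bw_pw, bw_enabled, email, confid, ts}
        self.outbox = []     # (recipient, link or message) for every email "sent"
        self.now = now       # injectable clock so expiry can be exercised

    def _row_for_confid(self, confid: str):
        """Find the account holding this confid; None if unknown or expired."""
        for row in self.accounts.values():
            if hmac.compare_digest(row["confid"].encode(), confid.encode()):
                if self.now() - row["ts"] > CONFID_TTL_SECONDS:
                    return None
                return row
        return None

    def _rotate(self, row, email_path=None):
        """Every use of a confid replaces it, so each emailed link works once."""
        row["confid"] = new_confid()
        row["ts"] = self.now()
        if email_path:
            self.outbox.append((row["email"], f"{email_path}?confid={row['confid']}"))

    # --- registration: /newid then /confirm ---
    def newid(self, userid, email, password):
        if userid in self.accounts:
            return False
        row = {"bw_pw": store_pw(password), "bw_enabled": "F", "email": email}
        self.accounts[userid] = row
        self._rotate(row, "/confirm")          # first confid plus confirmation mail
        return True

    def confirm(self, confid):
        row = self._row_for_confid(confid)
        if row is None:
            return False
        row["bw_enabled"] = "T"
        self._rotate(row)                      # confid changed to a new random value
        return True

    # --- forgot password: /fpw then /setpw ---
    def fpw(self, userid):
        row = self.accounts.get(userid)
        if row is not None:
            self._rotate(row, "/newpw")        # new confid, emailed as the reset link
        # Same reply whether or not the account exists: no account enumeration.
        return "If the account exists, an email has been sent."

    def setpw(self, confid, new_password):
        row = self._row_for_confid(confid)
        if row is None:
            return False
        row["bw_pw"] = store_pw(new_password)
        self._rotate(row)                      # the reset link cannot be replayed
        return True

    # --- forgot id: /fid ---
    def fid(self, email):
        for userid, row in self.accounts.items():
            if row["email"] == email:
                self.outbox.append((email, f"userid={userid}"))
        return "If the address is registered, an email has been sent."

    # --- what the login module does with principalsQuery ---
    def login(self, userid, password):
        row = self.accounts.get(userid)
        if row is None or row["bw_enabled"] != "T":   # "... and bw_enabled='T'"
            return False
        return hmac.compare_digest(row["bw_pw"].encode(), store_pw(password).encode())


def last_confid(reg: SelfReg) -> str:
    """Pull the confid out of the most recently emailed link."""
    return reg.outbox[-1][1].split("confid=", 1)[1]
```

The clock is injected so that the timestamp the page stores with each confid can actually be checked against a lifetime; whatever lifetime is chosen, a link that has expired must fail exactly like an unknown one, which is why _row_for_confid returns None for both cases.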

...