one needs to patch or update the jdbc auth provider to do this. It should not be too hard to add the option for a “salt” property there. There is JiveSoftware and there are some freelance coders (or maybe even you) who can do this.
I don’t think that the new code will be included in Openfire as such an authentication is very rare and thus hard to test and maintain.
I had the same problem trying to get this working with my Rails app. I am using the restful authentication plugin, and it turns out they hash the password like so: “saltpassword–”. I hacked the JDBCAuthProvider class to have another PasswordType called sha1salt that would work for restful authentication.
In my openfire.xml file I have:
<jdbcAuthProvider>
  <passwordSQL>SELECT crypted_password, salt FROM users WHERE login=? LIMIT 1</passwordSQL>
  <passwordType>sha1salt</passwordType>
</jdbcAuthProvider>
Now I am not really a java programmer so I am sure this code is ugly, but it appears to be working nicely for me. Download the source code and replace openfire_src/src/java/org/jivesoftware/openfire/auth/JDBCAuthProvider.java with the one I have attached and then compile it.
This class delivers options to salt your hashes and check them against an external database (ExtendedJDBCAuthProvider -> JDBCAuthProvider).
The following settings activate the salted authentication.
<saltJdbcAuthProvider>
  <saltSQL>SELECT salt FROM user_account WHERE username=?</saltSQL>
  <saltPosition>before</saltPosition>
  <doubleHashed>true</doubleHashed>
</saltJdbcAuthProvider>
You can set the saltPosition setting (before or after), which defines where the salt will be inserted.
Additionally, you can set the doubleHashed setting, which activates the hashing of the password before adding the salt.
A full setup can look like the following:
<jive>
  ...
  <provider>
    <auth>
      <className>org.jivesoftware.openfire.auth.SaltingJDBCAuthProvider</className>
    </auth>
  </provider>
  <jdbcAuthProvider>
    <passwordSQL>SELECT password FROM user_account WHERE username=?</passwordSQL>
    <passwordType>plain</passwordType>
  </jdbcAuthProvider>
  <extJdbcAuthProvider>
    <multiSource>true</multiSource>
  </extJdbcAuthProvider>
  <saltJdbcAuthProvider>
    <saltSQL>SELECT salt FROM user_account WHERE username=?</saltSQL>
    <saltPosition>before</saltPosition>
    <doubleHashed>true</doubleHashed>
  </saltJdbcAuthProvider>
  ...
</jive>
I was wondering if you could help me implement your salt+sha1 work. I have downloaded your files and the Openfire source files to my server. I then copied your files into the “trunk/src/java/org/jivesoftware/openfire/auth” folder and built the source with “ant openfire.” I am not sure where I go from here. What do I need to do to take what I have done and update the Openfire server installation that I already have on the server? I shut down the original Openfire server and then I ran the openfire.sh file in the source build, however that runs locally and not at the server address. Do I need to modify something else so that the source build runs on the server (i.e. the admin console is accessible via a browser)?
Thanks for the help.
Okay, scratch all of that up to it being a long day. I was able to get the new setup running. However, I am struggling to wrap my head around the ofProperties settings and the SQL commands. Right now, our DB passwords are stored in the table “auth_user” under the column “password”. The values within the password are sha1$salt$hash. I am not sure what part of the password I should be sending to the SQL code you have. I have cut out the salt part and set that to “salt” under the saltJdbcAuthProvider.saltSQL and then cut and set the hash part to “password” under the jdbcAuthProvider.passwordSQL, with no success. I then thought that your code might want the salt prepended to the hash, so I cut the salt and hash and concatenated salt to the front of hash, and that did not seem to work either. I did notice that with either method I was not getting any errors from Openfire/SQL, only from my program saying that the provided credentials were not authorized.
Also, I have set jdbcAuthProvider.passwordType to sha1 instead of your use of plain text. What am I doing wrong?
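The salted SHA-1 verification the thread keeps circling around, as an added example that is not code from the thread, from the attached JDBCAuthProvider patch, or from Openfire itself. It models the saltPosition (before/after) and doubleHashed settings described earlier in the thread as: "before" means the salt is prepended to the secret, "after" means it is appended, and doubleHashed means the password is SHA-1 hex-hashed first and that hex string is what the salt is combined with. It also splits the sha1$salt$hash column layout from the last post into the separate salt and hash values the two SQL queries are expected to return, and tries all four setting combinations against one stored record so you can tell which scheme your own database actually uses before touching openfire.xml. The function names, the lowercase-hex digest assumption and the sample username, salt and password are all constructed for this example.

```python
import hashlib
import hmac

# Constructed sample row standing in for the "auth_user" table from the thread.
# Salt and password are made up for this example; nothing here comes from a real store.
SAMPLE_USERNAME = "alice"
SAMPLE_SALT = "8f2a1c"
SAMPLE_PASSWORD = "correct horse"

SALT_POSITIONS = ("before", "after")


def salted_sha1(password, salt, salt_position="before", double_hashed=False):
    """Hex SHA-1 of the password combined with the salt.

    salt_position "before": sha1(salt + secret); "after": sha1(secret + salt).
    double_hashed: secret is the hex SHA-1 of the password instead of the password
    itself (assumed reading of the doubleHashed setting described in the thread).
    """
    if salt_position not in SALT_POSITIONS:
        raise ValueError("salt_position must be 'before' or 'after'")
    secret = hashlib.sha1(password.encode("utf-8")).hexdigest() if double_hashed else password
    combined = salt + secret if salt_position == "before" else secret + salt
    return hashlib.sha1(combined.encode("utf-8")).hexdigest()


def verify(password, salt, stored_hash, salt_position="before", double_hashed=False):
    """Recompute the digest and compare in constant time (hmac.compare_digest)."""
    computed = salted_sha1(password, salt, salt_position, double_hashed)
    return hmac.compare_digest(computed, stored_hash.strip().lower())


def split_sha1_record(stored):
    """Split a 'sha1$salt$hash' value into (salt, hash).

    Anything that is not exactly three '$'-separated fields starting with 'sha1'
    is rejected, so a malformed row fails closed instead of being checked against
    an empty salt.
    """
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "sha1":
        raise ValueError("expected sha1$salt$hash")
    return parts[1], parts[2]


def check_record(password, stored, salt_position="before", double_hashed=False):
    """Verify a password against a full sha1$salt$hash record."""
    salt, digest = split_sha1_record(stored)
    return verify(password, salt, digest, salt_position, double_hashed)


def which_settings(password, stored):
    """Return every (saltPosition, doubleHashed) combination under which a known
    test password verifies against the record; use it to discover the scheme a
    store uses before configuring the provider. Normally exactly one matches."""
    return [
        (pos, dbl)
        for pos in SALT_POSITIONS
        for dbl in (False, True)
        if check_record(password, stored, pos, dbl)
    ]


def build_sample_record(salt_position="before", double_hashed=False):
    """Build a constructed sha1$salt$hash row for SAMPLE_PASSWORD."""
    digest = salted_sha1(SAMPLE_PASSWORD, SAMPLE_SALT, salt_position, double_hashed)
    return f"sha1${SAMPLE_SALT}${digest}"


if __name__ == "__main__":
    record = build_sample_record("before", True)
    print(SAMPLE_USERNAME, record)
    print("matching settings:", which_settings(SAMPLE_PASSWORD, record))
    print("wrong password accepted?", check_record("wrong", record, "before", True))
```

If which_settings returns an empty list for a record whose password you know, the store is not using any of these four plain-concatenation layouts (separators such as the dashes in the Rails poster's format, or a different encoding of the digest, would fall outside them), which is the situation to rule out before suspecting the SQL or the passwordType setting.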