Overview
JSCAPE MFT Server offers a variety of user authentication methods, most of which can leverage existing authentication infrastructure such as LDAP, NTLM and PAM. If you don't have such infrastructure but do have an existing application that authenticates users against a database table, as most web applications do, you can use that same table to authenticate JSCAPE MFT Server users with the database query authentication method.
Setting up the JDBC driver
Before JSCAPE MFT Server can use database query authentication, an appropriate JDBC driver must be installed in its "libs" directory and configured.
First download the JDBC driver for your database and copy the JDBC driver jar file into %installdir%/libs.
To configure the JDBC driver, open JSCAPE MFT Server Manager and go to "File > Settings… > JDBC Drivers". Click the "Add" button and enter the JDBC driver class name. Check the documentation that came with the JDBC driver for the appropriate class name; for MySQL Connector/J, used below, the class name is com.mysql.jdbc.Driver.
Configuring Database Query Authentication
Open JSCAPE MFT Server and click on “Authentication” under the domain you want to manage.
JDBC URL - The JDBC URL that will be used to connect to the database. This usually contains information specific to the JDBC driver and the database, as well as the database server's hostname/IP address and the database name. The above screenshot shows a JDBC URL for a MySQL database and the Connector/J JDBC driver.
User - The database username used to authenticate with the database.
Password / Confirm password - The password used to authenticate with the database.
SQL query - The SQL query to perform to authenticate the user. The authentication process exposes the username and password entered by the user as expansion variables named %username% and %password% for use within the SQL query. The expansion variables %username% and %password% are treated as strings so they MUST be enclosed in single quotes.
Note: A plain SELECT statement or a stored procedure may be used; however, stored procedures that make use of output parameters CANNOT be used.
Hash password class - The Java class to use for hashing the password before passing it to the SQL query. If no class is specified, the password will be passed to the SQL query in clear text. While this is optional, it is highly recommended that password hashing be used. See "Password Hashing" below.
Create account if not found using template - This allows for accounts to be created automatically upon successful authentication. If selected, an account will be created automatically (if it does not exist already) using the specified User Template.
Password Hashing
Database query authentication supports hashing the password entered by the user before it is passed to and used within the SQL query that authenticates the user. For authentication to succeed, the passwords stored in the underlying table must therefore be held as the equivalent hash digests.
This is highly recommended to prevent anyone that has access to the database and has SELECT privilege on the underlying table from seeing everyone’s password in clear text.
MD5 and SHA1 are two widely used cryptographic hash functions. JSCAPE MFT Server supports both through the following hashing provider classes: com.jscape.inet.mft.authentication.MD5Hasher for MD5 and com.jscape.inet.mft.authentication.SHA1Hasher for SHA1.
Creating a custom password hashing provider class
If MD5 and SHA1 are not an option, or if you have an existing authentication table that uses a different hashing function, you can create your own hashing provider class.
For someone familiar with Java programming, implementing a hashing provider class is trivial. Follow these steps to implement your own hashing provider:
1. Create a Java class that implements the com.jscape.inet.mft.authentication.Hasher class.
2. Implement the public String createHash(String login, String password) method, returning the hashed value.
3. Create a JAR file that contains the compiled class of your com.jscape.inet.mft.authentication.Hasher implementation.
To compile your hashing provider class you will need to include the ftpserver.jar in your classpath. The ftpserver.jar may be found in the libs directory for JSCAPE Secure FTP Server.
4. Place the JAR file created in step 3 into the libs directory of your JSCAPE MFT Server installation.
5. Shut down any open instances of JSCAPE MFT Server Manager and restart the JSCAPE MFT Server service.
6. In the "Hash password class" field of the "Database Query Authentication" service enter the full class name, including package name of your hash provider.
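The steps above, as an added example that is not JSCAPE's own code: a hashing provider that uses PBKDF2-HMAC-SHA256 instead of MD5 or SHA1. It assumes Hasher is an interface exposing only the createHash method named in step 2 and a Java 8 or later runtime; the package name, salt prefix and iteration count are hypothetical choices.

```java
package com.example.mft; // hypothetical package name

import com.jscape.inet.mft.authentication.Hasher; // from ftpserver.jar, per the page
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// The hash is compared inside the SQL query, so it must be reproducible from
// (login, password) alone: the salt is derived from the login, not random.
public class Pbkdf2Hasher implements Hasher {
    // Assumed parameters; they must match whatever produced the stored hashes.
    private static final int ITERATIONS = 210_000;
    private static final int KEY_BITS = 256;
    private static final String SALT_PREFIX = "mft-auth-v1:"; // hypothetical domain separator

    @Override
    public String createHash(String login, String password) {
        try {
            // Deterministic per-user salt: SHA-256(prefix + login), case-sensitive on login.
            byte[] salt = MessageDigest.getInstance("SHA-256")
                    .digest((SALT_PREFIX + login).getBytes(StandardCharsets.UTF_8));
            PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
            try {
                byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                        .generateSecret(spec).getEncoded();
                return toHex(derived);
            } finally {
                spec.clearPassword();
            }
        } catch (GeneralSecurityException e) {
            // createHash declares no checked exceptions, so rethrow unchecked.
            throw new IllegalStateException("PBKDF2WithHmacSHA256 unavailable", e);
        }
    }

    // Lowercase hex: 64 characters, none of which is a quote character.
    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Prints the digest to store for a user; the password is read without echo.
    public static void main(String[] args) {
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        System.out.println(new Pbkdf2Hasher().createHash(args[0], new String(pw)));
    }
}
```

Running the main method from a terminal with ftpserver.jar on the classpath produces the value to place in the password column for a given login, so the table and the server agree on the digest.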
Summary
Database query authentication is a viable alternative to LDAP, PAM and NTLM authentication methods especially if you don’t have any of those already running. Its ability to authenticate using hashed passwords makes it on par with those methods.