Skip to end of metadata
Go to start of metadata

This module allows users to create their own accounts for use with the system. Two main modes of operation are

  • Create confirmed entries in an ldap directory
  • Keep entries in a database and mark them when confirmed

Unconfirmed entries cannot be used for authentication.


  • User goes to /selfreg/index.html and receives a form
  • Fills in the form receives an email.
  • Follows the link to confirm.


Selfreg requires a database to hold data about users. If ldap authentication is desired the ldap parameters need to be set in the configuration. In both cases ensure an appropriate database has been created and there is a datasource present. There are sample data sources in the bedework/config/datasources directory. The datasource is used both by the selfreg module and by the DatabaseServerLoginModule if db authentication is desired.

Create the schema in the usual manner via the jmx console:

  • set export true - apply changes
  • start schema operation.

Make sure the following properties are set correctly

  • Message Digest - set exactly to the value in the hashAlgorithm element below, SHA, MD5 are acceptable
  • Account prefix - the accounts created may be the only accounts for your system in which case leave this empty. If you have multiple sets of accounts you need to ensure they will not overlap. Set this to a value that ensures that. For example, if all your accounts are 2 letters + 4 digits then prefixing with any letter will work. Selfreg generates acounts of that form in the absence of a prefix.
  • ConfirmUrl - this is what prefixes the url to confirm the creation. Something of the form http://localhost:8080/selfreg - the host, port and context.


This is the standard jboss module. For jboss 5 add the following to the login-config.xml file

Jboss 5 database login
<application-policy name="bwselfreg">
          <login-module code="" flag="required">
              <module-option name="dsJndiName">java:/selfregDS</module-option>
 <module-option name="principalsQuery">select bw_pw from 
bw_accounts where bw_account=? and bw_enabled='T'</module-option>
 <module-option name="rolesQuery">select bw_role, 'Roles' from 
bw_roles where bw_account=?</module-option>
              <module-option name="hashAlgorithm">SHA</module-option>
              <module-option name="hashEncoding">base64</module-option>


For Wildfly add the following in the security-domains

Wildfly database login config
<security-domain name="bwselfreg">
          <login-module code="Database" flag="required">
             <module-option name="dsJndiName" value="java:/selfregDS"/>
             <module-option name="principalsQuery" value="select bw_pw from bw_accounts where bw_account=? and bw_enabled='T'"/>
             <module-option name="rolesQuery" value="select bw_role, 'Roles' from bw_roles where bw_account=?"/>
            <module-option name="hashAlgorithm" value="SHA"/>
            <module-option name="hashEncoding" value="base64"/>


Flow of messages

As usual with these we use a combination of web pages, captcha and email to try to produce a secure transaction. Fields of importance are the email, userid, a confirmation id (confid), current password (curPw), new password (newPw)

New unregistered user

  • Go to register form.
  • Fill in all the details.
  • Submit to /newid
  • New entry added with a new confid and timestamp.
  • email sent to user with confirmation link.
  • user clicks on link - goes to /confirm
  • account enabled - confid changed to new random value.
  • response message sent.

Forgot password

  • Go to forgot password page
  • Enter account + submit to /fpw
  • New confid set in entry
  • email sent to user with confid
  • user clicks link - submit to a newpw page configured in jmx with confid as request parameter and with new password input area.
  • submits to /setpw - need confid and password
  • password updated - message sent

If a malevolent user starts the process they need not only the account but access to the users email.

Forgot Id

  • Go to forgot id page (possibly the same page)
  • Enter their email address.
  • Submit to /fid
  • Email with userid sent to that email.
  • If they don't know the password can use the forgot password.


  • No labels