java 如何在 JSP 中以编程方式加密/解密纯文本凭据?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/308609/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to programatically encrypt/decrypt plain text credentials in JSP?
提问by Nano Taboada
As as part of my daily routine, I have the misfortune of administering an ancient, once "just internal" JSP web application that relies on the following authentication schema:
作为我日常工作的一部分,我不幸管理了一个古老的、曾经“只是内部”的 JSP Web 应用程序,它依赖于以下身份验证模式:
...
// Validate the user name and password.
if ((user != null) && (password != null) && (
(user.equals("brianmay") && password.equals("queen")) ||
(user.equals("rogertaylor") && password.equals("queen")) ||
(user.equals("freddiemercury") && password.equals("queen")) ||
(user.equals("johndeacon") && password.equals("queen"))
)) {
// Store the user name as a session variable.
session.putValue("user", user);
...
As much as I would like to, the Queen members have never been users of the system but anyway it does make a great example, does it not?
正如我所希望的那样,Queen 成员从未成为该系统的用户,但无论如何它确实是一个很好的例子,不是吗?
Despite that by policy this client enforces security by domain authentication among other things, therefore this issue isn't seen as a security risk, still, my idea is to at least obfuscate that plain text credentials using perhaps a simple MD5 or SHA1 method, so such sensitive data is not visible to the naked eye.
尽管根据策略,该客户端通过域身份验证等方式强制执行安全性,因此这个问题不被视为安全风险,但我的想法是至少使用简单的 MD5 或 SHA1 方法混淆纯文本凭据,因此这种敏感数据是肉眼看不到的。
I'm a total newbie when it comes to JSP so I would really appreciate any piece of advice you'd be willing to share with me.
我是 JSP 的新手,所以我非常感谢您愿意与我分享的任何建议。
Thanks much in advance!
非常感谢!
回答by carson
It is hard to understand the exact scheme you are thinking about but I assume the password is coming in from a request and you want to calculate the MD5 hash in a JSP that the request is being sent to. After that you can compare it to the pre-computed MD5 version. You could even be more secure if it isn't being done with https and use a javascript MD5 libraryto hash the password before submitting it.
很难理解您正在考虑的确切方案,但我假设密码来自请求,并且您想计算请求发送到的 JSP 中的 MD5 哈希值。之后,您可以将其与预先计算的 MD5 版本进行比较。如果不使用 https 完成并在提交密码之前使用javascript MD5 库对密码进行散列,则您甚至可以更安全。
You can MD5 a string in java like this:
您可以像这样在 java 中对字符串进行 MD5:
try
{
String digestInput = "queen";
MessageDigest messageDigest = MessageDigest.getInstance("MD5");
messageDigest.update(digestInput.getBytes());
BASE64Encoder base64Encoder = new BASE64Encoder();
String digestString = base64Encoder.encode(messageDigest.digest());
// digestString now contains the md5 hashed password
}
catch (Exception e)
{
// do some type of logging here
}
回答by Marko
First of all you should move that logic from jsp to a separate class.
首先,您应该将该逻辑从 jsp 移动到一个单独的类。
Second, you shouldn't keep plain text password anywhere in the code. Use some kind of one way hash function (md5, sha1, ...) and keep only password hashes.
其次,你不应该在代码的任何地方保留纯文本密码。使用某种单向哈希函数(md5,sha1,...)并仅保留密码哈希。
When checking for user password, first hash it and then compare hashes.
检查用户密码时,首先对其进行散列,然后比较散列。
