Java 使用 Spring/Hibernate 进行密码加密 - Jasypt 或其他什么?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1075128/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Password encryption with Spring/Hibernate - Jasypt or something else?
提问by stevedbrown
In a Java application stack with Spring & Hibernate (JPA) in the Data Access Layer, what are good methods of applying the password encryption (hopefully using annotations), and where can you find out more about getting it done (tutorial, etc)?
在数据访问层中带有 Spring 和 Hibernate (JPA) 的 Java 应用程序堆栈中,应用密码加密(希望使用注释)的好方法是什么,您在哪里可以找到有关完成它的更多信息(教程等)?
It's understood that I would use a JCAsupported algorithm for encrypting the passwords, but I would prefer to not have to implement the wrapper logic if there is an easy way.
据了解,我将使用JCA支持的算法来加密密码,但如果有一种简单的方法,我宁愿不必实现包装器逻辑。
I was looking at Jasypt, and was a) wondering if that's a good option and how to do it and b) what else people are using for this. If anyone is using Jasypt or an alternative, details of your experience it would be great.
我正在查看 Jasypt,并且 a) 想知道这是否是一个好的选择以及如何做到这一点,以及 b) 人们还为此使用了什么。如果有人正在使用 Jasypt 或替代品,那么您的体验细节会很棒。
采纳答案by laz
Java has all of the required libraries already provided for you. Simply create a utility method that implements hashing with a salt as described at OWASP.
Java 已经为您提供了所有必需的库。只需创建一个实用方法,该方法使用盐实现散列,如OWASP 所述。
If you really don't want to own that code and don't mind an extra dependency, it seems that the Shirolibrary (formerly JSecurity) has an implementationof what is described by OWASP.
如果您真的不想拥有该代码并且不介意额外的依赖项,那么Shiro库(以前称为JSecurity)似乎已经实现了 OWASP 所描述的内容。
It also looks like the JASYPT library you mentioned has a similar utility.
看起来您提到的 JASYPT 库也有类似的实用程序。
I realize that this answer doesn't mention Spring or Hibernate but I'm not clear how you are hoping to utilize them in this scenario.
我意识到这个答案没有提到 Spring 或 Hibernate,但我不清楚您希望如何在这种情况下利用它们。
回答by JeeBee
I just use something similar to SHA-256(username + ":" + password + ":" + salt)and store it in the database in a 64-character column called passwd.
我只是使用类似的东西SHA-256(username + ":" + password + ":" + salt)并将其存储在数据库中名为 passwd 的 64 个字符的列中。
Wikipedia says, relating to salts: "Salt data complicates dictionary attacks that use pre-encryption of dictionary entries: each bit of salt used doubles the amount of storage and computation required. ... For best security, the salt value is kept secret, separate from the password database. This provides an advantage when a database is stolen, but the salt is not."
维基百科说,关于盐:“盐数据使使用字典条目预加密的字典攻击复杂化:使用的每一位盐都会使所需的存储量和计算量增加一倍。......为了最好的安全性,盐值是保密的,与密码数据库分开。这在数据库被盗时提供了一个优势,但盐不是。”
So to authenticate, get user from database with supplied username, then generate the same hash using the password provided via their login attempt, and compare to that in the database. Also add in some rate limiting for login attempts (e.g., 5 per 5 minute period). If the user forgets their password, NEVER email them the password (as you won't have it stored), nor email them a new generated password, but email them a link to change that password with a change password key/nonce/salt in the URL that you can check against.
因此,要进行身份验证,请使用提供的用户名从数据库中获取用户,然后使用通过他们的登录尝试提供的密码生成相同的哈希值,并与数据库中的密码进行比较。还要为登录尝试添加一些速率限制(例如,每 5 分钟 5 次)。如果用户忘记了他们的密码,切勿将密码通过电子邮件发送给他们(因为您不会将其存储),也不要将新生成的密码通过电子邮件发送给他们,而是通过电子邮件向他们发送一个链接以使用更改密码密钥/随机数/盐更改该密码您可以检查的 URL。
回答by Jesse
MD5 or SHA-256 would be fine, although MD5 is crackable now.
MD5 或 SHA-256 没问题,尽管 MD5 现在可以破解。
Maybe I misunderstood the problem, but it should be just comparing the hashed passwords.
也许我误解了这个问题,但它应该只是比较散列密码。
In hibernate, just store as a String. On the validation side, have a method like:
在休眠中,只需存储为字符串。在验证方面,有一个方法,如:
public validate(String user, String pass)
{
if(getUser(user).getPass().equals(getHash(pass)))
return true;
return false;
}
回答by Kevin
You can use Jasypt with Hibernateto encrypt or hash your properties on the fly if thats what you're looking for. The actual algorithm for computing digests (hashes) is pretty simple using the JCE if you want to roll your own as well.
如果这就是您要找的,您可以使用Jasypt 和 Hibernate来动态加密或散列您的属性。如果您也想推出自己的摘要,那么使用 JCE 计算摘要(散列)的实际算法非常简单。
回答by Will Sargent
There doesn't seem to be a Hibernate specific way to do it with Jasypt, but you can set up a password encryptor in Spring:
Jasypt 似乎没有特定于 Hibernate 的方法,但是您可以在 Spring 中设置密码加密器:
<!--
Set up string digester here so we can configure it for more pools if it's a problem...
-->
<bean id="stringDigester" class="org.jasypt.digest.PooledStringDigester">
<!-- same settings as StrongPasswordGenerator -->
<property name="poolSize" value="2"/>
<property name="algorithm" value="SHA-256"/>
<property name="iterations" value="100000"/>
<property name="saltGenerator">
<bean class="org.jasypt.salt.RandomSaltGenerator"/>
</property>
<property name="saltSizeBytes" value="16"/>
</bean>
<!-- ...and then we only have to deal with the passwordEncryptor interface in code. -->
<bean id="passwordEncryptor" class="com.myproject.util.StringPasswordEncryptor">
<property name="stringDigester" ref="stringDigester"/>
</bean>
After that, you call context.getBean("passwordEncryptor") to get the encryptor, and then call either encryptPassword() or checkPassword().
之后,您调用 context.getBean("passwordEncryptor") 以获取加密器,然后调用 encryptPassword() 或 checkPassword()。
回答by mwojtera
If you are using Spring in your application, then you can also use Spring Security,which provides you with several password encoders, i.e. ShaPasswordEncoderYou can find it on StackOverflow
如果你在你的应用程序中使用 Spring,那么你也可以使用Spring Security,它为你提供了几个密码编码器,即ShaPasswordEncoder你可以在StackOverflow上找到它
