com.sun.faces.ClientStateSavingPassword-有关实际密码的建议? [英] com.sun.faces.ClientStateSavingPassword - recommendations for actual password?
问题描述
在我发现的有关加密ViewState的所有参考页中,关于密码的唯一注释是您的密码在这里".
In all of the reference pages I've found with regards to encrypting the ViewState, the only comment on the password is "your password here".
关于我们应该使用的密码的长度/复杂度有什么建议吗?
Are there any recommendations regarding the length / complexity of the password that we should use?
推荐答案
取决于Mojarra版本.在早期版本中存在一些缺陷/失败.
Depends on Mojarra version. It had several flaws/fails in earlier versions.
在 Mojarra 1.2.x-2.1.18 中,它从未真正使用过.即,JNDI条目名称被错误地记录了.它被记录为com.sun.faces.ClientStateSavingPassword
(带有与web.xml
上下文参数),但代码
In Mojarra 1.2.x - 2.1.18, it was never actually used. The JNDI entry name was namely incorrectly documented. It was documented as com.sun.faces.ClientStateSavingPassword
(with same prefix as Mojarra's other web.xml
context parameters), but the code actually checks for ClientStateSavingPassword
. You should then register it on that name instead.
<env-entry>
<env-entry-name>ClientStateSavingPassword</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>[Your Password]</env-entry-value>
</env-entry>
否则,客户端状态实际上未加密.
Otherwise, the client state is actually not encrypted.
在 Mojarra 1.2.x-2.0.3 中,密码 c3>种子生成真实世界"密码.只是,这很容易 如果密码太简单"并且攻击者成功猜出/暴力破解/篡改了密码,则表示已被入侵.
In Mojarra 1.2.x - 2.0.3, the password will be used as a SecureRandom
seed to generate a DES algorithm key. So, generally, the same rules apply as to "real world" passwords. Only, this can be easily compromised if the password is "too easy" and the attacker successfully guesses/bruteforces/figures the password.
在 Mojarra 2.0.4-2.1.x 中,他们不再使用提供的密码来生成密钥(以防止潜在的麻烦).相反,完全随机的密钥是
In Mojarra 2.0.4 - 2.1.x, they changed the algorithm from DES to AES and the code now don't actually use the provided password anymore to generate the key (to prevent potential comprisions). Instead, a completely random key is generated, which is more safe. The JNDI entry now basically controls whether the client state should be encrypted or not. In other words, it behaves now like a boolean configuration entry. It thus absolutely doesn't matter anymore which password you use.
<env-entry>
<env-entry-name>ClientStateSavingPassword</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>[Any value is interpreted as boolean=true to enable encryption]</env-entry-value>
</env-entry>
In Mojarra 2.1.19 - 2.1.x, they fixed the code to align the documentation on JNDI entry name. So you could use the documented JNDI entry name:
<env-entry>
<env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>[Any value is interpreted as boolean=true to enable encryption]</env-entry-value>
</env-entry>
但是,这仍然不会影响AES密钥(自2.0.4起已更改),它仍然基本上仅启用/禁用加密.
However, this still doesn't affect the AES key, which was changed since 2.0.4, it still basically only enables/disables the encryption.
在 Mojarra 2.2.0-2.3.x 中,作为 总是 加密.仅当web.xml
上下文参数静止结合使用AES算法和
In Mojarra 2.2.0 - 2.3.x, as part of JSF 2.2 specification (chapter 7.8.2), client side state is now by default always encrypted. It will only be disabled when web.xml
context parameter com.sun.faces.disableClientStateEncryption
is set with value true
. It still uses AES algorithm with a completely random key. The JNDI entry com.sun.faces.ClientStateSavingPassword
is now not used anymore.
在 Mojarra 2.2.6-2.3.x 中,它们按照 issue 3087 一个新的JNDI条目,允许您以Base64编码格式指定AES密钥,问题2557 中所述.
In Mojarra 2.2.6 - 2.3.x, they added as per issue 3087 a new JNDI entry which allows you to specify the AES key in Base64 encoded format, the jsf/ClientSideSecretKey
. This is part of the bugfix on failing client side state when a JSF webapp is used in cluster environment, because each server used a different AES key which would only cause a ERROR: MAC did not verify!
when state is restored in a different server than the one which saved the state, as described in issue 2557.
<env-entry>
<env-entry-name>jsf/ClientSideSecretKey</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>[AES key in Base64 format]</env-entry-value>
</env-entry>
您可以使用此 AES密钥生成器来生成一个(刷新页面重新生成),或使用下面的代码片段生成您自己的 Base64 编码的 AES256 密钥:
You can use this AES key generator to generate one (refresh the page to regenerate), or use below snippet to generate your own Base64-encoded AES256 key:
KeyGenerator keyGen = KeyGenerator.getInstance("AES");
keyGen.init(256); // Use 128 for AES128 (when server don't have JCE installed).
String key = Base64.getEncoder().encodeToString(keyGen.generateKey().getEncoded());
System.out.println(key); // Prints AES key in Base64 format.
这篇关于com.sun.faces.ClientStateSavingPassword-有关实际密码的建议?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!