Authenticating DotNetNuke Users in ColdFusion

Question

Is there any way to authenticate users from other web apps using the DNN logins?

We have a main site that is using DNN and user logins are stored in the asp net membership table. From what I have been reading, the passwords are encrypted using the machine key and then salted. I see where this info is, but can't seem to encrypt passwords correctly using this method.

I'm trying with a ColdFusion web application on the same server where our DNN site is, but it doesn't want to work. You'd think it would be straightforward with the ColdFusion encryption function:

    Encrypt(passwordstring, key [, algorithm, encoding, IVorSalt, iterations])

No matter what I try, I never get a matching value.

Any help, insight or pointing me in the right direction would be greatly appreciated!

Recommended answer

(The original answer did not work in all cases. Substantially revised...)

From what I have read, DNN uses an "SHA1" hash by default. The thread @barnyr posted shows it simply hashes the concatenated salt and password, but with a few twists.

  • DNN uses UTF-16LE to extract the password bytes, rather than CF's typical UTF-8.
  • It also extracts the salt and password bytes separately, which may produce different results than just decoding everything as a single string, which is what hash() does. (See demo below)

Given that CF9's Hash function does not accept binary (supported in CF11), I do not think it is possible to duplicate the results with native CF functions alone. Instead I would suggest decoding the strings into binary, then using Java directly:

Code:

<cfscript>
    thePassword = "DT!@12";
    base64Salt = "+muo6gAmjvvyy5doTdjyaA==";

    // extract bytes of the salt and password
    saltBytes = binaryDecode(base64Salt, "base64");
    passBytes = charsetDecode(thePassword, "UTF-16LE" );

    // next combine the bytes. note, the returned arrays are immutable, 
    // so we cannot use the standard CF tricks to merge them    
    ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");
    dataBytes = ArrayUtils.addAll( saltBytes, passBytes );

    // hash binary using java
    MessageDigest = createObject("java", "java.security.MessageDigest").getInstance("SHA-1");
    MessageDigest.update(dataBytes);    
    theBase64Hash = binaryEncode(MessageDigest.digest(), "base64");

    WriteOutput("theBase64Hash= "& theBase64Hash &"<br/>");
</cfscript>


Demo of the differences:

<cfscript>
    theEncoding = "UTF-16LE";
    thePassword = "DT!@12";
    base64Salt = "+muo6gAmjvvyy5doTdjyaA==";

    // extract the bytes SEPARATELY
    saltBytes = binaryDecode(base64Salt, "base64");
    passBytes = charsetDecode(thePassword, theEncoding );
    ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");
    separateBytes = ArrayUtils.addAll( saltBytes, passBytes );

    // concatenate first, THEN extract the bytes 
    theSalt = charsetEncode( binaryDecode(base64Salt, "base64"), theEncoding );
    concatenatedBytes = charsetDecode( theSalt & thePassword, theEncoding );

    // these are the raw bytes BEFORE hashing
    WriteOutput("separateBytes= "& arrayToList(separateBytes, "|") &"<br>");        
    WriteOutput("concatenatedBytes= "& arrayToList(concatenatedBytes, "|") );
</cfscript>


Results:

separateBytes     = -6|107|-88|-22|0|38|-114|-5|-14|-53|-105|104|77|-40|-14|104|68|0|84|0|33|0|64|0|49|0|50|0
concatenatedBytes = -6|107|-88|-22|0|38|-114|-5|-14|-53|-105|104|-3|-1|68|0|84|0|33|0|64|0|49|0|50|0 
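
As an independent cross-check of the scheme described in the answer, the following Python reference is an added example (not part of the original answer and not DNN's own code). It builds the same salt-plus-UTF-16LE-password byte string, hashes it with SHA-1, and compares against a stored value in constant time. The function names are assumptions; the sample salt and password are the ones used in the answer.

```python
import base64
import hashlib
import hmac

def hash_input(password: str, base64_salt: str, encoding: str = "utf-16-le") -> bytes:
    """Salt bytes followed by the password bytes, each extracted separately."""
    salt = base64.b64decode(base64_salt, validate=True)
    return salt + password.encode(encoding)

def dnn_sha1_base64(password: str, base64_salt: str, encoding: str = "utf-16-le") -> str:
    """Base64 SHA-1 of salt + password, the scheme the answer describes."""
    digest = hashlib.sha1(hash_input(password, base64_salt, encoding)).digest()
    return base64.b64encode(digest).decode("ascii")

def verify(password: str, base64_salt: str, stored_base64_hash: str) -> bool:
    """Check a login attempt against the stored hash without leaking timing."""
    try:
        stored = base64.b64decode(stored_base64_hash, validate=True)
        candidate = hashlib.sha1(hash_input(password, base64_salt)).digest()
    except ValueError:  # malformed base64 or unencodable password: no match
        return False
    return hmac.compare_digest(candidate, stored)

def signed_bytes(data: bytes) -> list:
    """Render bytes as Java/ColdFusion prints them (-128..127)."""
    return [b - 256 if b > 127 else b for b in data]

def salt_is_valid_utf16le(base64_salt: str) -> bool:
    """False when the raw salt cannot round-trip through a UTF-16LE string."""
    try:
        base64.b64decode(base64_salt).decode("utf-16-le")
        return True
    except UnicodeDecodeError:
        return False

if __name__ == "__main__":
    SALT, PASSWORD = "+muo6gAmjvvyy5doTdjyaA==", "DT!@12"  # sample values from the answer
    print("|".join(map(str, signed_bytes(hash_input(PASSWORD, SALT)))))
    print("salt decodes as UTF-16LE:", salt_is_valid_utf16le(SALT))
    stored = dnn_sha1_base64(PASSWORD, SALT)  # constructed stand-in for the stored column
    print(verify(PASSWORD, SALT, stored), verify("dt!@12", SALT, stored))
```

The sample salt contains the code unit 0xD84D, a high surrogate with no low surrogate after it, so it is not valid UTF-16. The `-3|-1` in the demo's concatenatedBytes is U+FFFD, the replacement character, encoded as UTF-16LE.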

