User Authentication by Decryption
Question
I'm trying to avoid DB access upon authentication to improve performance.
A valid solution, after lots of searching, seems to be storing an encrypted string in a cookie and trying to decrypt it upon authentication.
Thus, I am wondering if the following is a good idea:
- Transfer everything over SSL (I'm lazy..)
- Set a global constant key in my program
- Upon registration and password change, generate a new random validation string and store it in the user object
- Generate an encrypted validation string from the validation string and the key
- Store both the unencrypted and the encrypted validation string in the cookie
- When the user tries to log in, decrypt the validation string and check it against the original validation string
If it is an "OK" idea, how do I actually make it work, e.g.:
What encryption method should I use, AES-256?
How do I do this kind of encryption/decryption in Java, using BouncyCastle?
If it is not a good idea, what should I do to avoid querying the DB on authentication?
Thanks in advance!
Recommended answer
The problem you describe above is called "RememberMe". Two approaches to solve your problem:
1) Create your own authentication framework.
Upon successful authentication, put an encrypted value of the username in a cookie (I strongly do not recommend using hashing; also, please do not put the user's password value in it).
The cookie should be persistent for at most 2 weeks.
For encryption please use AES-256 encryption with BouncyCastle: How to use Bouncy Castle lightweight API with AES and PBE (http://stackoverflow.com/questions/2957513/how-to-use-bouncy-castle-lightweight-api-with-aes-and-pbe)
Please do not put any plain values in cookies.
If your framework succeeds in decrypting the cookie, the user is authenticated. If your framework cannot decrypt the cookie or the cookie does not exist, the user is not authenticated.
Upon logout, please clear the cookie.
2) Please consider using the Spring Security framework: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html
It is a great framework and solves a lot of authentication / authorization problems.
Your problem is solved by the "RememberMe" feature: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-remember-me
Please tell me if you need any additional clarifications.
Best regards,
Michael
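An added worked example of approach 1, not code from the question or the answer above: a remember-me cookie in Java that carries an encrypted username plus an expiry, so that "cannot decrypt" really means "reject". It uses the JDK's own javax.crypto AES-256-GCM rather than BouncyCastle's lightweight API (BouncyCastle can be registered as a JCE provider and used through the same Cipher.getInstance call; that is an assumption about the reader's setup, not something the answer shows). GCM is chosen deliberately: with plain AES a tampered cookie still "decrypts" to garbage, whereas GCM's authentication tag makes decryption fail on any modification. The class name, the two-week constant, the "remember-me-v1" associated-data label and the random demo key are all assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Remember-me cookie built with AES-256-GCM (authenticated encryption).
 * Token layout (before Base64url): nonce(12) || ciphertext || GCM tag(16).
 * Plaintext layout: expiryEpochMillis(8) || username(UTF-8).
 * Example code; names and constants are assumptions, not the answer's own code.
 */
public final class RememberMeCookie {
    private static final int NONCE_BYTES = 12;       // 96-bit nonce, the standard GCM nonce size
    private static final int TAG_BITS = 128;          // full-length authentication tag
    private static final long MAX_AGE_MILLIS = 14L * 24 * 60 * 60 * 1000; // two weeks, as in the answer
    private static final byte[] AAD = "remember-me-v1".getBytes(StandardCharsets.UTF_8); // binds purpose/version
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;

    /** @param rawKey 32 bytes gives AES-256; in a real deployment load it from a secrets store. */
    public RememberMeCookie(byte[] rawKey) {
        if (rawKey.length != 32) throw new IllegalArgumentException("need a 256-bit key");
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Issue a cookie value for username that expires at nowMillis + MAX_AGE_MILLIS. */
    public String issue(String username, long nowMillis) throws GeneralSecurityException {
        byte[] name = username.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + name.length)
                .putLong(nowMillis + MAX_AGE_MILLIS).put(name).array();
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                         // fresh nonce per token: GCM breaks on nonce reuse
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(AAD);
        byte[] ct = c.doFinal(plain);                 // ciphertext || tag
        byte[] token = ByteBuffer.allocate(NONCE_BYTES + ct.length).put(nonce).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(token);
    }

    /** Returns the username if the cookie is authentic and not expired; otherwise empty (not authenticated). */
    public Optional<String> verify(String cookie, long nowMillis) {
        try {
            byte[] token = Base64.getUrlDecoder().decode(cookie);
            if (token.length < NONCE_BYTES + 8 + TAG_BITS / 8) return Optional.empty(); // too short to be ours
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, token, 0, NONCE_BYTES));
            c.updateAAD(AAD);
            // doFinal throws AEADBadTagException if any bit of nonce, ciphertext, tag or AAD was changed
            byte[] plain = c.doFinal(token, NONCE_BYTES, token.length - NONCE_BYTES);
            ByteBuffer buf = ByteBuffer.wrap(plain);
            long expiry = buf.getLong();
            if (nowMillis > expiry) return Optional.empty(); // expired: treat like a missing cookie
            byte[] name = new byte[buf.remaining()];
            buf.get(name);
            return Optional.of(new String(name, StandardCharsets.UTF_8));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return Optional.empty();                  // bad Base64, bad tag or wrong key: not authenticated
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] rawKey = new byte[32];
        RNG.nextBytes(rawKey);                        // demo only; a real key is fixed and kept secret
        RememberMeCookie rm = new RememberMeCookie(rawKey);
        long now = System.currentTimeMillis();
        String cookie = rm.issue("alice", now);
        System.out.println("cookie        = " + cookie);
        System.out.println("valid now    -> " + rm.verify(cookie, now));
        System.out.println("after 15 days-> " + rm.verify(cookie, now + 15L * 24 * 60 * 60 * 1000));
        // Flip one ciphertext bit: the GCM tag check fails, so the cookie is rejected rather than decrypted to garbage.
        byte[] raw = Base64.getUrlDecoder().decode(cookie);
        raw[NONCE_BYTES] ^= 0x01;
        String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        System.out.println("tampered     -> " + rm.verify(tampered, now));
    }
}
```

Design notes: the expiry lives inside the ciphertext, so the two-week limit is enforced by the server and not only by the browser's cookie lifetime; the same key plus a different associated-data label gives a separate token type that this verifier will not accept; and on logout the server simply clears the cookie, as the answer says, since no DB state is involved. Compile and run with `javac RememberMeCookie.java && java RememberMeCookie` (Java 8 or later); the first two lines print `Optional[alice]`, the expired and tampered cases print `Optional.empty`.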