Authenticating DotNetNuke Users in ColdFusion
Problem description
Is there any way to authenticate users from other web apps using the DNN logins?
We have a main site that is using DNN and user logins are stored in the asp net membership table. From what I have been reading, the passwords are encrypted using the machine key and then salted. I see where this info is, but can't seem to encrypt passwords correctly using this method.
I'm trying with a ColdFusion web application on the same server where our DNN site is, but it doesn't want to work. You'd think it would be straightforward with the ColdFusion encryption function:
Encrypt(passwordstring, key [, algorithm, encoding, IVorSalt, iterations])
No matter what I try, I never get a matching value.
Any help, insight or pointing me in the right direction would be greatly appreciated!
(Edit: Original answer did not work in all cases. Substantially revised ...)
From what I have read, DNN uses an "SHA1" hash by default. The thread @barnyr posted shows it simply hashes the concatenated salt and password, but with a few twists.
- DNN uses UTF-16LE to extract the password bytes, rather than CF's typical UTF-8.
- It also extracts the salt and password bytes separately, which may produce different results than just decoding everything as a single string, which is what hash() does. (See demo below)
Given that Hash does not accept binary, I do not think it is possible to duplicate the results with native CF functions alone. Instead I would suggest decoding the strings into binary, then using Java directly:
Code:
<cfscript>
thePassword = "DT!@12";
base64Salt = "+muo6gAmjvvyy5doTdjyaA==";
// extract bytes of the salt and password
saltBytes = binaryDecode(base64Salt, "base64");
passBytes = charsetDecode(thePassword, "UTF-16LE" );
// next combine the bytes. note, the returned arrays are immutable,
// so we cannot use the standard CF tricks to merge them
ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");
dataBytes = ArrayUtils.addAll( saltBytes, passBytes );
// hash binary using java
MessageDigest = createObject("java", "java.security.MessageDigest").getInstance("SHA-1");
MessageDigest.update(dataBytes);
theBase64Hash = binaryEncode(MessageDigest.digest(), "base64");
WriteOutput("theBase64Hash= "& theBase64Hash &"<br/>");
</cfscript>
Demo of Differences:
<cfscript>
theEncoding = "UTF-16LE";
thePassword = "DT!@12";
base64Salt = "+muo6gAmjvvyy5doTdjyaA==";
// extract the bytes SEPARATELY
saltBytes = binaryDecode(base64Salt, "base64");
passBytes = charsetDecode(thePassword, theEncoding );
ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");
separateBytes = ArrayUtils.addAll( saltBytes, passBytes );
// concatenate first, THEN extract the bytes
theSalt = charsetEncode( binaryDecode(base64Salt, "base64"), theEncoding );
concatenatedBytes = charsetDecode( theSalt & thePassword, theEncoding );
// these are the raw bytes BEFORE hashing
WriteOutput("separateBytes= "& arrayToList(separateBytes, "|") &"<br>");
WriteOutput("concatenatedBytes= "& arrayToList(concatenatedBytes, "|") );
</cfscript>
Results:
separateBytes = -6|107|-88|-22|0|38|-114|-5|-14|-53|-105|104|77|-40|-14|104|68|0|84|0|33|0|64|0|49|0|50|0
concatenatedBytes = -6|107|-88|-22|0|38|-114|-5|-14|-53|-105|104|-3|-1|68|0|84|0|33|0|64|0|49|0|50|0
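An independent cross-check of the byte layout described in the answer, with the comparison step a login check needs. This is an added example in Python, not code from the original post; the function names are hypothetical, and the stored hash in the demo is constructed from the answer's sample password and salt because the page does not list one.

```python
import base64
import binascii
import hashlib
import hmac

# Sample values taken from the answer above.
SALT_B64 = "+muo6gAmjvvyy5doTdjyaA=="
PASSWORD = "DT!@12"


def hash_input(password, salt_b64):
    """Raw salt bytes followed by the UTF-16LE password bytes."""
    return base64.b64decode(salt_b64) + password.encode("utf-16-le")


def sha1_digest(password, salt_b64):
    """SHA-1 over the separately extracted salt and password bytes."""
    return hashlib.sha1(hash_input(password, salt_b64)).digest()


def verify_login(password, salt_b64, stored_hash_b64):
    """Compare against the stored base64 hash in constant time."""
    try:
        stored = base64.b64decode(stored_hash_b64, validate=True)
    except (binascii.Error, ValueError):
        return False  # a malformed stored value never authenticates
    return hmac.compare_digest(sha1_digest(password, salt_b64), stored)


def text_first_input(password, salt_b64):
    """The lossy path: treat the salt as UTF-16LE text, then re-encode."""
    salt_text = base64.b64decode(salt_b64).decode("utf-16-le", errors="replace")
    return (salt_text + password).encode("utf-16-le")


def signed(data):
    """Render bytes the way Java/CF prints them (-128..127)."""
    return [b - 256 if b > 127 else b for b in data]


if __name__ == "__main__":
    print("separate  :", "|".join(map(str, signed(hash_input(PASSWORD, SALT_B64)))))
    print("text first:", "|".join(map(str, signed(text_first_input(PASSWORD, SALT_B64)))))
    stored = base64.b64encode(sha1_digest(PASSWORD, SALT_B64)).decode("ascii")  # constructed
    print("correct password:", verify_login(PASSWORD, SALT_B64, stored))
    print("wrong password  :", verify_login("DT!@13", SALT_B64, stored))
```

The replacement bytes Python emits for the invalid UTF-16 sequence in the salt need not match Java's byte for byte; the point is only that the salt does not survive a round trip through text.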