Authenticating DotNetNuke Users in ColdFusion


Question

Is there any way to authenticate users from other web apps using the DNN logins?

We have a main site that is using DNN and user logins are stored in the ASP.NET membership table. From what I have been reading, the passwords are encrypted using the machine key and then salted. I see where this info is, but can't seem to encrypt passwords correctly using this method.

I'm trying with a ColdFusion web application on the same server where our DNN site is, but it doesn't want to work. You'd think it would be straightforward with the ColdFusion encryption function:

    Encrypt(passwordstring, key [, algorithm, encoding, IVorSalt, iterations])

No matter what I try, I never get a matching value.

Any help, insight or pointing me in the right direction would be greatly appreciated!

Solution

(Edit: Original answer did not work in all cases. Substantially revised ...)

From what I have read, DNN uses an "SHA1" hash by default. The thread @barnyr posted shows it simply hashes the concatenated salt and password, but with a few twists.

Given that Hash does not accept binary, I do not think it is possible to duplicate the results with native CF functions alone. Instead I would suggest decoding the strings into binary, then using Java directly:

Code:

<cfscript>
    thePassword = "DT!@12";
    base64Salt = "+muo6gAmjvvyy5doTdjyaA==";

    // extract bytes of the salt and password
    saltBytes = binaryDecode(base64Salt, "base64");
    passBytes = charsetDecode(thePassword, "UTF-16LE" );

    // next combine the bytes. note, the returned arrays are immutable, 
    // so we cannot use the standard CF tricks to merge them    
    ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");
    dataBytes = ArrayUtils.addAll( saltBytes, passBytes );

    // hash binary using java
    MessageDigest = createObject("java", "java.security.MessageDigest").getInstance("SHA-1");
    MessageDigest.update(dataBytes);    
    theBase64Hash = binaryEncode(MessageDigest.digest(), "base64");

    WriteOutput("theBase64Hash= "& theBase64Hash &"<br/>");
</cfscript>


Demo of Differences:

<cfscript>
    theEncoding = "UTF-16LE";
    thePassword = "DT!@12";
    base64Salt = "+muo6gAmjvvyy5doTdjyaA==";

    // extract the bytes SEPARATELY
    saltBytes = binaryDecode(base64Salt, "base64");
    passBytes = charsetDecode(thePassword, theEncoding );
    ArrayUtils = createObject("java", "org.apache.commons.lang.ArrayUtils");
    separateBytes = ArrayUtils.addAll( saltBytes, passBytes );

    // concatenate first, THEN extract the bytes 
    theSalt = charsetEncode( binaryDecode(base64Salt, "base64"), theEncoding );
    concatenatedBytes = charsetDecode( theSalt & thePassword, theEncoding );

    // these are the raw bytes BEFORE hashing
    WriteOutput("separateBytes= "& arrayToList(separateBytes, "|") &"<br>");        
    WriteOutput("concatenatedBytes= "& arrayToList(concatenatedBytes, "|") );
</cfscript>


Results:

separateBytes     = -6|107|-88|-22|0|38|-114|-5|-14|-53|-105|104|77|-40|-14|104|68|0|84|0|33|0|64|0|49|0|50|0
concatenatedBytes = -6|107|-88|-22|0|38|-114|-5|-14|-53|-105|104|-3|-1|68|0|84|0|33|0|64|0|49|0|50|0 
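
A cross-check of the hash layout described in the answer, written in Python as an added example (it is not part of the original answer and not DNN's own code). It uses the password and salt from the answer; the function names are hypothetical, and the stored hash is a constructed stand-in for the value in the membership table.

```python
import base64
import hashlib
import hmac

# Password and salt taken from the answer above.
PASSWORD = "DT!@12"
BASE64_SALT = "+muo6gAmjvvyy5doTdjyaA=="


def hash_input(password: str, base64_salt: str) -> bytes:
    """Raw salt bytes followed by the UTF-16LE bytes of the password."""
    return base64.b64decode(base64_salt) + password.encode("utf-16-le")


def dnn_sha1_hash(password: str, base64_salt: str) -> str:
    """Base64 of SHA-1(salt bytes + UTF-16LE password bytes)."""
    digest = hashlib.sha1(hash_input(password, base64_salt)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_password(candidate: str, base64_salt: str, stored_hash: str) -> bool:
    """Recompute the hash and compare it in constant time."""
    computed = dnn_sha1_hash(candidate, base64_salt)
    return hmac.compare_digest(computed.encode("ascii"), stored_hash.encode("ascii"))


def salt_is_valid_text(base64_salt: str, encoding: str = "utf-16-le") -> bool:
    """False when the salt cannot be decoded as text without losing bytes."""
    try:
        base64.b64decode(base64_salt).decode(encoding)
        return True
    except UnicodeDecodeError:
        return False


def as_signed(data: bytes) -> list:
    """Show bytes the way ColdFusion/Java prints them (-128..127)."""
    return [b - 256 if b > 127 else b for b in data]


if __name__ == "__main__":
    print("|".join(map(str, as_signed(hash_input(PASSWORD, BASE64_SALT)))))
    print("salt decodes as UTF-16LE:", salt_is_valid_text(BASE64_SALT))
    # Constructed stand-in for the hash stored in the membership table.
    stored = dnn_sha1_hash(PASSWORD, BASE64_SALT)
    print("correct password:", verify_password(PASSWORD, BASE64_SALT, stored))
    print("wrong password:", verify_password("DT!@13", BASE64_SALT, stored))
```

The strict decode of the salt fails because the raw salt bytes are not valid UTF-16LE text, which is why building a string first and extracting bytes afterwards changes what gets hashed.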

