Java - 从配置文件加密/解密用户名和密码 [英] Java - encrypt / decrypt user name and password from a configuration file
问题描述
-
将加密的用户名/密码存储在Web服务客户端上。从配置读取。客户端的文件,解密和发送。
-
将加密的用户名/密码存储在Web服务器上。从配置读取。文件在网络服务器上解密并在Web服务中使用。
用户名/密码由网络服务访问第三方应用程序。
客户端已经有提供此功能的类,但这种方法涉及将用户名/密码发送到清除(尽管在内部网)。他们更喜欢存储信息。在网络服务中,但不是真的要支付他们已经拥有的东西。 (安全性不是一个很大的考虑因素,因为它只在他们的内部网内)。
所以我们需要Java中的快捷方便。
任何建议?
服务器是Tomkat 5.5。 Web服务是Axis2。
- 我们应该使用什么加密/解密包?
- 一个关键商店?
- 我们应该使用什么配置机制?
- 这将很容易部署吗?
Store the encrypted user name / password on the web service client. Read from a config. file on the client side, decrypt and send.
Store the encrypted user name / password on the web server. Read from a config. file on the web server, decrypt and use in the web service.
- What encrypt / decrypt package should we use?
- What about a key store?
- What configuration mechanism should we use?
- Will this be easy to deploy?
在内联网上肯定不会驳回安全性的理由。内部人士对信息造成的损害最大。看看受保护的价值,并适当考虑安全性。
这听起来像是有第三方应用程序,您有一套凭据,以及一些在使用第三方应用程序时有效分享此身份的客户端。如果是这样,我建议采用以下方法。
不要将第三方密码分发到Web服务器之外。
最安全的方法是以交互方式将其提供给Web应用程序。这可能是ServletContextListener,它在应用程序启动时提示输入密码,或应用程序中的页面,以便管理员可以通过表单输入密码。密码存储在ServletContext中,用于验证对第三方服务的请求。
安全降级是将密码存储在服务器的文件系统上它只能由运行服务器的用户读取。这取决于服务器的文件系统保护权限。
尝试在客户端或服务器上存储密码的加密形式,只是向后退一步。当您尝试用另一个秘密保护秘密时,您将陷入无限的倒退。
此外,客户端应向服务器进行身份验证。如果客户端是交互式的,请让用户输入密码。然后,服务器可以决定该用户是否被授权访问第三方服务。如果客户端不具有交互性,则最好的安全措施是使用文件系统权限来保护客户端的密码。
为了保护客户端的凭据,客户端和您的Web服务器应使用SSL进行保护。在这里,在内部网上运行是有利的,因为您可以在服务器上使用自签名证书。
如果您将密码存储在文件中,请将其放入自己档案;它使得需要仔细管理权限更显眼,并最大限度地减少了许多用户编辑该文件并因此查看密码的需要。
We are busy developing a Java web service for a client. There are two possible choices:
The user name / password is used by the web service to access a third-party application.
The client already has classes that provide this functionality but this approach involves sending the user name / password in the clear (albeit within the intranet). They would prefer storing the info. within the web service but don't really want to pay for something they already have. (Security is not a big consideration because it's only within their intranet).
So we need something quick and easy in Java.
Any recommendations?
The server is Tomkat 5.5. The web service is Axis2.
Being on the intranet certainly does not justify dismissing security. Most damage done to information is by insiders. Look at the value of what's being protected, and give due consideration to security.
It sounds like there's a third-party application, for which you have one set of credentials, and some clients that effectively share this identity when using the third-party application. If that's the case, I recommend the following approach.
Don't distribute the third-party password beyond your web server.
The safest way to do this is to provide it to the web application interactively. This could be ServletContextListener that prompts for the password as the application starts, or a page in the application so that a admin can enter it through a form. The password is stored in the ServletContext and used to authenticate requests to the third-party service.
A step down in safety is to store the password on the server's file system so that it's readable only by the user running the server. This relies on the server's file system permissions for protection.
Trying to store an encrypted form of the password, on the client or the server, is just taking one step backward. You fall into an infinite regress when trying to protect a secret with another secret.
In addition, the clients should authenticate themselves to the server. If the client is interactive, have the users enter a password. The server can then decide if that user is authorized to access the third-party service. If the client is not interactive, the next best security is to protect the client's password using file system permissions.
To protect the clients' credentials, the channel between the client and your web server should be protected with SSL. Here, operating on an intranet is advantageous, because you can use a self-signed certificate on the server.
If you do store passwords in a file, put them in a file by themselves; it makes the need to manage permissions carefully more conspicuous, and minimizes the need for many users to be editing that file and thus seeing the password.
这篇关于Java - 从配置文件加密/解密用户名和密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
