如何在JSP中编程加密/解密纯文本凭据？ [英] How to programatically encrypt/decrypt plain text credentials in JSP?

问题描述

作为我日常生活的一部分，我有一个不幸的是，管理一个古老的，一个内部的JSP Web应用程序，依赖于以下身份验证模式：

  ... 
 
 //验证用户名和密码。 
 if（（user！= null）&（password！= null）&&（
（user.equals（brianmay）&& password.equals ））|| 
（user.equals（rogertaylor）&& password.equals（queen））|| 
（user.equals（freddiemercury）& password.equals（queen））|| 
（user.equals（johndeacon）&& password.equals（queen））
））{
 //将用户名存储为会话变量。 
 session.putValue（user，user）; 
 
 ... 
  

尽可能多的，女王成员从来不是系统的用户，但无论如何，它确实是一个很好的例子，不是吗？

尽管通过策略，这个客户端通过域身份验证强制执行安全性，因此，这个问题并不被认为是一个安全隐患，但是我的想法至少是使用简单的MD5或SHA1方法来模糊那些纯文本凭据，所以这样敏感的数据是肉眼看不到的。 >

我是一个全新手，当涉及到JSP，所以我真的很感谢任何一个建议，你愿意与我分享。

提前多谢！

解决方案

很难理解您正在考虑的确切方案，我假设密码从请求进来，并且您想要计算发送请求的JSP中的MD5哈希值。之后，您可以将其与预先计算的MD5版本进行比较。如果没有使用https，您甚至可以更安全，并使用 javascript MD5库在提交密码之前哈希密码。

您可以使用Java中的MD5这样的字符串：

  try 
 {
 String digestInput =queen; 
 
 MessageDigest messageDigest = MessageDigest.getInstance（MD5）; 
 messageDigest.update（digestInput.getBytes（））; 
 
 BASE64Encoder base64Encoder = new BASE64Encoder（）; 
 String digestString = base64Encoder.encode（messageDigest.digest（））; 
 
 // digestString现在包含md5哈希值密码
} 
 catch（异常e）
 {
 //在某种类型的日志记录
} 
  

As as part of my daily routine, I have the misfortune of administering an ancient, once "just internal" JSP web application that relies on the following authentication schema:

...

// Validate the user name and password.
if ((user != null) && (password != null) && (
    (user.equals("brianmay") && password.equals("queen")) ||
    (user.equals("rogertaylor") && password.equals("queen")) ||
    (user.equals("freddiemercury") && password.equals("queen")) ||
    (user.equals("johndeacon") && password.equals("queen"))
   )) {
// Store the user name as a session variable.
    session.putValue("user", user);

...

As much as I would like to, the Queen members have never been users of the system but anyway it does make a great example, does it not?

Despite that by policy this client enforces security by domain authentication among other things, therefore this issue isn't seen as a security risk, still, my idea is to at least obfuscate that plain text credentials using perhaps a simple MD5 or SHA1 method, so such sensitive data is not visible to the naked eye.

I'm a total newbie when it comes to JSP so I would really appreciate any piece of advice you'd be willing to share with me.

Thanks much in advance!

解决方案

It is hard to understand the exact scheme you are thinking about but I assume the password is coming in from a request and you want to calculate the MD5 hash in a JSP that the request is being sent to. After that you can compare it to the pre-computed MD5 version. You could even be more secure if it isn't being done with https and use a javascript MD5 library to hash the password before submitting it.

You can MD5 a string in java like this:

try
{
  String digestInput = "queen";

  MessageDigest messageDigest = MessageDigest.getInstance("MD5");
  messageDigest.update(digestInput.getBytes());

  BASE64Encoder base64Encoder = new BASE64Encoder();
  String digestString = base64Encoder.encode(messageDigest.digest());

  // digestString now contains the md5 hashed password
}
catch (Exception e)
{
  // do some type of logging here
}

这篇关于如何在JSP中编程加密/解密纯文本凭据？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！