用户通过解密认证 [英] User Authentication by Decryption
问题描述
我试图通过身份验证来避免数据库访问,以提高性能
一个有效的解决方案,经过大量的搜索似乎是将加密的字符串存储在cookie中,并尝试
因此,我想知道如果以下是一个好主意:
- 通过SSL发送所有内容(我很懒惰)
- 在我的程序中设置全局常量密钥
- 生成一个新的随机验证字符串注册和密码更改后,将其存储在用户对象中
- 生成带有验证字符串和密钥的加密验证字符串
- 当用户尝试登录,解密验证字符串并检查原始验证字符串
时,cookie中的未加密和加密的验证字符串
如果它是一个OK的想法,我该如何实际使其工作,如:
什么加密方法应该我使用AES-256?
如何使用Bouncycastle在Java中进行这种加密/解密?
如果不是一个好主意,应该怎么做才能避免在验证时查询DB?
提前!
以上描述的问题称为RememberMe。
解决问题的两种方法:
1)创建自己的认证框架。成功的认证成功后,将cookie加密为一个用户名(我强烈建议不要使用哈希;也请不要输入用户密码)。
Cookie应该持续至多2周。
对于加密,请使用AES-256加密BouncyCastle:
如何使用Bouncy具有AES和PBE的城堡轻量级API
请勿在Cookie中放置任何简单的值。
如果你的框架成功解密了cookie - 用户被认证。如果您的框架无法解密cookie或Cookie不存在 - 用户未通过身份验证。
注销后请清理cookie。
2)请考虑使用Spring Security框架:
http://static.springsource.org/spring-security/site/ docs / 3.1.x / reference / springsecurity-single.html
这是一个很棒的框架,解决了很多身份验证/授权问题。 >
您的问题由RememberMe功能解决:
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity -single.html#ns-remember-me
请告诉我是否需要任何其他说明。
祝福,
Michael
I'm trying to avoid DB access upon authentication to improve performance
a valid solution after lots of searching seems to be storing an encrypted string in cookie and try to decrypt it upon authentication.
Thus, I am wondering if the following is a good idea:
- transmit everything via SSL (I'm lazy..)
- set a global constant secret key in my program
- generate a new random verification string upon registration and password change, store it in the User object
- generate an encrypted verification string with verification string and secret key
- store the unencrypted and encrypted verification strings in the cookie
- when user tries to login, decrypt the verification string and check against the original verification string
if it is an "OK" idea, how do I actually make it work, like:
what encryption method should I use, AES-256?
how do I do this kind of encryption/decryption in Java, using Bouncycastle?
if it is not a good idea, what should I do to avoid querying DB on authentication?
thans in advance!
The problem you describe above is called "RememberMe". Two approaches to solve your problem:
1) Create your own authentication framework.
Upon the successful authentication put in a cookie an encrypted value of a username (I strongly not recommend to use hashing; also please do not put the user password value).
The cookie should be persistent at most for 2 weeks.
For encryption please use AES-256 encryption with BouncyCastle: How to use Bouncy Castle lightweight API with AES and PBE Please do not put any plain values in cookies. If your framework success to decrypt the cookie – the user is authenticated. If your framework cannot decrypt the cookie or the cookie does not exist - the user is not authenticated. Upon the logout please clean the cookie.
2) Please consider to use the Spring Security framework: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html
It is the great framework and solves a lot of authentication / authorization problems.
Your problem is solved by the "RememberMe" feature: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#ns-remember-me
Please tell me if you need any additional clarifications.
Best regards,
Michael
这篇关于用户通过解密认证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
