WildFly(8.2)中处理随机盐值密码存储在数据库中的方法是什么?
org.jboss.crypto.digest.DigestCallback
的实现(在密码验证过程中)是否可以访问数据库中的盐值部分?
还是说我应该在将密码交给HttpServletRequest
的login
方法之前自行哈希和盐化密码?
modules/
下创建一个文件夹,添加一个模块到WildFly中,如下所示:
C:\WildFly\v8.2.0\modules\de\rtner\PBKDF2\main
将PBKDF2-1.1.0.jar
文件和以下内容的module.xml
文件放入其中:
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.1" name="de.rtner.PBKDF2">
<resources>
<resource-root path="PBKDF2-1.1.0.jar"/>
</resources>
<dependencies>
<module name="org.picketbox"/>
<module name="javax.api"/>
</dependencies>
</module>`
然后,在 standalone.xml
中添加一个领域配置:
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<!-- .... -->
<security-domain name="MyRealm">
<authentication>
<login-module code="de.rtner.security.auth.spi.SaltedDatabaseServerLoginModule" flag="required" module="de.rtner.PBKDF2">
<module-option name="dsJndiName" value="java:/jdbc/MyDS"/>
<module-option name="principalsQuery" value="SELECT password FROM users WHERE username = ?"/>
<module-option name="rolesQuery" value="SELECT roles.name AS groupid, 'Roles' FROM roles INNER JOIN user_roles ON roles.name = users.username WHERE users.username = ?"/>
<module-option name="unauthenticatedIdentity" value="guest"/>
<!-- DEFAULT HASHING OPTIONS:
<module-option name="hmacAlgorithm" value="HMacSHA1" />
<module-option name="hashCharset" value="UTF-8" />
<module-option name="formatter" value="de.rtner.security.auth.spi.PBKDF2HexFormatter" />
<module-option name="engine" value="de.rtner.security.auth.spi.PBKDF2Engine" />
<module-option name="engine-parameters" value="de.rtner.security.auth.spi.PBKDF2Parameters" />
-->
</login-module>
</authentication>
</security-domain>
<!-- .... -->
</security-domains>
</subsystem>
DatabaseLoginModule
相同。默认哈希选项无需指定(因为它们是默认值),但在创建新用户时,您需要了解它们(并正确设置它们),以便使用相同的参数正确地哈希其密码。public static String hash(String plainText, String storedPassword) {
if (plainText == null) return null;
SimplePBKDF2 crypto = new SimplePBKDF2();
PBKDF2Parameters params = crypto.getParameters();
params.setHashCharset("UTF-8");
params.setHashAlgorithm("HmacSHA1");
params.setIterationCount(1000);
if (storedPassword != null) {
new PBKDF2HexFormatter().fromString(params, storedPassword);
}
return crypto.deriveKeyFormatted(plainText);
}
null
作为storedPassword
传递:String password = hash('MySecretPassword', null);
密码
最终可能会看起来像这样:
"192EAEB3B7AA40B1:1000:4C137AF7AD0F3999D18E2B9E6FB726D5C07DE7D5"
比较密码时,调用同一函数,传递原始密码,然后比较结果:
String enteredPassword = hash(userInput, password);
if (enteredPassword.equals(password)) {
// Ok!
}