Question

In my web app which uses servlets and hibernate. I need to authenticate a Customer who enters a password.

If he is already in database, I need to check if his password matches that of the record in db.For a new Customer, I want to take a password and create a record for him. I tried to do it this way for the scenarios.

现有客户进入电子邮件地址和密码

String email = req.getParameter("emailAddress");
String password = req.getParameter("password");
Customer cust = dao.findByEmailAddress(email);

现在,我如何检查这个黄色物体是否与密码有关,是否与用户的相匹配? 曼宁的藏书实例将密码作为客户阶层的长处。这是一种好的想法吗? 如何储存在数据库中?

在使用秘密时,如何处理这一问题? 我听到有人提到,传闻像过去一样。但我不相信我能怎样做。

Can someone tell me how I can tackle this?

Answer 1

你们必须决定如何储存密码。如果你把他们作为解放实体储存起来,他们将储存在数据库中,内容明确。任何人都可以查阅数据库。本案的评议包括将发送的密码与数据库中的密码进行比较。

There are two other possibilities

The first one consists in encrypting them with a secret key before storing them in database. But this secret key will have to be stored somewhere in order for your application to decrypt them and compare the decrypted password with the one sent by the user. But it could at least reduce the visibility of the password only to the persons having acces to the application deployment directory. Authenticating in this case consists in decrypting the password stored in database with the secret key, and compare it with the password sent by the user. If they are equal, then the user sent the correct password.

最后一种可能性是使用单向散射算法(例如SHA-1,又称电文摘要算法)。这样,就不需要秘密钥匙,任何人都很难(现在:几乎不可能)查阅密码(如果密码被打盐的话)。这一解决办法的缺点是,如果用户放松其密码,那么你就能够寄出他。唯一的可能性是使他重新获得新的价值,向用户发出这一新的密码,并请他选择新的密码。在此情况下,对用户进行认证,包括打上他发出的密码,并与数据库中储存的散射器进行比较。

http://en.wikipedia.org/wiki/Salt_(加密技术” rel=“nofollow”>http://en.wikipedia.org/wiki/Salt_(加密技术),以提供更详细的解释。

Answer 2

删除简单案文的口号从来不是一个好的想法。事实上,在

You need to encrypt the passwords before writing them in the database. When searching for a user use the encrypted password

String email = req.getParameter("emailAddress");
String password = req.getParameter("password");
String encryptedPassword = MD5Helper.hashPassword(password)
Customer cust = dao.findByEmailAddressAndPassword(email, encryptedPassword);

你们可以使用MD5算法对密码进行加密。

public class MD5Helper {

    private static final int MD5_PASSWORD_LENGTH = 16;

    public static String hashPassword(String password) {
        String hashword = null;
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            md5.update(password.getBytes());
            BigInteger hash = new BigInteger(1, md5.digest());
            hashword = hash.toString(MD5_PASSWORD_LENGTH);
        } catch (NoSuchAlgorithmException nsae) {
            // handle exception
        }
        return hashword;
    }
}

Answer 3

通常密码储存在数据库中,如果输入密码相匹配,则你必须加密。

String passwordEncrypted = encrypt(password);

where encrypt is your function that crypt the password (you can try with MD5 or SHA-1, for example).

在您检索到的标码<>cust后,您可核查

if (cust.getPassword().equals(passwordEncrypted)) {
    // login successfull code
} else {
    // login failed code
}

友情链接