本文介绍了一种使用MD5加密的记住我功能实现方式。通过在用户登录时将用户名、过期时间和密钥等信息进行MD5加密并存储为Cookie,即使Cookie被截获,攻击者也无法获取到用户的明文密码。
[code]if (SecurityContextHolder.getContext().getAuthentication() == null) {
Authentication rememberMeAuth = rememberMeServices.autoLogin(httpRequest, httpResponse);
if (rememberMeAuth != null) {
// Attempt authenticaton via AuthenticationManager
try {
authenticationManager.authenticate(rememberMeAuth);
// Store to SecurityContextHolder
SecurityContextHolder.getContext().setAuthentication(rememberMeAuth);
if (logger.isDebugEnabled()) {
logger.debug("SecurityContextHolder populated with remember-me token: '"
+ SecurityContextHolder.getContext().getAuthentication() + "'");
}
// Fire event
if (this.eventPublisher != null) {
eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
SecurityContextHolder.getContext().getAuthentication(), this.getClass()));
}
} catch (AuthenticationException authenticationException) {
if (logger.isDebugEnabled()) {
logger.debug(
"SecurityContextHolder not populated with remember-me token, as AuthenticationManager rejected Authentication returned by RememberMeServices: '"
+ rememberMeAuth + "'; invalidating remember-me token", authenticationException);
}
rememberMeServices.loginFail(httpRequest, httpResponse);
}
}[/code]
for the protected url,if the security context is null,the RememberMeProcessingFilter will get the cookie from local which way is the same
as inputing the name and pass in the form.it will create an
RememberMeAuthenticationToken from the cookie.see the code:
[code]
RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(this.key, userDetails,
userDetails.getAuthorities());
auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
[/code]
The key component is the rememberMeServices see how it write and read the cookie:
write:
[code]
String signatureValue = new String(DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key));
String tokenValue = username + ":" + expiryTime + ":" + signatureValue;
String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));
response.addCookie(makeValidCookie(expiryTime, tokenValueBase64, request));[/code];
read:
[code] String expectedTokenSignature = DigestUtils.md5Hex(userDetails.getUsername() + ":"
+ tokenExpiryTime + ":" + userDetails.getPassword() + ":" + this.key);
if (!expectedTokenSignature.equals(cookieTokens[2])) {
cancelCookie(request, response,
"Cookie token[2] contained signature '" + cookieTokens[2] + "' but expected '"
+ expectedTokenSignature + "'");
return null;
}[/code];
u could see the cookie is encripted by MD5,so if even attackers get
the cookie,he can't get the passward.
after geting the RememberMeAuthenticationToken ,it pass it to the
authenticationManager for more authentication.
Authentication rememberMeAuth = rememberMeServices.autoLogin(httpRequest, httpResponse);
if (rememberMeAuth != null) {
// Attempt authenticaton via AuthenticationManager
try {
authenticationManager.authenticate(rememberMeAuth);
// Store to SecurityContextHolder
SecurityContextHolder.getContext().setAuthentication(rememberMeAuth);
if (logger.isDebugEnabled()) {
logger.debug("SecurityContextHolder populated with remember-me token: '"
+ SecurityContextHolder.getContext().getAuthentication() + "'");
}
// Fire event
if (this.eventPublisher != null) {
eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(
SecurityContextHolder.getContext().getAuthentication(), this.getClass()));
}
} catch (AuthenticationException authenticationException) {
if (logger.isDebugEnabled()) {
logger.debug(
"SecurityContextHolder not populated with remember-me token, as AuthenticationManager rejected Authentication returned by RememberMeServices: '"
+ rememberMeAuth + "'; invalidating remember-me token", authenticationException);
}
rememberMeServices.loginFail(httpRequest, httpResponse);
}
}[/code]
for the protected url,if the security context is null,the RememberMeProcessingFilter will get the cookie from local which way is the same
as inputing the name and pass in the form.it will create an
RememberMeAuthenticationToken from the cookie.see the code:
[code]
RememberMeAuthenticationToken auth = new RememberMeAuthenticationToken(this.key, userDetails,
userDetails.getAuthorities());
auth.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));
[/code]
The key component is the rememberMeServices see how it write and read the cookie:
write:
[code]
String signatureValue = new String(DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key));
String tokenValue = username + ":" + expiryTime + ":" + signatureValue;
String tokenValueBase64 = new String(Base64.encodeBase64(tokenValue.getBytes()));
response.addCookie(makeValidCookie(expiryTime, tokenValueBase64, request));[/code];
read:
[code] String expectedTokenSignature = DigestUtils.md5Hex(userDetails.getUsername() + ":"
+ tokenExpiryTime + ":" + userDetails.getPassword() + ":" + this.key);
if (!expectedTokenSignature.equals(cookieTokens[2])) {
cancelCookie(request, response,
"Cookie token[2] contained signature '" + cookieTokens[2] + "' but expected '"
+ expectedTokenSignature + "'");
return null;
}[/code];
u could see the cookie is encripted by MD5,so if even attackers get
the cookie,he can't get the passward.
after geting the RememberMeAuthenticationToken ,it pass it to the
authenticationManager for more authentication.
扫一扫
1639
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
