909
java.security.MessageDigest的使用(2),生成安全令牌!
時候,我們需要產生一個數據,這個數據保存了用戶的信息,但加密後仍然有可能被人使用,即便他人不確切的了解詳細信息...
好比,我們在上網的時候,很多網頁都會有一個信息,是否保存登錄信息,以便下次可以直接登錄而不必再次輸入賬戶,密碼等...而通常這樣需要Cookie保存用戶信息,當然,這個信息是加密信息,且一般都加了時間戳等驗證信息的...
登陸時,讀取cookie,解析cookie的信息,以及如時間戳等附加信息.如果沒有時間戳...那麼任何人隻要有這個cookie,複製cookie到他的電腦中,然後登陸相同的頁麵,即便盜用者並不知道用戶的信息是什麼,也能登陸...
所以,時間戳就類似我們所說的安全令牌.
方式,將用戶信息MD5加密後,再將時間戳MD5加密,然後按照特定的處理,將加密後的用戶信息以及時間戳,ip地址等信息再次處理,加密後,生成cookie保存客戶端...這樣就避免了前麵所說的安全問題...
java.security.MessageDigest,在創建安全令牌上,比MD5更簡便.因為update方法!!!
view plaincopy to clipboardprint?
package cn.vicky.utils;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
/**
* 令牌處理器
*
* @author Vicky
* @emial eclipser@163.com
*
*/
public class TokenProcessor {
private static TokenProcessor instance = new TokenProcessor();
private long previous;
protected TokenProcessor() {
}
public static TokenProcessor getInstance() {
return instance;
}
public synchronized String generateToken(String msg, boolean timeChange) {
try {
long current = System.currentTimeMillis();
if (current == previous) current++;
previous = current;
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(msg.getBytes());
if (timeChange) {
// byte now[] = (current+"").toString().getBytes();
byte now[] = (new Long(current)).toString().getBytes();
md.update(now);
}
return toHex(md.digest());
} catch (NoSuchAlgorithmException e) {
return null;
}
}
private String toHex(byte buffer[]) {
StringBuffer sb = new StringBuffer(buffer.length * 2);
for (int i = 0; i < buffer.length; i++) {
sb.append(Character.forDigit((buffer[i] & 240) >> 4, 16));
sb.append(Character.forDigit(buffer[i] & 15, 16));
}
return sb.toString();
}
}
package cn.vicky.utils;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
/**
* 令牌處理器
*
* @author Vicky
* @emial eclipser@163.com
*
*/
public class TokenProcessor {
private static TokenProcessor instance = new TokenProcessor();
private long previous;
protected TokenProcessor() {
}
public static TokenProcessor getInstance() {
return instance;
}
public synchronized String generateToken(String msg, boolean timeChange) {
try {
long current = System.currentTimeMillis();
if (current == previous) current++;
previous = current;
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(msg.getBytes());
if (timeChange) {
// byte now[] = (current+"").toString().getBytes();
byte now[] = (new Long(current)).toString().getBytes();
md.update(now);
}
return toHex(md.digest());
} catch (NoSuchAlgorithmException e) {
return null;
}
}
private String toHex(byte buffer[]) {
StringBuffer sb = new StringBuffer(buffer.length * 2);
for (int i = 0; i < buffer.length; i++) {
sb.append(Character.forDigit((buffer[i] & 240) >> 4, 16));
sb.append(Character.forDigit(buffer[i] & 15, 16));
}
return sb.toString();
}
}
測試
view plaincopy to clipboardprint?
@Test
public void testGenerateToken(){
String token = new TokenProcessor().generateToken("Vicky",true);
System.err.println(token);
String token2 = new TokenProcessor().generateToken("Vicky",false);
System.err.println(token2);
}
@Test
public void testGenerateToken(){
String token = new TokenProcessor().generateToken("Vicky",true);
System.err.println(token);
String token2 = new TokenProcessor().generateToken("Vicky",false);
System.err.println(token2);
}
執行後打印:
69ff8ae72232da59a613ecc830ed7c7a
020c290593cef84aeac4ea2c269d326d
再次執行打印:
d8e38257652deaa76de81c8225801482
020c290593cef84aeac4ea2c269d326d
可見,第1打印的數據,是一直變換的.因為他加入了時間戳
而第2條打印的數據卻是不變的,因為他隻是簡單的MD5加密
這樣的安全令牌在很多大型框架中都會涉及,比如說頂頂大名的Struts.這裏,我以servlet為實例,向request請求加入安全令牌!
view plaincopy to clipboardprint?
package cn.vicky.struts.util;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
/**
*
* @author Vicky
* @email eclipser@163.com
*
*/
public class TokenProcessor {
private static TokenProcessor instance = new TokenProcessor();
private long previous;
protected TokenProcessor() {
}
public static TokenProcessor getInstance() {
return instance;
}
public synchronized boolean isTokenValid(HttpServletRequest request) {
return isTokenValid(request, false);
}
public synchronized boolean isTokenValid(HttpServletRequest request,
boolean reset) {
HttpSession session = request.getSession(false);
if (session == null
return false;
String saved = (String) session
.getAttribute("cn.vicky.struts.action.TOKEN");
if (saved == null)
return false;
if (reset)
resetToken(request);
String token = request
.getParameter("cn.vicky.struts.taglib.html.TOKEN");
if (token == null)
return false;
else
return saved.equals(token);
}
public synchronized void resetToken(HttpServletRequest request) {
HttpSession session = request.getSession(false);
if (session == null) {
return;
} else {
session.removeAttribute("cn.vicky.struts.action.TOKEN");
return;
}
}
public synchronized void saveToken(HttpServletRequest request) {
HttpSession session = request.getSession();
String token = generateToken(request);
if (token != null)
session.setAttribute("cn.vicky.struts.action.TOKEN", token);
}
public synchronized String generateToken(HttpServletRequest request) {
HttpSession session = request.getSession();
return generateToken(session.getId());
}
public synchronized String generateToken(String id) {
try {
long current = System.currentTimeMillis();
if (current == previous)
current++;
previous = current;
// byte now[] = (current+"").toString().getBytes();
byte now[] = (new Long(current)).toString().getBytes();
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(id.getBytes());
md.update(now);
System.out.println(md.digest().length);
return toHex(md.digest());
} catch (NoSuchAlgorithmException e) {
return null;
}
}
private String toHex(byte buffer[]) {
StringBuffer sb = new StringBuffer(buffer.length * 2);
for (int i = 0; i < buffer.length; i++) {
sb.append(Character.forDigit((buffer[i] & 240) >> 4, 16));
sb.append(Character.forDigit(buffer[i] & 15, 16));
}
return sb.toString();
}
}
本文來自CSDN博客,轉載請標明出處:https://blog.csdn.net/eclipser1987/archive/2010/01/08/5159106.aspx
最後更新:2017-04-02 05:21:05