java.security.MessageDigest的使用(2),生成安全令牌!
时候,我们需要产生一个数据,这个数据保存了用户的信息,但加密后仍然有可能被人使用,即便他人不确切的了解详细信息...
好比,我们在上网的时候,很多网页都会有一个信息,是否保存登录信息,以便下次可以直接登录而不必再次输入账户,密码等...而通常这样需要Cookie保存用户信息,当然,这个信息是加密信息,且一般都加了时间戳等验证信息的...
登陆时,读取cookie,解析cookie的信息,以及如时间戳等附加信息.如果没有时间戳...那么任何人只要有这个cookie,复制cookie到他的电脑中,然后登陆相同的页面,即便盗用者并不知道用户的信息是什么,也能登陆...
所以,时间戳就类似我们所说的安全令牌.
方式,将用户信息MD5加密后,再将时间戳MD5加密,然后按照特定的处理,将加密后的用户信息以及时间戳,ip地址等信息再次处理,加密后,生成cookie保存客户端...这样就避免了前面所说的安全问题...
java.security.MessageDigest,在创建安全令牌上,比MD5更简便.因为update方法!!!
package cn.vicky.utils; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; /** * 令牌处理器 * * @author Vicky * @emial [email protected] * */ public class TokenProcessor { private static TokenProcessor instance = new TokenProcessor(); private long previous; protected TokenProcessor() { } public static TokenProcessor getInstance() { return instance; } public synchronized String generateToken(String msg, boolean timeChange) { try { long current = System.currentTimeMillis(); if (current == previous) current++; previous = current; MessageDigest md = MessageDigest.getInstance("MD5"); md.update(msg.getBytes()); if (timeChange) { // byte now[] = (current+"").toString().getBytes(); byte now[] = (new Long(current)).toString().getBytes(); md.update(now); } return toHex(md.digest()); } catch (NoSuchAlgorithmException e) { return null; } } private String toHex(byte buffer[]) { StringBuffer sb = new StringBuffer(buffer.length * 2); for (int i = 0; i < buffer.length; i++) { sb.append(Character.forDigit((buffer[i] & 240) >> 4, 16)); sb.append(Character.forDigit(buffer[i] & 15, 16)); } return sb.toString(); } }
测试
@Test public void testGenerateToken(){ String token = new TokenProcessor().generateToken("Vicky",true); System.err.println(token); String token2 = new TokenProcessor().generateToken("Vicky",false); System.err.println(token2); }
执行后打印:
69ff8ae72232da59a613ecc830ed7c7a
020c290593cef84aeac4ea2c269d326d
再次执行打印:
d8e38257652deaa76de81c8225801482
020c290593cef84aeac4ea2c269d326d
可见,第1打印的数据,是一直变换的.因为他加入了时间戳
而第2条打印的数据却是不变的,因为他只是简单的MD5加密
这样的安全令牌在很多大型框架中都会涉及,比如说顶顶大名的Struts.这里,我以servlet为实例,向request请求加入安全令牌!
package cn.vicky.struts.util; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpSession; /** * * @author Vicky * @email [email protected] * */ public class TokenProcessor { private static TokenProcessor instance = new TokenProcessor(); private long previous; protected TokenProcessor() { } public static TokenProcessor getInstance() { return instance; } public synchronized boolean isTokenValid(HttpServletRequest request) { return isTokenValid(request, false); } public synchronized boolean isTokenValid(HttpServletRequest request, boolean reset) { HttpSession session = request.getSession(false); if (session == null return false; String saved = (String) session .getAttribute("cn.vicky.struts.action.TOKEN"); if (saved == null) return false; if (reset) resetToken(request); String token = request .getParameter("cn.vicky.struts.taglib.html.TOKEN"); if (token == null) return false; else return saved.equals(token); } public synchronized void resetToken(HttpServletRequest request) { HttpSession session = request.getSession(false); if (session == null) { return; } else { session.removeAttribute("cn.vicky.struts.action.TOKEN"); return; } } public synchronized void saveToken(HttpServletRequest request) { HttpSession session = request.getSession(); String token = generateToken(request); if (token != null) session.setAttribute("cn.vicky.struts.action.TOKEN", token); } public synchronized String generateToken(HttpServletRequest request) { HttpSession session = request.getSession(); return generateToken(session.getId()); } public synchronized String generateToken(String id) { try { long current = System.currentTimeMillis(); if (current == previous) current++; previous = current; // byte now[] = (current+"").toString().getBytes(); byte now[] = (new Long(current)).toString().getBytes(); MessageDigest md = MessageDigest.getInstance("MD5"); md.update(id.getBytes()); md.update(now); System.out.println(md.digest().length); return toHex(md.digest()); } catch (NoSuchAlgorithmException e) { return null; } } private String toHex(byte buffer[]) { StringBuffer sb = new StringBuffer(buffer.length * 2); for (int i = 0; i < buffer.length; i++) { sb.append(Character.forDigit((buffer[i] & 240) >> 4, 16)); sb.append(Character.forDigit(buffer[i] & 15, 16)); } return sb.toString(); } }