Project requirement:
All authentication data, passwords for example, must be properly protected both at rest and in transit, to prevent disclosure or unauthorized modification. In the Fortify static code analyzer scan that is part of security certification, a password stored in plaintext in a file will definitely not pass.
Below is the concrete code implementation in the context of the SSH (Spring + Struts + Hibernate) framework.
All authentication data is encrypted with 3DES; the encryption and decryption calls look like this:
byte src_byte[] = password.getBytes();
byte key_byte[] = "123456781234567812345678".getBytes(); // 3DES 24-byte key (sample value from the post)
try {
    // generate the 3DES key
    javax.crypto.SecretKey deskey;
    deskey = genDESKey(key_byte);
    System.out.println("Generator DES KEY OK");
    // 3DES encryption / decryption
    byte[] encrypt, decrypt;
    // encrypt
    encrypt = desEncrypt(deskey, src_byte);
    System.out.println("encrypt=" + new String(encrypt)); // raw ciphertext bytes rendered as a String
    // decrypt
    decrypt = desDecrypt(deskey, encrypt);
    System.out.println("decrypt=" + new String(decrypt));
} catch (Exception ex) {
    ex.printStackTrace();
}
Explanation:
Step 1: call genDESKey to build the 24-byte 3DES key;
Step 2: call desEncrypt or desDecrypt to encrypt or decrypt;
The code for these three functions follows:
1. Key generation function: genDESKey
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/**
 * Generate a 3DES key.
 *
 * @param key_byte seed key (24 bytes)
 * @throws Exception
 * @return javax.crypto.SecretKey generated 3DES key
 */
public static javax.crypto.SecretKey genDESKey(byte[] key_byte) throws Exception {
    SecretKey k = null;
    k = new SecretKeySpec(key_byte, "DESede");
    return k;
}
2. Encryption function: desEncrypt
/**
 * 3DES encryption (byte[]).
 *
 * @param key SecretKey
 * @param src byte[] plaintext
 * @throws Exception
 * @return byte[] ciphertext
 */
public static byte[] desEncrypt(javax.crypto.SecretKey key, byte[] src) throws Exception {
    javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance("DESede");
    cipher.init(javax.crypto.Cipher.ENCRYPT_MODE, key);
    return cipher.doFinal(src);
}
3. Decryption function: desDecrypt
/**
 * 3DES decryption (byte[]).
 *
 * @param key SecretKey
 * @param crypt byte[] ciphertext
 * @throws Exception
 * @return byte[] plaintext
 */
public static byte[] desDecrypt(javax.crypto.SecretKey key, byte[] crypt) throws Exception {
    javax.crypto.Cipher cipher = javax.crypto.Cipher.getInstance("DESede");
    cipher.init(javax.crypto.Cipher.DECRYPT_MODE, key);
    return cipher.doFinal(crypt);
}
The Hibernate database connection password is stored encrypted in the configuration file and in the database; the concrete changes to the Spring + Hibernate connection configuration are as follows:
Step 1: change the Spring data source bean definition to the following:
<bean id="dataSource" class="com.hqlTest.MyBasicDataSource" destroy-method="close">
    <property name="driverClassName">
        <value>oracle.jdbc.driver.OracleDriver</value>
    </property>
    <property name="url">
        <value>jdbc:oracle:thin:@dbServer:1521:feelview</value>
    </property>
    <property name="username">
        <value>feelview</value>
    </property>
    <property name="password">
        <value>%QX7N顴服筜吩d/?</value>
    </property>
</bean>
Explanation:
The class of the dataSource bean is changed from org.apache.commons.dbcp.BasicDataSource to our own com.hqlTest.MyBasicDataSource;
MyBasicDataSource does only two things: 1. it extends BasicDataSource; 2. it overrides the password setter setPassword, and that setPassword performs the 3DES decryption of the configured password.
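The following is an added example, not code from the original post, that puts the two parts above together: the 3DES encrypt/decrypt utility and the MyBasicDataSource subclass whose setPassword override decrypts the value Spring injects from the XML. It deliberately goes beyond the post's utility in three places, each marked in the comments: the ciphertext is Base64-encoded instead of being converted with new String(bytes), because arbitrary ciphertext bytes do not survive a charset round trip (that is why the configured value above looks like mojibake); the key is loaded from a system property or environment variable (the names db.password.key and DB_PASSWORD_KEY are assumptions) rather than being hard-coded next to the data it protects, since a key in the jar is what a static analyzer flags next and gives no protection against anyone who can read the deployment; and the cipher is named explicitly as DESede/CBC/PKCS5Padding with a random IV instead of the bare "DESede" string, which in the JDK resolves to ECB. It assumes commons-dbcp 1.x on the classpath, as in the bean definition above.

```java
// Added example (not from the original post). Assumed names: db.password.key,
// DB_PASSWORD_KEY, encryptPassword, decryptPassword, keyFromBytes.
package com.hqlTest;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

import org.apache.commons.dbcp.BasicDataSource;

public class MyBasicDataSource extends BasicDataSource {

    // Explicit mode and padding; the bare "DESede" transformation in the post means ECB.
    private static final String ALGORITHM = "DESede/CBC/PKCS5Padding";
    private static final int IV_LENGTH = 8;   // 3DES block size

    /** Build a 3DES key from 24 bytes of key material, as the post's genDESKey does. */
    public static SecretKey keyFromBytes(byte[] keyBytes) {
        if (keyBytes.length != 24) {
            throw new IllegalArgumentException("3DES key must be 24 bytes, got " + keyBytes.length);
        }
        return new SecretKeySpec(keyBytes, "DESede");
    }

    /** Load the key from outside the source tree (assumed property / env var names). */
    private static SecretKey loadKey() {
        String text = System.getProperty("db.password.key", System.getenv("DB_PASSWORD_KEY"));
        if (text == null) {
            throw new IllegalStateException("no 3DES key configured (db.password.key / DB_PASSWORD_KEY)");
        }
        return keyFromBytes(text.getBytes(StandardCharsets.UTF_8));
    }

    /** Encrypt a password; the result is Base64(iv || ciphertext), safe to paste into XML. */
    public static String encryptPassword(SecretKey key, String plain) throws Exception {
        byte[] iv = new byte[IV_LENGTH];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Reverse of encryptPassword: split off the IV, decrypt the rest. */
    public static String decryptPassword(SecretKey key, String base64) throws Exception {
        byte[] in = Base64.getDecoder().decode(base64);
        if (in.length < IV_LENGTH + 8) {
            throw new IllegalArgumentException("ciphertext too short to contain an IV and one block");
        }
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(in, 0, IV_LENGTH));
        byte[] plain = cipher.doFinal(in, IV_LENGTH, in.length - IV_LENGTH);
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** Spring injects the encrypted XML value here; DBCP only ever sees the plaintext. */
    @Override
    public synchronized void setPassword(String encryptedPassword) {
        try {
            super.setPassword(decryptPassword(loadKey(), encryptedPassword));
        } catch (Exception e) {
            throw new IllegalStateException("cannot decrypt data source password", e);
        }
    }

    /** Demo: print the value to paste into the bean, then check the override decrypts it. */
    public static void main(String[] args) throws Exception {
        // Demo-only key set in-process; in deployment it comes from the property or env var.
        System.setProperty("db.password.key", "demo-key-24-bytes-long!!");   // exactly 24 bytes
        String stored = encryptPassword(loadKey(), "constructed-db-password");
        System.out.println("<value>" + stored + "</value>");

        MyBasicDataSource ds = new MyBasicDataSource();
        ds.setPassword(stored);   // what Spring does when it applies the password property
        System.out.println(ds.getPassword().equals("constructed-db-password") ? "round trip OK" : "MISMATCH");
    }
}
```

Running main once produces the Base64 string to put in the bean's password property; at startup Spring calls setPassword with that string and the override hands DBCP the decrypted value. Two caveats a reviewer would raise on this design as a whole: the scheme only relocates the secret from the XML file to wherever the key lives, so the key's storage (file permissions, environment of the service account, a secrets manager) is what actually decides the protection level; and 3DES has been deprecated by NIST, so a new project should reach for AES (for example AES/GCM/NoPadding) with the same structure, which is a one-line change to ALGORITHM and the IV length here.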