[英]Checking password in java code (security concerns)
I am writing a small webserver for my house to play around with a few java API's I want to know better. 我正在为自己的房子编写一个小型Web服务器,以玩一些我想更好地了解的Java API。 This web server will eventually hold personal files and pictures. 该Web服务器最终将保存个人文件和图片。
I did not feel like setting up an LDAP server for authentication and was wondering how bad would it be if i just had the java code check it directly? 我不想设置用于身份验证的LDAP服务器,并且想知道如果我直接让Java代码直接检查它会有多糟糕?
As long as you take proper precautions not to distribute or publish your source code, having a hardcoded password is most certainly safer than having a network service validate it. 只要您采取适当的预防措施以免分发或发布源代码,那么使用硬编码密码肯定比使用网络服务验证密码更安全。 There are two problems, however: 但是,有两个问题:
A potential alternative you should consider is to keep a plain text file with the password, and read it as necessary. 您应该考虑的一种可能的替代方法是使用密码保存纯文本文件,并在需要时阅读它。 It mitigates (but doesn't eliminate) these two issues, and will also allow for a bit more security if your OS supports the proper file permissions and user privilege separation. 它可以缓解(但不能消除)这两个问题,并且如果您的操作系统支持适当的文件权限和用户权限分离,还可以提供更高的安全性。
As always, avoid using a password repeatedly for different services. 与往常一样,避免针对不同的服务重复使用密码。 Since you'll have untested code facing the internet, remember to implement proper OS-level counter-measures. 由于您将面临未经测试的面向Internet的代码,因此请记住实施适当的OS级对策。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.