简体繁体 English

安全地处理servlet中的密码

[英]Process password within servlet securely

原文 2015-08-27 11:02:15 4 2 java/ security/ servlets

I am transmitting a password through HTTP(S) to a HttpServlet as parameter. 我通过HTTP（S）将密码作为参数传输到HttpServlet 。 To get the password I am using the Servlets getParameter(String) method, which returns a String. 要获取密码，我使用Servlets getParameter(String)方法，该方法返回一个String。 But passwords should be handled with char[] like mentioned here . 但是密码应该用char[]处理，就像这里提到的那样。

Well, what I want to know is: How can I process a password securely within a Java Servlet? 好吧，我想知道的是：如何在Java Servlet中安全地处理密码？ Is my solution with getParameter(String) the only one or are there better options? 我的解决方案是getParameter(String)唯一的还是有更好的选择？

Please keep in mind that I am NOT interested in how to transmit a password securely (I am expecting that the transmit is secure - maybe with SSL or something else). 请记住，我对如何安全地传输密码不感兴趣（我希望传输是安全的 - 可能使用SSL或其他东西）。

Thanks in advance :) 提前致谢：）

Edit: I forgot to mention that I am not using the password myself (for some kind of access restrictions for my application). 编辑：我忘了提到我自己没有使用密码（对于我的应用程序的某种访问限制）。 I am just forwarding the password (so you could say my WebApp is something like a remote control). 我只是转发密码（所以你可以说我的WebApp就像一个遥控器）。

2 个解决方案

If your login parameter is sent in a POST request and contained in the request content you could parse the content yourself and put the password in a char array. 如果您的登录参数是在POST请求中发送并包含在请求内容中，您可以自己解析内容并将密码放在char数组中。

You need to do this before any call to request.getParameter(String) is made since this will make the container read and parse the content. 您需要在调用request.getParameter(String) 之前执行此操作，因为这将使容器读取并解析内容。 This only works if the servlet container lazily initializes its parameter map. 这仅在servlet容器延迟初始化其参数映射时有效。

"Teleporter" approach: “传送器”方法：

Have Javascript break the password into parameters of 1 character each. 让Javascript将密码分成每个1个字符的参数。 Reassemble directly into char array at server side. 在服务器端直接重组为char数组。