堆栈内存溢出
  简体   繁体   English

如何存储Java Web应用程序所需的密码?

[英]How to store java web application needed passwords?

 原文  2016-04-06 10:25:48       java/ email/ encryption/ passwords

问题描述

I have read several topics about this situation and found some solutions, but I´m not quite sure if they fit for my project. 我已经阅读了有关这种情况的几个主题并找到了一些解决方案,但是我不确定它们是否适合我的项目。

For example this topic: https://stackoverflow.com/questions/10306673/securing-a-password-in-a-properties-file 例如,以下主题: https : //stackoverflow.com/questions/10306673/securing-a-password-in-a-properties-file

In my web application a user can register and do stuff on my homepage, where he has to be logged in. I´m saving the password with SCrypt. 在我的Web应用程序中,用户可以在我必须登录的主页上进行注册和处理。我正在使用SCrypt保存密码。 The user can log in by typing in the password in clear text, the password gets checked against the encrypted password in the database. 用户可以通过以明文形式输入密码来登录,密码将根据数据库中的加密密码进行检查。 If the password is correct, then the user has access to the control center. 如果密码正确,则用户可以访问控制中心。

Registered AND non registered users can send emails to my e-mail account with a contact form. 已注册和未注册的用户都可以使用联系表将电子邮件发送到我的电子邮件帐户。

This contact form calls a Bean, which sends an email. 此联系表单称为Bean,该Bean发送电子邮件。 To send this E-Mail I have to store the account information somewhere. 要发送此电子邮件,我必须将帐户信息存储在某处。

The problem is, that I have to get the password decrypted. 问题是,我必须将密码解密。 If I save the information encrypted the account validation fails. 如果我保存了加密的信息,则帐户验证将失败。

Saving the password in plain text is absolute horror. 以纯文本形式保存密码绝对是恐怖的事情。

I thought about setting the passwords into a property in an application scoped bean after the application has started, but I´m not sure if this is a save way. 我考虑过在应用程序启动后将密码设置到应用程序范围的bean中的属性中,但是我不确定这是否是一种保存方式。

Another option is a file, which the application reads from, if the password is needed. 另一个选项是文件,如果需要密码,应用程序将从中读取文件。 But in this file the password is decrypted. 但是在此文件中,密码已解密。

What is the best way to save a password, which is needed by the application? 应用程序所需的最佳密码保存方法是什么?

EDIT1 06.04.2016 12:48: 编辑1 06.04.2016 12:48:

I need the password decrypted for my EmailBean, so the bean can login into my e-mail account and send the message. 我需要为我的EmailBean解密密码,以便Bean可以登录到我的电子邮件帐户并发送消息。

1 个解决方案

解决方案1
 0 已采纳  2016-04-06 11:09:00

Well, if you need the password to auth against your mail server, you need it in plaintext somewhere. 好吧,如果您需要密码来对您的邮件服务器进行身份验证,则需要在某处以明文形式输入密码。 If you do not lift the requirement to have the password, eg by configuring your mail server to accept mails from your IP without password, then the best you can do is to obfuscate the password by some encrypting. 如果您不取消拥有密码的要求,例如通过将邮件服务器配置为接受不带密码的IP邮件,那么您最好的办法就是通过某种加密来混淆密码。 But it has to be something reversible and your code will reverse it. 但是它必须是可逆的,您的代码将逆转它。 So if someone breaks into the system and has access to your code, he will also be able to decrypt and retrieve your password. 因此,如果有人闯入系统并可以访问您的代码,那么他也将能够解密和检索您的密码。 But at least it will not be in plaintext in the file. 但是,至少在文件中不是纯文本格式。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在桌面客户端应用程序(Java)中存储密码和敏感数据? - How to store passwords and sensitive data in a desktop client application (Java)? 如何存储文件并将其引用到Java Web应用程序? - How to store file and reference it to java web application? 如何在Java Web应用程序中存储文件? - How to store files in a java web application? Java Web应用程序创建用户,缓解弱密码 - Java Web Application Create User, Mitigate weak passwords 在Java应用程序中散列密码 - Hashing passwords in Java application 如何在数据库中存储密码? - how to store passwords in database? 如何在java中存储用户名和密码并在不同的类中调用它们 - How to store usernames and passwords in java and call them in a different class 如何在非Web应用程序中存储Java bean的状态? - How to store the state of Java bean in a non web application? 部署问题,基于Web的Java应用程序需要的建议 - Problems with deployment, advice needed for a web-based java application 如何安全地在Android上存储密码? - How to safely store passwords on Android?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM