How to safely hardcode an authentication token within an application code - Java

I know that hardcoding passwords into a program is something insecure by nature. Most of them can be cracked by reverse engineering tools such as IDA Pro. However, if one had no choice other than to do so, would there be a secure way to do it?

I need to release a small Java client app to a small group of users and need to hardcode an authentication token. Any advice?

Thanks

If you must, Java has a GuardedString class, similar to the SecureString class in C#.

Secure string implementation that solves the problems associated with keeping passwords as java.lang.String. That is, anything represented as a String is kept in memory as a clear text password and stays in memory at least until it is garbage collected.

The GuardedString class alleviates this problem by storing the characters in memory in an encrypted form. The encryption key will be a randomly-generated key.

In their serialized form, GuardedString will be encrypted using a known default key. This is to provide a minimum level of protection regardless of the transport. For communications with the Remote Connector Framework it is recommended that deployments enable SSL for true encryption.

Applications may also wish to persist GuardedStrings. In the case of Identity Manager, it should convert GuardedStrings to EncryptedData so that they can be stored and managed using the Manage Encryption features of Identity Manager. Other applications may wish to serialize APIConfiguration as a whole. These applications are responsible for encrypting the APIConfiguration blob for an additional layer of security (beyond the basic default key encryption provided by GuardedString).
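The following is an added, self-contained illustration of the mechanism the answer describes (the secret is kept in memory only in encrypted form under a per-instance random key, and the clear characters exist only briefly inside an accessor callback and are wiped afterwards). It is not the GuardedString class from the ConnId / Identity Connectors framework and not code from the original post; the class name `GuardedSecret`, the `Accessor` interface and the sample token value are hypothetical, and it uses only the JDK (`javax.crypto` AES-GCM). Note what it does and does not protect: it shortens the window in which a secret is readable on the heap, but a token that is compiled into the class file as a literal can still be read out of the distributed binary, which is the risk the question itself points out.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical demonstration class (not ConnId's GuardedString): holds a
 * secret in memory only as AES-GCM ciphertext under a random per-instance key.
 */
public final class GuardedSecret implements AutoCloseable {

    /** Receives the clear characters for the duration of the callback only. */
    public interface Accessor {
        void access(char[] clearChars);
    }

    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_TAG_BITS = 128;

    private final SecretKey key;      // random per instance, never written anywhere
    private final byte[] iv;          // 12-byte GCM nonce
    private final byte[] ciphertext;  // encrypted UTF-8 bytes of the secret
    private boolean disposed;

    public GuardedSecret(char[] clearChars) throws GeneralSecurityException {
        byte[] keyBytes = new byte[32];
        RNG.nextBytes(keyBytes);
        this.key = new SecretKeySpec(keyBytes, "AES");  // SecretKeySpec keeps its own copy
        Arrays.fill(keyBytes, (byte) 0);

        this.iv = new byte[12];
        RNG.nextBytes(iv);

        byte[] clearBytes = toBytes(clearChars);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
            this.ciphertext = c.doFinal(clearBytes);
        } finally {
            Arrays.fill(clearBytes, (byte) 0);  // clear text no longer needed
            Arrays.fill(clearChars, '\0');      // the caller's array is wiped as well
        }
    }

    /** Decrypts, hands the characters to the accessor, then wipes them. */
    public void access(Accessor accessor) throws GeneralSecurityException {
        if (disposed) throw new IllegalStateException("secret has been disposed");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] clearBytes = c.doFinal(ciphertext);
        char[] clearChars = toChars(clearBytes);
        Arrays.fill(clearBytes, (byte) 0);
        try {
            accessor.access(clearChars);
        } finally {
            Arrays.fill(clearChars, '\0');  // wiped even if the accessor throws
        }
    }

    /** Wipes the ciphertext; the random key goes away with the instance. */
    @Override
    public void close() {
        Arrays.fill(ciphertext, (byte) 0);
        disposed = true;
    }

    private static byte[] toBytes(char[] chars) {
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] out = new byte[bb.remaining()];
        bb.get(out);
        if (bb.hasArray()) Arrays.fill(bb.array(), (byte) 0);  // scrub the encoder's buffer
        return out;
    }

    private static char[] toChars(byte[] bytes) {
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(bytes));
        char[] out = new char[cb.remaining()];
        cb.get(out);
        if (cb.hasArray()) Arrays.fill(cb.array(), '\0');  // scrub the decoder's buffer
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value, not a real credential. A string literal like this
        // still sits in the class file's constant pool, which is exactly what a
        // decompiler reads; the guard only limits exposure on the heap at run time.
        char[] token = "EXAMPLE-TOKEN-PLACEHOLDER".toCharArray();
        try (GuardedSecret secret = new GuardedSecret(token)) {
            secret.access(clear -> System.out.println("accessor saw " + clear.length + " chars"));
            System.out.println("caller's array wiped: " + (token[0] == '\0'));
        }
    }
}
```

Compile and run with `javac GuardedSecret.java && java GuardedSecret`. The design mirrors the Javadoc quoted above: a fresh random key per instance, ciphertext rather than a `String` on the heap, and a callback-style `access` so the clear characters never escape into an immutable `String` that would linger until garbage collection.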
