如何避免以明文形式存储密码

如何避免以明文形式存储密码

本文介绍了如何避免以明文形式存储密码,以便 tomcat 的 server.xml 数据源的资源定义?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

tomcat 的server.xml 中的资源定义看起来像这样...

The resource definition in tomcat's server.xml looks something like this...

<Resource
    name="jdbc/tox"
    scope="Shareable"
    type="javax.sql.DataSource"
    url="jdbc:oracle:thin:@yourDBserver.yourCompany.com:1521:yourDBsid"
    driverClassName="oracle.jdbc.pool.OracleDataSource"
    username="tox"
    password="toxbaby"
    maxIdle="3"
    maxActive="10"
    removeAbandoned="true"
    removeAbandonedTimeout="60"
    testOnBorrow="true"
    validationQuery="select * from dual"
    logAbandoned="true"
    debug="99"/>

密码是明文.如何避免这种情况?

The password is in the clear. How to avoid this?

推荐答案

如前所述,加密密码只是将问题移到其他地方.

As said before encrypting passwords is just moving the problem somewhere else.

无论如何,这很简单.只需为您的密钥等编写一个带有静态字段的类,以及用于加密和解密密码的静态方法.使用此类在 Tomcat 的配置文件(server.xmlyourapp.xml...)中加密您的密码.

Anyway, it's quite simple.Just write a class with static fields for your secret key and so on, and static methods to encrypt, decrypt your passwords.Encrypt your password in Tomcat's configuration file (server.xml or yourapp.xml...) using this class.

要在 Tomcat 中即时"解密密码,请扩展 DBCP 的 BasicDataSourceFactory 并在您的资源中使用此工厂.

And to decrypt the password "on the fly" in Tomcat, extend the DBCP's BasicDataSourceFactory and use this factory in your resource.

它看起来像:

    <Resource
        name="jdbc/myDataSource"
        auth="Container"
        type="javax.sql.DataSource"
        username="user"
        password="encryptedpassword"
        driverClassName="driverClass"
        factory="mypackage.MyCustomBasicDataSourceFactory"
        url="jdbc:blabla://..."/>

对于自定义工厂:

package mypackage;

....

public class MyCustomBasicDataSourceFactory extends org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory {

@Override
public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception {
    Object o = super.getObjectInstance(obj, name, nameCtx, environment);
    if (o != null) {
        BasicDataSource ds = (BasicDataSource) o;
        if (ds.getPassword() != null && ds.getPassword().length() > 0) {
            String pwd = MyPasswordUtilClass.unscramblePassword(ds.getPassword());
            ds.setPassword(pwd);
        }
        return ds;
    } else {
        return null;
    }
}

希望这会有所帮助.

这篇关于如何避免以明文形式存储密码,以便 tomcat 的 server.xml 数据源的资源定义?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-07 01:31