存储批处理作业的密码
我有一个小的java prog,它使用需要授权的网络服务。 因此java prog(将使用Windows任务调度程序运行)需要有一个用户/密码参数。 如何将它们存储在某个地方而不将它们作为纯文本放在文件中?
到目前为止,我已经尝试使用runtime.getRuntime和CACLS来拥有一个纯文本文件,但更改了权限,以便只有所有者才能打开它(不起作用,不知道为什么)。
密码加密不起作用,因为如果我将哈希值传递给 Web 服务,Web 服务只是“错误什么?被拒绝,迷路”,但如果我使用密钥加密,您需要一个密码来解密密码。 我应该把它存储在哪里。 :P
帮忙吗? 请? :)
谢谢。
I have a little java prog that uses a webservice which needs authorization. So the java prog (which is to be run using windows task scheduler) needs to have a user/password argument. How can I store these somewhere without having them laying around in a file as plaintext?
So far I've tried using runtime.getRuntime and CACLS to have a plaintext file but alter the permissions so only the owner could open it (didn't work, not sure why).
Password encryption doesn't work because if I pass the hash to the webservice, the webservice is just "errr what? denied, get lost", but if I use secret key encryption you need a password to decrypt the password. and where do I store that. :P
Help? Please? :)
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
没有“文件”的存储将会很困难。 无论如何,在某些时候您必须从某个位置检索密码。
混淆,因此快速哈希不会
泄露您的密码
使用该程序,无法访问所有
其他)以保护本地磁盘上的文件或将其放在外部驱动器(闪存)上。
Storing without a "file" will be dificulty. Anyway at some moment you have to retrieve the password from some location.
obfuscating so a quick hash does not
reveal your password
that uses the program, no access all
other) to protect the file on local disk or put it on an external drive (flash).
如果有人有权访问该正在运行的计算机,您就无法安全地保存您的密码。 我认为将密码加密保存在内存中的某个位置是最安全的方法,就像上面提出的运行即服务解决方案一样。
对于更复杂的方法,您可以创建一个守护程序,它允许您输入密码,将其加密在内存中,并通过 IPC(套接字)将该加密文本传递到您的 java 程序,然后您的程序将解密它以供使用。 但我绝对不会这么做……嘿嘿嘿……
There's no way that you can keep your password safely if someone has authority to access that running machine. Keeping the password encrypted somewhere in memory is the most secure way I think, just like the run-as-service solution above proposed.
For a more sophisticate approach, you can create a daemon which allows you to key in the password, keep it encrypted in memory, and passes that encrypted text to your java program via IPC (socket), then you program will decrypt it to use. But I would never do this... Hihihi...
两个问题:
无论采用哪种方法,都会遇到问题,因为您可以轻松地反汇编 Java 程序。 无论您选择哪种方法,反汇编都会使其容易受到攻击。
Two questions:
You have a problem regardless of either approach, in that you can easily disassemble a Java program. Whichever method you choose, disassembly will make it vulnerable.
一种选择是不使用 Windows 任务计划程序,而是将程序作为服务。 这样做,您可以使用密码作为参数启动服务一次。 然后密码会保留在内存中以供您使用,您无需再存储它。
使用 Java Service Wrapper 将程序设置为服务可以非常轻松地完成
An option is to not use the Windows task scheduler, but rather put your program as a service. Doing so, you can launch your service once with the password as a parameter. Then the password stays in memory for your service and you don't need to store it anymore.
Setting the program as a service can be done quite easily with the Java Service Wrapper
简单的答案是:
您无法使其完全安全,但您可以使其稍微更安全。
您无法对密码进行哈希处理,因为这会阻止您的程序使用它。
您可以将密码放入文件中并使用操作系统权限保护该文件。 您需要允许执行程序的进程进行读取访问。 这可以防止没有管理员权限的任何人查看密码。
您可以加密密码并在程序中提供密钥。 这可以防止那些可以读取文件的人随意观察密码,但不会阻止(甚至减慢)有权访问密码和程序的人。
其他的东西或多或少都是戏剧。
The simple answer is:
You can't make it entirely secure but you can make it marginally more secure.
You CAN NOT hash the password because this would prevent it's use by your program.
You CAN put the password in a file and protect the file using the OS permissions. You will need to allow the process executing your program read access. This prevents anyone without administrator rights from viewing the password.
You CAN encrypt the password and provide the key in your program. This prevents casual observation of the password by those who can read the file but will not stop (or even slow down much) someone with access to the password and your program.
Anything else is more or less theater.