用 Java 编写的应用程序需要存储每个用户的外部服务密码。在应用程序中,用户本身使用 Kerberos 对 KDC 进行身份验证(基本上利用 Jaas)。
我想将加密的秘密存储到应用程序位置的某种文件(XML?)中的其他服务。秘密可以是未启用 Kerberos 的数据库(MySQL...)的登录名/密码组合。有没有比我建议的方法更好的方法 - 也许有一个更好的位置来存储信息?
是否有可能使用 LoginContext 中的一些已存在的信息来加密数据,使得只有相同的主题(人或服务)才能解密该信息?
更新:
我想稍微改一下这个问题。基本上我需要的是某种秘密,只能由经过身份验证的用户接收。有这样的事吗?
否则我可能会使用主题名称的某种加盐哈希作为秘密。我知道这可以猜到,但它为解决方案提供了额外的安全性,例如 什么是保持密码可配置的最佳方法,而无需对于普通读者来说,它们太容易理解了吗?。
An application written in Java needs to store passwords to external services per user. Within the application the user itself authenticates against a KDC using Kerberos (basically creating a LoginContext utilizing Jaas).
I would like to store the encrypted secrets to other services in some kind of file (XML?) at the applications location. Secrets could be login/password combinations to not Kerberos enabled Databases (MySQL...). Is there a better approach than the one I suggest - maybe a better location to store the information?
Is it possible, to use some of the already existing information from LoginContext to encrypt data in such a way, that only the same Subject (person or service) can decrypt the information?
UPDATE:
I would like to rephrase the question a little. Basically what I need is some kind of secret, that can only be received by an authenticated user. Is there something like this?
Otherwise I would probably use some kind of salted hash of a subjects name as a secreat. I know this can be guessed, but it provides additional secruity to solutions as proposed e.g. in What is the best way to keep passwords configurable, without having them too easily available to the casual human reader?.
发布评论