我正在研究密码保护我正在建设的码头服务器。 我正在使用Java的MessageDigest类来散列密码。 我创建了这个测试类,它工作正常:
String hash = "<hashOfMyPassword"; String pass = "<myPassword>"; byte[] data = pass.getBytes(); MessageDigest md = null; try { md = MessageDigest.getInstance("SHA"); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } md.update(data); MessageDigest passMD = null; try { passMD = (MessageDigest) md.clone(); } catch (CloneNotSupportedException e) { // TODO Auto-generated catch block e.printStackTrace(); } byte[] passHash = passMD.digest(); System.out.println(passHash.toString().equals(hash));但是当我把它移到我的码头服务器时,它开始表现得很奇怪。 这是方法:
public void handle(String s, Request req, HttpServletRequest hreq, HttpServletResponse hres) throws IOException, ServletException { hres.setContentType("text/plain"); hres.setStatus(HttpServletResponse.SC_OK); req.setHandled(true); if (!running) { //Validate password String pass = hreq.getParameter("password"); hres.getWriter().println(pass); byte[] data = pass.getBytes(); MessageDigest md = null; try { md = MessageDigest.getInstance("SHA"); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } md.update(data); MessageDigest passMD = null; try { passMD = (MessageDigest) md.clone(); } catch (CloneNotSupportedException e) { // TODO Auto-generated catch block e.printStackTrace(); } byte[] passHash = passMD.digest(); hres.getWriter().println(passHash.toString()); if (passHash.toString().equals(hash)) { //dostuff } else { hres.getWriter().println("invalid password"); } } } }(在任何人说出某些内容之前,我知道我很奇怪地传递密码,但这个项目没问题)
这与以前完全相同,但这次我总是得到不同的哈希值,密码永远不会匹配。 我两次传递相同的密码,第一次得到类似“[B @ 33ab7e65”的东西,然后我得到“[B @ 58eb5b4”]。
我正在使用curl来访问服务器顺便说一句。
关于发生了什么的任何想法? 这真的很奇怪。
I'm working on password protecting a jetty server I'm building. I'm using Java's MessageDigest class to hash the passwords. I created this test class and it's working fine:
String hash = "<hashOfMyPassword"; String pass = "<myPassword>"; byte[] data = pass.getBytes(); MessageDigest md = null; try { md = MessageDigest.getInstance("SHA"); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } md.update(data); MessageDigest passMD = null; try { passMD = (MessageDigest) md.clone(); } catch (CloneNotSupportedException e) { // TODO Auto-generated catch block e.printStackTrace(); } byte[] passHash = passMD.digest(); System.out.println(passHash.toString().equals(hash));but when I move it to my jetty server it starts acting oddly. Here's that method:
public void handle(String s, Request req, HttpServletRequest hreq, HttpServletResponse hres) throws IOException, ServletException { hres.setContentType("text/plain"); hres.setStatus(HttpServletResponse.SC_OK); req.setHandled(true); if (!running) { //Validate password String pass = hreq.getParameter("password"); hres.getWriter().println(pass); byte[] data = pass.getBytes(); MessageDigest md = null; try { md = MessageDigest.getInstance("SHA"); } catch (NoSuchAlgorithmException e) { // TODO Auto-generated catch block e.printStackTrace(); } md.update(data); MessageDigest passMD = null; try { passMD = (MessageDigest) md.clone(); } catch (CloneNotSupportedException e) { // TODO Auto-generated catch block e.printStackTrace(); } byte[] passHash = passMD.digest(); hres.getWriter().println(passHash.toString()); if (passHash.toString().equals(hash)) { //dostuff } else { hres.getWriter().println("invalid password"); } } } }(before anyone says something, I know I'm passing the password weirdly, but that's okay for this project)
This is the exact same this as before but this time I'm always getting different hashes, and the passwords never match. I pass the same password in twice and the first time I get something like "[B@33ab7e65" and the next I get "[B@58eb5b4".
I'm using curl to access the server btw.
Any ideas about what's happening? This is really weird.
最满意答案
您将passHash (一个字节数组)转换为带有toString的字符串。 这实际上并没有完全获取数组的内容 - Java在数组上的toString实现是相当无用的,它只是在内存中打印出数组位置的一部分地址。
不要使用字符串相等比较哈希,直接比较它! 键入hash作为字节数组,并使用Arrays.equals()来比较它们。
Arrays.equals(passHash, hash)You're converting passHash, a byte array, to a string with toString. This is not actually getting at the contents of your array at all—Java's implementation of toString on arrays is rather unhelpful, and it simply prints out a part of the address of the array's location in memory.
Don't compare the hash using string equality, compare it directly! Type hash as a byte array as well, and use Arrays.equals() to compare them.
Arrays.equals(passHash, hash)更多推荐
发布评论