Plug point for custom password encryption
You can create a plug point for custom password encryption to encrypt and decrypt all of the passwords in WebSphere® Application Server that are currently encoded or decoded with base64 encoding.
The implementation class for this plug point is responsible for managing the keys, determining the encryption algorithm to use, and protecting the master key. The WebSphere Application Server runtime stores the encrypted passwords in their existing locations and prefixes them with a {custom:alias} tag instead of the {xor} tag. The custom part of the tag indicates that a custom algorithm was used. The alias part of the tag is specified by the custom implementation and indicates how the password was encrypted; the custom implementation can encode in it the key alias, the encryption algorithm, the cipher mode, or the padding.
A custom provider for this plug point must implement an interface that encrypts and decrypts passwords. The WebSphere Application Server runtime calls this interface whenever the custom plug point is enabled. Once the plug point is enabled, the custom algorithm becomes one of the supported algorithms. The other supported algorithms are {xor} (standard base64 encoding) and {os400} (for the iSeries platform).
The following example shows the com.ibm.wsspi.security.crypto.CustomPasswordEncryption interface:
package com.ibm.wsspi.security.crypto;

public interface CustomPasswordEncryption
{
    /**
     * The encrypt operation takes a UTF-8 encoded String in the form of a byte[].
     * The byte[] is generated from String.getBytes("UTF-8").
     * An encrypted byte[] is returned from the implementation in the EncryptedInfo
     * object. Additionally, a logical key alias is returned in the EncryptedInfo
     * object which is passed back into the decrypt method to determine which key was
     * used to encrypt this password. The WebSphere Application Server runtime has
     * no knowledge of the algorithm or the key used to encrypt the data.
     *
     * @param byte[]
     * @return com.ibm.wsspi.security.crypto.EncryptedInfo
     * @throws com.ibm.wsspi.security.crypto.PasswordEncryptException
     **/
    public EncryptedInfo encrypt (byte[] decrypted_bytes) throws PasswordEncryptException;

    /**
     * The decrypt operation takes the EncryptedInfo object containing a byte[]
     * and the logical key alias and converts it to the decrypted byte[]. The
     * WebSphere Application Server runtime converts the byte[] to a String
     * using new String (byte[], "UTF-8");
     *
     * @param com.ibm.wsspi.security.crypto.EncryptedInfo
     * @return byte[]
     * @throws com.ibm.wsspi.security.crypto.PasswordDecryptException
     **/
    public byte[] decrypt (EncryptedInfo info) throws PasswordDecryptException;

    /**
     * The following is reserved for future use and is currently not
     * called by the WebSphere Application Server runtime.
     *
     * @param java.util.HashMap
     **/
    public void initialize (java.util.HashMap initialization_data);
}
The com.ibm.wsspi.security.crypto.EncryptedInfo class holds the encrypted bytes together with their associated user-defined alias. This information is passed back to the decrypt method to help determine how the password was originally encrypted.
package com.ibm.wsspi.security.crypto;

public class EncryptedInfo
{
    private byte[] bytes;
    private String alias;

    /**
     * This constructor takes the encrypted bytes and a keyAlias as parameters.
     * This constructor is used to pass to or from the WebSphere Application Server
     * runtime to enable the runtime to associate the bytes with a specific key that
     * is used to encrypt the bytes.
     */
    public EncryptedInfo (byte[] encryptedBytes, String keyAlias)
    {
        bytes = encryptedBytes;
        alias = keyAlias;
    }

    /**
     * This command returns the encrypted bytes.
     *
     * @return byte[]
     */
    public byte[] getEncryptedBytes()
    {
        return bytes;
    }

    /**
     * This command returns the key alias. The key alias is a logical string that is
     * associated with the encrypted password in the model. The format is
     * {custom:keyAlias}encrypted_password. Typically, just the key alias is placed
     * here, but algorithm information can also be returned.
     *
     * @return String
     */
    public String getKeyAlias()
    {
        return alias;
    }
}
Whenever a custom class is configured and custom encryption is enabled, the encrypt method is called to process passwords. Whenever a custom class is configured and a password carries the {custom:alias} tag, the decrypt method is called; the custom:alias tag is stripped before the decrypt call. For more information, see Enabling custom password encryption.
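The following is an added example of a provider class for this plug point; it is not part of the WebSphere documentation or product code. It implements the CustomPasswordEncryption interface shown above with AES-GCM and keeps its AES keys in a password-protected PKCS12 keystore, one SecretKey entry per alias. The alias returned in EncryptedInfo is the keystore alias of the key that encrypted the password, so the runtime's {custom:alias} tag records which key to use on decrypt and keys can be rotated (new encryptions use the current alias, old passwords still decrypt with the alias stored in their tag). The class name, the package, and the three system properties that locate the keystore are assumptions chosen for this example, as is the use of the String constructor of the two exception classes; how the keystore password itself is protected is left to the deployer, which is the master-key responsibility the text assigns to the implementation.

```java
package com.example.wsspi.crypto; // hypothetical package for this example

import com.ibm.wsspi.security.crypto.CustomPasswordEncryption;
import com.ibm.wsspi.security.crypto.EncryptedInfo;
import com.ibm.wsspi.security.crypto.PasswordDecryptException;
import com.ibm.wsspi.security.crypto.PasswordEncryptException;

import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Example CustomPasswordEncryption provider: AES-GCM with keys held in a PKCS12 keystore. */
public class AesGcmPasswordEncryption implements CustomPasswordEncryption {
    // Assumed configuration: system properties naming the keystore, its password,
    // and the alias to use for new encryptions.
    private static final String KEYSTORE_PATH_PROP = "custom.pwd.keystore";
    private static final String KEYSTORE_PW_PROP   = "custom.pwd.keystore.password";
    private static final String CURRENT_ALIAS_PROP = "custom.pwd.current.alias";

    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM IV size
    private static final int TAG_BITS = 128;  // full-length authentication tag

    private final SecureRandom random = new SecureRandom();
    private KeyStore keyStore;                // loaded lazily on first use
    private char[] keyStorePassword;
    private String currentAlias;

    /** Loads the keystore once; the runtime instantiates this class with its no-arg constructor. */
    private synchronized KeyStore keys() throws Exception {
        if (keyStore == null) {
            String path = System.getProperty(KEYSTORE_PATH_PROP);
            String pw = System.getProperty(KEYSTORE_PW_PROP);
            if (path == null || pw == null) {
                throw new IllegalStateException("keystore path or password not configured");
            }
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, pw.toCharArray());
            }
            keyStorePassword = pw.toCharArray();
            currentAlias = System.getProperty(CURRENT_ALIAS_PROP, "pwdkey1");
            keyStore = ks;
        }
        return keyStore;
    }

    /** Resolves an alias (from configuration or from a {custom:alias} tag) to its AES key. */
    private SecretKey keyFor(String alias) throws Exception {
        if (alias == null || alias.indexOf('}') >= 0) {
            throw new IllegalArgumentException("invalid key alias");
        }
        Key k = keys().getKey(alias, keyStorePassword);
        if (!(k instanceof SecretKey)) {
            throw new IllegalArgumentException("no secret key for alias " + alias);
        }
        return (SecretKey) k;
    }

    @Override
    public EncryptedInfo encrypt(byte[] decryptedBytes) throws PasswordEncryptException {
        try {
            keys();                                  // ensure currentAlias is initialised
            String alias = currentAlias;
            byte[] iv = new byte[IV_BYTES];
            random.nextBytes(iv);                    // fresh nonce per password
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, keyFor(alias), new GCMParameterSpec(TAG_BITS, iv));
            byte[] ct = c.doFinal(decryptedBytes);   // ciphertext || GCM tag
            // Stored form: iv || ciphertext || tag; the runtime base64-encodes it and
            // prefixes {custom:alias}.
            byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
            return new EncryptedInfo(out, alias);
        } catch (Exception e) {
            throw new PasswordEncryptException("encrypt failed: " + e.getMessage());
        }
    }

    @Override
    public byte[] decrypt(EncryptedInfo info) throws PasswordDecryptException {
        try {
            byte[] in = info.getEncryptedBytes();
            if (in == null || in.length <= IV_BYTES) {
                throw new IllegalArgumentException("ciphertext too short");
            }
            byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
            byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            // The alias the runtime stripped from the {custom:alias} tag selects the key.
            c.init(Cipher.DECRYPT_MODE, keyFor(info.getKeyAlias()), new GCMParameterSpec(TAG_BITS, iv));
            return c.doFinal(ct);                    // throws AEADBadTagException if altered or wrong key
        } catch (Exception e) {
            throw new PasswordDecryptException("decrypt failed: " + e.getMessage());
        }
    }

    @Override
    public void initialize(HashMap initializationData) {
        // Reserved by the runtime and not currently called; nothing to do.
    }
}
```

A keystore for this class can be created with keytool (for example `keytool -genseckey -keyalg AES -keysize 256 -alias pwdkey1 -storetype PKCS12 -keystore pwd.p12`); to rotate, add a new alias and point the current-alias property at it, leaving the old entry in place so existing tagged passwords remain decryptable. Because GCM authenticates the ciphertext, a password value that has been edited in a configuration file fails with a PasswordDecryptException rather than yielding garbage.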