Are Spring Security RememberMe tokens case-sensitive?

While generating my Spring Security 4.0.1 RememberMe token, I found that this token-generation code fails when the token is decoded:

  import java.security.MessageDigest;
  import java.util.Base64;
  import java.util.Base64.Encoder;
  import javax.xml.bind.DatatypeConverter;
  // printHexBinary emits UPPERCASE hex digits; the remember-me decoder rejects this signature
  MessageDigest md5Digest = MessageDigest.getInstance("MD5");
  String md5String = DatatypeConverter.printHexBinary(md5Digest.digest((emailAddress + ":" + expiryTime + ":" + password + ":" + key).getBytes()));
  String token = emailAddress + ":" + expiryTime + ":" + md5String;
  Encoder encoder = Base64.getEncoder();
  String encodedToken = encoder.encodeToString(token.getBytes());

But this code succeeds:

  // same digest as above, lowercased so it matches what the decoder computes
  String md5String = DatatypeConverter.printHexBinary(md5Digest.digest((emailAddress + ":" + expiryTime + ":" + password + ":" + key).getBytes())).toLowerCase();

The token decoder expects the MD5 string to be lowercase, even though the generated MD5 string is uppercase.

Here is the originally generated md5String (before toLower()):

testLogin: md5String: E34B931F1F6C02C344AB28A8103F6D23

Here is the error message showing the lowercase expectation:

Invalid remember-me cookie: Cookie token[2] contained signature 'E34B931F1F6C02C344AB28A8103F6D23' but expected 'e34b931f1f6c02c344ab28a8103f6d23'

(I have an extractRememberMeCookie override that fakes the cookie from a header.)

Is there a better way that doesn't involve the toLower() hack?

The problem here is Hex.encode, which uses all-lowercase characters.

https://github.com/spring-projects/spring-security/blob/master/crypto/src/main/java/org/springframework/security/crypto/codec/Hex.java
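To make the mismatch in the question concrete, here is an added, JDK-only example (not code from the question, and not Spring Security's own implementation) that builds a token in the layout the question uses, base64("user:expiry:md5hex(user:expiry:password:key)"), with the signature rendered as lowercase hex from the start, so no toLowerCase() is needed. The check side compares hex signatures as strings, which is why 'E34B...' never equals 'e34b...'. UTF-8 as the charset, the two-week expiry, the sample user/password/key values, and the constant-time MessageDigest.isEqual comparison are all choices made here, not facts the page states about Spring's decoder.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added example, not code from the question or from Spring Security. It builds a token in the
// layout the question uses, base64("user:expiry:md5hex(user:expiry:password:key)"), and checks
// it the way the decoder in the error message does: by comparing hex signatures as strings.
public class RememberMeTokenDemo {

    // Lowercase hex, the same alphabet Spring's Hex.encode uses (no toLowerCase() needed).
    static String toLowerHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // MD5 over "user:expiry:password:key" as lowercase hex. UTF-8 is an assumption made here;
    // the question's code uses the platform default charset via getBytes().
    static String signature(String user, long expiry, String password, String key) {
        try {
            MessageDigest md5 = MessageDigest.getInstance("MD5");
            String data = user + ":" + expiry + ":" + password + ":" + key;
            return toLowerHex(md5.digest(data.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    // The cookie value: base64 of "user:expiry:signature".
    static String makeToken(String user, long expiry, String password, String key) {
        String token = user + ":" + expiry + ":" + signature(user, expiry, password, key);
        return Base64.getEncoder().encodeToString(token.getBytes(StandardCharsets.UTF_8));
    }

    // Decodes a cookie value and checks its layout, expiry and signature.
    // Returns the user name on success and null when the token is rejected.
    static String verify(String cookieValue, String password, String key, long now) {
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(cookieValue), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64
        }
        String[] parts = decoded.split(":");
        if (parts.length != 3) {
            return null;
        }
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            return null;
        }
        if (expiry < now) {
            return null;
        }
        String expected = signature(parts[0], expiry, password, key);
        // Byte-wise comparison of the hex strings: 'E34B...' and 'e34b...' differ, which is exactly
        // the mismatch in the question. MessageDigest.isEqual runs in constant time; that is a design
        // choice here, not something the page states about Spring's own check.
        byte[] got = parts[2].getBytes(StandardCharsets.US_ASCII);
        byte[] want = expected.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(want, got) ? parts[0] : null;
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        long expiry = now + 14L * 24 * 60 * 60 * 1000; // two weeks from now (constructed value)
        String cookie = makeToken("alice@example.com", expiry, "s3cret", "server-side-key");
        System.out.println("cookie value:       " + cookie);
        System.out.println("verified user:      " + verify(cookie, "s3cret", "server-side-key", now));

        // Same token with the signature uppercased, as DatatypeConverter.printHexBinary would emit it.
        String[] p = new String(Base64.getDecoder().decode(cookie), StandardCharsets.UTF_8).split(":");
        String upperToken = p[0] + ":" + p[1] + ":" + p[2].toUpperCase();
        String upperCookie = Base64.getEncoder().encodeToString(upperToken.getBytes(StandardCharsets.UTF_8));
        System.out.println("uppercase accepted: " + (verify(upperCookie, "s3cret", "server-side-key", now) != null));

        // Wrong server-side key: the recomputed signature no longer matches.
        System.out.println("wrong key accepted: " + (verify(cookie, "s3cret", "other-key", now) != null));
    }
}
```

If the spring-security-crypto jar is already on the classpath, `new String(Hex.encode(digest))` from the Hex class linked above produces the same lowercase hex as `toLowerHex` here, which keeps the generator and the decoder on one encoding routine instead of relying on a post-hoc toLowerCase().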