最新消息:

前端登录密码加密传输

tools admin_ad 308浏览 0评论

在HTTPS还没有普及的时候,前端采用HTTP协议,登录用户名和密码在不做任何控制的情况下是明文传输的,大量的网站都需要登录,大量的人使用同样的用户名和密码。

目的:防止登录密码名文传输(仅仅只是防止明文传输,加密效果取决于key,而key对于前台是透明的)

方式:前端页面用js加密前端登录密码,采用AES对称加密

一、前端JS加密库crypto-js

因为懒,所以直接引入整个加密库,可以根据所需要的加密算法分别引入,下载地址crypto-js

如果是分别引入,记得别忘记引入核心库core

二、前端页面代码

因为需要加密密码,所以把提交方式换成了ajax

AES加密的key为128bit,可以理解为16个字符。key由后端生成并送入前端。

复制代码
<!DOCTYPE html>
<html lang="en"
      xmlns:th="http://www.w3.org/1999/xhtml"
>
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="../../static/css/bootstrap.min.css" th:href="@{/css/bootstrap.min.css}">

    <script src="../../static/js/jquery-3.3.1.min.js" th:src="@{/js/jquery-3.3.1.min.js}"></script>
    <script src="../../static/js/bootstrap.min.js" th:src="@{/js/bootstrap.min.js}"></script>
    <script src="../../static/js/crypto-js.js" th:src="@{/js/crypto-js.js}"></script>


    <title>用户登录</title>

    <style>
        .bgColor {
            background-color: rgba(243, 66, 111, 0.15)
        }

        .divBorder {
            border: solid 1px rgba(12, 24, 255, 0.15);
            padding: 10px;
            margin-top: 10px;
            border-radius: 10px;
            text-align: center;
            vertical-align: middle;
        }

        .h4font {
            margin-top: 0px;
            font-family: 微软雅黑;
            font-weight: 500;
        }

        .center {
            padding: 20% 0;
        }

        .verifyInput {
            vertical-align: middle;
            font-size: 14px;
            font-weight: normal;
            line-height: 1;
            /*border:1px solid #999;*/
            float: left;
            width: 180px;
            height: 30px;

        }

        .verifyImage {
            vertical-align: middle;
            float: right;
            height: 30px;
        }

    </style>


</head>
<body>

<div class="container">
    <div class="row center">
        <div class="divBorder col-sm-offset-4 col-sm-4">
            <h3 class="panel panel-heading h4font">
                用户登录
            </h3>
            <h4 name="msg" th:text="${msg}"></h4>
            <input type="hidden" name="key" th:value="${key}">
            <!--<form class="form-horizontal" th:action="@{/login}" method="post">-->
            <form class="form-horizontal" method="post">
                <div class="input-group">
                    <span class="input-group-addon"><i class="glyphicon glyphicon-user" aria-hidden="true"></i></span>
                    <input type="text" class="form-control" name="userName" placeholder="请输入用户名称"
                           th:value="${userName}"/>
                </div>
                <br>
                <div class="input-group">
                    <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span>
                    <input type="password" class="form-control" name="password" th:value="${password}"
                           placeholder="请输入密码"/>
                </div>
                <br/>
                <div class="input-group">
                    <span class="input-group-addon"><i class="glyphicon glyphicon-font"></i></span>
                    <input type="text" class="verifyInput" name="verifyCode" placeholder="验证码"/>
                    <img class="verifyImage" alt="验证码" onclick="this.src='/getVerifyCode?d='+new Date()*1"
                         src="/getVerifyCode">
                </div>

                <br>
                <input type="button" name="btnLogin" class="btn btn-lg btn-block btn-info" value="登 录">
            </form>
        </div>


    </div>

</div>
<script th:inline="javascript">
    $(function () {
        $('input[name="btnLogin"]').click(function () {
            var $key = $('input[name="key"]').val();
            var $userName = $('input[name="userName"]').val();
            var $password = $('input[name="password"]').val();
            var $verifyCode = $('input[name="verifyCode"]').val();
//            console.log($userName + ",  " + $password + ", " + $verifyCode + ", " + $key);
            if ($userName == "" || $password == "" || $verifyCode == "") {
                alert("用户名、密码、验证码不能为空!");
                return false;
            }

            var key = CryptoJS.enc.Utf8.parse($key);
            console.log("key:" + key + ",$key:" + $key);
            var password = CryptoJS.enc.Utf8.parse($password);
            var encrypted = CryptoJS.AES.encrypt(password, key, {mode: CryptoJS.mode.ECB, padding: CryptoJS.pad.Pkcs7});
            var encryptedPwd = encrypted.toString();

//            console.log("encrypted:" + encrypted);
//            console.log("encryptedPwd:" + encryptedPwd);

            var decrypt = CryptoJS.AES.decrypt(encryptedPwd, key, {
                mode: CryptoJS.mode.ECB,
                padding: CryptoJS.pad.Pkcs7
            });
            var testDecryptStr = CryptoJS.enc.Utf8.stringify(decrypt).toString();

//            console.log("decrypt:" + decrypt);
//            console.log("testDecryptStr:" + testDecryptStr);


            $.ajax({
                type: "post",
                url: "/login",
                data: {userName: $userName, password: encryptedPwd, verifyCode: $verifyCode,key: $key},
                dataType: "json",
                success: function (result) {
//                    console.log(result);
                    if(result.success)
                    {
                        window.location.href=result.url;
                    }
                    else
                    {
                        $('h4[name="msg"]').html(result.msg);
                        alert(result.msg);
                    }
//                    window.location.replace(result.url);
//                    $('#container').load(result.url);
                },
                error: function (result) {
//                        console.log(result);
                    alert(result.responseText);
                }
            });

        })
    })
</script>


</body>
</html>
复制代码

 

三、后端解密代码

后端PKCS5Padding补码方式和前端的CryptoJS.pad.Pkcs7效果一致

 

复制代码
public class AesUtils {
    private static final String ALGORITHMSTR = "AES/ECB/PKCS5Padding";

    public static String encrypt(String content, String key) {
        try {
            byte[] raw = key.getBytes();  //获得密码的字节数组
            SecretKeySpec skey = new SecretKeySpec(raw, "AES"); //根据密码生成AES密钥
            Cipher cipher = Cipher.getInstance(ALGORITHMSTR);  //根据指定算法ALGORITHM自成密码器
            cipher.init(Cipher.ENCRYPT_MODE, skey); //初始化密码器,第一个参数为加密(ENCRYPT_MODE)或者解密(DECRYPT_MODE)操作,第二个参数为生成的AES密钥
            byte [] byte_content = content.getBytes("utf-8"); //获取加密内容的字节数组(设置为utf-8)不然内容中如果有中文和英文混合中文就会解密为乱码
            byte [] encode_content = cipher.doFinal(byte_content); //密码器加密数据
            return Base64.encodeBase64String(encode_content); //将加密后的数据转换为字符串返回
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    public static String decrypt(String encryptStr, String decryptKey) {
        try {
            byte[] raw = decryptKey.getBytes();  //获得密码的字节数组
            SecretKeySpec skey = new SecretKeySpec(raw, "AES"); //根据密码生成AES密钥
            Cipher cipher = Cipher.getInstance(ALGORITHMSTR);  //根据指定算法ALGORITHM自成密码器
            cipher.init(Cipher.DECRYPT_MODE, skey); //初始化密码器,第一个参数为加密(ENCRYPT_MODE)或者解密(DECRYPT_MODE)操作,第二个参数为生成的AES密钥
            byte [] encode_content = Base64.decodeBase64(encryptStr); //把密文字符串转回密文字节数组
            byte [] byte_content = cipher.doFinal(encode_content); //密码器解密数据
            return new String(byte_content,"utf-8"); //将解密后的数据转换为字符串返回
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }
}
复制代码

 

四、controller贴一把

复制代码
@Controller
public class HomeController {
    @Resource
    private LoginService loginService;

    @Resource
    DefaultKaptcha defaultKaptcha;

    @Resource
    LogService logService;

    private long verifyTTL = 60;//验证码过期时间60秒

    private String create16String()
    {
        return RandomUtils.generateString(16);
    }

    @RequestMapping({"/", "/index"})
    public String index() {
        return "index";
    }


    /**
     * 2、生成验证码
     *
     * @param request
     * @param response
     * @throws Exception
     */
    @RequestMapping("/getVerifyCode")
    public void defaultKaptcha(HttpServletRequest request, HttpServletResponse response)
            throws Exception {
       略...   
    }


    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public String toLogin(Map<String, Object> map, HttpServletRequest request) {
        String key = create16String();        
        map.put("key",key);
        return "/user/login";
    }

    @RequestMapping(value = "/login", method = RequestMethod.POST)
    @ResponseBody
    public Object login(HttpServletRequest request) throws Exception {
        System.out.println("login()");
        Map<String, Object> map = new HashMap<>();
        String userName = request.getParameter("userName");
        String encryptedPassword = request.getParameter("password");
        String key = request.getParameter("key");



        String verifyCode = request.getParameter("verifyCode");
        String rightCode = (String) request.getSession().getAttribute("verifyCode");
        Long verifyCodeTTL = (Long) request.getSession().getAttribute("verifyCodeTTL");

        String password = AesUtils.decrypt(encryptedPassword,key);

        Long currentMillis = System.currentTimeMillis();
        if (rightCode == null || verifyCodeTTL == null) {
            map.put("msg", "请刷新图片,输入验证码!");
            map.put("userName", userName);
            map.put("success",false);
            map.put("url","/user/login");
            return map;
        }
        Long expiredTime = (currentMillis - verifyCodeTTL) / 1000;
        if (expiredTime > this.verifyTTL) {
            map.put("msg", "验证码过期,请刷新图片重新输入!");
            map.put("userName", userName);
            map.put("success",false);
            map.put("url","/user/login");
            return map;
        }

        if (!verifyCode.equalsIgnoreCase(rightCode)) {
            map.put("msg", "验证码错误,请刷新图片重新输入!");
            map.put("userName", userName);
            map.put("success",false);
            map.put("url","/user/login");
            return map;
//            return "/user/login";
        }

        LoginResult loginResult = loginService.login(userName, password);
        if (loginResult.isLogin()) {
            map.put("userName", userName);
            SysLog sysLog = LogFactory.createSysLog("登录","登录成功");
            logService.writeLog(sysLog);
            map.put("success",true);
            map.put("url","/index");
            return map;
//            return "/index";
        } else {
            map.put("msg", loginResult.getResult());
            map.put("userName", userName);
            map.put("success",false);
            map.put("url","/user/login");
            return map;
//            return "/user/login";
        }
    }
}
复制代码

转载请注明:VPS驿站 » 前端登录密码加密传输

发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址