Verify BCrypt Hash password when Login
我正在使用Net bean IDE来创建我的登录表单和servlet。当密码存储在数据库中并且成功时,我使用BCrypt哈希方法来保护密码。但是当我要登录时,它总是显示"无效凭据"
我该怎么解决
这是我的CompanyLoging.jsp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 | <%@page contentType="text/html" pageEncoding="UTF-8"%> <!DOCTYPE html> <html lang="en"> <head> </head> <body style="background-color: #666666;"> <% Cookie[] cookies=request.getCookies(); String email ="", password ="",rememberVal=""; if (cookies != null) { for (Cookie cookie : cookies) { if(cookie.getName().equals("cookuser")) { email = cookie.getValue(); } if(cookie.getName().equals("cookpass")){ password = cookie.getValue(); } if(cookie.getName().equals("cookrem")){ rememberVal = cookie.getValue(); } } } %> <form class="login100-form validate-form" action="CompanyLogin" method="post"> <span class="login100-form-title p-b-43"> Login to continue </span> <input class="input100" type="text" name="email"> <span class="focus-input100"></span> <span class="label-input100">Email</span> <input class="input100" type="password" name="pass" autocomplete="off"> <span class="focus-input100"></span> <span class="label-input100">Password</span> <label>Remember me?</label> <input type="checkbox" name="remember_me" value="1" <%="1".equals(rememberVal.trim()) %>> Forgot Password? <button class="login100-form-btn"> Login </button> <span class="login100-form-btn2"> or sign up </span> </form> </body> </html> |
这是我的CompanyLog.java
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String email = request.getParameter("email"); String password = request.getParameter("pass"); String hashPass = BCrypt.hashpw(password, BCrypt.gensalt(12)); try { connection = Connector.ConnectDb(); PreparedStatement pst = connection.prepareStatement("SELECT * FROM Company WHERE Email= '"+email+"' AND Password='"+hashPass+"'"); ResultSet rs = pst.executeQuery(); if (rs.next()) { if(request.getParameter("remember_me") != null) { String remember = request.getParameter("remember_me"); Cookie cemail = new Cookie("cookuser", email.trim()); Cookie cPassword = new Cookie("cookpass", password.trim()); Cookie cRemember = new Cookie("cookrem", remember.trim()); cemail.setMaxAge(60 * 60 * 24 * 15);//15 days cPassword.setMaxAge(60 * 60 * 24 * 15); cRemember.setMaxAge(60 * 60 * 24 * 15); response.addCookie(cemail); response.addCookie(cPassword); response.addCookie(cRemember); } HttpSession httpSession = request.getSession(); httpSession.setAttribute("sessuser", email.trim()); RequestDispatcher requestDispatcher = request.getRequestDispatcher("CompanyDashboard.jsp"); requestDispatcher.forward(request, response); } else { PrintWriter out=response.getWriter(); out.println("<script type="text/javascript">"); out.println("alert('Invalid Credentials');"); out.println("location='CompanyLogin.jsp';"); out.println(""); } } catch (IOException | SQLException | ServletException e) { PrintWriter out=response.getWriter(); out.println("Error :" + e); } } |
这是我的数据库的样子
您尚未发布申请的注册部分,但我怀疑该问题是由您的登录部分中的以下行引起的:
1 |
会为新的salt创建密码哈希。当然,这与在注册部分创建的密码哈希(并存储在数据库的
1 |
原则上,可以从存储的BCrypt哈希中重建salt(如果您对此感兴趣,可以在bcrypt如何使用内置salt吗?中详细解释
但是,有一种更简单的方法(这也是预期的方法):您可以使用
1 | boolean isAuthenticated = BCrypt.checkpw(candidatePassword, passwordHash); |
在这里,
如果您使用这种方法,则必须相应地调整数据库访问权限,例如类似于(尚未测试!):
1 2 3 4 5 6 7 8 9 10 11 12 | protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { String email = request.getParameter("email"); String password = request.getParameter("pass"); try { connection = Connector.ConnectDb(); PreparedStatement pst = connection.prepareStatement("SELECT * FROM Company WHERE Email= '"+email+"'"); ResultSet rs = pst.executeQuery(); while (rs.next()) { if (BCrypt.checkpw(password, rs.getString("Password"))) { ... |