Obtaining an InitialContext from Weblogic without using clear text password

橙三吉。 submitted on 2020-01-04 04:33:12

Question


I can obtain the Weblogic InitialContext from a JNDI Client using the following properties as the Environment parameters for InitialContext:

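import java.util.Hashtable;
import javax.naming.InitialContext;

Hashtable<String, String> jndiProps = new Hashtable<>();
// factory.initial takes the context factory class; provider.url takes the server URL
jndiProps.put("java.naming.factory.initial", "weblogic.jndi.WLInitialContextFactory");
jndiProps.put("java.naming.provider.url", "t3://localhost:7001");
jndiProps.put("java.naming.security.principal", "weblogic");
// The password is passed here in cleartext
jndiProps.put("java.naming.security.credentials", "weblogic");

InitialContext ctx = new InitialContext(jndiProps);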

The question is, is there a way to obtain the InitialContext without specifying the security.credentials as cleartext but maybe as a hashed value?


Answer 1:


You could use symmetric encryption, encrypt the password value and store this in the properties file. Then before creating the initial context read the property value, decrypt it and update the property before passing the jndiProps object to the InitialContext constructor.

The encryption key would still be on the client but it's going to stop someone casually reading the property file to find out the password.

Using SSL is also a good idea for protecting the password as it is transmitted between the client and the server.




Answer 2:


Simply hashing the password has no real added security value, since your password resides on the client anyway.

The biggest gains are to be had by using SSL encryption on your channel first with t3s and secondly a user with the least amount of privileges instead of the admin user "weblogic".



Source: https://stackoverflow.com/questions/527360/obtaining-an-intialcontext-from-weblogic-without-using-clear-text-password
