在Play Session Cookie中加密数据

时间:2014-01-24 18:51:35

标签: scala cookies encryption playframework-2.0 session-cookies

我在Play中存储了一些小块用户数据!会话cookie,以实现无状态服务器。有四个数据。出于安全考虑,我想加密其中两个。我正在使用Play Crypto库。加密看起来像这样(假设encryptKey是一个有效的16字节字符串):

Redirect(successRedirectURL).withSession("id" -> (userProfile.get \ "_id").as[String],
                                         "name" -> Crypto.encryptAES(name, encryptKey),
                                         "imageUrl" -> { if (imageUrl.isEmpty) "" else imageUrl.get },
                                         "email" -> Crypto.encryptAES((userProfile.get \ "email").as[String]))

解密看起来像这样:

def getUserName[A](implicit request: SecuredRequest[A]): String = Crypto.decryptAES(request.session.get("name").get, encryptKey)
def getUserEmail[A](implicit request: SecuredRequest[A]): String = Crypto.decryptAES(request.session.get("email").get, encryptKey)

现在,用户名解密就好了。电子邮件没有。我直接输入加密字符串来验证它不是会话机制,我得到了相同的行为。我打电话给getUserEmail时得到的堆栈跟踪是这样的:

play.api.Application$$anon$1: Execution exception[[BadPaddingException: Given final block not properly padded]]
    at play.api.Application$class.handleError(Application.scala:293) ~[play_2.10.jar:2.2.1]
    at play.api.DefaultApplication.handleError(Application.scala:399) [play_2.10.jar:2.2.1]
    at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$12$$anonfun$apply$1.applyOrElse(PlayDefaultUpstreamHandler.scala:165) [play_2.10.jar:2.2.1]
    at play.core.server.netty.PlayDefaultUpstreamHandler$$anonfun$12$$anonfun$apply$1.applyOrElse(PlayDefaultUpstreamHandler.scala:162) [play_2.10.jar:2.2.1]
    at scala.runtime.AbstractPartialFunction.apply(AbstractPartialFunction.scala:33) [scala-library.jar:na]
    at scala.util.Failure$$anonfun$recover$1.apply(Try.scala:185) [scala-library.jar:na]
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:811) ~[na:na]
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:676) ~[na:na]
    at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:313) ~[na:na]
    at javax.crypto.Cipher.doFinal(Cipher.java:2087) ~[na:1.7.0_10]
    at play.api.libs.Crypto$.decryptAES(Crypto.scala:229) ~[play_2.10.jar:2.2.1]
    at play.api.libs.Crypto.decryptAES(Crypto.scala) ~[play_2.10.jar:2.2.1]

我试图找出如何设置它不做填充,但我无法找到我的application.conf中application.crypto.providerapplication.crypto.aes.transformation的值。有什么想法吗?

1 个答案:

答案 0 :(得分:2)

在您的加密中:

Redirect(successRedirectURL).withSession("id" -> (userProfile.get \ "_id").as[String],
                                     "name" -> Crypto.encryptAES(name, encryptKey),
                                     "imageUrl" -> { if (imageUrl.isEmpty) "" else imageUrl.get },
                                     "email" -> Crypto.encryptAES((userProfile.get \ "email").as[String]))

我发现电子邮件 encryptAES 未通过加密密钥,与名称一样。< / p>

这是一个错字,还是与你的问题有关?

尝试:

"email" -> Crypto.encryptAES((userProfile.get \ "email").as[String]), encryptKey)