文档首页
MySQL Connector/NET 开发人员指南
相关文档 下载本手册
PDF (US Ltr) - 1.3Mb
PDF (A4) - 1.3Mb


MySQL Connector/NET 开发人员指南  /  Connector/NET 编程  /  编写自定义身份验证插件

5.8 编写自定义身份验证插件

具有特殊安全要求的进阶用户可以为 MySQL Connector/NET 应用程序创建自己的身份验证插件。您可以扩展握手协议,添加自定义逻辑。有关 MySQL 身份验证插件的背景和使用信息,请参见身份验证插件编写身份验证插件.

要编写自定义身份验证插件,您需要引用程序集 MySql.Data.dll。与编写身份验证插件相关的类位于命名空间 MySql.Data.MySqlClient.Authentication 中。

自定义身份验证插件的工作原理

在握手过程中的某个时刻,会调用内部方法

void Authenticate(bool reset)

MySqlAuthenticationPlugin。该方法反过来会调用当前插件的几个可重写方法。

创建身份验证插件类

您将身份验证插件逻辑放在从 MySql.Data.MySqlClient.Authentication.MySqlAuthenticationPlugin 派生的新类中。以下方法可供重写

protected virtual void CheckConstraints()
protected virtual void AuthenticationFailed(Exception ex)
protected virtual void AuthenticationSuccessful()
protected virtual byte[] MoreData(byte[] data)
protected virtual void AuthenticationChange()
public abstract string PluginName { get; }
public virtual string GetUsername()
public virtual object GetPassword()
protected byte[] AuthData;

以下是每个方法的简要说明

/// <summary>
/// This method must check authentication method specific constraints in the
environment and throw an Exception
/// if the conditions are not met. The default implementation does nothing.
/// </summary>
protected virtual void CheckConstraints()

/// <summary>
/// This method, called when the authentication failed, provides a chance to
plugins to manage the error
/// the way they consider decide (either showing a message, logging it, etc.).
/// The default implementation wraps the original exception in a MySqlException
with an standard message and rethrows it.
/// </summary>
/// <param name="ex">The exception with extra information on the error.</param>
protected virtual void AuthenticationFailed(Exception ex)

/// <summary>
/// This method is invoked when the authentication phase was successful accepted
by the server.
/// Derived classes must override this if they want to be notified of such
condition.
/// </summary>
/// <remarks>The default implementation does nothing.</remarks>
protected virtual void AuthenticationSuccessful()

/// <summary>
/// This method provides a chance for the plugin to send more data when the
server requests so during the
/// authentication phase. This method will be called at least once, and more
than one depending upon whether the
/// server response packets have the 0x01 prefix.
/// </summary>
/// <param name="data">The response data from the server, during the
authentication phase the first time is called is null, in
subsequent calls contains the server response.</param>
/// <returns>The data generated by the plugin for server consumption.</returns>
/// <remarks>The default implementation always returns null.</remarks>
protected virtual byte[] MoreData(byte[] data)

/// <summary>
/// The plugin name.
/// </summary>
public abstract string PluginName { get; }

/// <summary>
/// Gets the user name to send to the server in the authentication phase.
/// </summary>
/// <returns>An string with the user name</returns>
/// <remarks>Default implementation returns the UserId passed from the
connection string.</remarks>
public virtual string GetUsername()

/// <summary>
/// Gets the password to send to the server in the authentication phase. This
can be a string or a
/// </summary>
/// <returns>An object, can be byte[], string or null, with the password.
</returns>
/// <remarks>Default implementation returns null.</remarks>
public virtual object GetPassword()

/// <summary>
/// The authentication data passed when creating the plugin.
/// For example in mysql_native_password this is the seed to encrypt the
password.
/// </summary>
protected byte[] AuthData;

身份验证插件示例

此示例演示了如何创建身份验证插件,然后通过配置文件启用它。

  1. 创建一个控制台应用程序,并添加对 MySql.Data.dll 的引用。

  2. 按如下方式设计主 C# 程序

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    using MySql.Data.MySqlClient;
    
    namespace AuthPluginTest
    {
      class Program
      {
        static void Main(string[] args)
        {
          // Customize the connection string as necessary.
          MySqlConnection con = new MySqlConnection("server=localhost;
          database=test; user id=myuser; password=mypass");
          con.Open();
          con.Close();
        }
      }
    }
  3. 创建您的插件类。在本示例中,我们通过仅使用原始插件中的相同代码,添加了对“本机”密码插件的“替代”实现。

    注意

    从 MySQL 服务器 8.4.0 开始,mysql_native_password 插件默认情况下处于禁用状态,并且从 MySQL 服务器 9.0.0 开始已移除。

    我们将类命名为 MySqlNativePasswordPlugin2

    using System.IO;
    using System;
    using System.Text;
    using System.Security.Cryptography;
    using MySql.Data.MySqlClient.Authentication;
    using System.Diagnostics;
    
    namespace AuthPluginTest
    {
      public class MySqlNativePasswordPlugin2 : MySqlAuthenticationPlugin
      {
        public override string PluginName
        {
          get { return "mysql_native_password"; }
        }
    
        public override object GetPassword()
        {
          Debug.WriteLine("Calling MySqlNativePasswordPlugin2.GetPassword");
          return Get411Password(Settings.Password, AuthData);
        }
    
        /// <summary>
        /// Returns a byte array containing the proper encryption of the
        /// given password/seed according to the new 4.1.1 authentication scheme.
        /// </summary>
        /// <param name="password"></param>
        /// <param name="seed"></param>
        /// <returns></returns>
        private byte[] Get411Password(string password, byte[] seedBytes)
        {
          // if we have no password, then we just return 1 zero byte
          if (password.Length == 0) return new byte[1];
    
          SHA1 sha = new SHA1CryptoServiceProvider();
    
          byte[] firstHash = sha.ComputeHash(Encoding.Default.GetBytes(password));
          byte[] secondHash = sha.ComputeHash(firstHash);
    
          byte[] input = new byte[seedBytes.Length + secondHash.Length];
          Array.Copy(seedBytes, 0, input, 0, seedBytes.Length);
          Array.Copy(secondHash, 0, input, seedBytes.Length, secondHash.Length);
          byte[] thirdHash = sha.ComputeHash(input);
    
          byte[] finalHash = new byte[thirdHash.Length + 1];
          finalHash[0] = 0x14;
          Array.Copy(thirdHash, 0, finalHash, 1, thirdHash.Length);
    
          for (int i = 1; i < finalHash.Length; i++)
            finalHash[i] = (byte)(finalHash[i] ^ firstHash[i - 1]);
          return finalHash;
        }
      }
    }

    请注意,插件实现仅重写了 GetPassword,并提供了一个实现来使用 4.1 协议加密密码。在 GetPassword 主体中添加以下行,以确认插件已有效使用。

    Debug.WriteLine("Calling MySqlNativePasswordPlugin2.GetPassword");
    提示

    您也可以在该方法上设置断点。

  4. 在配置文件中启用新插件

    <?xml version="1.0"?>
    <configuration>
      <configSections>
        <section name="MySQL" type="MySql.Data.MySqlClient.MySqlConfiguration,
    MySql.Data"/>
      </configSections>
      <MySQL>
        <AuthenticationPlugins>
          <add name="mysql_native_password"
    type="AuthPluginTest.MySqlNativePasswordPlugin2, AuthPluginTest"></add>
        </AuthenticationPlugins>  
      </MySQL>
    <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
    </startup></configuration>
  5. 运行应用程序。在 Visual Studio 中,您将在调试窗口中看到消息 Calling MySqlNativePasswordPlugin2.GetPassword

继续增强身份验证逻辑,如果您需要,可以重写更多方法。