具有特殊安全要求的进阶用户可以为 MySQL Connector/NET 应用程序创建自己的身份验证插件。您可以扩展握手协议,添加自定义逻辑。有关 MySQL 身份验证插件的背景和使用信息,请参见身份验证插件 和 编写身份验证插件.
要编写自定义身份验证插件,您需要引用程序集 MySql.Data.dll
。与编写身份验证插件相关的类位于命名空间 MySql.Data.MySqlClient.Authentication
中。
自定义身份验证插件的工作原理
在握手过程中的某个时刻,会调用内部方法
void Authenticate(bool reset)
的 MySqlAuthenticationPlugin
。该方法反过来会调用当前插件的几个可重写方法。
创建身份验证插件类
您将身份验证插件逻辑放在从 MySql.Data.MySqlClient.Authentication.MySqlAuthenticationPlugin
派生的新类中。以下方法可供重写
protected virtual void CheckConstraints()
protected virtual void AuthenticationFailed(Exception ex)
protected virtual void AuthenticationSuccessful()
protected virtual byte[] MoreData(byte[] data)
protected virtual void AuthenticationChange()
public abstract string PluginName { get; }
public virtual string GetUsername()
public virtual object GetPassword()
protected byte[] AuthData;
以下是每个方法的简要说明
/// <summary>
/// This method must check authentication method specific constraints in the
environment and throw an Exception
/// if the conditions are not met. The default implementation does nothing.
/// </summary>
protected virtual void CheckConstraints()
/// <summary>
/// This method, called when the authentication failed, provides a chance to
plugins to manage the error
/// the way they consider decide (either showing a message, logging it, etc.).
/// The default implementation wraps the original exception in a MySqlException
with an standard message and rethrows it.
/// </summary>
/// <param name="ex">The exception with extra information on the error.</param>
protected virtual void AuthenticationFailed(Exception ex)
/// <summary>
/// This method is invoked when the authentication phase was successful accepted
by the server.
/// Derived classes must override this if they want to be notified of such
condition.
/// </summary>
/// <remarks>The default implementation does nothing.</remarks>
protected virtual void AuthenticationSuccessful()
/// <summary>
/// This method provides a chance for the plugin to send more data when the
server requests so during the
/// authentication phase. This method will be called at least once, and more
than one depending upon whether the
/// server response packets have the 0x01 prefix.
/// </summary>
/// <param name="data">The response data from the server, during the
authentication phase the first time is called is null, in
subsequent calls contains the server response.</param>
/// <returns>The data generated by the plugin for server consumption.</returns>
/// <remarks>The default implementation always returns null.</remarks>
protected virtual byte[] MoreData(byte[] data)
/// <summary>
/// The plugin name.
/// </summary>
public abstract string PluginName { get; }
/// <summary>
/// Gets the user name to send to the server in the authentication phase.
/// </summary>
/// <returns>An string with the user name</returns>
/// <remarks>Default implementation returns the UserId passed from the
connection string.</remarks>
public virtual string GetUsername()
/// <summary>
/// Gets the password to send to the server in the authentication phase. This
can be a string or a
/// </summary>
/// <returns>An object, can be byte[], string or null, with the password.
</returns>
/// <remarks>Default implementation returns null.</remarks>
public virtual object GetPassword()
/// <summary>
/// The authentication data passed when creating the plugin.
/// For example in mysql_native_password this is the seed to encrypt the
password.
/// </summary>
protected byte[] AuthData;
身份验证插件示例
此示例演示了如何创建身份验证插件,然后通过配置文件启用它。
创建一个控制台应用程序,并添加对
MySql.Data.dll
的引用。按如下方式设计主 C# 程序
using System; using System.Collections.Generic; using System.Linq; using System.Text; using MySql.Data.MySqlClient; namespace AuthPluginTest { class Program { static void Main(string[] args) { // Customize the connection string as necessary. MySqlConnection con = new MySqlConnection("server=localhost; database=test; user id=myuser; password=mypass"); con.Open(); con.Close(); } } }
创建您的插件类。在本示例中,我们通过仅使用原始插件中的相同代码,添加了对“本机”密码插件的“替代”实现。
注意从 MySQL 服务器 8.4.0 开始,mysql_native_password 插件默认情况下处于禁用状态,并且从 MySQL 服务器 9.0.0 开始已移除。
我们将类命名为
MySqlNativePasswordPlugin2
using System.IO; using System; using System.Text; using System.Security.Cryptography; using MySql.Data.MySqlClient.Authentication; using System.Diagnostics; namespace AuthPluginTest { public class MySqlNativePasswordPlugin2 : MySqlAuthenticationPlugin { public override string PluginName { get { return "mysql_native_password"; } } public override object GetPassword() { Debug.WriteLine("Calling MySqlNativePasswordPlugin2.GetPassword"); return Get411Password(Settings.Password, AuthData); } /// <summary> /// Returns a byte array containing the proper encryption of the /// given password/seed according to the new 4.1.1 authentication scheme. /// </summary> /// <param name="password"></param> /// <param name="seed"></param> /// <returns></returns> private byte[] Get411Password(string password, byte[] seedBytes) { // if we have no password, then we just return 1 zero byte if (password.Length == 0) return new byte[1]; SHA1 sha = new SHA1CryptoServiceProvider(); byte[] firstHash = sha.ComputeHash(Encoding.Default.GetBytes(password)); byte[] secondHash = sha.ComputeHash(firstHash); byte[] input = new byte[seedBytes.Length + secondHash.Length]; Array.Copy(seedBytes, 0, input, 0, seedBytes.Length); Array.Copy(secondHash, 0, input, seedBytes.Length, secondHash.Length); byte[] thirdHash = sha.ComputeHash(input); byte[] finalHash = new byte[thirdHash.Length + 1]; finalHash[0] = 0x14; Array.Copy(thirdHash, 0, finalHash, 1, thirdHash.Length); for (int i = 1; i < finalHash.Length; i++) finalHash[i] = (byte)(finalHash[i] ^ firstHash[i - 1]); return finalHash; } } }
请注意,插件实现仅重写了
GetPassword
,并提供了一个实现来使用 4.1 协议加密密码。在GetPassword
主体中添加以下行,以确认插件已有效使用。Debug.WriteLine("Calling MySqlNativePasswordPlugin2.GetPassword");
提示您也可以在该方法上设置断点。
在配置文件中启用新插件
<?xml version="1.0"?> <configuration> <configSections> <section name="MySQL" type="MySql.Data.MySqlClient.MySqlConfiguration, MySql.Data"/> </configSections> <MySQL> <AuthenticationPlugins> <add name="mysql_native_password" type="AuthPluginTest.MySqlNativePasswordPlugin2, AuthPluginTest"></add> </AuthenticationPlugins> </MySQL> <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/> </startup></configuration>
运行应用程序。在 Visual Studio 中,您将在调试窗口中看到消息
Calling MySqlNativePasswordPlugin2.GetPassword
。
继续增强身份验证逻辑,如果您需要,可以重写更多方法。