项目中敏感信息一般需要进行加密处理,比如数据库密码,Spring Boot内置不提供加密支持,不能加密属性文件的数据,在官方文档中提供了自定义Environment和Spring Cloud Vault两种解决方案。另外,可以使用jasypt-spring-boot。
Jasypt Spring Boot
集成jasypt-spring-boot
有三种方式集成jasypt-spring-boot:
- 项目中如使用了@SpringBootApplication或@EnableAutoConfiguration,简单地添加jasypt-spring-boot-starter到classpath将在整个Spring环境中启用加密属性
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>2.1.0</version>
</dependency>- 添加jasypt-spring-boot到classpath,添加@EnableEncryptableProperties到main Configuration class将在整个Spring环境中启用加密属性
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot</artifactId>
<version>2.1.0</version>
</dependency>@Configuration
@EnableEncryptableProperties
public class MyApplication {
...
}- 添加jasypt-spring-boot到classpath,使用@EncrytablePropertySource声明独立的加密属性文件
@Configuration
@EncryptablePropertySource(name = "EncryptedProperties", value = "classpath:encrypted.properties")
public class MyApplication {
...
}或者使用@EncryptablePropertySources:
@Configuration
@EncryptablePropertySources({@EncryptablePropertySource("classpath:encrypted.properties"),
@EncryptablePropertySource("file:/path/to/encrypted2.properties")})
public class MyApplication {
....
}@EncryptablePropertySource也支持YAML文件。
加密配置
| Key | Required | Default Value |
|---|---|---|
| jasypt.encryptor.password | True | - |
| jasypt.encryptor.algorithm | False | PBEWithMD5AndDES |
| jasypt.encryptor.bean | False | jasyptStringEncryptor |
| jasypt.encryptor.keyObtentionIterations | False | 1000 |
| jasypt.encryptor.poolSize | False | 1 |
| jasypt.encryptor.providerName | False | null |
| jasypt.encryptor.saltGeneratorClassname | False | org.jasypt.salt.RandomSaltGenerator |
| jasypt.encryptor.stringOutputType | False | base64 |
| jasypt.encryptor.proxyPropertySources | False | false |
| jasypt.encryptor.property.prefix | False | ENC( |
| jasypt.encryptor.property.suffix | False | ) |
默认,加密算法为PBEWithMD5AndDES,加解密bean name为jasyptStringEncryptor,加密的密码使用ENC()包裹。
所有这些属性都可在属性文件中配置,但加密密码不应存储在属性文件中,而应使用系统属性、命令行参数传入,只要名称为jasypt.encryptor.password即可:
java -jar jasypt-spring-boot-demo.jar --jasypt.encryptor.password=password
或
java -Djasypt.encryptor.password=password -jar jasypt-spring-boot-demo.jar也可以在application.properties 或 application.yml中使用环境变量:
jasypt.encryptor.password=${JASYPT_ENCRYPTOR_PASSWORD:}配置文件示例:
spring:
jpa:
database-platform: org.hibernate.dialect.PostgreSQLDialect
hibernate:
ddl-auto: update
properties:
hibernate:
default_schema: heroes
format_sql: true
jdbc:
lob:
non_contextual_creation: true
show-sql: true
datasource:
platform: postgresql
driver-class-name: org.postgresql.Driver
url: jdbc:postgresql://localhost:5432/postgres
username: hero
password: ENC(a3Ehaf0f/S1Rt6JfOGfQ+w==)
initialization-mode: never
jasypt:
encryptor:
algorithm: PBEWithMD5AndDES
password: 1qefhQH7mRR4LADVettR
stringOutputType: base64
property:
prefix: ENC(
suffix: )生成加密的密码
使用CLI工具JasyptPBEStringEncryptionCLI生成加密密码,如下:
java -cp jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="password" password=secretkey algorithm=PBEWithMD5AndDES执行后,输出如下:
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.191-b12
----ARGUMENTS-------------------
algorithm: PBEWithMD5AndDES
input: hero
password: 1qefhQH7mRR4LADVettR
----OUTPUT----------------------
a3Ehaf0f/S1Rt6JfOGfQ+w==生成后,使用ENC(加密的密码)替换明文密码即可。
自定义Environment
待续
Spring Cloud Vault
待续
原文地址:http://blog.51cto.com/7308310/2338146
时间: 2024-10-13 18:18:08