
Encrypting Property Values in Spring Boot

Sensitive information in a project, such as database passwords, generally needs to be encrypted. Spring Boot has no built-in encryption support and cannot encrypt data in property files; the official documentation offers two solutions, a custom Environment and Spring Cloud Vault. Alternatively, jasypt-spring-boot can be used.

Jasypt Spring Boot

Integrating jasypt-spring-boot

There are three ways to integrate jasypt-spring-boot:

  • If the project uses @SpringBootApplication or @EnableAutoConfiguration, simply adding jasypt-spring-boot-starter to the classpath enables encrypted properties across the whole Spring environment:
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>2.1.0</version>
</dependency>
  • Add jasypt-spring-boot to the classpath and add @EnableEncryptableProperties to the main Configuration class; this enables encrypted properties across the whole Spring environment:
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot</artifactId>
    <version>2.1.0</version>
</dependency>
@Configuration
@EnableEncryptableProperties
public class MyApplication {
    ...
}
  • Add jasypt-spring-boot to the classpath and use @EncryptablePropertySource to declare a separate encrypted property file:
@Configuration
@EncryptablePropertySource(name = "EncryptedProperties", value = "classpath:encrypted.properties")
public class MyApplication {
    ...
}

Or use @EncryptablePropertySources:

@Configuration
@EncryptablePropertySources({@EncryptablePropertySource("classpath:encrypted.properties"),
        @EncryptablePropertySource("file:/path/to/encrypted2.properties")})
public class MyApplication {
    ...
}

@EncryptablePropertySource also supports YAML files.

Encryption configuration

| Key                                          | Required | Default Value                          |
|----------------------------------------------|----------|----------------------------------------|
| jasypt.encryptor.password                    | True     | -                                      |
| jasypt.encryptor.algorithm                   | False    | PBEWithMD5AndDES                       |
| jasypt.encryptor.bean                        | False    | jasyptStringEncryptor                  |
| jasypt.encryptor.keyObtentionIterations      | False    | 1000                                   |
| jasypt.encryptor.poolSize                    | False    | 1                                      |
| jasypt.encryptor.providerName                | False    | null                                   |
| jasypt.encryptor.saltGeneratorClassname      | False    | org.jasypt.salt.RandomSaltGenerator    |
| jasypt.encryptor.stringOutputType            | False    | base64                                 |
| jasypt.encryptor.proxyPropertySources        | False    | false                                  |
| jasypt.encryptor.property.prefix             | False    | ENC(                                   |
| jasypt.encryptor.property.suffix             | False    | )                                      |

By default, the encryption algorithm is PBEWithMD5AndDES, the encryptor bean name is jasyptStringEncryptor, and encrypted values are wrapped in ENC().
All of these properties can be configured in the property file, but the encryption password should not be stored there. Instead, pass it in as a system property or command-line argument; it only has to be named jasypt.encryptor.password:

java -jar jasypt-spring-boot-demo.jar --jasypt.encryptor.password=password
or
java -Djasypt.encryptor.password=password -jar jasypt-spring-boot-demo.jar

It can also be taken from an environment variable in application.properties or application.yml:

jasypt.encryptor.password=${JASYPT_ENCRYPTOR_PASSWORD:}

Example configuration file (note that it places jasypt.encryptor.password directly in the file, which is shown here only for illustration; in practice, supply it from outside as described above):

spring:
  jpa:
    database-platform: org.hibernate.dialect.PostgreSQLDialect
    hibernate:
      ddl-auto: update
    properties:
      hibernate:
        default_schema: heroes
        format_sql: true
        jdbc:
          lob:
            non_contextual_creation: true
    show-sql: true
  datasource:
    platform: postgresql
    driver-class-name: org.postgresql.Driver
    url: jdbc:postgresql://localhost:5432/postgres
    username: hero
    password: ENC(a3Ehaf0f/S1Rt6JfOGfQ+w==)
    initialization-mode: never
jasypt:
  encryptor:
    algorithm: PBEWithMD5AndDES
    password: 1qefhQH7mRR4LADVettR
    stringOutputType: base64
    property:
      prefix: ENC(
      suffix: )
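The table above maps each jasypt.encryptor.* key onto a setter of jasypt's SimpleStringPBEConfig, and jasypt.encryptor.bean names the StringEncryptor bean the starter looks up. The following @Configuration class is an added example, not code from the original post or from the jasypt-spring-boot project: it registers that bean under the default name jasyptStringEncryptor, reads the password only from the JASYPT_ENCRYPTOR_PASSWORD environment variable and refuses to start without it, and switches from the default PBEWithMD5AndDES (MD5 key derivation with 56-bit DES, both legacy primitives) to PBEWITHHMACSHA512ANDAES_256 with a random IV. The package name is hypothetical, and the IV-generator setter assumes jasypt 1.9.3 or later on the classpath (jasypt-spring-boot 2.1.0 pulls in 1.9.2 by default, so the jasypt version must be overridden in the build). Values already encrypted with the old algorithm must be re-encrypted with the new one.

```java
package com.example.config; // hypothetical package

import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class JasyptEncryptorConfig {

    // Environment variable that carries the master password; assumed name,
    // chosen to match the ${JASYPT_ENCRYPTOR_PASSWORD:} placeholder used above.
    private static final String PASSWORD_ENV = "JASYPT_ENCRYPTOR_PASSWORD";

    // The bean name must equal jasypt.encryptor.bean (default: jasyptStringEncryptor),
    // otherwise the starter builds its own encryptor from the jasypt.encryptor.* keys.
    @Bean("jasyptStringEncryptor")
    public StringEncryptor jasyptStringEncryptor() {
        String password = System.getenv(PASSWORD_ENV);
        if (password == null || password.trim().isEmpty()) {
            // Fail fast: with no password every ENC(...) value would fail to decrypt
            // later, at the first property lookup, with a far less obvious error.
            throw new IllegalStateException(
                    PASSWORD_ENV + " is not set; cannot decrypt ENC(...) properties");
        }

        // Each setter below corresponds to one jasypt.encryptor.* key from the table.
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);                       // jasypt.encryptor.password
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256"); // jasypt.encryptor.algorithm
        config.setKeyObtentionIterations("1000");           // jasypt.encryptor.keyObtentionIterations
        config.setPoolSize("4");                            // jasypt.encryptor.poolSize
        config.setProviderName("SunJCE");                   // jasypt.encryptor.providerName
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator"); // saltGeneratorClassname
        // AES in CBC mode needs a fresh IV per encryption; requires jasypt >= 1.9.3.
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");               // jasypt.encryptor.stringOutputType

        // Pooled variant: one encryptor instance per pool slot, safe for concurrent use.
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }
}
```

With this bean in place, the jasypt.encryptor.algorithm and jasypt.encryptor.password keys in application.yml are no longer consulted, so the password never has to appear in any checked-in file; only the ENC(...) prefix and suffix settings still apply.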

Generating the encrypted password

Use the CLI tool JasyptPBEStringEncryptionCLI to generate the encrypted password, as follows:

java -cp jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="password" password=secretkey algorithm=PBEWithMD5AndDES

After running it (here with input=hero and the password from the configuration example above), the output is:

----ENVIRONMENT-----------------

Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.191-b12 

----ARGUMENTS-------------------

algorithm: PBEWithMD5AndDES
input: hero
password: 1qefhQH7mRR4LADVettR

----OUTPUT----------------------

a3Ehaf0f/S1Rt6JfOGfQ+w==
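The CLI is a thin wrapper around StandardPBEStringEncryptor, so the same ciphertext format can be produced and checked from a small program. The class below is an added example, not code from the original post or from the jasypt project: it builds an encryptor with the same settings the CLI was given (PBEWithMD5AndDES, 1000 iterations, base64 output), encrypts the same plaintext twice to show that the random 8-byte salt jasypt prepends makes each run's output different, wraps the result in ENC(...) as the property file expects, decrypts it back, and shows that a wrong password is rejected with EncryptionOperationNotPossibleException rather than yielding garbage. The class name and the JASYPT_ENCRYPTOR_PASSWORD environment variable are assumptions; it runs with jasypt 1.9.2 (the version used on the command line above) on the classpath.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

// Hypothetical class name; run as:
//   JASYPT_ENCRYPTOR_PASSWORD=... java -cp jasypt-1.9.2.jar:. EncryptPropertyDemo hero
public class EncryptPropertyDemo {

    // Same parameters the CLI invocation above uses, so output is interchangeable with it.
    static StandardPBEStringEncryptor newEncryptor(String masterPassword) {
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setPassword(masterPassword);
        encryptor.setAlgorithm("PBEWithMD5AndDES");
        encryptor.setKeyObtentionIterations(1000);
        encryptor.setStringOutputType("base64");
        // Salt generator defaults to org.jasypt.salt.RandomSaltGenerator, as in the table.
        return encryptor;
    }

    // Wrap a ciphertext the way jasypt-spring-boot expects it in a property value.
    static String wrap(String ciphertext) {
        return "ENC(" + ciphertext + ")";
    }

    // Strip the ENC( ... ) wrapper; returns null if the value is not wrapped.
    static String unwrap(String propertyValue) {
        if (propertyValue.startsWith("ENC(") && propertyValue.endsWith(")")) {
            return propertyValue.substring(4, propertyValue.length() - 1);
        }
        return null;
    }

    public static void main(String[] args) {
        String masterPassword = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (masterPassword == null || masterPassword.isEmpty()) {
            System.err.println("JASYPT_ENCRYPTOR_PASSWORD must be set");
            System.exit(1);
        }
        String plaintext = args.length > 0 ? args[0] : "hero";

        StandardPBEStringEncryptor encryptor = newEncryptor(masterPassword);

        // Two encryptions of the same input differ because a fresh random salt
        // is generated and prepended each time; both still decrypt to the input.
        String first = encryptor.encrypt(plaintext);
        String second = encryptor.encrypt(plaintext);
        System.out.println("ciphertext 1 : " + wrap(first));
        System.out.println("ciphertext 2 : " + wrap(second));
        System.out.println("outputs differ: " + !first.equals(second));

        String recovered = encryptor.decrypt(unwrap(wrap(first)));
        System.out.println("round trip ok : " + plaintext.equals(recovered));

        // A wrong master password does not produce wrong plaintext silently;
        // jasypt raises EncryptionOperationNotPossibleException instead.
        StandardPBEStringEncryptor wrongKey = newEncryptor(masterPassword + "x");
        try {
            wrongKey.decrypt(first);
            System.out.println("wrong password: unexpectedly decrypted");
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("wrong password: rejected as expected");
        }
    }
}
```

Because the salt is random, the value shown under ----OUTPUT---- above cannot be reproduced byte for byte; what matters is that any ciphertext produced with the same algorithm and master password decrypts correctly in the application.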

Custom Environment

To be continued

Spring Cloud Vault

To be continued