Spring Boot加密屬性值
阿新 • • 發佈:2019-01-03
專案中敏感資訊一般需要進行加密處理,比如資料庫密碼,Spring Boot內建不提供加密支援,不能加密屬性檔案中的資料,在官方文件中提供了自定義Environment和Spring Cloud Vault兩種解決方案。另外,可以使用jasypt-spring-boot。
Jasypt Spring Boot
整合jasypt-spring-boot
有三種方式整合jasypt-spring-boot:
- 專案中如使用了@SpringBootApplication或@EnableAutoConfiguration,簡單地新增jasypt-spring-boot-starter到classpath將在整個Spring環境中啟用加密屬性
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>2.1.0</version>
</dependency>- 新增jasypt-spring-boot到classpath,新增@EnableEncryptableProperties到main Configuration class將在整個Spring環境中啟用加密屬性
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot</artifactId>
<version>2.1.0</version>
</dependency>@Configuration
@EnableEncryptableProperties
public class MyApplication {
...
}- 新增jasypt-spring-boot到classpath,使用@EncrytablePropertySource宣告獨立的加密屬性檔案
@Configuration
@EncryptablePropertySource(name = "EncryptedProperties", value = "classpath:encrypted.properties")
public class MyApplication {
...
}或者使用@EncryptablePropertySources:
@Configuration
@EncryptablePropertySources({@EncryptablePropertySource("classpath:encrypted.properties"),
@EncryptablePropertySource("file:/path/to/encrypted2.properties")})
public class MyApplication {
....
}@EncryptablePropertySource也支援YAML檔案。
加密配置
| Key | Required | Default Value |
|---|---|---|
| jasypt.encryptor.password | True | - |
| jasypt.encryptor.algorithm | False | PBEWithMD5AndDES |
| jasypt.encryptor.bean | False | jasyptStringEncryptor |
| jasypt.encryptor.keyObtentionIterations | False | 1000 |
| jasypt.encryptor.poolSize | False | 1 |
| jasypt.encryptor.providerName | False | null |
| jasypt.encryptor.saltGeneratorClassname | False | org.jasypt.salt.RandomSaltGenerator |
| jasypt.encryptor.stringOutputType | False | base64 |
| jasypt.encryptor.proxyPropertySources | False | false |
| jasypt.encryptor.property.prefix | False | ENC( |
| jasypt.encryptor.property.suffix | False | ) |
預設,加密演算法為PBEWithMD5AndDES,加解密bean name為jasyptStringEncryptor,加密的密碼使用ENC()包裹。
所有這些屬性都可在屬性檔案中配置,但加密密碼不應儲存在屬性檔案中,而應使用系統屬性、命令列引數傳入,只要名稱為jasypt.encryptor.password即可:
java -jar jasypt-spring-boot-demo.jar --jasypt.encryptor.password=password
或
java -Djasypt.encryptor.password=password -jar jasypt-spring-boot-demo.jar也可以在application.properties 或 application.yml中使用環境變數:
jasypt.encryptor.password=${JASYPT_ENCRYPTOR_PASSWORD:}配置檔案示例:
spring:
jpa:
database-platform: org.hibernate.dialect.PostgreSQLDialect
hibernate:
ddl-auto: update
properties:
hibernate:
default_schema: heroes
format_sql: true
jdbc:
lob:
non_contextual_creation: true
show-sql: true
datasource:
platform: postgresql
driver-class-name: org.postgresql.Driver
url: jdbc:postgresql://localhost:5432/postgres
username: hero
password: ENC(a3Ehaf0f/S1Rt6JfOGfQ+w==)
initialization-mode: never
jasypt:
encryptor:
algorithm: PBEWithMD5AndDES
password: 1qefhQH7mRR4LADVettR
stringOutputType: base64
property:
prefix: ENC(
suffix: )生成加密的密碼
使用CLI工具JasyptPBEStringEncryptionCLI生成加密密碼,如下:
java -cp jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="password" password=secretkey algorithm=PBEWithMD5AndDES執行後,輸出如下:
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.191-b12
----ARGUMENTS-------------------
algorithm: PBEWithMD5AndDES
input: hero
password: 1qefhQH7mRR4LADVettR
----OUTPUT----------------------
a3Ehaf0f/S1Rt6JfOGfQ+w==自定義Environment
待續
Spring Cloud Vault
待續