Spring Boot加密屬性文件數據
阿新 • • 發佈:2019-01-03
.post art upd table require ttr dial out environ 項目中敏感信息一般需要進行加密處理,比如數據庫密碼,Spring Boot內置不提供加密支持,不能加密屬性文件的數據,在官方文檔中提供了自定義Environment和Spring Cloud Vault兩種解決方案。另外,可以使用jasypt-spring-boot。
Jasypt Spring Boot
集成jasypt-spring-boot
有三種方式集成jasypt-spring-boot:
- 項目中如使用了@SpringBootApplication或@EnableAutoConfiguration,簡單地添加jasypt-spring-boot-starter到classpath將在整個Spring環境中啟用加密屬性
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>2.1.0</version>
</dependency>
- 添加jasypt-spring-boot到classpath,添加@EnableEncryptableProperties到main Configuration class將在整個Spring環境中啟用加密屬性
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot</artifactId>
<version>2.1.0</version>
</dependency>
@Configuration
@EnableEncryptableProperties
public class MyApplication {
...
}
- 添加jasypt-spring-boot到classpath,使用@EncrytablePropertySource聲明獨立的加密屬性文件
@Configuration
@EncryptablePropertySource(name = "EncryptedProperties", value = "classpath:encrypted.properties")
public class MyApplication {
...
}
或者使用@EncryptablePropertySources:
@Configuration
@EncryptablePropertySources({@EncryptablePropertySource("classpath:encrypted.properties"),
@EncryptablePropertySource("file:/path/to/encrypted2.properties")})
public class MyApplication {
....
}
@EncryptablePropertySource也支持YAML文件。
加密配置
Key | Required | Default Value |
---|---|---|
jasypt.encryptor.password | True | - |
jasypt.encryptor.algorithm | False | PBEWithMD5AndDES |
jasypt.encryptor.bean | False | jasyptStringEncryptor |
jasypt.encryptor.keyObtentionIterations | False | 1000 |
jasypt.encryptor.poolSize | False | 1 |
jasypt.encryptor.providerName | False | null |
jasypt.encryptor.saltGeneratorClassname | False | org.jasypt.salt.RandomSaltGenerator |
jasypt.encryptor.stringOutputType | False | base64 |
jasypt.encryptor.proxyPropertySources | False | false |
jasypt.encryptor.property.prefix | False | ENC( |
jasypt.encryptor.property.suffix | False | ) |
默認,加密算法為PBEWithMD5AndDES,加解密bean name為jasyptStringEncryptor,加密的密碼使用ENC()包裹。
所有這些屬性都可在屬性文件中配置,但加密密碼不應存儲在屬性文件中,而應使用系統屬性、命令行參數傳入,只要名稱為jasypt.encryptor.password即可:
java -jar jasypt-spring-boot-demo.jar --jasypt.encryptor.password=password
或
java -Djasypt.encryptor.password=password -jar jasypt-spring-boot-demo.jar
也可以在application.properties 或 application.yml中使用環境變量:
jasypt.encryptor.password=${JASYPT_ENCRYPTOR_PASSWORD:}
配置文件示例:
spring:
jpa:
database-platform: org.hibernate.dialect.PostgreSQLDialect
hibernate:
ddl-auto: update
properties:
hibernate:
default_schema: heroes
format_sql: true
jdbc:
lob:
non_contextual_creation: true
show-sql: true
datasource:
platform: postgresql
driver-class-name: org.postgresql.Driver
url: jdbc:postgresql://localhost:5432/postgres
username: hero
password: ENC(a3Ehaf0f/S1Rt6JfOGfQ+w==)
initialization-mode: never
jasypt:
encryptor:
algorithm: PBEWithMD5AndDES
password: 1qefhQH7mRR4LADVettR
stringOutputType: base64
property:
prefix: ENC(
suffix: )
生成加密的密碼
使用CLI工具JasyptPBEStringEncryptionCLI生成加密密碼,如下:
java -cp jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="password" password=secretkey algorithm=PBEWithMD5AndDES
執行後,輸出如下:
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.191-b12
----ARGUMENTS-------------------
algorithm: PBEWithMD5AndDES
input: hero
password: 1qefhQH7mRR4LADVettR
----OUTPUT----------------------
a3Ehaf0f/S1Rt6JfOGfQ+w==
生成後,使用ENC(加密的密碼)替換明文密碼即可。
自定義Environment
待續
Spring Cloud Vault
待續
Spring Boot加密屬性文件數據