Encrypting Spring Boot configuration properties: Spring Cloud Vault in detail
项⽬中敏感配置信息⼀般需要进⾏加密处理,⽐如数据库密码,Spring Boot内置不提供加密⽀持,不能加密配置⽂件信息,在官⽅⽂档中提供了⾃定义Environment和Spring Cloud Vault两种解决⽅案。使⽤jasypt-spring-boot是另⼀种⽅案。
Spring Cloud Vault为HashiCorp Vault的客户端,⽀持访问HashiCorp Vault内存储的数据,避免了在Spring Boot程序中存储敏感数据。
本⽂详细介绍了如何使⽤jasypt-spring-boot、Spring Cloud Vault和HashiCorp Vault,如何使⽤Vault的AWS Secret、Database Secret、AWS EC2认证和AWS IAM认证。
Custom Environment
1. Implement your own encryption and decryption, and put only ciphertext in the configuration file, for example:
spring:
  datasource:
    password: a3Ehaf0f/S1Rt6JfOGfQ+w==
jwt:
  secret: a3Ehaf0f/S1Rt6JfOGfQ+w==
2. Implement EnvironmentPostProcessor and perform the decryption there. A simple example:
package org.fig;

import java.io.IOException;
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.boot.env.OriginTrackedMapPropertySource;
import org.springframework.boot.env.YamlPropertySourceLoader;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.PropertySource;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;

public class DecryptedEnvironmentPostProcessor implements EnvironmentPostProcessor {

    private final YamlPropertySourceLoader loader = new YamlPropertySourceLoader();

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
        Resource path = new ClassPathResource("application.yml");
        PropertySource<Map<String, Object>> propertySource = loadYaml(path);
        // Register with highest precedence so the decrypted values shadow the raw ciphertext
        environment.getPropertySources().addFirst(propertySource);
    }

    private PropertySource<Map<String, Object>> loadYaml(Resource path) {
        if (!path.exists()) {
            throw new IllegalArgumentException("Resource " + path + " does not exist");
        }
        try {
            OriginTrackedMapPropertySource propertySource =
                    (OriginTrackedMapPropertySource) loader.load("custom-resource", path).get(0);
            return new DecryptedMapPropertySource(propertySource);
        } catch (IOException ex) {
            throw new IllegalStateException("Failed to load yaml configuration from " + path, ex);
        }
    }

    private static class DecryptedMapPropertySource extends MapPropertySource {

        DecryptedMapPropertySource(OriginTrackedMapPropertySource propertySource) {
            super(propertySource.getName(), propertySource.getSource());
        }

        @Override
        public Object getProperty(String name) {
            Object value = super.getProperty(name);
            if (value instanceof CharSequence) {
                // Decrypt here and return the plaintext; this constant is only a placeholder
                return "DecryptedValue";
            }
            return value;
        }
    }
}
The custom EnvironmentPostProcessor must be registered in META-INF/spring.factories:
org.springframework.boot.env.EnvironmentPostProcessor=org.fig.DecryptedEnvironmentPostProcessor
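As an added example, not code from the original article, here is one way to fill in the decryption hook that the DecryptedMapPropertySource above leaves open: AES-256-GCM, with the key read from an environment variable named CONFIG_KEY (an assumed name) and values stored as ENC(base64(nonce || ciphertext || tag)). The ENC() wrapper, the variable name and the class name PropertyCipher are choices made for this example; the main method uses a randomly generated key so the round trip runs without any environment set up.

```java
package org.fig;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Encrypts and decrypts configuration values of the form ENC(base64(nonce || ciphertext || tag))
 * with AES-256-GCM. The key comes from the CONFIG_KEY environment variable (assumed name;
 * 32 bytes, base64-encoded), never from the configuration file itself.
 */
public final class PropertyCipher {
    private static final String PREFIX = "ENC(";
    private static final String SUFFIX = ")";
    private static final int NONCE_BYTES = 12; // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;   // full-length authentication tag
    private static final SecureRandom RANDOM = new SecureRandom();

    private final SecretKey key;

    public PropertyCipher(byte[] rawKey) {
        if (rawKey.length != 32) {
            throw new IllegalArgumentException("AES-256 requires a 32-byte key, got " + rawKey.length);
        }
        this.key = new SecretKeySpec(rawKey, "AES");
    }

    /** Builds the cipher from the CONFIG_KEY environment variable (assumed name). */
    public static PropertyCipher fromEnvironment() {
        String encoded = System.getenv("CONFIG_KEY");
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("CONFIG_KEY environment variable is not set");
        }
        return new PropertyCipher(Base64.getDecoder().decode(encoded));
    }

    public static boolean isEncrypted(String value) {
        return value != null && value.startsWith(PREFIX) && value.endsWith(SUFFIX);
    }

    /** Encrypts plaintext and wraps it as ENC(...), with a fresh random nonce on every call. */
    public String encrypt(String plaintext) {
        try {
            byte[] nonce = new byte[NONCE_BYTES];
            RANDOM.nextBytes(nonce);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
            byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)); // ciphertext || tag
            byte[] out = new byte[nonce.length + ct.length];
            System.arraycopy(nonce, 0, out, 0, nonce.length);
            System.arraycopy(ct, 0, out, nonce.length, ct.length);
            return PREFIX + Base64.getEncoder().encodeToString(out) + SUFFIX;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("encryption failed", e);
        }
    }

    /** Returns the plaintext for an ENC(...) value; any other value is passed through unchanged. */
    public String decrypt(String value) {
        if (!isEncrypted(value)) {
            return value;
        }
        byte[] blob = Base64.getDecoder().decode(
                value.substring(PREFIX.length(), value.length() - SUFFIX.length()));
        if (blob.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new IllegalArgumentException("ciphertext too short to contain nonce and tag");
        }
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_BYTES));
            // doFinal verifies the tag: a wrong key or a tampered value throws AEADBadTagException
            byte[] pt = cipher.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
            return new String(pt, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("decryption failed: wrong key or tampered ciphertext", e);
        }
    }

    /** Round-trip demo with a constructed throwaway key, so it runs without CONFIG_KEY being set. */
    public static void main(String[] args) {
        byte[] demoKey = new byte[32];
        RANDOM.nextBytes(demoKey);
        PropertyCipher cipher = new PropertyCipher(demoKey);
        String wrapped = cipher.encrypt("s3cr3t-db-password");
        System.out.println("application.yml value : " + wrapped);
        System.out.println("decrypted at startup  : " + cipher.decrypt(wrapped));
        System.out.println("plain value untouched : " + cipher.decrypt("not-encrypted"));
    }
}
```

Create one PropertyCipher.fromEnvironment() in the post-processor and pass every CharSequence value through decrypt(), so properties that are not wrapped in ENC() are left alone. GCM authenticates the ciphertext, so a wrong key or an edited value fails at startup instead of silently producing a garbage password. The key still has to come from somewhere outside the configuration file (the environment, a file mounted by the orchestrator, or a secrets manager such as the Vault discussed later in this article); moving the secret out of the YAML only changes where the trust boundary sits, it does not remove it.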
Jasypt Spring Boot
Integrating jasypt-spring-boot
There are three ways to integrate jasypt-spring-boot:
If the project uses @SpringBootApplication or @EnableAutoConfiguration, simply adding jasypt-spring-boot-starter to the classpath enables encryptable properties across the whole Spring Environment:
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>2.1.0</version>
</dependency>
Add jasypt-spring-boot to the classpath and put @EnableEncryptableProperties on the main configuration class to enable encryptable properties across the whole Spring Environment:
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot</artifactId>
<version>2.1.0</version>
</dependency>
@Configuration
@EnableEncryptableProperties
public class MyApplication {
...
}
Add jasypt-spring-boot to the classpath and declare the encrypted properties or YAML files with @EncryptablePropertySource:
@Configuration
@EncryptablePropertySource(name = "EncryptedProperties", value = "classpath:encrypted.properties")
public class MyApplication {
...
}
or with @EncryptablePropertySources:
@Configuration
@EncryptablePropertySources({@EncryptablePropertySource("classpath:encrypted.properties"),
@EncryptablePropertySource("file:/path/to/encrypted2.properties")})
public class MyApplication {
....
}
By default the algorithm is PBEWithMD5AndDES, the encryptor bean is named jasyptStringEncryptor, and encrypted values must be wrapped in ENC(). All of these settings can be declared in the configuration file, but the encryption password must not be stored there; pass it in as a system property or command-line argument named jasypt.encryptor.password:
java -jar jasypt-spring-boot-demo.jar --jasypt.encryptor.password=password
or
java -Djasypt.encryptor.password=password -jar jasypt-spring-boot-demo.jar
Note that PBEWithMD5AndDES derives a 56-bit DES key through MD5; both primitives are obsolete, and jasypt-spring-boot 3.x changed its default to PBEWITHHMACSHA512ANDAES_256. Set jasypt.encryptor.algorithm to an AES-based algorithm whenever you control the configuration.
You can also reference an environment variable from application.properties or application.yml with a ${...} placeholder, which Spring resolves at startup. Example configuration file:
spring:
  jpa:
    database-platform: org.hibernate.dialect.PostgreSQLDialect
    hibernate:
      ddl-auto: update
    properties:
      hibernate:
        default_schema: heroes
        format_sql: true
        jdbc:
          lob:
            non_contextual_creation: true
    show-sql: true
  datasource:
    platform: postgresql
    driver-class-name: org.postgresql.Driver
    url: jdbc:postgresql://localhost:5432/postgres
    username: hero
    password: ENC(a3Ehaf0f/S1Rt6JfOGfQ+w==)
    initialization-mode: never
jasypt:
  encryptor:
    algorithm: PBEWithMD5AndDES
    password: ${JASYPT_ENCRYPTOR_PASSWORD}   # resolved from the environment; never put the literal password here
    stringOutputType: base64
    property:
      prefix: ENC(
      suffix: )
Generating encrypted values
Use the CLI tool JasyptPBEStringEncryptionCLI to generate the ciphertext, passing the same algorithm and password the application will use:
java -cp jasypt-1.9.2.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input="hero" password=1qefhQH7mRR4LADVettR algorithm=PBEWithMD5AndDES
The output looks like this:
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.191-b12
----ARGUMENTS-------------------
algorithm: PBEWithMD5AndDES
input: hero
password: 1qefhQH7mRR4LADVettR
----OUTPUT----------------------
a3Ehaf0f/S1Rt6JfOGfQ+w==
Then replace the plaintext in the configuration file with ENC(ciphertext). The CLI writes the password to the terminal, so clear the shell history afterwards and do not run it with the production password on a shared host.
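As an added example, not code from the article or the jasypt project, the following configuration class replaces the default encryptor with PBEWITHHMACSHA512ANDAES_256 under the bean name jasyptStringEncryptor that the page mentions, takes the password from an environment variable named JASYPT_ENCRYPTOR_PASSWORD (an assumed name), and doubles as a generator for ENC() values so that the ciphertext is produced with exactly the runtime configuration rather than by a separately invoked CLI. It assumes jasypt 1.9.3 or newer and a jasypt-spring-boot release that honours a custom encryptor bean with this name; the AES algorithm and RandomIvGenerator used here do not exist in jasypt 1.9.2 shown above.

```java
package org.fig;

import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class JasyptConfig {

    /** Environment variable holding the master password (assumed name for this example). */
    static final String PASSWORD_ENV = "JASYPT_ENCRYPTOR_PASSWORD";

    /**
     * Overrides the default encryptor. The bean name matters: jasypt-spring-boot looks up a bean
     * called jasyptStringEncryptor before falling back to the encryptor built from jasypt.encryptor.* properties.
     */
    @Bean("jasyptStringEncryptor")
    public StringEncryptor stringEncryptor() {
        return buildEncryptor(requirePassword());
    }

    /** Fails fast at startup instead of decrypting with a null or empty password. */
    static String requirePassword() {
        String password = System.getenv(PASSWORD_ENV);
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException(PASSWORD_ENV + " must be set; never put the password in application.yml");
        }
        return password;
    }

    static StringEncryptor buildEncryptor(String password) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");            // AES-256 instead of 56-bit DES
        config.setKeyObtentionIterations("1000");                       // PBKDF iteration count
        config.setPoolSize("1");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator"); // AES-CBC needs a random IV per value
        config.setStringOutputType("base64");
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    /**
     * Generates ENC(...) values with the same configuration the application uses at runtime.
     * Usage: JASYPT_ENCRYPTOR_PASSWORD=... java -cp <classpath> org.fig.JasyptConfig <plaintext>
     */
    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: " + PASSWORD_ENV + "=... java org.fig.JasyptConfig <plaintext>");
            System.exit(2);
        }
        StringEncryptor encryptor = buildEncryptor(requirePassword());
        String ciphertext = encryptor.encrypt(args[0]);
        // Random salt and IV mean every run produces a different ciphertext; verify the round trip before handing it out
        if (!args[0].equals(encryptor.decrypt(ciphertext))) {
            throw new IllegalStateException("round-trip check failed");
        }
        System.out.println("ENC(" + ciphertext + ")");
    }
}
```

Because the salt and IV are random, the same plaintext encrypts to a different string on every run; that is expected and all of them decrypt correctly. Keeping the generator and the runtime bean on one buildEncryptor method removes the usual failure where the CLI was run with one algorithm or iteration count and the application is configured with another.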
HashiCorp Vault
HashiCorp Vault provides a service for centrally managing secrets and protecting sensitive data; it can be accessed through a UI, a CLI or an HTTP API. HashiCorp Vault is written in Go.
Getting started with HashiCorp Vault
Installing HashiCorp Vault
Download the HashiCorp Vault build for your system and unzip it; the archive contains a single executable.
Taking Linux as an example: