前言
普通的web项目也基本上是把配置存放在配置文件中。如果我们把大量的配置信息都放在配置文件中是会有安全隐患的,那么如何消除这个隐患呢?最直接的方式就是把配置信息中的一些敏感信息(比如数据库密码、中间件密码)加密,然后程序在获取这些配置的时候解密,就可以达到目的。
导包
<!-- ENC加密 -->
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>2.1.0</version>
</dependency>
配置加密参数
在application.yml中配置
jasypt:
encryptor:
#这里可以理解成是加解密的时候使用的密钥
password: password
或者在application.properties中配置
#ENC加密
jasypt.encryptor.password=password
测试方法
写一个测试方法,这里直接在单元测试里面来实现给密码加密,得到字符串密码
package com.question.sheep;
import org.jasypt.encryption.StringEncryptor;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit4.SpringRunner;
@RunWith(SpringRunner.class)
@SpringBootTest
public class ENCTest {
@Autowired
StringEncryptor stringEncryptor;
@Test
public void encryptPwd() {
String result = stringEncryptor.encrypt("password");
System.out.println("==================");
System.out.println(result);//密文
System.out.println("==================");
}
}
使用密文替换配置文件
password: ENC(密文)
ENC的加密实现(参数列表)
| Key | Required | Default Value |
|---|---|---|
| jasypt.encryptor.password | True | - |
| jasypt.encryptor.algorithm | False | PBEWITHHMACSHA512ANDAES_256 |
| jasypt.encryptor.key-obtention-iterations | False | 1000 |
| jasypt.encryptor.pool-size | False | 1 |
| jasypt.encryptor.provider-name | False | SunJCE |
| jasypt.encryptor.provider-class-name | False | null |
| jasypt.encryptor.salt-generator-classname | False | org.jasypt.salt.RandomSaltGenerator |
| jasypt.encryptor.iv-generator-classname | False | org.jasypt.iv.RandomIvGenerator |
| jasypt.encryptor.string-output-type | False | base64 |
| jasypt.encryptor.proxy-property-sources | False | false |
| jasypt.encryptor.skip-property-sources | False | empty list |
启动参数 VM options 设置密钥
通过配置tomcat实现对VM options的设置(性能调优,ENC加密等)
设置放置于对应tomcat文件夹的bin/catalina.bat,大约223行
Linux
rem ----- Execute The Requested Command ---------------------------------------
(export) JAVA_OPTS="-Djasypt.encryptor.password=jasypt"
echo Using CATALINA_BASE: "%CATALINA_BASE%"
echo Using CATALINA_HOME: "%CATALINA_HOME%"
echo Using CATALINA_TMPDIR: "%CATALINA_TMPDIR%"
Windows
rem ----- Execute The Requested Command ---------------------------------------
set JAVA_OPTS="-Djasypt.encryptor.password=jasypt"
echo Using CATALINA_BASE: "%CATALINA_BASE%"
echo Using CATALINA_HOME: "%CATALINA_HOME%"
echo Using CATALINA_TMPDIR: "%CATALINA_TMPDIR%"