背景
随着互联网的不断发展,信息安全越来越被人们所重视,对一些敏感信息的加密要求也越来越高。按等保要求,项目配置文件里的明文密码导致的数据泄漏等问题也需要解决。本文简单介绍基于Jasypt的配置文件加密使用(jasypt-spring-boot-starter方式)。
Jasypt 简介
官网: http://www.jasypt.org/
githup: https://github.com/jasypt/jasypt
简单使用(jasypt-spring-boot-starter)
1、POM依赖
<properties>
<jasypt.version>3.0.4</jasypt.version>
</properties>
<dependencies>
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>${jasypt.version}</version>
</dependency>
</dependencies>
2、生成密文账密
2.1、YML配置
jasypt:
encryptor:
# 指定加密的盐值
password: DbG1GppXOsFa2G69PnmADvQFI3esceEhJYbaEIKCcEO5C85JEqGAhfcjFMGnoRFf
2.2、生成密文函数
@SpringBootTest
public class JasyptTest {
private final String orgUsername = "rycloud";
private final String orgPassword = "rycloud";
@Autowired
private StringEncryptor stringEncryptor;
@Test
void encrypt() {
System.out.println("密文username: " + stringEncryptor.encrypt(orgUsername));
System.out.println("密文password: " + stringEncryptor.encrypt(orgPassword));
}
}
3、业务应用中使用
3.1、YML配置
密文配置语法: prefix + 配置密文值 + suffix
Tips:
默认前缀:
ENC(, 默认后缀:)
例:ENC(N1kLdL9IDh3L+hW9CCVV+SXj5do9PaNo3IverJ2cBIpb31FMj1e9uTgoy5PepsZE)
# 此处为演示用,生产千万不要在配置文件中,泄露了就可以直接根据盐值解码成密文了,生产通过jar运行参数方式传入
# 指定加密的盐值,必须和生成密文的盐值一致
# jasypt:
# encryptor:
# password: DbG1GppXOsFa2G69PnmADvQFI3esceEhJYbaEIKCcEO5C85JEqGAhfcjFMGnoRFf
spring:
datasource:
dynamic:
datasource:
# 主库数据源
master:
driver-class-name: oracle.jdbc.driver.OracleDriver
url: jdbc:oracle:thin:@192.168.1.8:1528/xe
# 配置上述2.2中生成的密文账密信息
username: ENC(N1kLdL9IDh3L+hW9CCVV+SXj5do9PaNo3IverJ2cBIpb31FMj1e9uTgoy5PepsZE)
password: ENC(0YZ7rj3/+s5ImEnMe2bactYPpzbbsEhnAy1Avr414tmzKHRs6YLlKbKmJOcgTrNx)
3.2、使用示例
@SpringBootTest
public class ExampleJasyptTests {
private final String orgUsername = "jasypt_name";
private final String orgPassword = "jasypt_password";
@Autowired
private StringEncryptor stringEncryptor;
@Value("${
spring.datasource.dynamic.datasource.master.username}")
private String username ;
@Value("${
spring.datasource.dynamic.datasource.master.password}")
private String password ;
@Test
void encrypt() {
System.out.println("密文username: " + stringEncryptor.encrypt(orgUsername));
System.out.println("密文password: " + stringEncryptor.encrypt(orgPassword));
}
@Test
void decrypt() {
System.out.println("注入的username: " + username);
System.out.println("注入的password: " + password);
Assertions.assertEquals(orgUsername, username);
Assertions.assertEquals(orgPassword, password);
}
}
如图所示
jar运行参数方式传入盐值(jasypt.encryptor.password)
idea 添加VM option参数
-Djasypt.encryptor.password=DbG1GppXOsFa2G69PnmADvQFI3esceEhJYbaEIKCcEO5C85JEqGAhfcjFMGnoRFf
controller
@RequestMapping("/jasypt")
@RestController
public class JasyptTestController {
@Value("${spring.datasource.dynamic.datasource.master.username}")
private String username ;
@Value("${spring.datasource.dynamic.datasource.master.password}")
private String password ;
@GetMapping
public String get(){
return "username: " + username + "\npassword: " + password;
}
}
访问
4、jasypt-spring-boot-starter配置
yml中可以查看jasypt-spring-boot-starter的配置,有需要的话 按需配置即可,包括配置前后缀 等
以上简单介绍了 基于 springboot starter 入门简单使用,其他高级使用参照:https://github.com/ulisesbocchio/jasypt-spring-boot-samples
参考资料
官网: http://www.jasypt.org/
githup: https://github.com/jasypt/jasypt
githup使用案例: https://github.com/ulisesbocchio/jasypt-spring-boot-samples