In practice, some configuration information of the project needs to be encrypted to reduce the risk of sensitive information leakage. For example, when using Druid, the password of the database can be encrypted based on the public and private key encryption method it provides.
But more often, sensitive information such as Redis password and MQ password also need to be encrypted, which is not so convenient at this time. This article introduces Jasypt, a Java class library, and demonstrates how to encrypt configuration file information based on the Spring Boot project.
A simple SpringBoot project
Let's first create a simple Spring Boot project and build a scenario where encrypted data is used.
Whether through Idea or the official website, first create a Spring Boot project, the core dependencies are:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<!-- 为了方便,通常会引入Lombok依赖 -->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
Create a configuration file class ConfigProperties:
@Data
@Component
public class ConfigProperties {
@Value("${conf.url}")
private String url;
@Value("${conf.password}")
private String password;
}
Configuration properties from the configuration file are injected into this class for subsequent use.
Create a Controller class to test and verify that it works properly:
@RestController
@RequestMapping("/")
public class ConfigController {
@Resource
private ConfigProperties configProperties;
@RequestMapping
public void print(){
System.out.println(configProperties.getUrl());
System.out.println(configProperties.getPassword());
}
}
Corresponding to the ConfigProperties class, the configuration in application.properties is as follows:
conf.url=127.0.0.1
conf.password=admin123
At this point, start the project, access the Controller, and the configuration information can be printed out normally, indicating that the program can run normally.
However, the password item is directly displayed in plain text in the configuration file. If others see the configuration file, the password may be leaked.
Jasypt-based encryption
In view of the above situation, we usually encrypt sensitive information to avoid the exposure of plaintext password information and improve the security level.
The basic idea of encryption is to store encrypted content in the configuration file and decrypt it when parsing the configuration file injection.
But if you get the project source code and know the encryption algorithm and secret key, you can definitely decrypt it. The encryption here is just an extra layer of security protection, but it is not a panacea.
Let's take a look at how to encrypt based on Jasypt.
Integration steps
The following is a transformation and upgrade based on the above Spring Boot project.
Environmental preparation
Different versions of Jasypt use different methods. Here we will demonstrate based on version 3.0.4, JDK8, and Spring Boot 2.5.5.
Before using it, first check whether the JCE version with unlimited length is installed in the JRE of JDK8, otherwise, an exception of decryption failure will be thrown when the encryption operation is performed.
Go to the $JAVA_HOME/jre/lib/security directory to check whether the two jar packages local_policy.jar and US_export_policy.jar are included. If it is not included, download it from Oracle's official website. The download address is: https://www.oracle.com/java/technologies/javase-jce8-downloads.html.
The download file is: jce_policy-8.zip
The file contains three files:
README.txt
local_policy.jar
US_export_policy.jar
Check whether there are these two jar package files in the $JAVA_HOME/jre/lib/security directory, if not, copy them into it, and consider overwriting if there are.
import dependencies
It is relatively simple to integrate Jasypt in Spring Boot, and the following dependencies can be directly introduced:
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>3.0.4</version>
</dependency>
At this point, the automatic configuration of the Jasypt component has taken effect, and only the data that needs to be encrypted needs to be processed.
In order to facilitate the encryption of the password, you can also introduce the corresponding plugin in the build element in pom.xml, which will be used later:
<plugin>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-maven-plugin</artifactId>
<version>3.0.4</version>
</plugin>
So far, all the preparatory work has been completed.
Content encryption
There are many ways to encrypt content, here are two ways to be introduced.
Method 1: The unit test class generates ciphertext;
Build the following unit test class to encrypt the password using the default instantiated StringEncryptor:
@SpringBootTest
class SpringBootJasyptApplicationTests {
@Autowired
private StringEncryptor stringEncryptor;
@Test
void contextLoads() {
String qwerty1234 = stringEncryptor.encrypt("admin123");
System.out.println(qwerty1234);
}
}
Among them, "admin123" is the content to be encrypted. Execute the above procedure to print the encrypted content. All encrypted content in this form adopts the default value.
Method 2: Generate ciphertext through Maven plugin
The Maven plugin of Jasypt has been introduced above, and the password can be generated through the corresponding command.
Step 1: Add the encrypted password to the configuration file:
jasypt.encryptor.password=afx11
Then modify the data that needs to be encrypted in the configuration file, add "DEC(" before the data, add ")" at the end of the data, and modify it as follows:
conf.password=DEC(admin123)
The DEC() added here is a high-speed plug-in, and this part of the content needs to be encrypted. Note that the keyword here is DEC.
Step 2: Execute the Maven command to encrypt the above data
The command executes the following commands:
mvn jasypt:encrypt -Djasypt.encryptor.password=afx11
At this point, look at the conf.password data in the configuration file has become:
jasypt.encryptor.password=afx11
conf.url=127.0.0.1
conf.password=ENC(209eBdF3+jsV2f8kDjs4NOCzgBxnVgETlR5q2KfhYo5DW2jqvLknv0TndEkXOXm0)
Note that the original DEC has become ENC, and the original plaintext password has become encrypted ciphertext.
At this point, if you want to view the plaintext, execute the following command:
mvn jasypt:decrypt -Djasypt.encryptor.password=afx11
This command will not change the ciphertext in the configuration file to plaintext, and will only output the plaintext result on the console.
jasypt.encryptor.password=afx11
conf.url=127.0.0.1
conf.password=DEC(admin123)
After the above operations, all the transformation steps have been completed, just start the system for verification.
How the password is passed
After completing the above steps, directly start the system, access the corresponding request, and you will find that the original password has been successfully printed out.
In the above example, we put the encrypted password in the application.properties file, which is not safe. If you look at the code, you will know how to decrypt it. Usually, there is another way to pass parameters: pass the password in the start command.
for example:
java -jar jasypt-spring-boot-demo-0.0.1-SNAPSHOT.jar --jasypt.encryptor.password=password
In this way, the password does not need to be stored in the code, which increases security to a certain extent. Of course, it can also be passed through environment variables, so that even developers can't get the production password.
summary
So much is said about the use of Jasypt and its integration with Spring Boot. For more information, please refer to the official documentation. If you still have a lot of passwords stored in plaintext in your project, it is really necessary to consider using a similar framework for encryption.
Example source code address:
https://github.com/secbr/springboot-all/tree/master/springboot-jasyptOfficial source address:
https://github.com/ulisesbocchio/jasypt-spring-boot
Original link:
https://mp.weixin.qq.com/s/omiNa_ZPHq6_V2HqPZTyTwAuthor: Program New Horizons
If you think this article is helpful to you, you can retweet, follow and support