This article mainly introduces how the Config configuration center of the microservice components implements user authentication and encryption and decryption of configuration attributes.
Table of contents
1. User authentication
1.1. Introduce security dependencies
1.2. Add access configuration to ConfigServer on the server side
1.3. Client ConfigClient adds access configuration
2. Configuration attribute encryption and decryption
2.1. Symmetric encryption
(1) Check whether symmetric encryption is supported
(2) Encrypt configuration properties
(3) Save the encrypted content to the configuration center
(4) Client testing
2.2. Asymmetric encryption
(1) keytool generates a key file
(2) Prevent maven from ignoring the config.keystore file
(3) Add asymmetric encryption and decryption configuration
(4) Encrypt configuration properties
(5) Modify configuration center attributes
1. User authentication
The previous two articles mainly introduced how to build the operating environment of the Config configuration center. In that environment, any user can access the configuration files of the Config configuration center. This is not acceptable in actual development and can easily lead to security problems. Therefore, user authentication is generally required, so that only users who have been granted access rights can access the Config configuration center.
The Config configuration center implements user authentication by relying on the Spring Security module; we only need to add the spring-security dependency.
1.1. Introduce security dependencies
<!-- Add the Security dependency -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
1.2. Add access configuration to ConfigServer on the server side
In the [application.yml] configuration file, add configuration information related to user authentication, as follows:
spring:
  # Add the user authentication configuration
  security:
    user:
      name: user # the default user name is already "user"
      password: root # login password
1.3. Client ConfigClient adds access configuration
The ConfigServer server has now added the Security user authentication configuration, so when the client accesses the server it must send the user name and password. These need to be set in the [bootstrap.yml] configuration file of the ConfigClient client project (note: they must be set in the bootstrap.yml configuration file).
spring:
  cloud:
    config:
      # User authentication
      username: user # user name for accessing the config server
      password: root # login password for accessing the config server
After the above three steps, the user authentication function of the Config configuration center has been completed.
2. Configuration attribute encryption and decryption
The configuration attributes of the Config configuration center are currently stored in Git in plain text. For private data, however, encrypted storage must be used in actual development, so as to avoid the security issues caused by a leaked configuration file.
There are two ways to encrypt and decrypt configuration attributes: a symmetric encryption algorithm and an asymmetric encryption algorithm.
2.1. Symmetric encryption
Symmetric encryption is the simplest encryption and decryption algorithm: the same key is used for both encryption and decryption. This method also has a disadvantage, namely that once the key is leaked, the private data is leaked with it.
(1) Check whether symmetric encryption is supported
Start the Config Server server project, and access the [ http://localhost:9999/encrypt/status ] address with a browser to check whether it has the function of symmetric encryption and decryption.
- If the situation shown in the figure below occurs, it means that the encryption and decryption functions are available, but an encryption and decryption key is still missing.
- How do we fix the error shown in the picture above?
In the [bootstrap.yml] configuration file of the Config Server server project, add the key configuration (note: it must be added in the bootstrap.yml file).
# Key configuration for symmetric encryption and decryption
encrypt:
  key: config_encrypt_key # any custom key used for encryption and decryption will do
- After configuring the key, restart the ConfigServer server project.
If the above situation occurs, it means that the Config Server server already has an encryption and decryption environment.
(2) Encrypt configuration properties
The configuration center server provides the [http://localhost:9999/encrypt] endpoint for encryption operations. We can use the curl command in the CMD command line to encrypt an attribute, and then save the encrypted attribute to Git.
The command looks like this:
# The content after -d is the plaintext to be encrypted
curl http://localhost:9999/encrypt -d root
(3) Save the encrypted content to the configuration center
Go to the configuration center, find the corresponding configuration file, and fill in the encrypted content after the specified attribute. Note that the value must be written according to the following rule: the '{cipher}' prefix followed by the encrypted content.
'{cipher}<encrypted content>'
Here is what I configured:
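Because the decryption happens only on the server, a plain-text secret that slips into Git is never caught by Config itself. The following check, an added example that is not part of the original article, scans a flat YAML or .properties file before it is committed and reports any password-like key whose value is not in the '{cipher}' form described above. The key-name patterns and the sample file are assumptions constructed for the example.

```python
import re

# Keys whose values should never be committed in plain text (assumed patterns).
SENSITIVE_KEY = re.compile(r"(password|secret|token|credential)", re.IGNORECASE)
# Spring Cloud Config marks encrypted values with the {cipher} prefix and the
# server's /encrypt endpoint returns the ciphertext as a hex string.
CIPHER_VALUE = re.compile(r"^\{cipher\}([0-9a-fA-F]+)$")
# Matches one "key: value" (YAML) or "key=value" (.properties) line.
KV_LINE = re.compile(r"^\s*([\w.\-]+)\s*[:=]\s*(.*?)\s*$")


def unquote(value: str) -> str:
    """Strip the quotes the article puts around '{cipher}...' values."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def check_config(text: str) -> list:
    """Return (line_no, key, reason) for every sensitive key stored insecurely."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = KV_LINE.match(line)
        if not m or not SENSITIVE_KEY.search(m.group(1)):
            continue
        key, value = m.group(1), unquote(m.group(2))
        if not value:
            continue  # a parent key with nested children, e.g. "password:"
        if not value.startswith("{cipher}"):
            findings.append((line_no, key, "plain text"))
        elif not CIPHER_VALUE.match(value):
            findings.append((line_no, key, "malformed {cipher} value"))
    return findings


# Constructed sample file; the ciphertext is a placeholder, not real /encrypt output.
SAMPLE = """\
spring:
  datasource:
    username: root
    # encrypted with the symmetric key from bootstrap.yml
    password: '{cipher}3f2a9c0d1e5b7a8f90c1d2e3f4a5b6c7'
api:
  token: my-secret-token
db:
  secret: '{cipher}not-hex'
"""

if __name__ == "__main__":
    for line_no, key, reason in check_config(SAMPLE):
        print(f"line {line_no}: {key}: {reason}")
```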
(4) Client testing
Start the client, and then get the password attribute to check whether it is the decrypted content. If so, the symmetric encryption and decryption are successful.
Note that the encryption and decryption happen on the Config Server: the Config Server fetches the encrypted attributes from Git, decrypts them, and only then sends the attributes to the Config Client program.
2.2. Asymmetric encryption
Asymmetric encryption uses a pair of keys, one public and one private. The client uses the public key to encrypt data, and the server uses the private key to decrypt the ciphertext. To use asymmetric encryption, a key file needs to be generated; here we can use the [keytool] tool that ships with the JDK to generate it.
(1) keytool generates a key file
Under a certain directory, open the CMD command line window and execute the following command:
# keytool is the command-line tool for generating key files
# -genkeypair generates a key pair
# -keystore specifies the path of the key pair file; here it is called config.keystore
# -alias the alias, here called config
# -keyalg the asymmetric encryption algorithm
# -keypass the key password, here config
# -storepass the keystore password, here config
keytool -genkeypair -keystore config.keystore -alias config -keyalg RSA -keypass config -storepass config
After executing the command, you will be asked to enter some content, as follows:
After the command succeeds, a [config.keystore] file is generated in the current directory; copy it to the [resources] class path of the Config Server project.
(2) Prevent maven from ignoring the config.keystore file
By default, maven does not package the config.keystore file into the classes directory, so you need to add the configuration to the pom:
<build>
    <resources>
        <resource>
            <directory>src/main/resources</directory>
        </resource>
        <resource>
            <directory>src/main/java</directory>
            <includes>
                <include>**/*.xml</include>
                <include>**/*.yml</include>
                <include>**/*.properties</include>
                <include>**/*.keystore</include>
            </includes>
            <filtering>false</filtering>
        </resource>
    </resources>
</build>
(3) Add asymmetric encryption and decryption configuration
In the [bootstrap.yml] file in the Config Server server project, add the following configuration information:
# Asymmetric encryption configuration
encrypt:
  key-store:
    location: classpath:config.keystore # path of the key pair file
    alias: config # key pair alias, must match the alias used when generating the key pair
    password: config # the value of storepass
    secret: config # the value of keypass, protecting the private key
(4) Encrypt configuration properties
Open a CMD command line window and execute the following command to generate the ciphertext.
The command looks like this:
curl http://localhost:9999/encrypt -d root_2023
(5) Modify configuration center attributes
Modify the password attribute value in the configuration center and replace it with the ciphertext produced by asymmetric encryption.
Start the client project and access it to test whether the encrypted attribute can be obtained normally.
At this point, the Config configuration center implements both user authentication and configuration attribute encryption and decryption.
This concludes the article. It mainly introduced how the Config configuration center of the microservice components implements user authentication and configuration attribute encryption and decryption.