1 Introduction
In the previous article we introduced Jasypt and its usage; see [Java] How to use the excellent cryptographic library Jasypt to protect your sensitive information? for details. Such a weapon is only effective when used properly. This article introduces the integration of Jasypt into Spring Boot to secure configuration information such as database connections, account names and passwords, and interface credentials.
Jasypt can encrypt many kinds of Spring Boot configuration, including:
- System properties
- Environment properties (environment variables)
- Command line arguments
- application.properties application configuration files
- YAML application configuration files
- Other custom property sources
In testing, jasypt-spring-boot 3.0.0 and 2.1.2 had problems with Spring Boot 2.1.9; version 2.1.1, which this article uses, worked.
2 How to add the dependency
The integration of Jasypt into Spring Boot is provided by another open-source project, jasypt-spring-boot. There are three main ways to integrate it:
2.1 jasypt-spring-boot-starter
If the project uses the @SpringBootApplication or @EnableAutoConfiguration annotation, adding the following dependency to the pom enables encryption and decryption of configuration information for the entire Spring environment.
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>2.1.1</version>
</dependency>
2.2 jasypt-spring-boot
If the project does not use @SpringBootApplication or @EnableAutoConfiguration, use the following dependency and then add the @EnableEncryptableProperties annotation to a Java configuration class.
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot</artifactId>
    <version>2.1.1</version>
</dependency>
The configuration class is as follows:
import org.springframework.context.annotation.Configuration;
import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties;

// Enables ENC(...) decryption for every property source in the environment
@Configuration
@EnableEncryptableProperties
public class MyApplication {
}
2.3 Decrypting only a specific configuration file
If you do not want all configuration information to go through encryption and decryption, you can use the @EncryptablePropertySource annotation to specify the configuration file. The dependency is as follows:
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot</artifactId>
    <version>2.1.1</version>
</dependency>
The configuration class is as follows:
import org.springframework.context.annotation.Configuration;
import com.ulisesbocchio.jasyptspringboot.annotation.EncryptablePropertySource;

// Only the named property source is decrypted; other sources are left as-is
@Configuration
@EncryptablePropertySource(name = "EncryptedProperties", value = "classpath:encrypted.properties")
public class MyApplication {
}
3 Generating the encrypted string
There are many ways to generate the encrypted string; several of them are used in practice.
3.1 Java Command Line
Jasypt provides a class specifically for encryption and decryption, with a main method, which is called as follows:
java -cp ./jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI password=pkslow algorithm=PBEWithMD5AndTripleDES input=larry
The output is:
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.212-b10
----ARGUMENTS-------------------
input: larry
algorithm: PBEWithMD5AndTripleDES
password: pkslow
----OUTPUT----------------------
SUfiOs8MvmAUjg+oWl/6dQ==
3.2 Script command
Jasypt also provides scripts that can be used directly for encryption and decryption; they can be downloaded from http://www.jasypt.org/download.html. After downloading and unzipping, the files are:
# Files after unzipping
LICENSE.txt NOTICE.txt README.txt apidocs bin lib
# Files in the bin folder
decrypt.bat decrypt.sh
digest.bat digest.sh
encrypt.bat encrypt.sh
listAlgorithms.bat listAlgorithms.sh
In the bin directory, choose the script that matches your system to produce the ciphertext, using the same parameters as the Java command. The script is in fact just a wrapper that calls the Java class. Usage:
$ sh encrypt.sh password=pkslow algorithm=PBEWithMD5AndTripleDES input=larry
----ENVIRONMENT-----------------
Runtime: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 25.212-b10
----ARGUMENTS-------------------
input: larry
algorithm: PBEWithMD5AndTripleDES
password: pkslow
----OUTPUT----------------------
xRvdeEnk7zgKtX5uVGCIug==
3.3 Java Code
Since Jasypt is a Java library, it can of course also be used from Java code to encrypt and decrypt. For details, refer to [Java] How to use the excellent cryptographic library Jasypt to protect your sensitive information?.
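The following is an added example, not code from the article or from Jasypt itself: it performs the same encryption as the CLI call in 3.1 from Java, wraps the result in the ENC(...) form that jasypt-spring-boot expects, and decrypts it again; the class name JasyptRoundTrip and the helper names are assumptions.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

public class JasyptRoundTrip {
    // ENC(...) is the default wrapper jasypt-spring-boot recognises in properties.
    private static final String PREFIX = "ENC(";
    private static final String SUFFIX = ")";
    // Same parameters as the CLI call in 3.1; 1000 iterations is Jasypt's default.
    static StandardPBEStringEncryptor newEncryptor(String password) {
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setPassword(password);
        encryptor.setAlgorithm("PBEWithMD5AndTripleDES");
        encryptor.setKeyObtentionIterations(1000);
        return encryptor;
    }

    // Produce the value exactly as it is placed in application.yml.
    static String encryptForConfig(StandardPBEStringEncryptor encryptor, String plaintext) {
        return PREFIX + encryptor.encrypt(plaintext) + SUFFIX;
    }

    // Strip the wrapper and decrypt; a value without ENC(...) is returned untouched.
    static String decryptFromConfig(StandardPBEStringEncryptor encryptor, String value) {
        if (!value.startsWith(PREFIX) || !value.endsWith(SUFFIX)) {
            return value;
        }
        String ciphertext = value.substring(PREFIX.length(), value.length() - SUFFIX.length());
        return encryptor.decrypt(ciphertext);
    }

    public static void main(String[] args) {
        // Constructed demo values, the same ones used in the CLI runs above.
        StandardPBEStringEncryptor encryptor = newEncryptor("pkslow");
        String first = encryptForConfig(encryptor, "larry");
        String second = encryptForConfig(encryptor, "larry");
        // A fresh random salt is generated per call, so the two ciphertexts differ
        // (which is why the CLI and script runs above printed different output)...
        System.out.println("same ciphertext? " + first.equals(second));
        // ...yet both decrypt to the original plaintext.
        System.out.println(decryptFromConfig(encryptor, first) + " / " + decryptFromConfig(encryptor, second));
        // With the wrong key the padding check normally fails, which Jasypt reports
        // as EncryptionOperationNotPossibleException rather than returning garbage.
        try {
            decryptFromConfig(newEncryptor("not-the-key"), first);
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("decryption with the wrong key rejected");
        }
    }
}
```

Generating the ciphertext this way, with the password read from an environment variable, also keeps it off the command line, where the process list and shell history expose it.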
4 Ciphertext and other configuration items
4.1 Ciphertext
After the ciphertext has been generated, place it in the corresponding position of the configuration, as follows:
username: ENC(SUfiOs8MvmAUjg+oWl/6dQ==)
jasypt:
  encryptor:
    password: pkslow
    algorithm: PBEWithMD5AndTripleDES
The default ciphertext format is ENC(ciphertext); the wrapper can be changed with the jasypt.encryptor.property.prefix and jasypt.encryptor.property.suffix configuration items, which is not demonstrated here.
4.2 Other configuration items
Only jasypt.encryptor.password is required; the configuration items are:
Configuration Item | Required | Default Value |
---|---|---|
jasypt.encryptor.password | True | - |
jasypt.encryptor.algorithm | False | PBEWITHHMACSHA512ANDAES_256 |
jasypt.encryptor.keyObtentionIterations | False | 1000 |
jasypt.encryptor.poolSize | False | 1 |
jasypt.encryptor.providerName | False | SunJCE |
jasypt.encryptor.providerClassName | False | null |
jasypt.encryptor.saltGeneratorClassname | False | org.jasypt.salt.RandomSaltGenerator |
jasypt.encryptor.ivGeneratorClassname | False | org.jasypt.iv.RandomIvGenerator |
jasypt.encryptor.stringOutputType | False | base64 |
jasypt.encryptor.proxyPropertySources | False | false |
5 How to place your key
The key is the most important piece of information; it alone determines whether the ciphertext is really safe. There are the following kinds of approaches:
(1) In application.properties
Anyone who can read the configuration file can then obtain the key, which is not secure enough, but it is convenient and simple. Keeping the ciphertext and the key in the same configuration file is a risk.
(2) JVM parameters
Add the parameter when starting the Java program: -Djasypt.encryptor.password=pkslow, so the key does not have to be put in the code.
(3) Server environment variables
Put the key in an environment variable on the Linux system, so that only those with access to the server can learn the key. For example:
# Configure the profile file (no spaces around "=" in a shell export)
export JASYPT_PASSWORD=pkslow
# Apply it
source /etc/profile
# When running the Java program
java -Djasypt.encryptor.password=${JASYPT_PASSWORD} -jar xxx.jar
(4) Use a custom Encryptor to hold the key
Above we used the official Encryptor; in fact, we can customize it by defining the following bean in a @Configuration class:
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;

// jasypt-spring-boot picks up a StringEncryptor bean with this name
// instead of building its own from the jasypt.encryptor.* properties.
@Bean("jasyptStringEncryptor")
public StringEncryptor stringEncryptor() {
    PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
    SimpleStringPBEConfig config = new SimpleStringPBEConfig();
    config.setPassword("password"); // the key, here hard-coded in the class
    config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
    config.setKeyObtentionIterations("1000");
    config.setPoolSize("1");
    config.setProviderName("SunJCE");
    config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
    config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator"); // required for AES
    config.setStringOutputType("base64");
    encryptor.setConfig(config);
    return encryptor;
}
With the key in the code itself, someone would have to obtain the jar package and decompile it to recover the key.
If we keep part of the key in the code and configure the other part by external means, it is more secure.
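As an added example that is not the article's own code, the following combines options (3) and (4): the custom encryptor bean reads the key through Spring's Environment, so it can come from the JASYPT_ENCRYPTOR_PASSWORD environment variable or the -Djasypt.encryptor.password JVM parameter instead of a string literal, and the application refuses to start when no key is present; the class name JasyptKeyConfig is assumed.

```java
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

@Configuration
public class JasyptKeyConfig {
    // Same property name the starter uses. Spring's relaxed binding also resolves it
    // from the JASYPT_ENCRYPTOR_PASSWORD environment variable or a -D JVM parameter,
    // so the key never has to appear as a literal in the code or in application.yml.
    static final String KEY_PROPERTY = "jasypt.encryptor.password";

    @Bean("jasyptStringEncryptor")
    public StringEncryptor stringEncryptor(Environment env) {
        return buildEncryptor(env.getProperty(KEY_PROPERTY));
    }

    static StringEncryptor buildEncryptor(String password) {
        if (password == null || password.trim().isEmpty()) {
            // Refuse to start rather than fail on the first ENC(...) lookup at runtime.
            throw new IllegalStateException(KEY_PROPERTY + " is not set; no decryption key available");
        }
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);
        // Defaults from the table in 4.2; the AES algorithm needs the IV generator.
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        encryptor.setConfig(config);
        return encryptor;
    }
}
```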
6 Test results
We have finished generating the ciphertext; now we test whether it decrypts normally. The test code is as follows:
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Mono;

@RestController
@RequestMapping("/jasypt")
public class JasyptController {
    // The injected value has already been decrypted from ENC(...) by jasypt-spring-boot
    @Value("${username}")
    private String username;

    @GetMapping("/name")
    public Mono<String> sendNormalText() {
        return Mono.just(username);
    }
}
Accessing the interface returns the string as it was before encryption, so the entire process is tested successfully.
7 Summary
This article used the Spring Boot integration of Jasypt to secure configuration information, which has many uses in real projects.
In addition, if the project uses Spring Cloud Config, it provides a unified way of encryption and decryption that is also easy to use. However, if the application has not moved to a configuration center, you should use Jasypt.