springboot项目配置文件加密

1背景:

springboot项目中要求不能采用明文密码,故采用配置文件加密.

目前采用有密码的有redis nacos rabbitmq mysql 这些配置文件

2技术

2.1 redis nacos rabbitmq 配置文件加密

采用加密方式是jasypt 加密

2.1.1 加密步骤

2.1.2 引入maven依赖
<!-- 加密相关start -->
     <dependency>
         <groupId>com.github.ulisesbocchio</groupId>
         <artifactId>jasypt-spring-boot-starter</artifactId>
         <version>3.0.3</version>
     </dependency>
     <!-- 加密相关end -->

2.1.3 加注解@EnableEncryptableProperties

在启动类中加入@EnableEncryptableProperties

2.1.4 在配置文件中配置盐 加密方案

jasypt:
  encryptor:
    # 加密算法
    algorithm: PBEWITHHMACSHA512ANDAES_256
    # 加密使用的盐
    password: jaspyt_password

2.1.5 编写测试类加密/解密密码

/**
 * @author 
 * @description: 加密解密测试
 */
@SpringBootTest(classes = MycodeApplication.class)
@RunWith(SpringRunner.class)
@EnableEncryptableProperties
public class JasyptTest {

    @Autowired
    private StringEncryptor stringEncryptor;


    /**
     * 加密解密测试
     */
    @Test
    public void jasyptTest() {
        // 加密
        System.out.println(stringEncryptor.encrypt("nacos"));    // JSrINYe4IBotHndGjX1hnmY3mtPNUJlXjP12cx1+pHqUz2FNXGPu3Frnajh3QCXg
        // 解密
        System.out.println(stringEncryptor.decrypt("0q/CVaDpjJ/kG7Je5Z2GjL99ahQvOxqjLXDHsDShkQIZlmnI7UWup7Sltd2N4cV7"));
       // System.out.println(stringEncryptor.decrypt("rP4MtUODPjDz66wFfm20DR0y5YvWCI8bX1cKcoyPmEzPBZ7ylVJuyUAZL1dz7gfW"));    // root
    }

    public static void main(String[] args) throws Exception{
      /*  String[] arr = ConfigTools.genKeyPair(512);
        System.out.println("privateKey:"+arr[0]);
        System.out.println("publicKey:"+arr[1]);

        String publicKey ="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJByhUUvx4LNlBZFWDhyhaTRvy2J0W9QJ2XXccOJaCBPhUb9Af7UnyaYUra0pRvwlX1VqMCtM4n3du5IpXedAwcCAwEAAQ==";

        String encryptStr = "XgBw9PoKkns4FP1oYIvLc7U+tjawEl8VWvSmcLYI5ekxUm0CoDa2saIB8ndQylo2jNXfqbYm6jz8Vzq7dOOpXg==";
        System.out.println("encryptStr:"+encryptStr);
        System.out.println("decryptStr:"+ConfigTools.decrypt(publicKey,encryptStr));*/
        String privateKey ="MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAkHKFRS/Hgs2UFkVYOHKFpNG/LYnRb1AnZddxw4loIE+FRv0B/tSfJphStrSlG/CVfVWowK0zifd27kild50DBwIDAQABAkAn8kPA2nHGTqwBbLP1CFbFOeww38g3jGcY1vfzJ3DQXj/tf2fiBtiwzXQkB9c2+Z24XiXBo/fo3c1tTOxEtdHBAiEA9S+svZgwa1ZM2QpKmrkcXC5wdN/2FaptTWGOK0yjCp8CIQCW0W7QYwsbPcLKDTLLZ9iCDT6ckx3sl/ynnPeWc34WmQIgJ8x7T7M6eNHjW3+uKHtPvS7UlkQcX9vwLhVdzG1+MaUCIQCROnM+72DOhpaAAl2bSRBPi3lzRKdYILMGpDw2AFi2YQIhAO5eAxXQwe65AM2lVg+0C38rwMBvmyqU0ljnOLkRkL1t";
        String encryptStr = ConfigTools.encrypt(privateKey,"Safm@987");
        System.out.println(encryptStr);

        String dbpassword = ConfigTools.decrypt("MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJByhUUvx4LNlBZFWDhyhaTRvy2J0W9QJ2XXccOJaCBPhUb9Af7UnyaYUra0pRvwlX1VqMCtM4n3du5IpXedAwcCAwEAAQ==", "XgBw9PoKkns4FP1oYIvLc7U+tjawEl8VWvSmcLYI5ekxUm0CoDa2saIB8ndQylo2jNXfqbYm6jz8Vzq7dOOpXg==");
        System.out.println(dbpassword);
        //System.out.println();
    }
}

2.1.6 在用加密之后的秘钥替换要来的密码

注意要用ENC()包裹起来 注意要用ENC()包裹起来
注意要用ENC()包裹起来

server:
  port: 9105
jasypt:
  encryptor:
    # 加密算法
    algorithm: PBEWITHHMACSHA512ANDAES_256
    # 加密使用的盐
    password: jaspyt_password
spring:
  mvc:
    pathmatch:
      matching-strategy: ant_path_matcher
  main:
    allow-circular-references: true
  application:
    name: dp-ccb
  ### cloud 相关配置
  cloud:
    nacos:
      discovery:
        server-addr: 172.0.0.1:8848
        namespace: public
        username: nacos
        # 使用ENC()包裹,标识为加密之后的,否则无法解密,会报错
        password: ENC(rP4MtUODPjDz66wFfm20DR0y5YvWCI8bX1cKcoyPmEzPBZ7ylVJuyUAZL1dz7gfW)

2.2 mysql 加密

驱动为DruidDataSource的方式上面的加密方式不能解析密码
加密方式为import com.alibaba.druid.filter.config.ConfigTools.decrypt

2.2.1 技术实现原理

在创建链接的时候注入密码解密器。
springboot项目配置文件加密_第1张图片

2.2.2 代码实现

自己实现DruidPasswordCallback 重写setProperties方法

package com.example.mycode.utils;

import com.alibaba.druid.filter.config.ConfigTools;
import com.alibaba.druid.util.DruidPasswordCallback;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.util.Properties;

/**
 * @author sz
 * @version 1.0
 * @date 2023-02-13 21:07
 */

public class MyDataSourceCallback extends DruidPasswordCallback {
    private static final Logger LOGGER = LoggerFactory.getLogger(MyDataSourceCallback.class);


    @Override
    public void setProperties(Properties properties) {

        super.setProperties(properties);
        String password = (String) properties.get("password");
        String publickey = (String) properties.get("publickey");
        if (StringUtils.isNotBlank(password)) {
            try {
                String dbpassword = ConfigTools.decrypt(publickey, password);
                setPassword(dbpassword.toCharArray());
            } catch (Exception e) {
                LOGGER.error("Druid ConfigTools.decrypt", e);
            }
        }
    }
}

2.2.3 用import com.alibaba.druid.filter.config.ConfigTools.decrypt 自带的加密,解密方式 加密密码

public static void main(String[] args) throws Exception{
        String privateKey ="MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAkHKFRS/Hgs2UFkVYOHKFpNG/LYnRb1AnZddxw4loIE+FRv0B/tSfJphStrSlG/CVfVWowK0zifd27kild50DBwIDAQABAkAn8kPA2nHGTqwBbLP1CFbFOeww38g3jGcY1vfzJ3DQXj/tf2fiBtiwzXQkB9c2+Z24XiXBo/fo3c1tTOxEtdHBAiEA9S+svZgwa1ZM2QpKmrkcXC5wdN/2FaptTWGOK0yjCp8CIQCW0W7QYwsbPcLKDTLLZ9iCDT6ckx3sl/ynnPeWc34WmQIgJ8x7T7M6eNHjW3+uKHtPvS7UlkQcX9vwLhVdzG1+MaUCIQCROnM+72DOhpaAAl2bSRBPi3lzRKdYILMGpDw2AFi2YQIhAO5eAxXQwe65AM2lVg+0C38rwMBvmyqU0ljnOLkRkL1t";
        String encryptStr = ConfigTools.encrypt(privateKey,"123456");
        System.out.println(encryptStr);

        String dbpassword = ConfigTools.decrypt("MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJByhUUvx4LNlBZFWDhyhaTRvy2J0W9QJ2XXccOJaCBPhUb9Af7UnyaYUra0pRvwlX1VqMCtM4n3du5IpXedAwcCAwEAAQ==", "XgBw9PoKkns4FP1oYIvLc7U+tjawEl8VWvSmcLYI5ekxUm0CoDa2saIB8ndQylo2jNXfqbYm6jz8Vzq7dOOpXg==");
        System.out.println(dbpassword);
        //System.out.println();
    }

2.2.4 在配置文件中配置信息

核心关键是配置connectionProperties 和passwordCallbackClassName
注意要connectionProperties 配置公钥和加密的密码
passwordCallbackClassName 要配置自定义的解密限定名

dataSources:
  ds:
    dataSourceClassName: com.alibaba.druid.pool.DruidDataSource
    url: jdbc:mysql://172.27.15.74:3306/alter_table_test?serverTimezone=GMT%2B8&useUnicode=true&characterEncoding=UTF-8&useSSL=false&autoReconnect=true&failOverReadOnly=false&allowMultiQueries=true
    username: root
    password: XgBw9PoKkns4FP1oYIvLc7U+tjawEl8VWvSmcLYI5ekxUm0CoDa2saIB8ndQylo2jNXfqbYm6jz8Vzq7dOOpXg==
    passwordCallbackClassName: com.example.mycode.utils.MyDataSourceCallback
    connectionProperties: config:decrypt=true;publickey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJByhUUvx4LNlBZFWDhyhaTRvy2J0W9QJ2XXccOJaCBPhUb9Af7UnyaYUra0pRvwlX1VqMCtM4n3du5IpXedAwcCAwEAAQ==;password=XgBw9PoKkns4FP1oYIvLc7U+tjawEl8VWvSmcLYI5ekxUm0CoDa2saIB8ndQylo2jNXfqbYm6jz8Vzq7dOOpXg==
    initial-size: 20
    min-idle: 5
    max-active: 50
    max-wait: 60000
    time-between-eviction-runs-millis: 60000
    min-evictable-idle-time-millis: 300000
    validation-query-timeout: 10000
    test-while-idle: true
    test-on-borrow: false
    test-on-return: false
    pool-prepared-statements: false
    max-pool-prepared-statement-per-connection-size: 20

你可能感兴趣的:(spring,boot,java,后端)