最近项目(Spring Boot)突然要做安全基线,其中最重要的一点是不能将密码明文存储在项目配置文件中,为了解决这个问题,我们需要引入一个 jasypt-spring-boot-starter 库。下面是该库的使用方式:
<dependency> <groupId>com.github.ulisesbocchio</groupId> <artifactId>jasypt-spring-boot-starter</artifactId> <version>1.14</version> </dependency>
下面类使用 JDK 内置的 API 编写了一个 DES 加密解密工具,代码如下:
package com.hxstrive.springboot2.config_encrypt.utils;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESKeySpec;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
/**
* DES常用解密加密工具类
*
* @author hxstrive.com
*/
public class DesUtil {
/**
* 默认的字符编码
*/
private static final String DEFAULT_CHARSET = "UTF-8";
/**
* 秘钥字符串
*/
private static final String PASSWORD = "E6oQo-Tbqv^kVwQtT90sRJ9yQ534gXTvosRgm5$OWu8brv3ZE4PUHi-Ul%YisBrC";
/**
* 算法名称
*/
private static final String ALGORITHM = "DES";
private static SecretKey getSecretkey() throws InvalidKeyException, NoSuchAlgorithmException,
InvalidKeySpecException {
// 创建一个DESKeySpec对象,PASSWORD可任意指定
DESKeySpec desKey = new DESKeySpec(PASSWORD.getBytes());
// 创建一个密匙工厂
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(ALGORITHM);
// 生成密钥
return keyFactory.generateSecret(desKey);
}
/**
* 解密DES
*
* @param datasource 需要加密的内容
* @return 解密后的明文数据
*/
public static String decrypt(String datasource) {
try {
// 生成密钥
SecretKey secretkey = getSecretkey();
// 指定获取DES的Cipher对象
Cipher cipher = Cipher.getInstance(ALGORITHM);
// 用密匙初始化Cipher对象
cipher.init(Cipher.DECRYPT_MODE, secretkey, new SecureRandom());
// 真正开始解密操作
return new String(cipher.doFinal(parseHexStr2Byte(datasource)));
} catch (Throwable e) {
e.printStackTrace();
}
return null;
}
/**
* 加密DES
*
* @param datasource 需要加密的内容
* @return 加密的内容
*/
public static String encrypt(String datasource) {
try {
SecretKey secretKey = getSecretkey();
//指定获取DES的Cipher对象
Cipher cipher = Cipher.getInstance(ALGORITHM);
//用密匙初始化Cipher对象
cipher.init(Cipher.ENCRYPT_MODE, secretKey, new SecureRandom());
//数据加密
return parseByte2HexStr(cipher.doFinal(datasource.getBytes(DEFAULT_CHARSET)));
} catch (Throwable e) {
e.printStackTrace();
}
return null;
}
public static String parseByte2HexStr(byte[] buf) {
StringBuffer sb = new StringBuffer();
for (int i = 0; i < buf.length; ++i) {
String hex = Integer.toHexString(buf[i] & 255);
if (hex.length() == 1) {
hex = '0' + hex;
}
sb.append(hex.toUpperCase());
}
return sb.toString();
}
private static byte[] parseHexStr2Byte(String hexStr) {
if (hexStr.length() < 1) {
return null;
} else {
byte[] result = new byte[hexStr.length() / 2];
for (int i = 0; i < hexStr.length() / 2; ++i) {
int high = Integer.parseInt(hexStr.substring(i * 2, i * 2 + 1), 16);
int low = Integer.parseInt(hexStr.substring(i * 2 + 1, i * 2 + 2), 16);
result[i] = (byte) (high * 16 + low);
}
return result;
}
}
}下面通过实现 StringEncryptor 接口,该接口提供了两个方法,分别为 encrypt() 加密,decrypt() 加密,代码如下:
package com.hxstrive.springboot2.config_encrypt.custom;
import com.hxstrive.springboot2.config_encrypt.utils.DesUtil;
import org.jasypt.encryption.StringEncryptor;
import org.springframework.stereotype.Component;
/**
* 自定义配置文件解密类,StringEncryptor 来自 jasypt-spring-boot-starter 组件
*
* @author hxstrive.com
*/
@Component("configItemEncryptor")
public class ConfigItemEncryptor implements StringEncryptor {
@Override
public String encrypt(String s) {
throw new UnsupportedOperationException("Encryption operations are not supported");
}
@Override
public String decrypt(String s) {
return DesUtil.decrypt(s);
}
}# 配置自定义的解密组件,组件自动调用 decrypt(String s) 方法 # 对配置值为 ENC() 格式的值进行解密 jasypt.encryptor.bean=configItemEncryptor # 模拟加密配置 jdbc.username=root # 注意:必须使用 ENC() 的方式指定加密后的密码,这样便于组件识别 # 其中 53E35BFE7A4E6A458A7CABD9A629FFFF 为加密后的密文 jdbc.password=ENC(53E35BFE7A4E6A458A7CABD9A629FFFF)
下面是 Spring Boot 启动类,该类注入了加密的配置项,通过该类可以验证配置是否解密成功。代码如下:
package com.hxstrive.springboot2.config_encrypt;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import javax.annotation.PostConstruct;
/**
* 验证使用 jasypt-spring-boot-starter 组件处理配置文件密码明文问题
* <p>
* 提前使用 DES 对配置文件的明文密码加密,然后通过 jasypt-spring-boot-starter 实现解密操作
*
* @author hxstrive.com
*/
@RestController
@SpringBootApplication
public class ConfigEncryptApplication {
@Value("${jdbc.username}")
private String jdbcUsername;
@Value("${jdbc.password}")
private String jdbcPassword;
public static void main(String[] args) {
SpringApplication.run(ConfigEncryptApplication.class, args);
}
@PostConstruct
public void init() {
System.out.println("jdbcUsername=" + jdbcUsername);
System.out.println("jdbcPassword=" + jdbcPassword);
}
@RequestMapping("/")
public String index() {
return "jdbcUsername=" + jdbcUsername + ", jdbcPassword=" + jdbcPassword;
}
}运行 Spring Boot 程序,启动日志如下:
. ____ _ __ _ _ /\\ / ___'_ __ _ _(_)_ __ __ _ \ \ \ \ ( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \ \\/ ___)| |_)| | | | | || (_| | ) ) ) ) ' |____| .__|_| |_|_| |_\__, | / / / / =========|_|==============|___/=/_/_/_/ :: Spring Boot :: (v2.6.2) 2023-05-09 09:13:10.077 INFO 4072 --- [ restartedMain] c.h.s.c.ConfigEncryptApplication : Starting ConfigEncryptApplication using Java 1.8.0_45 on hxstrive with PID 4072 (D:\learn\spring_boot\springboot2\springboot_config\config_encrypt\target\classes started by Administrator in D:\learn\spring_boot\springboot2) 2023-05-09 09:13:10.077 INFO 4072 --- [ restartedMain] c.h.s.c.ConfigEncryptApplication : No active profile set, falling back to default profiles: default 2023-05-09 09:13:10.341 INFO 4072 --- [ restartedMain] .e.DevToolsPropertyDefaultsPostProcessor : Devtools property defaults active! Set 'spring.devtools.add-properties' to 'false' to disable 2023-05-09 09:13:10.341 INFO 4072 --- [ restartedMain] .e.DevToolsPropertyDefaultsPostProcessor : For additional web related logging consider setting the 'logging.level.web' property to 'DEBUG' 2023-05-09 09:13:12.031 INFO 4072 --- [ restartedMain] ptablePropertiesBeanFactoryPostProcessor : Post-processing PropertySource instances 2023-05-09 09:13:12.131 INFO 4072 --- [ restartedMain] ptablePropertiesBeanFactoryPostProcessor : Converting PropertySource configurationProperties [org.springframework.boot.context.properties.source.ConfigurationPropertySourcesPropertySource] to AOP Proxy 2023-05-09 09:13:12.131 INFO 4072 --- [ restartedMain] ptablePropertiesBeanFactoryPostProcessor : Converting PropertySource servletConfigInitParams [org.springframework.core.env.PropertySource$StubPropertySource] to EncryptablePropertySourceWrapper 2023-05-09 09:13:12.131 INFO 4072 --- [ restartedMain] ptablePropertiesBeanFactoryPostProcessor : Converting PropertySource servletContextInitParams [org.springframework.core.env.PropertySource$StubPropertySource] to EncryptablePropertySourceWrapper 2023-05-09 09:13:12.139 INFO 4072 --- [ restartedMain] ptablePropertiesBeanFactoryPostProcessor : Converting PropertySource systemProperties [org.springframework.core.env.PropertiesPropertySource] to EncryptableMapPropertySourceWrapper 2023-05-09 09:13:12.139 INFO 4072 --- [ restartedMain] ptablePropertiesBeanFactoryPostProcessor : Converting PropertySource systemEnvironment [org.springframework.boot.env.SystemEnvironmentPropertySourceEnvironmentPostProcessor$OriginAwareSystemEnvironmentPropertySource] to EncryptableMapPropertySourceWrapper 2023-05-09 09:13:12.139 INFO 4072 --- [ restartedMain] ptablePropertiesBeanFactoryPostProcessor : Converting PropertySource random [org.springframework.boot.env.RandomValuePropertySource] to EncryptablePropertySourceWrapper 2023-05-09 09:13:12.139 INFO 4072 --- [ restartedMain] ptablePropertiesBeanFactoryPostProcessor : Converting PropertySource Config resource 'class path resource [application.properties]' via location 'optional:classpath:/' [org.springframework.boot.env.OriginTrackedMapPropertySource] to EncryptableMapPropertySourceWrapper 2023-05-09 09:13:12.139 INFO 4072 --- [ restartedMain] ptablePropertiesBeanFactoryPostProcessor : Converting PropertySource devtools [org.springframework.core.env.MapPropertySource] to EncryptableMapPropertySourceWrapper 2023-05-09 09:13:12.343 INFO 4072 --- [ restartedMain] c.u.j.r.DefaultLazyPropertyResolver : Property Resolver custom Bean not found with name 'encryptablePropertyResolver'. Initializing Default Property Resolver 2023-05-09 09:13:12.343 INFO 4072 --- [ restartedMain] c.u.j.d.DefaultLazyPropertyDetector : Property Detector custom Bean not found with name 'encryptablePropertyDetector'. Initializing Default Property Detector 2023-05-09 09:13:12.748 INFO 4072 --- [ restartedMain] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat initialized with port(s): 8080 (http) 2023-05-09 09:13:12.764 INFO 4072 --- [ restartedMain] o.apache.catalina.core.StandardService : Starting service [Tomcat] 2023-05-09 09:13:12.779 INFO 4072 --- [ restartedMain] org.apache.catalina.core.StandardEngine : Starting Servlet engine: [Apache Tomcat/9.0.56] 2023-05-09 09:13:12.779 WARN 4072 --- [ restartedMain] o.a.catalina.core.AprLifecycleListener : This listener must only be nested within Server elements, but is in [TomcatEmbeddedContext]. 2023-05-09 09:13:12.779 INFO 4072 --- [ restartedMain] o.a.catalina.core.AprLifecycleListener : An older version [1.2.14] of the Apache Tomcat Native library is installed, while Tomcat recommends a minimum version of [1.2.30] 2023-05-09 09:13:12.779 INFO 4072 --- [ restartedMain] o.a.catalina.core.AprLifecycleListener : Loaded Apache Tomcat Native library [1.2.14] using APR version [1.6.2]. 2023-05-09 09:13:12.779 INFO 4072 --- [ restartedMain] o.a.catalina.core.AprLifecycleListener : APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [false]. 2023-05-09 09:13:12.779 INFO 4072 --- [ restartedMain] o.a.catalina.core.AprLifecycleListener : APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true] 2023-05-09 09:13:13.825 INFO 4072 --- [ restartedMain] o.a.catalina.core.AprLifecycleListener : OpenSSL successfully initialized [OpenSSL 1.0.2l 25 May 2017] 2023-05-09 09:13:13.965 INFO 4072 --- [ restartedMain] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext 2023-05-09 09:13:13.965 INFO 4072 --- [ restartedMain] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 3616 ms 2023-05-09 09:13:14.037 INFO 4072 --- [ restartedMain] c.u.j.encryptor.DefaultLazyEncryptor : Found Custom Encryptor Bean com.hxstrive.springboot2.config_encrypt.custom.ConfigItemEncryptor@7abe9fe0 with name: configItemEncryptor jdbcUsername=root jdbcPassword=hello world 2023-05-09 09:13:14.502 INFO 4072 --- [ restartedMain] o.s.b.d.a.OptionalLiveReloadServer : LiveReload server is running on port 35729 2023-05-09 09:13:14.542 INFO 4072 --- [ restartedMain] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path '' 2023-05-09 09:13:14.558 INFO 4072 --- [ restartedMain] c.h.s.c.ConfigEncryptApplication : Started ConfigEncryptApplication in 5.707 seconds (JVM running for 9.975) 2023-05-09 09:13:39.257 INFO 4072 --- [nio-8080-exec-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring DispatcherServlet 'dispatcherServlet' 2023-05-09 09:13:39.257 INFO 4072 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Initializing Servlet 'dispatcherServlet' 2023-05-09 09:13:39.257 INFO 4072 --- [nio-8080-exec-1] o.s.web.servlet.DispatcherServlet : Completed initialization in 0 ms
浏览器访问 http://localhost:8080 效果如下图:
川公网安备51010802032098
