背景
对于springboot项目,项目中依赖的配置如:数据库密码、中间件密码等都是明文保存在配置文件中的。
这种方式存在很大的风险,在企业的安全扫描中也通过不了。为了安全的需要,所以要对配置文件进行加密处理。
使用方式
集成 jasypt
pom 引入依赖
<!-- 配置文件加密 -->
<dependency>
<groupId>com.github.ulisesbocchio</groupId>
<artifactId>jasypt-spring-boot-starter</artifactId>
<version>3.0.5</version>
</dependency>
application.yml 中增加
# 秘钥 不支持中文
jasypt:
encryptor:
password: fandf
编写测试类 pom 引入依赖
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
</dependency>
package com.fandf.demo;
import org.jasypt.encryption.StringEncryptor;
import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.SpringBootTest;
import javax.annotation.Resource;
/**
* @author fandongfeng
*/
@SpringBootTest(classes = DemoApplication.class, webEnvironment = SpringBootTest.WebEnvironment.DEFINED_PORT)
public class JasyptTest {
@Resource
private StringEncryptor stringEncryptor;
/**
* example:
* redis:password= 123
* 123 加密后的内容:
* 修改后的配置文件
* redis:password= ENC(QvHbj+BCPR/bnSdDuNKzpoB3Kw9Pvm1bEIaSqlD5Ohhp8rPKBUcj0f5V+QqWsPP0)
* ENC(mVTvp4IddqdaYGqPl9lCQbzM3H/b0B6l)
*/
@Test
public void encrypt() {
String encrypt = stringEncryptor.encrypt("UUID");
//UUID 加密后的内容:AkZs6tdmJojZe74vfIi5BRXbUvqkBiNQrn3RO22GeqW9sBjbNuIcNz+GdqkqJ8DQ
System.out.println(" UUID 加密后的内容:" + encrypt);
String decrypt = stringEncryptor.decrypt(encrypt);
System.out.println("解密后的内容:" + decrypt);
}
}
修改配置文件
fdf:
trace:
enable: true
style: ENC(AkZs6tdmJojZe74vfIi5BRXbUvqkBiNQrn3RO22GeqW9sBjbNuIcNz+GdqkqJ8DQ)
启动项目,看下效果
原理
源码链接:https://github.com/ulisesbocchio/jasypt-spring-boot
查看其自动引入的类
查看 JasyptSpringBootAutoConfiguration 类
EnableEncryptablePropertiesConfiguration
@Configuration
@Import({EncryptablePropertyResolverConfiguration.class, CachingConfiguration.class})
public class EnableEncryptablePropertiesConfiguration {
private static final Logger log = LoggerFactory.getLogger(EnableEncryptablePropertiesConfiguration.class);
public EnableEncryptablePropertiesConfiguration() {
}
@Bean
public static EnableEncryptablePropertiesBeanFactoryPostProcessor enableEncryptablePropertySourcesPostProcessor(ConfigurableEnvironment environment, EncryptablePropertySourceConverter converter) {
return new EnableEncryptablePropertiesBeanFactoryPostProcessor(environment, converter);
}
}
查看 EnableEncryptablePropertiesBeanFactoryPostProcessor
public class EnableEncryptablePropertiesBeanFactoryPostProcessor implements BeanFactoryPostProcessor, Ordered {
private static final Logger log = LoggerFactory.getLogger(EnableEncryptablePropertiesBeanFactoryPostProcessor.class);
private final ConfigurableEnvironment environment;
private final EncryptablePropertySourceConverter converter;
public EnableEncryptablePropertiesBeanFactoryPostProcessor(ConfigurableEnvironment environment, EncryptablePropertySourceConverter converter) {
this.environment = environment;
this.converter = converter;
}
public void postProcessBeanFactory(ConfigurableListableBeanFactory beanFactory) throws BeansException {
log.info("Post-processing PropertySource instances");
MutablePropertySources propSources = this.environment.getPropertySources();
this.converter.convertPropertySources(propSources);
}
public int getOrder() {
return 2147483547;
}
}
这里就基本看明白了,通过 bean 工厂后置处理器,在加载配置文件后进行操作。
对配置文件进行解密这边主要是有两个接口,分别是 EncryptablePropertyDetector、EncryptablePropertyResolver,这两个接口根据名称可以看出来一个是发现器,一个是分解器。
先来看看 EncryptablePropertyDetector
public interface EncryptablePropertyDetector {
boolean isEncrypted(String var1);
String unwrapEncryptedValue(String var1);
}
public class DefaultPropertyDetector implements EncryptablePropertyDetector {
//默认前后缀,可自定义配置
private String prefix = "ENC(";
private String suffix = ")";
public DefaultPropertyDetector() {
}
public DefaultPropertyDetector(String prefix, String suffix) {
Assert.notNull(prefix, "Prefix can't be null");
Assert.notNull(suffix, "Suffix can't be null");
this.prefix = prefix;
this.suffix = suffix;
}
//判断是否按照jasypt约定规则加密的属性
public boolean isEncrypted(String property) {
if (property == null) {
return false;
} else {
String trimmedValue = property.trim();
return trimmedValue.startsWith(this.prefix) && trimmedValue.endsWith(this.suffix);
}
}
//去掉前缀和后缀,返回加密的值
public String unwrapEncryptedValue(String property) {
return property.substring(this.prefix.length(), property.length() - this.suffix.length());
}
}
接着看 EncryptablePropertyResolver
public interface EncryptablePropertyResolver {
String resolvePropertyValue(String var1);
}
//默认实现类
public class DefaultPropertyResolver implements EncryptablePropertyResolver {
private final Environment environment;
// 加密和解密的实现
private StringEncryptor encryptor;
// jasypt默认发现器
private EncryptablePropertyDetector detector;
public DefaultPropertyResolver(StringEncryptor encryptor, Environment environment) {
this(encryptor, new DefaultPropertyDetector(), environment);
}
public DefaultPropertyResolver(StringEncryptor encryptor, EncryptablePropertyDetector detector, Environment environment) {
this.environment = environment;
Assert.notNull(encryptor, "String encryptor can't be null");
Assert.notNull(detector, "Encryptable Property detector can't be null");
this.encryptor = encryptor;
this.detector = detector;
}
@Override
public String resolvePropertyValue(String value) {
// 该方法获取加密的属性,然后使用StringEncryptor解密并返回
return Optional.ofNullable(value)
.map(environment::resolvePlaceholders)
.filter(detector::isEncrypted) // 过滤加密属性
.map(resolvedValue -> {
try {
// 去除前缀和后缀获取真正加密的值
String unwrappedProperty = detector.unwrapEncryptedValue(resolvedValue.trim());
String resolvedProperty = environment.resolvePlaceholders(unwrappedProperty);
// 解密获得明文
return encryptor.decrypt(resolvedProperty);
} catch (EncryptionOperationNotPossibleException e) {
throw new DecryptionException("Unable to decrypt property: " + value + " resolved to: " + resolvedValue + ". Decryption of Properties failed, make sure encryption/decryption " +
"passwords match", e);
}
})
.orElse(value);
}
}
更多技术文章可以查看我的博客地址:http://fandf.top