Security requirements forbid hard-coding passwords into source code, and even more so writing plaintext passwords straight into configuration files. To meet this requirement we recommend encrypting them with jasypt.
Java Simplified Encryption
Jasypt is a java library which allows the developer to add basic encryption capabilities to his/her projects with minimum effort, and without the need of having deep knowledge on how cryptography works.
- High-security, standards-based encryption techniques, both for unidirectional and bidirectional encryption. Encrypt passwords, texts, numbers, binaries...
- Transparent integration with Hibernate.
- Suitable for integration into Spring-based applications and also transparently integrable with Spring Security.
- Integrated capabilities for encrypting the configuration of applications (i.e. datasources).
- Specific features for high-performance encryption in multi-processor/multi-core systems.
- Open API for use with any JCE provider.
How to use it
1. Add the dependency to the Maven project
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>2.1.0</version>
</dependency>
2. Write a jasypt utility class to encrypt the plaintext password
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;

public class JasyptUtils {
    // Encryptor configuration: the master password plus the PBE algorithm and output settings
    public static SimpleStringPBEConfig cryptor(String password) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setStringOutputType("base64");
        return config;
    }
    // Encrypt: the "salt" parameter is the master password you define yourself
    // (jasypt generates the real cryptographic salt via RandomSaltGenerator)
    public static String encrypt(String salt, String value) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(cryptor(salt));
        return encryptor.encrypt(value);
    }
    // Decrypt with the same master password
    public static String decrypt(String salt, String value) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(cryptor(salt));
        return encryptor.decrypt(value);
    }
}
3. Alternatively, encrypt and decrypt with the jasypt command line tools
3.1 Download: https://github.com/jasypt/jasypt/releases/download/jasypt-1.9.3/jasypt-1.9.3-dist.zip
3.2 The jasypt-1.9.3-dist\jasypt-1.9.3\bin directory contains:
- A set of .bat files for Windows execution:
- encrypt.bat: for PBE (Password Based Encryption) encryption operations.
- decrypt.bat: for PBE (Password Based Encryption) decryption operations.
- digest.bat: for message digest operations.
- listAlgorithms.bat: for listing the digest and PBE encryption algorithms available in your JVM.
- A set of .sh files for Linux/UNIX execution:
- encrypt.sh: for PBE (Password Based Encryption) encryption operations.
- decrypt.sh: for PBE (Password Based Encryption) decryption operations.
- digest.sh: for message digest operations.
- listAlgorithms.sh: for listing the digest and PBE encryption algorithms available in your JVM.
For example:
./encrypt.sh input="This is my message to be encrypted" password=MYPAS_WORD
4. Put the resulting ciphertext into the configuration file
entry_password:
  aes_key: ENC(ZrkJasasasdfwefR5FDaW0Du6xODF/uuuuu=)
  aesutils_key: ENC(gIypv0H5qwwddd/ooooo=)
Note: the ciphertext must be wrapped in ENC(...) so that jasypt knows to decrypt it.
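The following is an added example, not code from the original post or from jasypt itself. It ties step 2 and step 4 together: it builds an encryptor in the same shape as JasyptUtils.cryptor but with the AES-256 PBE algorithm that jasypt-spring-boot 2.x uses by default instead of PBEWithMD5AndDES, wraps the output in ENC(...) as the configuration file expects, and checks that the value round-trips. It assumes jasypt 1.9.3 (which adds IV generator support) on the classpath; the class name JasyptRoundTrip and the environment variable JASYPT_MASTER_PASSWORD are assumptions for the example.

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;

public class JasyptRoundTrip {
    // Same shape as JasyptUtils.cryptor above, but with the PBE algorithm that
    // jasypt-spring-boot 2.x defaults to (AES-256 with a PBKDF2/HMAC-SHA512 derived key)
    // instead of the 56-bit DES/MD5 combination. AES-CBC needs an IV, so a random IV
    // generator is configured next to the random salt generator.
    public static PooledPBEStringEncryptor buildEncryptor(String masterPassword) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(masterPassword);
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }
    // Wrap ciphertext the way step 4 expects it in the configuration file.
    public static String toConfigValue(String cipherText) {
        return "ENC(" + cipherText + ")";
    }
    // Strip the ENC(...) wrapper; a value without it is plaintext and is returned as is.
    public static String fromConfigValue(String value) {
        boolean wrapped = value.startsWith("ENC(") && value.endsWith(")");
        return wrapped ? value.substring(4, value.length() - 1) : value;
    }
    public static void main(String[] args) {
        // The master password comes from the environment, never from source or config
        // (step 5); JASYPT_MASTER_PASSWORD is an assumed variable name for this example.
        String master = System.getenv("JASYPT_MASTER_PASSWORD");
        if (master == null || master.isEmpty()) {
            throw new IllegalStateException("JASYPT_MASTER_PASSWORD is not set");
        }
        PooledPBEStringEncryptor encryptor = buildEncryptor(master);
        String secret = "db-password-example"; // constructed sample plaintext
        String configValue = toConfigValue(encryptor.encrypt(secret));
        System.out.println("aes_key: " + configValue); // line to paste into the YAML
        // Random salt and IV make every encrypt() output differ; decrypt() must still round-trip.
        String restored = encryptor.decrypt(fromConfigValue(configValue));
        if (!secret.equals(restored)) {
            throw new IllegalStateException("round-trip failed");
        }
    }
}
```

Because the algorithm is part of the ciphertext's meaning, the application must be started with the same jasypt.encryptor.algorithm it was encrypted with (step 5), otherwise decryption fails at startup.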
5. Deploying the project
When deploying, we can put the password into a Linux environment variable and have the project read it at startup like this:
-Djasypt.encryptor.password=%MY_PASSWORD% -Djasypt.encryptor.algorithm=%MY_ALGORITHM%
or write it directly into the startup configuration.
6. jasypt source code analysis
See the article "spring boot使用jasypt加密原理解析" (an analysis of how jasypt encryption works in Spring Boot) by const伐伐 on this site.