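Encrypting and decrypting passwords with jasypt
jasypt is a tool commonly used in Spring Boot projects to encrypt and decrypt values in configuration files. There are many tutorials online, but I found them vague and incomplete, so after several days of running into pitfalls I am summarizing what I learned.
I. Classic usage:
1. Add the dependency. Each starter version matches particular versions of the other libraries, and some combinations conflict, so adjust the version number yourself if needed.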
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>2.1.0</version>
</dependency>
2. Set the key in the configuration file application.yml
jasypt:
  encryptor:
    password: 自己的密钥   # placeholder: your own key
3. Use a test class to generate the encrypted form of your password, then replace the plaintext password with it
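@Autowired
private StringEncryptor encryptor;

@Test
void testPassword() {
    // Encrypt the plaintext once; this is the value that goes inside ENC(...)
    String cipherText = encryptor.encrypt("123");
    System.out.println("加密后的密钥" + cipherText);                    // label: "encrypted key"
    System.out.println("解密后的密钥" + encryptor.decrypt(cipherText)); // label: "decrypted key"
}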
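Finally, put the generated ciphertext inside the parentheses of ENC(), replacing the previous plaintext password. All this does is call the encrypt and decrypt methods of StringEncryptor. When the project starts, jasypt automatically reads jasypt.encryptor.password, which is our salt value (in jasypt's terms, the encryption password), and then scans every property in the configuration. Values wrapped in ENC() are extracted and passed to the decrypt method; values without it are left untouched. The result is that ciphertext is decrypted to plaintext automatically.
4. Custom markers, if you do not want to use ENC()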
jasypt:
  encryptor:
    property:
      prefix: xxx(   # encryption prefix
      suffix: )      # encryption suffix
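II. Advanced usage
If the salt value is simply left in the yml file like this, it is about the same as not encrypting at all, because the key sits right next to the ciphertext.
1. So normally the operations team keeps the salt value, generates the ciphertext, and hands it to the developers to write into the configuration file. When the project is started, -Djasypt.encryptor.password=password is appended to the command, so that someone who obtains the ciphertext still cannot decrypt it. This is passing the salt value as a startup parameter.
2. Add System.setProperty("jasypt.encryptor.password", "password"); to the startup class. This apparently works too, but I did not get it to work, although the examples I saw online all did.
3. Change the configuration file to jasypt.encryptor.password=${JASYPT_PASSWORD}, or pass this when starting the project, and set the salt value in an environment variable.
4. Write a configuration class that injects the salt value automatically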
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

@Configuration
public class Encryptor {

    // Registered under the bean name that jasypt-spring-boot looks up by default
    @Bean("jasyptStringEncryptor")
    public StringEncryptor createPBEDefault(Environment e) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        // The salt value is hard-coded here, so it ships inside the compiled application
        config.setPassword("password");
        // Every other setting is read from the environment, with a default as fallback
        config.setAlgorithm(getProperty(e, "jasypt.encryptor.algorithm", "PBEWithMD5AndDES"));
        config.setKeyObtentionIterations(getProperty(e, "jasypt.encryptor.key-obtention-iterations", "1000"));
        config.setPoolSize(getProperty(e, "jasypt.encryptor.pool-size", "1"));
        config.setProviderName(getProperty(e, "jasypt.encryptor.provider-name", null));
        config.setProviderClassName(getProperty(e, "jasypt.encryptor.provider-class-name", null));
        config.setSaltGeneratorClassName(getProperty(e, "jasypt.encryptor.salt-generator-classname", "org.jasypt.salt.RandomSaltGenerator"));
        config.setIvGeneratorClassName(getProperty(e, "jasypt.encryptor.iv-generator-classname", "org.jasypt.iv.NoIvGenerator"));
        config.setStringOutputType(getProperty(e, "jasypt.encryptor.string-output-type", "base64"));
        encryptor.setConfig(config);
        return encryptor;
    }

    private static String getProperty(Environment environment, String key, String defaultValue) {
        return environment.getProperty(key, defaultValue);
    }
}
5. Experts can also define their own algorithm: just write a configuration class that implements StringEncryptor
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

@Configuration
public class JasyptStringEncryptor implements StringEncryptor {
    private static final Logger LOG = LoggerFactory.getLogger(JasyptStringEncryptor.class);

    @Bean(name = "jasypt.encryptor.bean:jasyptStringEncryptor")
    public StringEncryptor createPBEDefault(Environment e) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword("password");
        config.setAlgorithm(getProperty(e, "jasypt.encryptor.algorithm", "PBEWithMD5AndDES"));
        config.setKeyObtentionIterations(getProperty(e, "jasypt.encryptor.key-obtention-iterations", "1000"));
        config.setPoolSize(getProperty(e, "jasypt.encryptor.pool-size", "1"));
        config.setProviderName(getProperty(e, "jasypt.encryptor.provider-name", null));
        config.setProviderClassName(getProperty(e, "jasypt.encryptor.provider-class-name", null));
        config.setSaltGeneratorClassName(getProperty(e, "jasypt.encryptor.salt-generator-classname", "org.jasypt.salt.RandomSaltGenerator"));
        config.setIvGeneratorClassName(getProperty(e, "jasypt.encryptor.iv-generator-classname", "org.jasypt.iv.NoIvGenerator"));
        config.setStringOutputType(getProperty(e, "jasypt.encryptor.string-output-type", "base64"));
        encryptor.setConfig(config);
        return encryptor;
    }

    // Helper used above; it was missing from this class, so the class did not compile
    private static String getProperty(Environment environment, String key, String defaultValue) {
        return environment.getProperty(key, defaultValue);
    }

    @Override
    public String encrypt(String message) {
        // TODO Auto-generated method stub
        // Stub: logs the plaintext argument at DEBUG level and returns null
        LOG.debug("password : {}", message);
        return null;
    }

    @Override
    public String decrypt(String encryptedMessage) {
        // TODO Auto-generated method stub
        // Stub: logs the ciphertext argument at DEBUG level and returns null
        LOG.debug("password : {}", encryptedMessage);
        return null;
    }
}
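At startup, the ENC() ciphertext is read from the configuration file automatically and decrypted with the expert's own decryption method. Note that the encrypt and decrypt methods have to be implemented yourself.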
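The encrypt and decrypt stubs from step 5, filled in as an added example that is not from the original post or the jasypt project: AES-256-GCM with a PBKDF2-derived key, using only the JDK's javax.crypto. The class name AesGcmStringEncryptor, the iteration count and the salt || iv || ciphertext layout are assumptions chosen for illustration.

```java
import org.jasypt.encryption.StringEncryptor;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added example: class name, sizes and iteration count are assumptions, not from the original post.
public class AesGcmStringEncryptor implements StringEncryptor {
    private static final int SALT_LEN = 16, IV_LEN = 12, HDR = SALT_LEN + IV_LEN, TAG_BITS = 128;
    private final char[] password;
    public AesGcmStringEncryptor(String password) {
        if (password == null || password.isEmpty()) throw new IllegalArgumentException("encryptor password not set");
        this.password = password.toCharArray();
    }

    // buf starts with salt || iv. Derives an AES-256 key with PBKDF2, then runs AES-GCM over data[off, off+len).
    private byte[] crypt(int mode, byte[] buf, byte[] data, int off, int len) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, Arrays.copyOf(buf, SALT_LEN), 100_000, 256);
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, buf, SALT_LEN, IV_LEN));
            return cipher.doFinal(data, off, len);
        } catch (GeneralSecurityException e) {   // on decrypt, AEADBadTagException: wrong password or modified value
            throw new IllegalStateException("AES-GCM operation failed", e);
        }
    }

    @Override
    public String encrypt(String message) {
        byte[] header = new byte[HDR];           // fresh random salt and IV for every value
        new SecureRandom().nextBytes(header);
        byte[] plain = message.getBytes(StandardCharsets.UTF_8);
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, header, plain, 0, plain.length);
        byte[] out = Arrays.copyOf(header, HDR + ct.length);
        System.arraycopy(ct, 0, out, HDR, ct.length);
        return Base64.getEncoder().encodeToString(out);   // salt || iv || ciphertext+tag, goes inside ENC(...)
    }

    @Override
    public String decrypt(String encryptedMessage) {
        byte[] in = Base64.getDecoder().decode(encryptedMessage);
        if (in.length < HDR + TAG_BITS / 8) throw new IllegalArgumentException("ciphertext too short");
        return new String(crypt(Cipher.DECRYPT_MODE, in, in, HDR, in.length - HDR), StandardCharsets.UTF_8);
    }
}
```

Returned from a bean method named jasyptStringEncryptor as in step 4, with the password taken from the JASYPT_PASSWORD environment variable of step 3, this takes the place of the PBEWithMD5AndDES configuration shown there. Because GCM authenticates the ciphertext, a wrong password or an altered ENC() value raises an exception instead of decrypting to garbage.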