When we integrate third-party SDKs or services, we usually have to configure private values such as keys, authorization codes and AIDs. Most of us also have the good habit of committing code to a repository (right?), and every so often a careless operation publishes that private data to Gitee or GitHub, at which point it's game over. I recently read a few blog posts and tried out Jasypt to keep the configuration files safe.
- First, add the Maven dependencies

The newer version 3.0.4 is used here.

```xml
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.4</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-configuration-processor</artifactId>
    <optional>true</optional>
</dependency>
```
- Write a small encrypt/decrypt helper for your own use

```java
package com.lyne.moyu.uc.utils;

import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;

/**
 * Keafmd
 *
 * @ClassName: JasyptUtils
 * @Description: produces (and checks) Jasypt ciphertexts for the configuration file
 * @date: 2022-04-25 11:18
 */
public class JasyptUtils {

    /**
     * Generate a Jasypt ciphertext.
     *
     * @param password the encryption password declared in the configuration file (jasypt.encryptor.password)
     * @param value    the plaintext to encrypt
     * @return base64 ciphertext, to be placed in the configuration as ENC(...)
     */
    public static String encryptPwd(String password, String value) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(buildConfig(password));
        return encryptor.encrypt(value);
    }

    /**
     * Decrypt a ciphertext (handy for checking that a value in the configuration really decrypts).
     *
     * @param password the encryption password declared in the configuration file (jasypt.encryptor.password)
     * @param value    the ciphertext to decrypt (without the ENC() wrapper)
     * @return the plaintext
     */
    public static String decryptPwd(String password, String value) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(buildConfig(password));
        return encryptor.decrypt(value);
    }

    /**
     * Build a config that matches the defaults of jasypt-spring-boot 3.0.4, so that values
     * encrypted here can be decrypted by the starter at runtime.
     *
     * @param password the PBE password. The post calls it a "salt", but it is the secret the key is
     *                 derived from; the real per-value salt and IV are random (see the generators below).
     * @return the encryptor configuration
     */
    public static SimpleStringPBEConfig buildConfig(String password) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);
        // In 3.0.4 the default algorithm for automatic decryption is PBEWITHHMACSHA512ANDAES_256.
        // On JDK 1.8 and below you may need to replace the JCE security files yourself, or change
        // the algorithm when you define the configuration bean.
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        return config;
    }

    public static void main(String[] args) {
        // Encrypt a value.
        // Replace "your salt" with a passphrase of your own: it is the decryption key and must be kept safe.
        // The same value must also be written to the configuration file in step 3.
        System.out.println(encryptPwd("your salt", "123456"));
    }
}
```
- Use the generated ciphertext

In the configuration file, replace your sensitive data with the `ENC()` function wrapping the generated ciphertext, and declare your Jasypt password at the same time. The MySQL password is used as the demonstration here.

```yaml
spring:
  application:
    name: u-center
  profiles:
    active: dev
  jackson:
    date-format: yyyy-MM-dd HH:mm:ss
    time-zone: GMT+8
  mvc:
    throw-exception-if-no-handler-found: true
    static-path-pattern: /**
  web:
    resources:
      add-mappings: false
  datasource:
    url: jdbc:mysql://localhost:3306/mo_yu_ucenter?userUnicode=true&useSSL=false&serverTimezone=Asia/Shanghai&characterEncoding=utf-8&allowPublicKeyRetrieval=true
    driver-class-name: com.mysql.cj.jdbc.Driver
    type: com.alibaba.druid.pool.DruidDataSource
    username: root
    password: ENC(lG4hT3FdNsFdWPmUCob7D4YUHZqyaSXEH/uYzfAWh58lSVwBz6wLd02jSgXbNHzH)
jasypt:
  encryptor:
    password: your salt
```
## Optimizing the encryption key

Declaring the encryption password in the same configuration file defeats the purpose: the key sits right next to the ciphertext, so everything done so far is undone. My approach is to store the Jasypt password in a separate configuration file that is ignored or removed when you push to the repository, so the password is only known locally.

Create a configuration file under the resources directory to hold the password, `jasypt.properties`:

```properties
jasypt.password=your salt
```
Create a configuration class that reads that file:

```java
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.PropertySource;
import org.springframework.stereotype.Component;

/**
 * Reads the Jasypt password from the local-only jasypt.properties file.
 *
 * @author lyne
 * @date 2022/11/28
 */
@Component
// The file must be present on the classpath, otherwise the application fails to start.
@PropertySource("classpath:jasypt.properties")
@ConfigurationProperties(prefix = "jasypt")
public class JasyptProperties {

    private String password;

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}
```
Override the `jasyptStringEncryptor` bean so that the password comes from that class instead of `jasypt.encryptor.password`:

```java
import com.ulisesbocchio.jasyptspringboot.properties.JasyptEncryptorConfigurationProperties;
import com.ulisesbocchio.jasyptspringboot.util.Singleton;
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Replaces the starter's default encryptor; only the password source differs,
 * every other setting is taken from the starter's own jasypt.encryptor.* properties.
 *
 * @author lyne
 * @date 2022/11/28
 */
@Configuration
public class JasyptConfig {

    @Autowired
    private JasyptProperties myJasyptProperties;

    // "jasyptStringEncryptor" is the bean name the starter looks up for automatic decryption.
    @Bean("jasyptStringEncryptor")
    public StringEncryptor jasyptStringEncryptor(Singleton<JasyptEncryptorConfigurationProperties> configProps) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        JasyptEncryptorConfigurationProperties jasyptProperties = configProps.get();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        // The password comes from jasypt.properties, which never leaves the local machine.
        config.setPassword(myJasyptProperties.getPassword());
        config.setAlgorithm(jasyptProperties.getAlgorithm());
        config.setKeyObtentionIterations(jasyptProperties.getKeyObtentionIterations());
        config.setPoolSize(jasyptProperties.getPoolSize());
        config.setProviderName(jasyptProperties.getProviderName());
        config.setSaltGeneratorClassName(jasyptProperties.getSaltGeneratorClassname());
        config.setIvGeneratorClassName(jasyptProperties.getIvGeneratorClassname());
        config.setStringOutputType(jasyptProperties.getStringOutputType());
        encryptor.setConfig(config);
        return encryptor;
    }
}
```
Update `.gitignore` so the password file is never staged:

```gitignore
.DS_Store
material-ui/node_modules
/dist
logs

# Compiled class file
*.class
target/
test/
test

# Log file
*.log

# local env files
.env.local
.env.*.local

# Log files
npm-debug.log*
yarn-debug.log*
yarn-error.log*
pnpm-debug.log*

# Editor directories and files
.idea
.vscode
*.suo
*.ntvs*
*.njsproj
*.sln
*.sw?

*.jar
*.war
*.nar
*.ear
*.zip
*.tar.gz
*.rar
*.iml

# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*

# private files
jasypt.properties
```
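The `.gitignore` entry only keeps `git add .` from picking the file up; it does nothing against a `git add -f`, or against a literal password left under `jasypt:` in `application.yml`. As an added example that is not part of the original post, the following git pre-commit hook rejects both cases; the install path `.git/hooks/pre-commit` and the convention that values starting with `$` (such as `${JASYPT_PASSWORD}`) are placeholders rather than secrets are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a git pre-commit hook that blocks
# the two ways the Jasypt master password still leaks after the .gitignore
# change: the ignored jasypt.properties being force-added, and a literal
# password left in application.yml or a .properties file.
# Assumed install path: .git/hooks/pre-commit (make it executable).

# Return 0 when the path is the local-only password file from the post.
is_forbidden_path() {
  case "$1" in
    jasypt.properties|*/jasypt.properties) return 0 ;;
    *) return 1 ;;
  esac
}

# Read file content on stdin, print every line that assigns a literal Jasypt
# password and return 1 if any was found. Two forms are covered:
#   properties: jasypt.encryptor.password=...  or  jasypt.password=...
#   YAML:       any "password:" nested under a top-level "jasypt:" block
# Values starting with "$" (e.g. ${JASYPT_PASSWORD}) count as placeholders.
scan_for_jasypt_password() {
  awk '
    function indent(s) { match(s, /^[ \t]*/); return RLENGTH }
    function flag()    { found = 1; print "  line " NR ": " $0 }
    /^[ \t]*jasypt(\.encryptor)?\.password[ \t]*[=:][ \t]*[^ \t$]/ { flag(); next }
    /^[ \t]*jasypt:[ \t]*$/ { block = 1; base = indent($0); next }
    block && !/^[ \t]*$/ && indent($0) <= base { block = 0 }
    block && /^[ \t]*password:[ \t]*[^ \t#$]/ { flag() }
    END { exit found ? 1 : 0 }
  '
}

# Check every staged (added or modified) file; paths without whitespace assumed.
check_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=AM); do
    if is_forbidden_path "$f"; then
      echo "pre-commit: refusing to commit the local password file $f" >&2
      status=1
    elif ! hits=$(git show ":$f" | scan_for_jasypt_password); then
      printf 'pre-commit: literal Jasypt password in %s:\n%s\n' "$f" "$hits" >&2
      status=1
    fi
  done
  return $status
}

# Only run the check when git invokes this script as the hook.
case "$0" in
  */pre-commit) check_staged || exit 1 ;;
esac
```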
over