当我们使用一些第三方SDK或服务时,一般需要配置密钥、授权码、AID等隐私信息。此外,大多数人都有把代码提交到仓库的好习惯【是吧?】,有时候会因为一些失误操作而将自己的隐私数据发布到gitee/github上,就完球了。我最近看了些博客,尝试了下使用Jasypt来保证配置文件的安全性。
- 首先导入maven包
这里使用的是新版3.0.4
<!-- Jasypt integration for Spring Boot: decrypts ENC(...) property values when the application starts. 3.0.4 is the version used on this page. -->
<dependency>  
    <groupId>com.github.ulisesbocchio</groupId>  
    <artifactId>jasypt-spring-boot-starter</artifactId>  
    <version>3.0.4</version>  
</dependency>  
  
<!-- Generates metadata for @ConfigurationProperties classes; marked optional so it is not passed on to modules that depend on this one. -->
<dependency>  
    <groupId>org.springframework.boot</groupId>  
    <artifactId>spring-boot-configuration-processor</artifactId>  
    <optional>true</optional>  
</dependency>
- 编写一个自己使用的加密解密的小工具
package com.lyne.moyu.uc.utils;  
  
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;  
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;  
  
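/**
 * Small helper for producing and checking Jasypt ciphertext that goes inside
 * {@code ENC(...)} in a Spring configuration file.
 *
 * <p>The encryptor settings are fixed in {@link #cryptOr(String)}; ciphertext made here
 * can only be decrypted by an encryptor configured with the same password and settings.
 *
 * @author Keafmd
 * @date 2022-04-25 11:18
 */
public class JasyptUtils {
   /**
    * Environment variable {@link #main(String[])} reads the encryptor password from.
    * It is the form Spring Boot's relaxed binding maps to {@code jasypt.encryptor.password}.
    */
   private static final String PASSWORD_ENV = "JASYPT_ENCRYPTOR_PASSWORD";

   /**
    * Encrypts a value with Jasypt.
    *
    * <p>Salt and IV are generated randomly for every call (see {@link #cryptOr(String)}),
    * so encrypting the same input twice gives different output.
    *
    * @param password the encryptor password, i.e. the value of {@code jasypt.encryptor.password}
    * @param value    the plaintext to encrypt
    * @return the ciphertext as a base64 string
    */
   public static String encryptPwd(String password, String value) {
      PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
      encryptor.setConfig(cryptOr(password));
      return encryptor.encrypt(value);
   }

   /**
    * Decrypts a value produced by {@link #encryptPwd(String, String)}.
    * (The spelling of the method name is kept as-is for existing callers.)
    *
    * @param password the encryptor password, i.e. the value of {@code jasypt.encryptor.password}
    * @param value    the base64 ciphertext, without the surrounding {@code ENC(...)}
    * @return the decrypted plaintext
    */
   public static String decyptPwd(String password, String value) {
      PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
      encryptor.setConfig(cryptOr(password));
      return encryptor.decrypt(value);
   }

   /**
    * Builds the encryptor configuration shared by encryption and decryption.
    *
    * @param password the encryptor password. This is the secret the key is derived from,
    *                 not a salt: the salt is generated randomly by {@code RandomSaltGenerator}.
    * @return the populated configuration
    */
   public static SimpleStringPBEConfig cryptOr(String password) {
      SimpleStringPBEConfig config = new SimpleStringPBEConfig();
      config.setPassword(password);
      // Version 3.0.4 of the starter decrypts with PBEWITHHMACSHA512ANDAES_256 by default.
      // JDK 1.8 and earlier may need the JCE security policy files replaced for this
      // algorithm; alternatively pick a different algorithm here and in the application.
      config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
      // Must equal the iteration count on the decrypting side.
      // NOTE(review): 1000 is low for password-based key derivation by current guidance;
      // raising it means setting jasypt.encryptor.key-obtention-iterations to the same value.
      config.setKeyObtentionIterations("1000");
      config.setPoolSize("1");
      config.setProviderName("SunJCE");
      config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
      config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
      config.setStringOutputType("base64");
      return config;
   }

   /**
    * Prints the ciphertext for one value.
    *
    * <p>The encryptor password is read from the {@code JASYPT_ENCRYPTOR_PASSWORD}
    * environment variable and the plaintext from the first argument, so real secrets do
    * not have to be edited into this source file and risk being committed with it. When
    * either is missing the demo placeholders {@code "your salt"} and {@code "123456"} are used.
    *
    * @param args optional: {@code args[0]} is the plaintext to encrypt
    */
   public static void main(String[] args) {
      // The password is the decryption secret: keep it safe, and make the same value
      // available to the application that has to decrypt the ENC(...) entries.
      String envPassword = System.getenv(PASSWORD_ENV);
      String password = (envPassword == null || envPassword.isEmpty()) ? "your salt" : envPassword;
      // NOTE(review): command-line arguments can end up in shell history and process
      // listings; run this on a machine you trust.
      String value = args.length > 0 ? args[0] : "123456";
      System.out.println(encryptPwd(password, value));
   }
}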
- 使用加密后的密文
在配置文件中使用ENC()函数和生成的密文替换你的敏感数据,同时声明你的jasypt密钥。这里演示mysql的密码
spring:  
  application:  
    name: u-center  
  profiles:  
    active: dev  
  jackson:  
    date-format: yyyy-MM-dd HH:mm:ss  
    time-zone: GMT+8  
  mvc:  
    throw-exception-if-no-handler-found: true  
    static-path-pattern: /**  
  web:  
    resources:  
      add-mappings: false  
  datasource:  
    # NOTE(review): useSSL=false leaves the database connection unencrypted, and
    # allowPublicKeyRetrieval=true lets the driver accept an RSA public key sent over
    # that same link. Together they are only reasonable for a local database such as
    # this localhost one; enable TLS for anything remote.
    # NOTE(review): "userUnicode" looks like a typo for "useUnicode" - confirm.
    url: jdbc:mysql://localhost:3306/mo_yu_ucenter?userUnicode=true&useSSL=false&serverTimezone=Asia/Shanghai&characterEncoding=utf-8&allowPublicKeyRetrieval=true  
    driver-class-name: com.mysql.cj.jdbc.Driver  
    type: com.alibaba.druid.pool.DruidDataSource  
    # NOTE(review): the application connects as root; a dedicated account limited to
    # this schema would reduce the impact of a leaked credential.
    username: root  
    # Jasypt ciphertext wrapped in ENC(...); the starter replaces it with the plaintext at startup.
    password: ENC(lG4hT3FdNsFdWPmUCob7D4YUHZqyaSXEH/uYzfAWh58lSVwBz6wLd02jSgXbNHzH)
jasypt:  
  encryptor:  
    # Demo only: with the encryptor password stored beside the ciphertext, anyone who
    # can read this file can decrypt it. Supply the password from outside the committed file.
    password: your salt
## 优化加密密钥
在配置文件中声明加密密码等于脱裤子放屁,这样之前的操作等于没做。我的思路是将jasypt密码存放在一个新的配置文件中,在你提交到仓库时将该文件忽略或删除,以保证密码只有本地可知。需要注意的是,放在资源目录下的文件默认会被打包进jar,所以构建产物里仍然带有明文口令,分发产物时要当作敏感文件对待。
在资源目录下创建一个配置文件来存放密码
jasypt.properties
# Placeholder value: set the real encryptor password locally only, and keep this file out of version control.
jasypt.password=your salt
创建一个配置实体来读取配置文件
/**
 * Binds the {@code jasypt.password} entry of {@code jasypt.properties} (loaded from the
 * classpath) so the encryptor password can live outside the main configuration file.
 *
 * <p>NOTE(review): {@code @PropertySource} is declared without
 * {@code ignoreResourceNotFound}, so the file has to be present on the classpath
 * wherever the application starts - confirm this for environments built from a clean
 * checkout, where the git-ignored file will be missing.
 *
 * @author lyne
 * @date 2022/11/28
 */
@ConfigurationProperties(prefix = "jasypt")
@PropertySource("classpath:jasypt.properties")
@Component
public class JasyptProperties {
   /** The Jasypt encryptor password, bound from {@code jasypt.password}. */
   private String password;

   /**
    * @return the encryptor password, or {@code null} when nothing was bound
    */
   public String getPassword() {
      return this.password;
   }

   /**
    * Called during property binding to set the encryptor password.
    *
    * @param password the value of {@code jasypt.password}
    */
   public void setPassword(String password) {
      this.password = password;
   }
}
重写jasyptStringEncryptor
/**
 * Replaces the starter's {@code jasyptStringEncryptor} bean so that the encryptor
 * password comes from {@link JasyptProperties} (that is, {@code jasypt.properties})
 * instead of the main configuration file.
 *
 * @author lyne
 * @date 2022/11/28
 */
@Configuration
public class JasyptConfig {

   /** Source of the encryptor password. */
   @Autowired
   private JasyptProperties myJasyptProperties;

   /**
    * Builds the encryptor used to decrypt {@code ENC(...)} property values.
    *
    * <p>Only the password is taken from {@link JasyptProperties}; algorithm, iteration
    * count, pool size, provider, salt/IV generators and output type are copied unchanged
    * from the starter's own configuration properties.
    *
    * @param configProps holder for the starter's encryptor configuration properties
    * @return the configured pooled encryptor
    */
   @Bean("jasyptStringEncryptor")
   public StringEncryptor jasyptStringEncryptor(Singleton<JasyptEncryptorConfigurationProperties> configProps) {
      JasyptEncryptorConfigurationProperties starterProps = configProps.get();

      SimpleStringPBEConfig pbeConfig = new SimpleStringPBEConfig();
      // NOTE(review): getPassword() is passed through without a null check, so a missing
      // jasypt.password entry is not reported here.
      pbeConfig.setPassword(myJasyptProperties.getPassword());
      pbeConfig.setAlgorithm(starterProps.getAlgorithm());
      pbeConfig.setKeyObtentionIterations(starterProps.getKeyObtentionIterations());
      pbeConfig.setPoolSize(starterProps.getPoolSize());
      pbeConfig.setProviderName(starterProps.getProviderName());
      pbeConfig.setSaltGeneratorClassName(starterProps.getSaltGeneratorClassname());
      pbeConfig.setIvGeneratorClassName(starterProps.getIvGeneratorClassname());
      pbeConfig.setStringOutputType(starterProps.getStringOutputType());

      PooledPBEStringEncryptor pooledEncryptor = new PooledPBEStringEncryptor();
      pooledEncryptor.setConfig(pbeConfig);
      return pooledEncryptor;
   }

}
修改.gitignore
.DS_Store
material-ui/node_modules
/dist
logs
# Compiled class file
*.class
target/
# NOTE(review): these two patterns have no leading slash, so they match a "test"
# entry at any depth - confirm that is intended.
test/
test
# Log file
*.log
# local env files
.env.local
.env.*.local
# Log files
npm-debug.log*
yarn-debug.log*
yarn-error.log*
pnpm-debug.log*
# Editor directories and files
.idea
.vscode
*.suo
*.ntvs*
*.njsproj
*.sln
*.sw?
*.jar
*.war
*.nar
*.ear
*.zip
*.tar.gz
*.rar
*.iml
# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*
# privacy Files
# Holds the Jasypt encryptor password. An ignore rule only affects untracked files: if
# this file was ever committed, untrack it (git rm --cached) and change the password,
# because the old value stays readable in the repository history.
jasypt.properties
over


























