Security is a central concern in modern application development. Spring Boot configuration files routinely contain sensitive values such as database passwords and API keys, and storing them in plaintext is a serious risk: anyone who can read the file, or the repository it was committed to, owns the credentials. This article shows how to encrypt Spring Boot configuration properties with Jasypt (Java Simplified Encryption) so those values are no longer stored in the clear.
Jasypt (Java Simplified Encryption) is a Java library that simplifies common encryption tasks. jasypt-spring-boot-starter is a starter built for Spring Boot: it plugs into the property sources and transparently decrypts any property value written as ENC(...) at startup, so the rest of the application never sees the ciphertext.
Key features:
First, add the Jasypt dependency to the project's pom.xml:

```xml
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.5</version>
</dependency>
```
Create a utility class for encrypting and decrypting sensitive values:

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

public class JasyptEncryptorUtils {

    // Password-based encryption: PBKDF2 with HMAC-SHA512 for key derivation,
    // then AES-256 in CBC mode. This is also the starter's default algorithm,
    // so values produced here decrypt in the application without extra setup.
    private static final String ALGORITHM = "PBEWITHHMACSHA512ANDAES_256";

    // For testing only; never hard-code the master password in production code.
    private static final String PASSWORD = "your-secret-password";

    public static String encrypt(String input) {
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setPassword(PASSWORD);
        encryptor.setAlgorithm(ALGORITHM);
        // AES-CBC needs a fresh IV per encryption; jasypt stores the random
        // salt and IV in front of the ciphertext, so decrypt() can recover them.
        encryptor.setIvGenerator(new RandomIvGenerator());
        return encryptor.encrypt(input);
    }

    public static String decrypt(String encryptedInput) {
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setPassword(PASSWORD);
        encryptor.setAlgorithm(ALGORITHM);
        encryptor.setIvGenerator(new RandomIvGenerator());
        return encryptor.decrypt(encryptedInput);
    }

    public static void main(String[] args) {
        // Encrypt a sample value
        String originalValue = "my-sensitive-data";
        String encryptedValue = encrypt(originalValue);
        System.out.println("Original value:  " + originalValue);
        System.out.println("Encrypted value: ENC(" + encryptedValue + ")");

        // Decrypt it again to confirm the round trip
        String decryptedValue = decrypt(encryptedValue);
        System.out.println("Decrypted value: " + decryptedValue);
    }
}
```
Use the utility class to encrypt your sensitive values. For example, to encrypt the database password:

```java
String encryptedDbPassword = JasyptEncryptorUtils.encrypt("db@1234");
System.out.println("Encrypted database password: ENC(" + encryptedDbPassword + ")");
```
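As an added example (not code from the original post), here is a variant of the helper above that reads the master password from the JASYPT_ENCRYPTOR_PASSWORD environment variable instead of a constant, with a main() that demonstrates two behaviours worth knowing before you start pasting ENC() values around: repeated encryptions of the same value produce different ciphertexts because the salt and IV are random, and decrypting with the wrong master password raises EncryptionOperationNotPossibleException rather than quietly returning a wrong string. It assumes jasypt 1.9.3 or newer (the version the starter pulls in) and Java 11 or newer; the class name and the sample value db@1234 are constructed for the demo.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.RandomIvGenerator;

/**
 * Added example, not part of the original post. Demonstrates the
 * non-deterministic output of the PBE scheme and the failure mode for a
 * wrong master password. Assumes jasypt 1.9.3+ on the classpath.
 */
public class JasyptRoundTripDemo {

    static final String ALGORITHM = "PBEWITHHMACSHA512ANDAES_256";

    /** Builds an encryptor with the same settings the starter uses by default. */
    static StandardPBEStringEncryptor encryptor(String password) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setPassword(password);
        e.setAlgorithm(ALGORITHM);
        e.setIvGenerator(new RandomIvGenerator()); // fresh random IV per encryption
        return e;
    }

    /** Reads the master password from the environment and fails fast if it is missing. */
    static String passwordFromEnv() {
        String pw = System.getenv("JASYPT_ENCRYPTOR_PASSWORD");
        if (pw == null || pw.isBlank()) {
            throw new IllegalStateException("JASYPT_ENCRYPTOR_PASSWORD is not set");
        }
        return pw;
    }

    public static void main(String[] args) {
        String password = passwordFromEnv();
        String plaintext = args.length > 0 ? args[0] : "db@1234"; // constructed sample value

        // 1. Two encryptions of the same plaintext differ (random salt + random IV),
        //    yet both decrypt to the same value. Do not compare ENC() strings to
        //    decide whether a secret "changed".
        String c1 = encryptor(password).encrypt(plaintext);
        String c2 = encryptor(password).encrypt(plaintext);
        System.out.println("ENC(" + c1 + ")");
        System.out.println("ENC(" + c2 + ")");
        System.out.println("ciphertexts differ: " + !c1.equals(c2));
        boolean bothDecrypt = plaintext.equals(encryptor(password).decrypt(c1))
                && plaintext.equals(encryptor(password).decrypt(c2));
        System.out.println("both decrypt:       " + bothDecrypt);

        // 2. With a wrong master password the derived AES key is wrong, the CBC
        //    padding check fails (except for a ~1/256 fluke), and jasypt wraps the
        //    JCE error in EncryptionOperationNotPossibleException.
        try {
            encryptor(password + "-wrong").decrypt(c1);
            System.out.println("unexpected: decryption did not throw with a wrong password");
        } catch (EncryptionOperationNotPossibleException ex) {
            System.out.println("wrong password rejected: " + ex.getClass().getSimpleName());
        }
    }
}
```

Run it as `JASYPT_ENCRYPTOR_PASSWORD=your-secret-password java JasyptRoundTripDemo 'db@1234'`. Because the output is randomised, re-encrypting a secret for a new environment is harmless; what must stay identical between the tool and the application is the master password, the algorithm, and the salt/IV generators.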
Then reference the encrypted value in application.yml or application.properties:

```yaml
spring:
  datasource:
    url: jdbc:mysql://localhost:3306/mydb
    username: dbuser
    password: ENC(4Bw9Jj3Z6X7yA8vB1cD2eF3gH4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3) # encrypted password (placeholder)
```
The master password that decrypts the ENC() values can be supplied to Jasypt in several ways.

As an environment variable (Spring's relaxed binding maps JASYPT_ENCRYPTOR_PASSWORD to jasypt.encryptor.password):

```bash
export JASYPT_ENCRYPTOR_PASSWORD=your-secret-password
```

As a command-line argument (note that arguments are visible to other users on the host through the process list, so prefer the environment variable on shared machines):

```bash
java -jar your-app.jar --jasypt.encryptor.password=your-secret-password
```

In the configuration file itself, together with the algorithm and IV generator settings:

```yaml
jasypt:
  encryptor:
    password: your-secret-password
    algorithm: PBEWITHHMACSHA512ANDAES_256
    iv-generator-classname: org.jasypt.iv.RandomIvGenerator
```

Putting the password in the same file as the ENC() values defeats the purpose of encrypting them, so reserve the last form for local development and keep the algorithm and iv-generator-classname lines only if they differ from the starter's defaults (they do not here).
If you need control over the encryptor (provider, pool size, iteration count), define the StringEncryptor bean yourself. Every parameter here must match the tool that produced the ENC() values, otherwise decryption fails at startup:

```java
import com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties;
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;

@Configuration
@EnableEncryptableProperties
public class JasyptConfig {

    // The bean name must match jasypt.encryptor.bean (default: jasyptStringEncryptor);
    // otherwise the starter ignores this bean and builds its own encryptor.
    @Bean("jasyptStringEncryptor")
    public StringEncryptor stringEncryptor(Environment env) {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        // Resolve through the Spring Environment so the password can come from an
        // environment variable, a --jasypt.encryptor.password argument or a -D
        // system property. System.getProperty() would only see the last of those.
        // getRequiredProperty() fails fast with a clear message if it is missing.
        config.setPassword(env.getRequiredProperty("jasypt.encryptor.password"));
        config.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        encryptor.setConfig(config);
        return encryptor;
    }
}
```
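The bean above only decrypts values that were produced with exactly the same parameters. As an added example (not from the original post), the following stand-alone class builds the same PooledPBEStringEncryptor configuration outside Spring, confirms it decrypts the output of the StandardPBEStringEncryptor-based tool, and then changes a single parameter (the PBE algorithm, to the SunJCE variant PBEWITHHMACSHA256ANDAES_256) to show the mismatch surfacing as EncryptionOperationNotPossibleException. It assumes jasypt 1.9.3 or newer; the class and helper names, the password and the sample value are constructed for the demo.

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.RandomIvGenerator;

/**
 * Added example, not part of the original post. Checks outside Spring that
 * the application-side (pooled) encryptor and the offline encryption tool are
 * interchangeable, and shows what happens when one parameter drifts.
 */
public class JasyptCompatibilityCheck {

    /** Mirrors the JasyptConfig bean, parameterised on the algorithm. */
    static PooledPBEStringEncryptor appEncryptor(String password, String algorithm) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);
        config.setAlgorithm(algorithm);
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    /** Mirrors the offline tool that produces the ENC() values. */
    static StandardPBEStringEncryptor offlineTool(String password) {
        StandardPBEStringEncryptor e = new StandardPBEStringEncryptor();
        e.setPassword(password);
        e.setAlgorithm("PBEWITHHMACSHA512ANDAES_256");
        e.setIvGenerator(new RandomIvGenerator());
        return e;
    }

    /** True when the application encryptor recovers the expected plaintext. */
    static boolean compatible(PooledPBEStringEncryptor app, String ciphertext, String expected) {
        try {
            return expected.equals(app.decrypt(ciphertext));
        } catch (EncryptionOperationNotPossibleException ex) {
            return false; // wrong key material: padding check failed inside the JCE
        }
    }

    public static void main(String[] args) {
        String password = "constructed-demo-password"; // demo only; never hard-code for real
        String secret = "db@1234";                     // constructed sample value
        String enc = offlineTool(password).encrypt(secret);
        System.out.println("ENC(" + enc + ")");

        // Identical parameters on both sides: the pooled encryptor decrypts it.
        System.out.println("SHA512/AES_256 compatible: "
                + compatible(appEncryptor(password, "PBEWITHHMACSHA512ANDAES_256"), enc, secret));

        // Only the KDF hash differs, so the derived AES key differs and decryption
        // fails. This is the "works in the tool, fails in the app" symptom.
        System.out.println("SHA256/AES_256 compatible: "
                + compatible(appEncryptor(password, "PBEWITHHMACSHA256ANDAES_256"), enc, secret));
    }
}
```

The first check prints true and the second false. A useful habit is to run exactly this kind of decrypt check in a smoke test before deploying a configuration change, so a parameter drift is caught by the pipeline rather than by a failed production startup.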
Use a different master password per environment, and let only the development one live in a file:

```yaml
# application-dev.yml
jasypt:
  encryptor:
    password: dev-password
```

```yaml
# application-prod.yml
jasypt:
  encryptor:
    password: ${JASYPT_ENCRYPTOR_PASSWORD} # injected from the environment at deploy time
```

Do not give the production placeholder an empty default such as `${JASYPT_ENCRYPTOR_PASSWORD:}`: with the default in place a missing variable silently becomes an empty password, and the failure only shows up later as an undecryptable value instead of a clear "could not resolve placeholder" error at startup. Because each environment has its own password, every ENC() value has to be produced separately for dev and prod; a value encrypted with dev-password cannot be decrypted in production.
Troubleshooting

Error at startup:
Failed to bind properties under 'spring.datasource.password' to java.lang.String: Reason: java.lang.IllegalStateException: either 'jasypt.encryptor.password' must be provided
Solution: make sure the master password is supplied through the environment variable or the command-line argument, and that it actually reaches the JVM's environment (a variable exported in your shell is not visible to a service started by systemd or inside a container unless it is set there too).

Decryption fails (EncryptionOperationNotPossibleException) although the password is set.
Possible causes: the ENC() value was produced with a different master password (for example the dev password in a prod deployment); the algorithm used by the tool differs from the one the application uses (the starter's default is PBEWITHHMACSHA512ANDAES_256); the IV generator, salt generator or iteration count differs between the two; or the Base64 string inside ENC(...) was copied incompletely.
Solutions: encrypt with exactly the parameters the application is configured with, re-encrypt every value after rotating the master password, and verify the pasted ciphertext is complete.
Encrypting Spring Boot configuration with Jasypt keeps sensitive values out of plaintext files and repositories and raises the bar for anyone who obtains a configuration file. Key points:
Add jasypt-spring-boot-starter, wrap each encrypted value in ENC(...), and supply the master password from the environment rather than from the configuration file.
Keep the encryption parameters (algorithm, IV and salt generators, iteration count) identical between the tool that produces the values and the application that decrypts them.
Bear in mind what this does and does not protect: every ENC() value is only as secret as the master password, so anyone holding both the file and the password can decrypt everything, and the decrypted values still exist in the JVM's memory at runtime. Treat the master password as the real secret: inject it at deploy time from a secret manager or the platform's secret mechanism, never commit it, and rotate it (and re-encrypt) when it may have leaked.
I hope this article helps you protect the sensitive configuration in your Spring Boot applications. Questions and comments are welcome below.