JavaSpringBoot

第一种Jasypt加密

Maven依赖

不同的SpringBoot版本引入的jasypt版本不同
SpringBoot版本号1依赖

  1. <!-- Jasypt加密 -->
  2. <dependency>
  3. <groupId>com.github.ulisesbocchio</groupId>
  4. <artifactId>jasypt-spring-boot-starter</artifactId>
  5. <version>2.0.0</version>
  6. </dependency>

SpringBoot版本号2依赖

  1. <dependency>
  2. <groupId>com.github.ulisesbocchio</groupId>
  3. <artifactId>jasypt-spring-boot-starter</artifactId>
  4. <version>3.0.3</version>
  5. </dependency>

在配置中心增加相关配置

  1. jasypt.encryptor.password=henghe #加密密钥

或者
为了防止salt(盐)泄露,反解出密码。可以在项目部署的时候使用命令传入salt(盐)值:

  1. java -jar xxx.jar -Djasypt.encryptor.password=henghe

将application.yml或配置中心中重要的配置改为加密格式

  1. password: ENC(tnJpIM6iACWO/wRI//7XsbBqy/Mpx6MG1hXe4S7U4cNWmGhajnUSeXmBmQiniKEU)

SpringBoot程序在启动会自动检测appliction.yml或者配置中心中有ENC(xx)的配置并做解密

加解密的测试类

  1. import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
  2. import org.jasypt.encryption.pbe.StandardPBEByteEncryptor;
  3. import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
  4. /**
  5. * @Copyright (C), 2018-2018
  6. * @Descripition : Jasypt安全框架加密类工具包
  7. */
  8. public class JasyptUtils {
  9. /**
  10. * Jasypt生成加密结果
  11. *
  12. * @param password 配置文件中设定的加密密码 jasypt.encryptor.password
  13. * @param value 待加密值
  14. * @return
  15. */
  16. public static String encryptPwd(String password, String value) {
  17. PooledPBEStringEncryptor encryptOr = new PooledPBEStringEncryptor();
  18. encryptOr.setConfig(cryptOr(password));
  19. String result = encryptOr.encrypt(value);
  20. return result;
  21. }
  22. /**
  23. * 解密
  24. *
  25. * @param password 配置文件中设定的加密密码 jasypt.encryptor.password
  26. * @param value 待解密密文
  27. * @return
  28. */
  29. public static String decyptPwd(String password, String value) {
  30. PooledPBEStringEncryptor encryptOr = new PooledPBEStringEncryptor();
  31. encryptOr.setConfig(cryptOr(password));
  32. String result = encryptOr.decrypt(value);
  33. return result;
  34. }
  35. /**
  36. * @param password salt
  37. * @return
  38. */
  39. public static SimpleStringPBEConfig cryptOr(String password) {
  40. SimpleStringPBEConfig config = new SimpleStringPBEConfig();
  41. config.setPassword(password);
  42. config.setAlgorithm(StandardPBEByteEncryptor.DEFAULT_ALGORITHM);
  43. config.setKeyObtentionIterations("1000");
  44. config.setPoolSize("1");
  45. config.setProviderName(null);
  46. config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
  47. config.setStringOutputType("base64");
  48. return config;
  49. }
  50. public static void main(String[] args) {
  51. // 加密
  52. System.out.println(encryptPwd("EbfYkitulv73I2p0mXI50JMXoaxZTKJ7", "root@1234"));
  53. // 解密
  54. // mysql@1234
  55. // System.out.println(decyptPwd("EbfYkitulv73I2p0mXI50JMXoaxZTKJ7", "bgWQ4OfVCUJ1ExsqNhGV+KKBgpx8alv+"));
  56. // root@1234
  57. // System.out.println(decyptPwd("EbfYkitulv73I2p0mXI50JMXoaxZTKJ7", "tdHzge8YvviOJaiV/+P6uQ9wgB44D1aH"));
  58. }
  59. }

第二种,自定义class

实现EnvironmentPostProcessor

从Spring Boot 1.3开始,可以在应用程序上下文刷新之前使用EnvironmentPostProcessor来自定义应用程序的EnvironmentEnvironment表示当前应用程序运行的环境,它可以统一访问各种属性源中的属性,如属性文件、JVM系统属性、系统环境变量和Servlet上下文参数。使用EnvironmentPostProcessor可以在bean初始化之前对Environment进行修改
EnvironmentPostProcessor可以在创建应用程序上下文之前,添加或者修改环境配置。
EnvironmentPostProcessor接口实现代表:ConfigFileApplicationListener

加密解密工具类

  1. package com.yss.henghe.iris.configuration;
  2. /**
  3. * @Description
  4. * @Date 2021/12/1 16:36
  5. */
  6. import java.util.Base64;
  7. import javax.crypto.Cipher;
  8. import java.security.KeyFactory;
  9. import java.security.interfaces.RSAPrivateKey;
  10. import java.security.interfaces.RSAPublicKey;
  11. import java.security.spec.PKCS8EncodedKeySpec;
  12. import java.security.spec.X509EncodedKeySpec;
  13. public class RSAEncryptDecrypt
  14. {
  15. // 公钥
  16. private static String publicKey = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqfkYJn8BHttyGrQYcoXTZK8Za" +
  17. "MVUkqhEdFIyWZhnUQz6Jr299IkBCrbTnKcQTn3ekyQl5/F+j2p8YuNQDBJiq46T/srI+zh1XIaTIKJoOI8M4ploKOztJ8IP" +
  18. "L9ucdnv/tEdGDD9kY5JILa5DQnem9HkaS55kGJX6Oet6CRiNekwiG4+K61SjyfqxuLcqm7v2gH2nvTnkci9FLwtErpdF4uT" +
  19. "Mv6LB46Z9Hpg5iVsHDbwnwqOCfirgwdalJQTy+jcn9UqqNTsneREOxTtt9JQEnsDE/4UIPAYiU6cQDRJ5YrXR56LYC/0g55" +
  20. "KpMVnMIJgS5Y/YVt66QHtUTCVmmSgxAQIDAQAB";
  21. // 私钥
  22. private static String privateKey = "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCp+" +
  23. "RgmfwEe23IatBhyhdNkrxloxVSSqER0UjJZmGdRDPomvb30iQEKttOcpxBOfd6TJCXn8X6Panxi41AMEmKrjpP+" +
  24. "ysj7OHVchpMgomg4jwzimWgo7O0nwg8v25x2e/+0R0YMP2RjkkgtrkNCd6b0eRpLnmQYlfo563oJGI16TCIbj4rrVKPJ+" +
  25. "rG4tyqbu/aAfae9OeRyL0UvC0Sul0Xi5My/osHjpn0emDmJWwcNvCfCo4J+" +
  26. "KuDB1qUlBPL6Nyf1Sqo1Oyd5EQ7FO230lASewMT/hQg8BiJTpxANEnlitdHnotgL/SDnkqkxWcwgmBLlj" +
  27. "9hW3rpAe1RMJWaZKDEBAgMBAAECggEBAIHEloaVglJ/sf7nLp8IwxrkgB64QVhytUillKFItOBxau53A" +
  28. "HaYvr3iVW8NMWrruClYeMQ7YKe34d1RtMRyqPhXs2/cfFMoiJmqeNt6gt1jga/i9V4BfRJUm2mrXiorg" +
  29. "06s97LUFx3aCdcua1Vsqn+NkeDXvY3zuwXLXPFi2GjcRBnwZL9S2i8mxCSChWy8ePjYW34bJ7viTQ7hf" +
  30. "Hz5VNA0hqMQrmgzUADq5xelnhQKsEWBaHHhLTKGYF0yNmRJ7zQJkiSncxIrzD5dvRH88Ms2nJ7lJlb1F" +
  31. "YEpZ8URlK63ofOskvcpvXFH3g7yvi6j9rCRFAL/i2UnP+lFimQ+bs0CgYEA7ZdVrSGMsKRwaX7+lmCTu" +
  32. "5cR6V74ohZKyDyzp8PcOBxvPmjY5tIULK++12xyOpsMHAwAoKfRedRrvS9vm525g5A+fioALXE74/d2A7" +
  33. "E/psO6hO89W5AcA91wMTZXLLGZ8JD0LBQp3u4dNGyyZLpDMTgM1WUsted1mOn2msRkK68CgYEAtySKlvaL" +
  34. "8Rw70LMMYZUUJ6BbUsR85aJHZ3JPsisM01PgEgcJiZHfThVZHqUgEU0noqRDzIVVKk9C1Gqx+t6F3JqU8" +
  35. "Cewop+nIKboLH5vMr+7OqM5hXLSx9g8Mm779k9P4+u7Kvq4/fY38d7kVayr3TVb5g0jEo1ugsHonwMsKk8Cg" +
  36. "YBa791/EqRCx+2us0jGTdi9qCjW5d7MSzP8SB+LSs/zOg7qGD9MuYO3Rt0Inx1piQathXqIAzOOKdvC4XEaYtgqnv8" +
  37. "MUw8WVYzSyFiHOURfk/LEBr25WgMfB5Z1f5MGLEP7a7/JTz5ncUQEWMY+/3vQTt+6narrRNgh2wrkWd7tSQKBgGIs" +
  38. "YWpZUVz3UI0oXbu1iW9Qg4PTtkv2eKZYXaZZc2+ZJ6UiRpeLLZQS14oY5B7CKDwEKB/rXWLnyCBL7YpYXJOL/cjazd" +
  39. "HvGUzki9LGF9+xbbEaLEx/58OfA23ZlpFLpLy98cAxVJc2tHigje/rNtnGr7ObWTCpxhKr1YHf1n37AoGBAI64k/lV4" +
  40. "FJn57cJnIZPp1jjapxSouxO063Z5BTYVsA6/cqXgbNPt1S8TnZRaRB2qtVrN5otRuueO6GIRJf6XTXvwxLV4xQAA/Z5" +
  41. "g2q2gelK7/ChYRdVn6Fwtnwx4iPBkH6FK+eQ0E8BfcJ5f6XPWp8N7ZpaZrd+dyc3r7uW78gG";
  42. //加密
  43. public static byte[] encrypt(byte[] str, String publicKey) throws Exception
  44. {
  45. // base64编码的公钥
  46. byte[] decoded = Base64.getDecoder().decode(publicKey);
  47. RSAPublicKey pubKey = (RSAPublicKey) KeyFactory.getInstance("RSA")
  48. .generatePublic(new X509EncodedKeySpec(decoded));
  49. // RSA加密
  50. Cipher cipher = Cipher.getInstance("RSA");
  51. cipher.init(Cipher.ENCRYPT_MODE, pubKey);
  52. return cipher.doFinal(str);
  53. }
  54. //解密
  55. public static byte[] decrypt(byte[] str) throws Exception
  56. {
  57. // base64编码的私钥
  58. byte[] decoded = Base64.getDecoder().decode(privateKey);
  59. RSAPrivateKey priKey = (RSAPrivateKey) KeyFactory.getInstance("RSA")
  60. .generatePrivate(new PKCS8EncodedKeySpec(decoded));
  61. // RSA解密
  62. Cipher cipher = Cipher.getInstance("RSA");
  63. cipher.init(Cipher.DECRYPT_MODE, priKey);
  64. return cipher.doFinal(str);
  65. }
  66. public static void main(String[] args) throws Exception
  67. {
  68. byte[] message = "1q2w3eROOT!".getBytes();
  69. System.out.println("原始字符串为:" + new String(message));
  70. byte[] messageEn = encrypt(message, publicKey);
  71. String encryPassword = new String(Base64.getEncoder().encode(messageEn));
  72. System.out.println("加密后的Base64字符串为:" + encryPassword);
  73. String str = new String(Base64.getEncoder().encode(messageEn));
  74. byte[] decode = Base64.getDecoder().decode(str);
  75. byte[] messageDe = RSAEncryptDecrypt.decrypt(decode);
  76. System.out.println("还原后的字符串为:" + new String(messageDe));
  77. }
  78. }

创建自定义类,实现EnvironmentPostProcessor

  1. package com.yss.henghe.iris.configuration;
  2. import org.springframework.boot.SpringApplication;
  3. import org.springframework.boot.env.EnvironmentPostProcessor;
  4. import org.springframework.core.env.*;
  5. import java.util.*;
  6. /**
  7. * @Description
  8. * @Date 2021/12/1 14:05
  9. */
  10. public class SafetyEncryptProcessor implements EnvironmentPostProcessor{
  11. public static final String SPRING_DATASOURCE_PASSWORD = "spring.datasource.password";
  12. public static final String PASSWORD_ENABLE_ENCRYPT = "password.enable.encrypt";
  13. public static final String TRUE = "true";
  14. @Override
  15. public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
  16. String enableEncrypt = environment.getProperty(PASSWORD_ENABLE_ENCRYPT);
  17. if (TRUE.equals(enableEncrypt)) {
  18. String password = environment.getProperty(SPRING_DATASOURCE_PASSWORD);
  19. Properties properties = new Properties();
  20. byte[] decode = Base64.getDecoder().decode(password);
  21. byte[] messageDe = new byte[0];
  22. try {
  23. messageDe = RSAEncryptDecrypt.decrypt(decode);
  24. } catch (Exception e) {
  25. }
  26. properties.setProperty(SPRING_DATASOURCE_PASSWORD, new String(messageDe));
  27. PropertiesPropertySource propertiesPropertySource = new PropertiesPropertySource(SPRING_DATASOURCE_PASSWORD,
  28. properties);
  29. environment.getPropertySources().addFirst(propertiesPropertySource);
  30. }
  31. }
  32. }

在META-INF下创建spring.factories,并且引入CustomEnvironmentPostProcessor

两种方式,实现 SpringBoot 中数据库密码加密 - 图1
spring.factories:

  1. org.springframework.boot.env.EnvironmentPostProcessor=\
  2. com.yss.henghe.iris.configuration.SafetyEncryptProcessor

将加密后的密码写入到配置文件中

  1. spring.datasource.password

公钥私钥生成方法,利用datax工具,可以生成1024,2048等制定要求的公钥秘钥

Maven依赖

  1. <dependency>
  2. <groupId>com.alibaba.datax</groupId>
  3. <artifactId>datax-core</artifactId>
  4. <version>0.0.1-SNAPSHOT</version>
  5. </dependency>
  1. public static void main(String[] args) throws Exception{
  2. String[] initKey = SecretUtil.initKey();
  3. System.out.printf("%s: %s\n","publicKey",initKey[0]);
  4. System.out.printf("%s: %s\n","privateKey",initKey[1]);
  5. }