Spring boot integrates jasypt to encrypt configuration file password

Scenario
The company requires that all passwords in the configuration file are not displayed in clear text.
There are usually two schemes:
1. Integrate jasypt for encryption.
2. Use the configuration center for unified management.
This post covers the jasypt approach.

Process
pom.xml import dependency
There are two ways to achieve this.

Introducing jasypt-spring-boot-starter
With this one you do not need to add @EnableEncryptableProperties.

<dependency>
	<groupId>com.github.ulisesbocchio</groupId>
	<artifactId>jasypt-spring-boot-starter</artifactId>
	<version>2.1.0</version>
</dependency>

Introducing jasypt-spring-boot
With this one you need to add @EnableEncryptableProperties to a configuration class.

<dependency>
	<groupId>com.github.ulisesbocchio</groupId>
	<artifactId>jasypt-spring-boot</artifactId>
	<version>2.0.0</version>
</dependency>

The first one is recommended, since it needs less configuration.

Add the key to the configuration file
In yml and properties form the configuration is as follows:

jasypt:
  encryptor:
    password: abc123

jasypt.encryptor.password=abc123

The string to be encrypted in the configuration file is enclosed in ENC().
This step requires the ciphertext to be generated first and then filled in; the value inside ENC() is the ciphertext.
For example:

spring.datasource.password= ENC(MazBcy1F0QG6AwLwhkaPkg==)

Custom tool class code
If you run the main method directly, make sure the password it uses is the same as jasypt.encryptor.password in the configuration file; otherwise the results will not match.

import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

@Component
public class JasyptUtils {
    private static Logger logger = LoggerFactory.getLogger(JasyptUtils.class);

    // StringEncryptor bean created by jasypt-spring-boot from the jasypt.encryptor.* properties
    @Autowired
    StringEncryptor encryptor;

    // encryption
    public String getEncryptResult(String string) {
        String encryptResult = encryptor.encrypt(string);
        logger.info("Original string:{} ,Encrypted string: {}", string, encryptResult);
        return encryptResult;
    }

    // decrypt
    public String getDecryptResult(String string) {
        String decryptResult = encryptor.decrypt(string);
        logger.info("Encrypted string:{} ,Original string: {}", string, decryptResult);
        return decryptResult;
    }

    // Standalone use outside Spring: the encryptor is configured by hand
    public static void main(String[] args) {
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setPassword("abcxyz"); // master password the key is derived from; must match jasypt.encryptor.password in the configuration file
        String string = "1234";
        String encryptResult = encryptor.encrypt(string);
        logger.info("Original string:{} ,Encrypted string: {}", string, encryptResult);

        String string2 = "KyyuLbN5UGc02OArDKNVMA==";
        String decryptResult = encryptor.decrypt(string2);
        logger.info("Encrypted string:{} ,Original string: {}", string2, decryptResult);
    }
}

Tip: Encryptor config not found for property jasypt.encryptor.algorithm, using default value: PBEWithMD5AndDES
This log line does not matter. If you do not configure a custom encryptor, the default algorithm is PBEWithMD5AndDES.
The line is effectively equivalent to

encryptor.setAlgorithm("PBEWithMD5AndDES");

Generate multiple times: is the ciphertext the same each time?
It is always different: every generation produces a different ciphertext.
But the different ciphertexts all decrypt to the same plaintext.
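The following is an added example, not code from the original post, that ties together the ENC() section, the default-algorithm note and the question above. It configures a StandardPBEStringEncryptor the same way jasypt-spring-boot-starter 2.x does by default (PBEWithMD5AndDES, 1000 key-obtention iterations, random salt, Base64 output), reads the master key from an environment variable instead of hardcoding it (the variable name JASYPT_ENCRYPTOR_PASSWORD is an assumption; Spring Boot's relaxed binding maps it to jasypt.encryptor.password, so the key need not appear in the file at all), and then shows that two encryptions of the same secret differ yet both decrypt, that Base64 padding may or may not be present, and that a wrong master key fails to decrypt. PBEWithMD5AndDES is kept only to match the starter's default; it is a legacy MD5/DES combination, so the secrecy of the master key is the real control. The class name JasyptEncDemo and the helper methods are hypothetical.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

// Added example (hypothetical class); not part of the original post.
public class JasyptEncDemo {

    // Assumption: the master key is supplied through this environment variable,
    // which Spring Boot's relaxed binding maps to jasypt.encryptor.password.
    static final String KEY_ENV = "JASYPT_ENCRYPTOR_PASSWORD";

    // Same settings jasypt-spring-boot-starter 2.x uses when nothing is configured
    static StandardPBEStringEncryptor buildEncryptor(String masterKey) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(masterKey);
        enc.setAlgorithm("PBEWithMD5AndDES"); // the starter's default, as the post notes
        enc.setKeyObtentionIterations(1000);   // jasypt default
        // RandomSaltGenerator is the default salt generator: a fresh salt per call,
        // which is why the same plaintext yields a different ciphertext every time.
        return enc;
    }

    // Wrap a ciphertext the way the configuration file expects it
    static String wrapForConfig(String ciphertext) {
        return "ENC(" + ciphertext + ")";
    }

    // Inverse of wrapForConfig: extract the ciphertext from an ENC(...) value
    static String unwrapFromConfig(String value) {
        if (value.startsWith("ENC(") && value.endsWith(")")) {
            return value.substring(4, value.length() - 1);
        }
        throw new IllegalArgumentException("not an ENC() value: " + value);
    }

    public static void main(String[] args) {
        String key = System.getenv(KEY_ENV);
        if (key == null || key.isEmpty()) {
            System.err.println("set " + KEY_ENV + " first; the master key is never hardcoded here");
            System.exit(1);
        }
        StandardPBEStringEncryptor enc = buildEncryptor(key);

        String secret = "1234"; // constructed sample secret
        String c1 = enc.encrypt(secret);
        String c2 = enc.encrypt(secret);
        System.out.println("ciphertexts differ: " + (!c1.equals(c2)));
        System.out.println("both decrypt to the secret: "
                + (enc.decrypt(c1).equals(secret) && enc.decrypt(c2).equals(secret)));

        // The output is Base64; a trailing "=" or "==" only appears when the encoded
        // byte count (salt + ciphertext) is not a multiple of 3, so its absence is fine.
        System.out.println("padding present: " + c1.endsWith("="));

        // Build the properties line and round-trip it as the starter does at runtime
        String line = "spring.datasource.password=" + wrapForConfig(c1);
        System.out.println(line);
        String value = line.substring(line.indexOf('=') + 1);
        System.out.println("decrypted from config line: "
                + enc.decrypt(unwrapFromConfig(value)).equals(secret));

        // A different master key almost always fails with this exception; because the
        // cipher uses PKCS5 padding, a wrong key can occasionally yield garbage instead.
        try {
            buildEncryptor(key + "x").decrypt(c1);
            System.out.println("wrong key produced garbage rather than an error");
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("decrypt with wrong key fails as expected");
        }
    }
}
```

Run it with the jasypt jar on the classpath and JASYPT_ENCRYPTOR_PASSWORD set in the environment; the printed properties line can be pasted into the configuration file as is. Keeping the key out of the file is what makes ENC() worthwhile: a ciphertext stored beside its own master password is only obfuscated, not protected.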

Correspondence between jasypt-spring-boot-starter and spring-boot-starter versions
In your own test projects 2.0.0 works without problems, but in production projects an error is reported; most of the time the cause is a version mismatch.

Solution
Find the version that matches the corresponding Spring Boot version.
Sometimes you will find that versions do not strictly follow the declared dependencies. For example, my project uses Spring Boot 1.5.9, which 1.18 does not list as supported, but in actual testing it works.
The reason is that the declared version dependency only guarantees that it works. If the functions you use happen not to be within the scope of what changed between versions, then even though the versions do not correspond, both support those functions and there is no problem; but it is risky after all.

Common version cross-reference relationships
jasypt-spring-boot-starter | dependent spring-boot-starter |
2.1.0 | 2.0.3.RELEASE | 2.2.6.RELEASE
2.0.0 | 2.0.0.RELEASE | 2.2.6.RELEASE
1.18 | 1.5.10.RELEASE | 2.2.6.RELEASE
1.12 | 1.5.1.RELEASE | 2.2.6.RELEASE
1.5 | the official website is empty, and a StackOverflowError is reported in actual testing

Obviously, the scope of 1.12 is the widest, so it is a good one to use.
However, it is not the case that the lower the version, the better: 1.5 produced an error in actual testing. So just choose the matching one.

When introducing the dependencies, place the jasypt dependency after the spring-boot-starter dependencies.
Although I don't know why, I always feel that it's safer.

Is it normal that there is no == sign at the end of the generated ciphertext?
This is normal. Some ciphertexts end with == and some do not (the output is Base64, and its padding depends on the length).
But they are all valid ciphertexts.
In testing, a short string generally produces ==, and a longer one does not.

Problems caused by @ in yml
@ is a special character in yml, so a value that contains @ needs to be enclosed in single quotation marks.
However, when jasypt encrypts the whole file automatically, it also treats the single quotation marks as part of the password, so the ciphertext obtained this way is necessarily wrong.
Solution:
Generate the ciphertext for the value directly and then copy it in, without the quotation marks.

Is the password incorrect?
ORA-01017: invalid username/password; logon denied
This means the password is incorrect.

If the account has been locked, the password is correct.

The dependencies of each version can be seen on the jasypt page on the Maven repository site:
https://mvnrepository.com/artifact/com.github.ulisesbocchio/jasypt-spring-boot-starter

Added by Aretai on Wed, 26 Jan 2022 06:29:40 +0200