Shulou(Shulou.com)06/02 Report--

This article mainly explains "how to encrypt the database configuration items in Java". The explanation in the article is simple and clear and easy to learn and understand. Please follow the editor's train of thought to study and learn "how to encrypt database configuration items in Java".

First look at a typical configuration file. Omit.

# # configuring MySQL Database connection

Spring.datasource.driver-class-name=com.mysql.jdbc.Driver

Spring.datasource.url=jdbc:mysql://121.196.xxx.xxx:3306/user?useUnicode=true&characterEncoding=utf-8

Spring.datasource.username=root

Spring.datasource.password=123456

# # configuring Redis Cache connection

Redis.host=121.196.xxx.xxx

Redis.port=6379

Redis.password=111111

# # configuring SMS SMS connection

Ali.sms.access_key_id=2zHmLdxAes7Bbe2w

Ali.sms.access_key_secret=bImWdv6iy0him8ly

... Omit.

This is an excerpt from a typical Spring Boot project application.properties configuration file.

Shh... Tell me secretly, is that what a lot of friends have written?

At first glance, there is nothing wrong with this. Many people will take it for granted. Including myself, I have seen a lot of projects (including many open source projects) written this way.

But after careful consideration, I found that:

Right! The configuration files of many projects, including database passwords, cache passwords, or Key of some third-party services, are allocated directly inside, without any encryption processing!

Some people will say that this configuration file is my own anyway, what is the risk?

Well, I've seen an example before when a programmer uploaded his company's project code to his GitHub warehouse, and forgot to deal with the configuration file, resulting in a leak of the company's database. The key point is that the company is also a hotel management company, so the consequences can be imagined.

On the other hand, if all the important information in the configuration file of that project had been encrypted, there is a good chance that this would not have happened. Therefore, even if it is the configuration file of the project, the important information must be encrypted!

What information needs to be encrypted?

In general, all configuration items (or fields) related to information security in the project configuration file should be dealt with, such as:

Database used, cached password

Password of middleware and message queue used

Access_Key of various third-party services used

Communication information for other third-party services

... Wait

All in all, key fields should be protected, at least not in plain text directly in the configuration file!

How to encrypt configuration items?

The method is very simple and can be done in a few steps, so let's demonstrate a minimalist version:

1. First set up a basic Spring Boot project

I won't repeat it any more.

2. Introduce jasypt-spring-boot encryption component

Introduce Jasypt, a powerful encryption library, through jasypt-spring-boot, an out-of-the-box encryption component.

Com.github.ulisesbocchio

Jasypt-spring-boot-starter

3.0.2

3. Configure the encryption key

Add the following configuration to Spring Boot's project configuration file application.properties:

Jasypt.encryptor.password=CodeSheep

It can be understood that jasypt will use this custom encryption key to encrypt important items in the configuration file.

4. Encryption test

In order to facilitate testing, we directly extend the startup class of the Spring Boot project, execute the encryption test code when the project starts, and directly see the effect.

@ SpringBootApplication

Public class SpringBootConfigEncryptApplication implements CommandLineRunner {

@ Autowired

Private ApplicationContext appCtx

@ Autowired

Private StringEncryptor codeSheepEncryptorBean

Public static void main (String [] args) {

SpringApplication.run (SpringBootConfigEncryptApplication.class, args)

}

@ Override

Public void run (String... Args) throws Exception {

Environment environment = appCtx.getBean (Environment.class)

/ / first get the original plaintext information in the configuration file

String mysqlOriginPswd = environment.getProperty ("spring.datasource.password")

String redisOriginPswd = environment.getProperty ("redis.password")

String aliSmsOriginAk = environment.getProperty ("ali.sms.access_key_secret")

/ / encryption

String mysqlEncryptedPswd = encrypt (mysqlOriginPswd)

String redisEncryptedPswd = encrypt (redisOriginPswd)

String aliSmsEncryptedAk = encrypt (aliSmsOriginAk)

/ / print the results before and after encryption

System.out.println ("MySQL original plaintext password is:" + mysqlOriginPswd)

System.out.println ("Redis original plaintext password is:" + redisOriginPswd)

System.out.println ("Aliyun SMS original AccessKey password is:" + aliSmsOriginAk)

System.out.println ("=")

System.out.println ("the result of MySQL original plaintext password encrypted is:" + mysqlEncryptedPswd)

System.out.println ("the result of Redis original plaintext password encrypted is:" + redisEncryptedPswd)

System.out.println ("the encrypted result of Aliyun SMS's original AccessKey password is:" + aliSmsEncryptedAk)

}

Private String encrypt (String originPassord) {

String encryptStr = codeSheepEncryptorBean.encrypt (originPassord)

Return encryptStr

}

Private String decrypt (String encryptedPassword) {

String decryptStr = codeSheepEncryptorBean.decrypt (encryptedPassword)

Return decryptStr

}

}

Run the project and print on the console:

The original plaintext password of MySQL is: 123456

The original plaintext password of Redis is: 111111

The original AccessKey password of Aliyun SMS is: bImWdv13da894mly

= =

The result of MySQL original plaintext password encrypted is: IV7SyeQOfG4GhiXeGLboVgOLPDO+dJMDoOdmEOQp3KyVjruI+dKKeehsTriWPKbo

The result of Redis original plaintext password encrypted is: litUkxJ3fN6+//Emq3vZ+y4o7ZOnZ8doOy7NrgJIDLoNWGG0m3ygGeQh/dEroKvv

The encrypted result of Aliyun SMS's original AccessKey password is: MAhrOs20DY0RU/c1IKyLCt6dWZqLLOO4wUcK9GBgSxNII3C+y+SRptors+FyNz55xNDslhDnpWllhcYPwZsO5A==

5. Modify the configuration file to replace the configuration item to be encrypted

We can get the encryption result obtained in the previous step and replace the original plaintext password in the configuration file with the corresponding result in the previous step, like this:

So all the important information in the wall crack recommended configuration file is handled in this way!

6. View the result of password decryption

@ SpringBootApplication

Public class SpringBootConfigEncryptApplication implements CommandLineRunner {

@ Autowired

Private ApplicationContext appCtx

@ Autowired

Private StringEncryptor codeSheepEncryptorBean

Public static void main (String [] args) {

SpringApplication.run (SpringBootConfigEncryptApplication.class, args)

}

@ Override

Public void run (String... Args) throws Exception {

Environment environment = appCtx.getBean (Environment.class)

/ / first get the configuration items in the configuration file

String mysqlOriginPswd = environment.getProperty ("spring.datasource.password")

String redisOriginPswd = environment.getProperty ("redis.password")

String aliSmsOriginAk = environment.getProperty ("ali.sms.access_key_secret")

/ / print the decrypted result

System.out.println ("MySQL original plaintext password is:" + mysqlOriginPswd)

System.out.println ("Redis original plaintext password is:" + redisOriginPswd)

System.out.println ("Aliyun SMS original AccessKey password is:" + aliSmsOriginAk)

}

}

Print the results:

The original plaintext password of MySQL is: 123456

The original plaintext password of Redis is: 111111

The original AccessKey password of Aliyun SMS is: bImWdv13da894mly

Obviously, when used in the code, the jasypt-spring-boot component automatically decrypts the configuration item encryption field of the ENC () syntax package, and the data is restored.

Children, do you have a lot of question marks?

At this time, I would like to make sure that many friends express doubts, such as:

1. The encryption key must be placed in ENC (). Why ENC?

2. Although the original configuration items related to information security are encrypted, if the custom encryption key jasypt.encryptor.password=CodeSheep is leaked, won't others still have the chance to decrypt it?

In response to these problems, move on.

Custom encryption prefix

If you do not want to use the ENC provided by jasypt by default to mark the encrypted field, you can replace it with a custom prefix tag. For example, if I want to use CodeSheep () to mark the encrypted field, you only need to configure the prefix in the configuration file:

Jasypt.encryptor.property.prefix=CodeSheep (

Jasypt.encryptor.property.suffix=)

At this point, the encrypted field can be placed in the field of the CodeSheep () tag:

Make encryption more secure

Although after the encryption above, there is no doubt that configuration items related to information security will become more secure!

But if the custom encryption key jasypt.encryptor.password=CodeSheep in the configuration file is leaked, it is still possible for our encryption field to be decrypted by others, so there are several things we can do to make encryption more secure.

1. Use a custom encryptor

When experimenting with encryption above, the default encryption rules are used, which can make it insecure when a custom encryption key is compromised. To do this, we can customize encryption rules.

Customizing encryption rules is very simple. You only need to provide a custom cipher configuration class. For example, here I customize a cryptographer named codeSheepEncryptorBean:

@ Configuration

Public class CodeSheepEncryptorCfg {

@ Bean (name = "codeSheepEncryptorBean")

Public StringEncryptor codesheepStringEncryptor () {

PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor ()

SimpleStringPBEConfig config = new SimpleStringPBEConfig ()

Config.setPassword ("CodeSheep")

Config.setAlgorithm ("PBEWITHHMACSHA512ANDAES_256")

Config.setKeyObtentionIterations ("1000")

Config.setPoolSize ("1")

Config.setProviderName ("SunJCE")

Config.setSaltGeneratorClassName ("org.jasypt.salt.RandomSaltGenerator")

Config.setIvGeneratorClassName ("org.jasypt.iv.RandomIvGenerator")

Config.setStringOutputType ("base64")

Encryptor.setConfig (config)

Return encryptor

}

}

Note that the name name of Bean needs to be explicitly specified (the default name is jasyptStringEncryptor). If you use a custom name like here, you also need to specify the name of bean in the application.properties configuration file of Spring Boot, like this:

Jasypt.encryptor.bean=codeSheepEncryptorBean

2. The encryption key should not be written in the configuration file

If you think that the encryption key may be compromised (after all, it is written in the configuration file), we can simply remove the encryption key from the configuration file and replace it in three ways:

Method 1: bring it directly as the command line parameter when the program starts

Java-jar yourproject.jar-- jasypt.encryptor.password=CodeSheep

Method 2: bring it directly as the application environment variable when the program starts.

Java-Djasypt.encryptor.password=CodeSheep-jar yourproject.jar

Method 3: it can even be brought in as a system environment variable.

For example, if we set the system environment variable JASYPT_ENCRYPTOR_PASSWORD = CodeSheep in advance, we can simply make the following configuration in the project configuration file of Spring Boot:

Jasypt.encryptor.password=$ {JASYPT_ENCRYPTOR_PASSWORD:}

Thank you for your reading, the above is the content of "how to encrypt the database configuration item in Java". After the study of this article, I believe you have a deeper understanding of how to encrypt the database configuration item in Java, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.