如何在Spring的属性文件中存储加密的密码
[英]How to store password as encrypted in properties file in Spring
问题描述
I am very new in Spring framework and I am using Spring framework to manage my database connections and so on. 
我是Spring框架中的新手,我使用Spring框架来管理我的数据库连接等等。 Applicaiton reads my db connection parameters from a property file. Applicaiton从属性文件中读取我的数据库连接参数。 The thing I need is to store my connection password in property file as encrypted. 我需要的是将我的连接密码存储在属性文件中作为加密。 Here is my datasource xml file 这是我的datasource xml文件
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd">
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="location">
<value>file:${DBConfigFile}</value>
</property>
</bean>
<bean id="myDataSource" class="com.mchange.v2.c3p0.ComboPooledDataSource" destroy-method="close">
<property name="driverClass" value="${jdbc.driverClassName}" />
<property name="jdbcUrl" value="${jdbc.url}" />
<property name="user" value="${jdbc.username}" />
<property name="password" value="${jdbc.password}" />
<property name="initialPoolSize"><value>3</value></property>
<property name="minPoolSize"><value>3</value></property>
<property name="maxPoolSize"><value>50</value></property>
<property name="idleConnectionTestPeriod"><value>200</value></property>
<property name="acquireIncrement"><value>1</value></property>
<property name="maxStatements"><value>0</value></property>
<property name="numHelperThreads"><value>3</value></property>
</bean>
</beans>
I am thiking to write the password encrypted to property file and I am wondering if Spring can decrypt it with an algorithm automatically. 我很想写加密到属性文件的密码,我想知道Spring是否可以自动解密它。 Is it possible with configuration. 是否可以配置。 Thank you in advance. 先感谢您。
5 个解决方案
解决方案1
7 2012-07-25 08:45:14
As far I known Spring does not support this ability, but some other project may be helpfull: 到目前为止,我知道Spring不支持这种能力,但其他一些项目可能会有所帮助:
Jasypt library offers support for encrypted application configuration (and also integrates with Spring).
Jasypt库提供对加密应用程序配置的支持(并且还与Spring集成)。 See details: http://www.jasypt.org/encrypting-configuration.html 详情请见: http : //www.jasypt.org/encrypting-configuration.html OWASP Project provides EncryptedProperties interfaces with DefaultEncryptedProperties and ReferenceEncryptedProperties implementations which may be used in your application.
OWASP Project提供了EncryptedProperties接口,可以在您的应用程序中使用DefaultEncryptedProperties和ReferenceEncryptedProperties实现。 See also: https://www.owasp.org/index.php/How_to_encrypt_a_properties_file 另见: https : //www.owasp.org/index.php/How_to_encrypt_a_properties_file
解决方案2
6 2015-11-19 17:43:39
I am using spring 4 and jasypt 1.9. 我正在使用spring 4和jasypt 1.9。 Jasypt documentation does not provide explicit support for spring 4. I could not locate class named EncryptablePropertyPlaceholderConfigurer with org.jasypt:jasypt:1.9.2 dependency either. Jasypt文档没有提供对spring 4的明确支持。我找不到名为EncryptablePropertyPlaceholderConfigurer类与org.jasypt:jasypt:1.9.2依赖。
I wrote a simple static encryption utility java class (this uses jasypt API). 我写了一个简单的静态加密实用程序java类(这使用jasypt API)。
public class EncryptionUtil {
static PooledPBEStringEncryptor encryptor = null;
static {
encryptor = new PooledPBEStringEncryptor();
encryptor.setPoolSize(4);
// There are various approaches to pull this configuration via system level properties.
encryptor.setPassword("parashar");
encryptor.setAlgorithm("PBEWITHMD5ANDDES");
}
public static String encrypt(String input) {
return encryptor.encrypt(input);
}
public static String decrypt(String encryptedMessage) {
return encryptor.decrypt(encryptedMessage);
}
}
I used this utility to encrypt the passwords I intended to keep in my property files. 我使用此实用程序来加密我打算保留在我的属性文件中的密码。
I then simply used spring EL to decrypt the properties back in my spring config xml. 然后我简单地用spring EL来解析我的spring config xml中的属性。
<property name="password" value="#{T(amit.parashar.EncryptionUtil).decrypt('${db.password}')}" />
EDIT : To answer on how to hide the encryption password : 编辑:回答如何隐藏加密密码:
Use system args while bringing up your java process.
for eg : java -Dwhatismyencpawd="parashar"
and use it like 并使用它
encryptor.setPassword(java.lang.System.getProperty("whatismyencpawd"));
This way only the app admin would know the password. 这样只有应用管理员才能知道密码。 This way password will be visible as part of ps command though on a UNIX box. 这样,虽然在UNIX机器上,密码将作为ps命令的一部分显示。
or You can configure and read from OS level environment variable as well. 或者您也可以配置和读取OS级环境变量。
解决方案3
1 2012-07-25 08:43:22
It doesn't make any sense, because if the Spring can decrypt it, then everybody else could too. 它没有任何意义,因为如果Spring可以解密它,那么其他人也可以。 This encryption will not make any difference, it doesn't protect anything. 这种加密不会有任何区别,它不会保护任何东西。 It gives only dangerous thing - false feeling of protection. 它只给出危险的东西 - 错误的保护感。
Maybe you could use some another way of the database authentication, eg MS SQL server allows use Windows Security instead of password authentication. 也许您可以使用另一种数据库身份验证方式,例如MS SQL Server允许使用Windows安全性而不是密码身份验证。 The same for Postgres (it gives access by user account or using SSL certificates). Postgres也是如此(它通过用户帐户或使用SSL证书进行访问)。
解决方案4
1 2017-01-10 17:52:38
您可以使用spring cloud config提供的加密和解密
解决方案5
0 2014-01-24 22:17:47
您可以编写一个解密密码的bean,然后将bean注入需要密码的任何内容中
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.