代码审计报告提出的一个问题:
明文暴露配置信息风险
解决方案可以使用jasypt实现
需要使用依赖:
<dependency> <groupId>com.github.ulisesbocchio</groupId> <artifactId>jasypt-spring-boot-starter</artifactId> <version>2.1.0</version> </dependency>
加密实现案例:
import com.yonyou.cloud.repair.RepairApplication; import org.jasypt.encryption.StringEncryptor; import org.junit.Assert; import org.junit.Test; import org.junit.runner.RunWith; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.test.context.SpringBootTest; import org.springframework.test.context.junit4.SpringRunner; @RunWith(SpringRunner.class) @SpringBootTest(classes = RepairApplication.class ) public class DatabaseTest { @Autowired private StringEncryptor encryptor; @Test public void Test() { String url = encryptor.encrypt("10.180.6.116"); String name = encryptor.encrypt("6379"); String password = encryptor.encrypt("cyx_Pass1234"); System.out.println("database url: " + url); System.out.println("database name: " + name); System.out.println("database password: " + password); Assert.assertTrue(url.length() > 0); Assert.assertTrue(name.length() > 0); Assert.assertTrue(password.length() > 0); } }
结合application.yml配置信息的处理:
加密的密文需要加上ENC()修饰,在加载过程处理解密
# 现UAT环境库 url: ENC(3HhbZfqGCMCr+ux/0hUbmMGtnP1v03lj/nSIYpS1mwDN745DC2V/rM3IXeWKRTq0Z67V3l67tpuzaj+IoCAQkjms2HW2Df7bPAFBFC6Q8ixaucMo2JHoMz16jxvCHrlz7CUAwTH/oZpzoqzEbfJgu3bixM5DoaOmQGSeWk67hZVSYoKjx77Oif08fecAid/nobzBSvuzYhcMIylWkWyONg==) username: ENC(Q+bk/oOkE92lcvFJXXzk6RMV1homL+Ij) password: ENC(fzPoG+f1QEM1AfRGqAVCTpJ9bzYNbSAj0jpAX6DNqTk=)
密文加密的盐值配置【yml配置层级就是第一级】:
jasypt:
encryptor:
password: Y6M8fAJQdU7jNp5MW