springboot中增强druid实现数据库账号密码加解密 -凯发k8国际

       针对目前越来越严的安全等级要求，我们在做产品研发和项目开发时，越来越需要注意安全问题，各种账号密码的在配置文件中明文存储就是一个很大的安全隐患。

        现针对数据库密码加解密方面，利用druid工具类进行数据库加密，实现项目配置文件中数据库密码密文存储，一定程度上保证了数据安全。

        步骤一：pom中引入druid依赖

        
        
            com.alibaba
            druid-spring-boot-starter
            1.1.17
        

        步骤二：添加druid的filter

package com.huatech.cloud.filter;
import java.security.publickey;
import org.springframework.beans.factory.annotation.value;
import org.springframework.stereotype.component;
import com.alibaba.druid.filter.filteradapter;
import com.alibaba.druid.filter.config.configtools;
import com.alibaba.druid.pool.druiddatasource;
import com.alibaba.druid.proxy.jdbc.datasourceproxy;
import lombok.extern.slf4j.slf4j;
@slf4j
@component
public class druiddatasourcefilter extends filteradapter {
    
	
    @value("${crypto.public-key}")
    private string decryptkey;
	
    @override
    public void init(datasourceproxy datasourceproxy) {
		if (!(datasourceproxy instanceof druiddatasource)) {
            log.error("configloader only support druiddatasource");
            return;
        }
        druiddatasource datasource = (druiddatasource) datasourceproxy;
        // 判断是否需要解密，如果需要就进行解密行动
        if (isnotempty(decryptkey)) {
            decrypt(datasource);
        }
    }
	
    public void decrypt(druiddatasource datasource) {
        try {
            string encryptedusername = null, encryptedpassword = null;
           
            if (encryptedusername == null || encryptedusername.length() == 0) {
            	encryptedusername = datasource.getusername();
            }
            
            if (encryptedpassword == null || encryptedpassword.length() == 0) {
                encryptedpassword = datasource.getpassword();
            }
            publickey publickey =  configtools.getpublickey(decryptkey);
            string usernameplaintext = configtools.decrypt(publickey, encryptedusername);
            string passwordplaintext = configtools.decrypt(publickey, encryptedpassword);
            datasource.setusername(usernameplaintext);
            datasource.setpassword(passwordplaintext);
            
        } catch (exception e) {
            throw new illegalargumentexception("failed to decrypt.", e);
        }
    }
    
    public boolean isnotempty(string source) {
    	return source != null && !"".equals(source.trim());
    }
	
}

        步骤三：通过druid的configtools工具类生成秘钥对，最后一个参数为待加密内容

java -cp druid-1.1.17.jar com.alibaba.druid.filter.config.configtools abc
privatekey:miibvaibadanbgkqhkig9w0baqefaascat4wgge6ageaakeall2kkahx1etx6v/a8jrtmltvd4h/3yectn0rdkero2z/itpndt/gp7w1ptoussurd/n4evbmwnwaurzbbrywgwidaqabakb9dy693ksyshdlgth4ehogabahzg6ovaoqnhzd65ua5i6sd1ehgt3jjlvnfovenopzgy0teyoionwtlzib/njhaieaymu9c6l89kivoishc/xpexgj1lteo4ik/zlj6gnbye8ciqc9qdbmctux8fneyjmdsluwxjyuncmvsoe0cnijy37mrqigtbnudefdmufvb/l t78on1knpggj1nketzm2vz0yiakcifphz8gc9kn0qoabd5rl1mw4hkaenu0g/jiaw32b7pgbaieaoozbdtng4irlw47/5sdwiunyrc2bhr59rapqnkkia1a=
publickey:mfwwdqyjkozihvcnaqebbqadswawsajbajs9ipab8dxrv lfwpca05i7b3eb/98nnltdexzbk6ns/yltzxbf4d 1tt0zrrelkw/zebfwzfjcglk8ww0wmimcaweaaq==
password:n9noez2waetpzsjc6ui2v3wzvaorbx5jppzsl4ixulfca49wihgzf71c3hv6z6gm3s8mvmk0ief5rwdr5 p63g==

        步骤四：application.yml中配置数据源信息和秘钥对公钥

#配置数据源
spring:
  datasource:
    druid:
      type: com.alibaba.druid.pool.druiddatasource
      driverclassname: com.mysql.cj.jdbc.driver
      url: jdbc:mysql://localhost:3306/weapp-mall?servertimezone=asia/shanghai&characterencoding=utf8&usessl=false&useaffectedrows=true
      username: n9noez2waetpzsjc6ui2v3wzvaorbx5jppzsl4ixulfca49wihgzf71c3hv6z6gm3s8mvmk0ief5rwdr5 p63g==

      password: n9noez2waetpzsjc6ui2v3wzvaorbx5jppzsl4ixulfca49wihgzf71c3hv6z6gm3s8mvmk0ief5rwdr5 p63g==
# rsa算法加解密配置，配置公钥
crypto: 
  public-key: mfwwdqyjkozihvcnaqebbqadswawsajbajs9ipab8dxrv lfwpca05i7b3eb/98nnltdexzbk6ns/yltzxbf4d 1tt0zrrelkw/zebfwzfjcglk8ww0wmimcaweaaq==

         如果觉得rsa加密算法太过复杂，可以使用jasypt工具类来加解密，具体操作如下。

        step1：pom.xml中添加依赖

        
        
            com.alibaba
            druid-spring-boot-starter
            1.1.17
        
        
        
            org.jasypt
            jasypt
            ${jasypt.version}
        

        step2：引入加解密工具类encryptortools

package com.huatech.cloud.config;
import org.jasypt.encryption.stringencryptor;
import org.jasypt.encryption.pbe.standardpbestringencryptor;
import org.jasypt.encryption.pbe.config.environmentpbeconfig;
import org.springframework.beans.factory.annotation.value;
import org.springframework.boot.autoconfigure.condition.conditionalonproperty;
import org.springframework.context.annotation.bean;
import org.springframework.context.annotation.configuration;
import org.springframework.core.ordered;
@configuration
public class encryptortools implements ordered {
	
	@value("${encryptor.password}")
	private string password;
			
	@conditionalonproperty(name = "encryptor.enable", havingvalue = "true", matchifmissing = true)
	@bean
	public stringencryptor stringencryptor() {
		standardpbestringencryptor standardpbestringencryptor = new standardpbestringencryptor();
		environmentpbeconfig config = new environmentpbeconfig();
		config.setpassword(password);                
		standardpbestringencryptor.setconfig(config);
		return standardpbestringencryptor;
	}
	
	public static string decrypt(stringencryptor stringencryptor, final string encodedvalue) {
		if(stringencryptor != null) {
			try {
    			return stringencryptor.decrypt(encodedvalue);
    		}catch(exception e) {
    			return encodedvalue;
    		}
		}else {
			return encodedvalue;
		}
	}
	
    public static string encrypt(stringencryptor stringencryptor, final string plainvaue) {
    	if(stringencryptor != null) {
    		try {
    			return stringencryptor.encrypt(plainvaue);
    		}catch(exception e) {
    			return plainvaue;
    		}
    	}else {
    		return plainvaue;
    	}
    }
    
    public static string encrypt(string password, string plaintext){
        standardpbestringencryptor stringencryptor = new standardpbestringencryptor();
		environmentpbeconfig config = new environmentpbeconfig();
		config.setpassword(password);                
		stringencryptor.setconfig(config);
        return stringencryptor.encrypt(plaintext);
	}
    
    public static void main(string[] args) {
		system.out.println(encrypt("rdc", "root"));
	}
	@override
	public int getorder() {
		return 0;
	}
}

        step3：添加druid的filterjasyptdatasourcefilter

package com.huatech.cloud.filter;
import org.jasypt.encryption.stringencryptor;
import org.springframework.beans.factory.annotation.autowired;
import org.springframework.stereotype.component;
import com.alibaba.druid.filter.filteradapter;
import com.alibaba.druid.pool.druiddatasource;
import com.alibaba.druid.proxy.jdbc.datasourceproxy;
import com.huatech.cloud.config.encryptortools;
import lombok.extern.slf4j.slf4j;
@slf4j
@component
public class jasyptdatasourcefilter extends filteradapter {
    
	@autowired(required = false)
	private stringencryptor stringencryptor;
	 
	@override
    public void init(datasourceproxy datasourceproxy) {
		if (!(datasourceproxy instanceof druiddatasource)) {
            log.error("configloader only support druiddatasource");
            return;
        }
        druiddatasource datasource = (druiddatasource) datasourceproxy;
        // 判断是否需要解密，如果需要就进行解密行动
        datasource.setusername(decrypt(datasource.getusername()));
        datasource.setpassword(decrypt(datasource.getpassword()));
    }
	
	public string decrypt(string ecryptvalue) {
		return encryptortools.decrypt(stringencryptor, ecryptvalue);
	}
	
}

        step4：application.yml中配置数据源信息和加解密密码信息

# jasypt加解密配置
encryptor: 
  enable: true
  password: rdc  
#配置数据源
spring:
  datasource:
    druid:
      type: com.alibaba.druid.pool.druiddatasource
      driverclassname: com.mysql.cj.jdbc.driver
      url: jdbc:mysql://localhost:3306/weapp-mall?servertimezone=asia/shanghai&characterencoding=utf8&usessl=false&useaffectedrows=true
      username: 8rywah2qj7e7iqlb7s3qog==
      password: 8rywah2qj7e7iqlb7s3qog==

 本文相关代码已上传至