Project author: chrisgleissner

Project description:
Encrypted passwords for Eclipse MicroProfile Config using Jasypt
Language: Java
Project URL: git://github.com/chrisgleissner/microprofile-config-jasypt.git


microprofile-config-jasypt

Encrypted properties for Quarkus and Eclipse MicroProfile Config.

Eclipse MicroProfile Config with Jasypt Encryption

An Eclipse MicroProfile Config library for Jasypt-encrypted properties. This means you can store secrets in encrypted
form in publicly accessible property files and decrypt them transparently at runtime.

  • For an example on how to use this library with Quarkus see below.
  • This repo requires at least Java 8 and is automatically tested on OpenJDK 11.

Encryption

First, encrypt a property. For example, either of the following two commands encrypts a property foo using a password pwd:

    ./microprofile-config-jasypt/encrypt.sh pwd foo
    mvn -f microprofile-config-jasypt/pom.xml validate -Pencrypt -Djasypt.password=pwd -Dproperty=foo

This will print the encrypted property:

    foo -> ENC(eu82k78q/boBye5P574UwNdafDuy9VRy19tdlmM9IeYXWkVIdChdZybEx41rRbdv)

Then use the entire ENC(...)-delimited string as your property value, e.g. in a src/main/resources/application.properties
file.

The name of the property file is configurable, and it may be on the classpath or the filesystem. See the configuration
section below for details.

Decryption

Add this to your pom.xml:

    <dependency>
        <groupId>com.github.chrisgleissner.config</groupId>
        <artifactId>microprofile-config-jasypt</artifactId>
        <version>1.0.5</version>
    </dependency>

Then add a file at src/main/resources/META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource with the content

    com.github.chrisgleissner.config.microprofile.jasypt.JasyptConfigSource

Finally, set the JASYPT_PASSWORD environment variable when starting your application. As per the previous example, set JASYPT_PASSWORD=pwd.

Any ENC(...)-delimited property in a classpath:application.properties file (configurable) is decrypted at runtime.

Configuration

You can customize microprofile-config-jasypt via environment variables or system properties as per the following table.

Alternatively, you can subclass com.github.chrisgleissner.config.microprofile.jasypt.JasyptConfigSource,
override its methods, and specify the fully qualified name of your subclass in a
META-INF/services/org.eclipse.microprofile.config.spi.ConfigSource file on the classpath.

| Environment variable | System property name | Default value | Description |
|---|---|---|---|
| JASYPT_PASSWORD | jasypt.password | none | Password used for encrypting property values |
| JASYPT_KEY | jasypt.key | none | Synonym for JASYPT_PASSWORD |
| JASYPT_ALGORITHM | jasypt.algorithm | PBEWithHMACSHA512AndAES_256 | Encryption algorithm |
| JASYPT_ITERATIONS | jasypt.iterations | 1000 | Jasypt key obtention iterations |
| JASYPT_PROPERTIES | jasypt.properties | classpath:application.properties,config/application.properties | Comma-separated property filenames, see below. |

Property filenames specified via JASYPT_PROPERTIES are resolved against the classpath if using the classpath: prefix,
otherwise against the filesystem relative to the current working directory.

Encrypted Properties in Quarkus

Two Quarkus-based examples are included.

The microprofile-config-jasypt-quarkus-example
module shows how to configure the default JasyptConfigSource as per the instructions above:

  • Encrypted properties can be used both for normal and for profile-specific properties, e.g. properties with the %prod. prefix.
  • For demonstration purposes only, the LogPropertiesBean in this module logs all properties on startup.

The microprofile-config-jasypt-quarkus-override-example
module expands on this and shows how to override
the default JasyptConfigSource with a CustomJasyptConfigSource.

Decryption Example

To verify successful decryption, run the following from the repository root:

    mvn clean install
    (cd microprofile-config-jasypt-quarkus-example && JASYPT_PASSWORD=pwd java -jar target/*-runner.jar)

…and observe the log contains decrypted passwords:

    2020-05-24 11:52:53,598 INFO [com.git.chr.con.mic.jas.qua.LogPropertiesBean] (main) ConfigSource(name=jasypt-config, ordinal=275):
    {quarkus.datasource.password=sa, quarkus.log.console.color=true, quarkus.datasource.username=sa, quarkus.log.console.level=TRACE, quarkus.flyway.migrate-at-start=true, quarkus.hibernate-orm.database.generation=validate, config.password=sa, quarkus.datasource.db-kind=h2, quarkus.hibernate-orm.log.sql=false, quarkus.datasource.jdbc.url=jdbc:h2:mem:test, quarkus.log.console.enable=true, quarkus.http.port=8080}

Failed Decryption Example

To verify a failed decryption, run the following from the repository root whilst intentionally specifying a wrong JASYPT_PASSWORD:

    mvn clean install
    (cd microprofile-config-jasypt-quarkus-example && JASYPT_PASSWORD=wrong-pwd java -jar target/*-runner.jar)

…and observe the log contains encrypted passwords:

    2020-05-24 11:53:19,318 INFO [com.git.chr.con.mic.jas.qua.LogPropertiesBean] (main) ConfigSource(name=jasypt-config, ordinal=275):
    {quarkus.datasource.password=ENC(MCK/0Y9BnM7WVAyNq4gxjcPpGkDvu379ymjnsN2GCtowKxiPJXFHiSK7jI4rYfop), quarkus.log.console.color=true, quarkus.datasource.username=sa, quarkus.log.console.level=TRACE, quarkus.flyway.migrate-at-start=true, quarkus.hibernate-orm.database.generation=validate, config.password=ENC(MCK/0Y9BnM7WVAyNq4gxjcPpGkDvu379ymjnsN2GCtowKxiPJXFHiSK7jI4rYfop), quarkus.datasource.db-kind=h2, quarkus.hibernate-orm.log.sql=false, quarkus.datasource.jdbc.url=jdbc:h2:mem:test, quarkus.log.console.enable=true, quarkus.http.port=8080}
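
In the failed-decryption log above, the properties keep their ENC(...) values rather than the application refusing to start. The following fail-fast startup check is an added example, not code from this project: the class EncryptedPropertyCheck and its method names are hypothetical, and it uses only the standard MicroProfile Config API. It assumes that an undecrypted value is returned unchanged as an ENC(...) string, as that log shows.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;

/** Added example (hypothetical class): refuses to start while any property is still ciphertext. */
public final class EncryptedPropertyCheck {

    // Matches a value that consists entirely of an ENC(...)-delimited string.
    private static final Pattern STILL_ENCRYPTED = Pattern.compile("^ENC\\(.*\\)$", Pattern.DOTALL);

    private EncryptedPropertyCheck() {
    }

    /** Returns the names (never the values) of properties whose resolved value is still ENC(...). */
    public static List<String> undecryptedPropertyNames(Config config) {
        List<String> names = new ArrayList<>();
        for (String name : config.getPropertyNames()) {
            String value;
            try {
                value = config.getOptionalValue(name, String.class).orElse("");
            } catch (RuntimeException e) {
                continue; // property cannot be resolved as a String; not relevant to this check
            }
            if (STILL_ENCRYPTED.matcher(value.trim()).matches()) {
                names.add(name);
            }
        }
        return names;
    }

    /** Throws if decryption did not happen, e.g. because JASYPT_PASSWORD is missing or wrong. */
    public static void requireAllDecrypted(Config config) {
        List<String> names = undecryptedPropertyNames(config);
        if (!names.isEmpty()) {
            throw new IllegalStateException(
                    "Properties still encrypted, check JASYPT_PASSWORD: " + names);
        }
    }

    public static void main(String[] args) {
        requireAllDecrypted(ConfigProvider.getConfig());
        System.out.println("All ENC(...) properties were decrypted.");
    }
}
```

Call requireAllDecrypted(ConfigProvider.getConfig()) early in application startup. It reports property names only, so neither ciphertext nor plaintext secrets reach the log.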