1.目的
由于系统部署在互联网上,配置文件中的数据库账号和密码以明文存储,存在安全隐患,做等保测试时被要求对其加密。
2.实现方法
Jeecg框架本身有PasswordUtil可以使用PBEWITHMD5andDES进行加密,这里为方便改造,且安全性较高,故选择使用此加密方式进行加密。
附:PasswordUtil代码
package org.jeecgframework.core.util;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.SecureRandom;

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
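public class PasswordUtil {

    /*
     * JAVA6 supports any of the following algorithms: PBEWITHMD5ANDDES,
     * PBEWITHMD5ANDTRIPLEDES, PBEWITHSHAANDDESEDE, PBEWITHSHA1ANDRC2_40,
     * PBKDF2WITHHMACSHA1.
     */

    /**
     * Algorithm in use: PBEWithMD5AndDES.
     * <p>
     * NOTE(review): this is a legacy scheme (a 56-bit DES key derived via MD5).
     * Together with the fixed {@link #Salt} and a key password that lives in the
     * code base, it hides the credentials from someone reading the properties
     * file, but not from anyone who holds the deployed artifact. The value is
     * kept unchanged so that existing ciphertexts remain decryptable.
     */
    public static final String ALGORITHM = "PBEWithMD5AndDES";

    /** Fixed salt shared by encryption and decryption (exactly 8 ASCII bytes). */
    public static final String Salt = "63293188";

    /** PBE iteration count used for both encryption and decryption. */
    private static final int ITERATIONCOUNT = 1000;

    /** Salt length required by the PBE algorithm, in bytes. */
    private static final int SALT_LENGTH = 8;

    /**
     * Generates a fresh random 8-byte salt. Decryption must use the same salt
     * that was used for encryption.
     *
     * @return 8 random salt bytes
     * @throws Exception kept in the signature for compatibility with existing callers
     */
    public static byte[] getSalt() throws Exception {
        byte[] salt = new byte[SALT_LENGTH];
        // nextBytes is the intended API for random material; generateSeed may block
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /**
     * Returns the fixed salt {@link #Salt} as bytes.
     *
     * @return the 8-byte static salt
     */
    public static byte[] getStaticSalt() {
        return Salt.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Derives the PBE key from a password.
     *
     * @param password password the key is derived from
     * @return the PBE key
     * @throws IllegalStateException if the JCE provider cannot supply the algorithm
     *         or rejects the key spec (the original returned {@code null} here)
     */
    private static Key getPBEKey(String password) {
        try {
            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(ALGORITHM);
            PBEKeySpec keySpec = new PBEKeySpec(password.toCharArray());
            try {
                return keyFactory.generateSecret(keySpec);
            } finally {
                // wipe the password copy held by the spec once the key exists
                keySpec.clearPassword();
            }
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("cannot derive " + ALGORITHM + " key", e);
        }
    }

    /**
     * Encrypts a clear-text string.
     *
     * @param plaintext text to encrypt (encoded as UTF-8)
     * @param password  password the PBE key is derived from
     * @param salt      8-byte salt
     * @return the ciphertext as a lower-case hex string
     * @throws IllegalStateException if the cipher cannot be set up or fails
     *         (the original swallowed the error and returned {@code null})
     */
    public static String encrypt(String plaintext, String password, byte[] salt) {
        Key key = getPBEKey(password);
        PBEParameterSpec parameterSpec = new PBEParameterSpec(salt, ITERATIONCOUNT);
        try {
            Cipher cipher = Cipher.getInstance(ALGORITHM);
            cipher.init(Cipher.ENCRYPT_MODE, key, parameterSpec);
            // explicit charset: the platform default is not portable across deployments
            byte[] encipheredData = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
            return bytesToHexString(encipheredData);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("encryption failed", e);
        }
    }

    /**
     * Decrypts a hex-encoded ciphertext produced by {@link #encrypt}.
     *
     * @param ciphertext hex string to decrypt
     * @param password   password used when encrypting
     * @param salt       salt used when encrypting
     * @return the decrypted clear text (decoded as UTF-8)
     * @throws IllegalArgumentException if {@code ciphertext} is not valid hex
     * @throws IllegalStateException if decryption fails, e.g. because the password
     *         or salt does not match (the original swallowed the error and then
     *         threw a {@code NullPointerException} from {@code new String(null)})
     */
    public static String decrypt(String ciphertext, String password, byte[] salt) {
        Key key = getPBEKey(password);
        // use the caller's salt: the original ignored it and always used getStaticSalt(),
        // so ciphertexts made with any other salt could never be decrypted
        PBEParameterSpec parameterSpec = new PBEParameterSpec(salt, ITERATIONCOUNT);
        try {
            Cipher cipher = Cipher.getInstance(ALGORITHM);
            cipher.init(Cipher.DECRYPT_MODE, key, parameterSpec);
            byte[] passDec = cipher.doFinal(hexStringToBytes(ciphertext));
            return new String(passDec, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            // message deliberately names neither the password nor the ciphertext
            throw new IllegalStateException(
                    "decryption failed; check that password and salt match those used for encryption", e);
        }
    }

    /**
     * Converts a byte array to a lower-case hex string.
     *
     * @param src bytes to convert
     * @return the hex string, or {@code null} when {@code src} is null or empty
     *         (kept for compatibility with existing callers)
     */
    public static String bytesToHexString(byte[] src) {
        if (src == null || src.length == 0) {
            return null;
        }
        StringBuilder sb = new StringBuilder(src.length * 2);
        for (byte b : src) {
            int v = b & 0xFF;
            sb.append(Character.forDigit(v >>> 4, 16)).append(Character.forDigit(v & 0xF, 16));
        }
        return sb.toString();
    }

    /**
     * Converts a hex string (either case) to a byte array.
     *
     * @param hexString hex string to convert
     * @return the decoded bytes, or {@code null} when {@code hexString} is null or
     *         empty (kept for compatibility with existing callers)
     * @throws IllegalArgumentException if the length is odd or a character is not a
     *         hex digit (the original silently dropped a trailing nibble and mapped
     *         bad characters to {@code 0xFF})
     */
    public static byte[] hexStringToBytes(String hexString) {
        if (hexString == null || hexString.isEmpty()) {
            return null;
        }
        int length = hexString.length();
        if (length % 2 != 0) {
            throw new IllegalArgumentException("hex string has odd length " + length);
        }
        byte[] out = new byte[length / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = hexDigit(hexString.charAt(2 * i));
            int lo = hexDigit(hexString.charAt(2 * i + 1));
            out[i] = (byte) (hi << 4 | lo);
        }
        return out;
    }

    /**
     * Maps one hex character to its value.
     *
     * @param c character to map
     * @return value in 0..15
     * @throws IllegalArgumentException if {@code c} is not a hex digit
     */
    private static int hexDigit(char c) {
        int v = Character.digit(c, 16);
        if (v < 0) {
            throw new IllegalArgumentException("not a hex digit: '" + c + "'");
        }
        return v;
    }

    /**
     * Demo: encrypts and decrypts a sample value with the static salt. The key
     * password is deliberately not logged.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        String str = "root";
        String password = "root";
        org.jeecgframework.core.util.LogUtil.info("明文:" + str);
        try {
            byte[] salt = PasswordUtil.getStaticSalt();
            String ciphertext = PasswordUtil.encrypt(str, password, salt);
            org.jeecgframework.core.util.LogUtil.info("密文:" + ciphertext);
            String plaintext = PasswordUtil.decrypt(ciphertext, password, salt);
            org.jeecgframework.core.util.LogUtil.info("明文:" + plaintext);
            String result = PasswordUtil.decrypt("ea3d519525358e00", "root", salt);
            org.jeecgframework.core.util.LogUtil.info("明文:" + result);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}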
2.1、加密方式
先通过加密方法对需要加密的数据进行加密,我这里对数据库用户名和密码都做了加密处理
加密后的数据库配置文件
2.2 在spring-mvc-hibernate.xml中配置,并添加一个继承PropertyPlaceholderConfigurer的类,使配置文件中可以使用加密后的字符串,在使用时再解密
EncryptPropertyPlaceholderConfigurer.java
package org.jeecgframework.core.config;import org.apache.commons.lang.ObjectUtils;
import org.jeecgframework.core.util.PasswordUtil;
import org.springframework.beans.factory.config.PropertyPlaceholderConfigurer;public class EncryptPropertyPlaceholderConfigurer extends PropertyPlaceholderConfigurer {/** 需要解密的字段 */private String[] encryptPropNames = { "jdbc.username.jeecg", "jdbc.password.jeecg" };
// private String[] encryptPropNames = { "jdbc.password.jeecg" };protected String convertProperty(String propertyName, String propertyValue) {if (isEncryptProp(propertyName)) {// 解密(根据实际内容改成具体解密方法)return PasswordUtil.decrypt(propertyValue,"password",PasswordUtil.getStaticSalt());} else {return propertyValue;}}/*** 判断属性是否需要解密** @param propertyName* @return*/@SuppressWarnings("deprecation")private boolean isEncryptProp(String propertyName) {for (String encryptpropertyName : encryptPropNames) {if (ObjectUtils.equals(encryptpropertyName, propertyName)) {return true;}}return false;}
}
不详之处可参考:spring数据源中使用加密的用户名和密码