Example code: https://github.com/q279583842q/springcloud-e-book
Asymmetric Encryption
I. What is asymmetric encryption
II. Using the Java keytool
Asymmetric encryption needs a matching public and private key. The JDK ships the keytool utility to generate the pair; run the following command:
```shell
keytool -genkeypair -alias "config-info" -keyalg "RSA" -keystore c:\tools\encryp-info.keystore
```
III. Creating the server project
1. Create the project
Create a Spring Cloud project.
2. pom file
```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.13.RELEASE</version>
    </parent>
    <groupId>com.bobo</groupId>
    <artifactId>config-server-encryption-SRA</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>Dalston.SR1</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-eureka</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-config-server</artifactId>
        </dependency>
    </dependencies>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```
3. Configuration file
```properties
spring.application.name=config-server-encryption-SRA
server.port=9060
# Set the service registry address; points at the other registry
eureka.client.serviceUrl.defaultZone=http://dpb:123456@eureka1:8761/eureka/,http://dpb:123456@eureka2:8761/eureka/
# Git configuration
spring.cloud.config.server.git.uri=https://gitee.com/dengpbs/config
#spring.cloud.config.server.git.username=
#spring.cloud.config.server.git.password=
# keytool -genkeypair -alias "config-info" -keyalg "RSA" -keystore c:\tools\encryp-info.keystore
# Path to the keystore file
encrypt.key-store.location=classpath:encryp-info.keystore
# alias: the alias of the key pair; the alias itself is public
encrypt.key-store.alias=config-info
# storepass: the password protecting the keystore
encrypt.key-store.password=123456
# keypass: the password protecting the private key of the generated key pair
encrypt.key-store.secret=123456
```
Copy the generated keystore file into the classpath directory.
4. Start and test
Check the encryption status: http://localhost:9060/encrypt/status
Encrypt
```java
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;

public class Test1 {
    /**
     * Encrypt a value through the config server's /encrypt endpoint using RestTemplate.
     * @param args
     */
    public static void main(String[] args) {
        String url = "http://127.0.0.1:9060/encrypt";
        RestTemplate template = new RestTemplate();
        // POST the plaintext as the request body; the response body is the {cipher} value
        ResponseEntity<String> msg = template.postForEntity(url, "123456", String.class);
        System.out.println(msg.getBody());
    }
}
```
IV. Creating the client project
1. Create the project
Copy the client program from the previous example.
2. pom file
```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>1.5.13.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.bobo</groupId>
    <artifactId>config-e-book-product-provider-sra</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.mybatis.spring.boot</groupId>
            <artifactId>mybatis-spring-boot-starter</artifactId>
            <version>1.3.4</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-eureka</artifactId>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <version>5.1.47</version>
        </dependency>
        <dependency>
            <groupId>com.bobo</groupId>
            <artifactId>e-book-product-service</artifactId>
            <version>0.0.1-SNAPSHOT</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-config</artifactId>
        </dependency>
    </dependencies>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>Dalston.SR5</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```
3. bootstrap file
```properties
spring.application.name=config-e-book-product-provider-sra
server.port=9001
# Set the service registry address; points at the other registry
eureka.client.serviceUrl.defaultZone=http://dpb:123456@eureka1:8761/eureka/,http://dpb:123456@eureka2:8761/eureka/
# Connection details for the config server
# Defaults to false; true enables reading configuration from the config server
spring.cloud.config.discovery.enabled=true
# The config server's serviceId in Eureka; defaults to configserver
spring.cloud.config.discovery.serviceId=config-server-encryption-SRA
# Git label
spring.cloud.config.label=master
```
4. Repository file
Create the file config-e-book-product-provider-sra.properties in Git:
```properties
#--------------db----------------
mybatis.type-aliases-package=com.book.product.pojo
mybatis.mapper-locations=classpath:com/bobo/product/mapper/*.xml
spring.datasource.driverClassName=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/book-product?useUnicode=true&characterEncoding=UTF-8&zeroDateTimeBehavior=convertToNull
spring.datasource.username={cipher}AQBTQaUuvTsXQ9Y4tr9Vq5BrEASk7ItrtNsQemtjgMd8anL5bMeo+NJVJ2kEKOzEdITiEGAguUTs78I9XGBZNI2DaNcySNjmKIi6NRX9ury1Fd9tGzT4ViZyNf2IcaUhwb7Yx0HBiHAyOxVDB1wStCUTUj3sD7/MZxw3VQeUMueti4j7giyHg2xGnKW1NnKNxKjpiUKY1uz3Ag2DZwdLQnAvmm90Y290HNNMDzq8ROrHbxXmyGCAlpmHXWloLZ0r7eBNkLvG7Hnnx9vDmWWyiRxSPiJo2UszmnKf5vN8hQZYIU83AjXMkOGolpPkOhg4nsoQS9++oF/AYGGydthxmuI9zsX8L6JXWBioo72yAXX8sw7doAp71ABuv2ivwd8njo8=
spring.datasource.password={cipher}AQBZKEptQk2RBf+3DJ1tlHbmFKiuNtjwIbq8qf1kjIkkteYmxcrTfPmO5DYFuRd/xsVlKAfK+pfsn1nPntBjqMQYPvDPMy7LkcYe/gA4Q8/9d97Fn8o0TRv3VcYLvnPbn77S3CWBG/80LngQjLSbpShrUJdf7saC1ksBFDTmLMjlClJudIv3SpzkEVWZ8gc/UJoJSCHT/p3IAIxIGG6zQwYxv04tHYzMV+mxy5bgg6G6K+tQ9RShd0KkedtJHKTWaF3fJWfQHgy4eK5+d4UCinUso0pQg+kQpEgcszgK4+2jOnmf5O0OYzlzUkdAhYvqHFvi6qzQSh63KRTvkxAXSWZK6H8ku11Il3zJzNkiaJTK4bIFDKjV4ZSUbluzNxA946M=
```
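The two `{cipher}` values above are what the server's `/encrypt` endpoint (section III, step 4) hands back. The following Python script is an added example, not code from the original post or its repository: it reads a properties file like the one above, checks the structure of every `{cipher}` payload without decrypting anything, and flags secrets that are still stored in plaintext. The payload layout it assumes is the one produced by the `RsaSecretEncryptor` in spring-security-rsa, which Spring Cloud Config uses for RSA keystores: a 2-byte big-endian length, the RSA-wrapped random session key, then a 16-byte IV followed by AES-CBC blocks. The sample properties are constructed from the post's own values (the two ciphertexts are copied verbatim); the function names and the list of sensitive key words are my own choices.

```python
"""Audit a Spring Cloud Config properties file for plaintext secrets and inspect
{cipher} payloads. Added example, not from the original post.

Assumed payload layout (spring-security-rsa RsaSecretEncryptor):
  [2 bytes: big-endian length L][L bytes: RSA-wrapped session key][16-byte IV + AES-CBC blocks]
"""
import base64
import re
from urllib.parse import urlsplit

CIPHER_PREFIX = "{cipher}"
# Property names that normally hold a credential (assumption: a conventional word list).
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|credential)", re.IGNORECASE)

# Constructed sample: the two {cipher} values are copied from the post's repository file,
# the other lines mirror its bootstrap file.
SAMPLE_PROPERTIES = """\
spring.datasource.url=jdbc:mysql://localhost:3306/book-product?useUnicode=true&characterEncoding=UTF-8
spring.datasource.username={cipher}AQBTQaUuvTsXQ9Y4tr9Vq5BrEASk7ItrtNsQemtjgMd8anL5bMeo+NJVJ2kEKOzEdITiEGAguUTs78I9XGBZNI2DaNcySNjmKIi6NRX9ury1Fd9tGzT4ViZyNf2IcaUhwb7Yx0HBiHAyOxVDB1wStCUTUj3sD7/MZxw3VQeUMueti4j7giyHg2xGnKW1NnKNxKjpiUKY1uz3Ag2DZwdLQnAvmm90Y290HNNMDzq8ROrHbxXmyGCAlpmHXWloLZ0r7eBNkLvG7Hnnx9vDmWWyiRxSPiJo2UszmnKf5vN8hQZYIU83AjXMkOGolpPkOhg4nsoQS9++oF/AYGGydthxmuI9zsX8L6JXWBioo72yAXX8sw7doAp71ABuv2ivwd8njo8=
spring.datasource.password={cipher}AQBZKEptQk2RBf+3DJ1tlHbmFKiuNtjwIbq8qf1kjIkkteYmxcrTfPmO5DYFuRd/xsVlKAfK+pfsn1nPntBjqMQYPvDPMy7LkcYe/gA4Q8/9d97Fn8o0TRv3VcYLvnPbn77S3CWBG/80LngQjLSbpShrUJdf7saC1ksBFDTmLMjlClJudIv3SpzkEVWZ8gc/UJoJSCHT/p3IAIxIGG6zQwYxv04tHYzMV+mxy5bgg6G6K+tQ9RShd0KkedtJHKTWaF3fJWfQHgy4eK5+d4UCinUso0pQg+kQpEgcszgK4+2jOnmf5O0OYzlzUkdAhYvqHFvi6qzQSh63KRTvkxAXSWZK6H8ku11Il3zJzNkiaJTK4bIFDKjV4ZSUbluzNxA946M=
eureka.client.serviceUrl.defaultZone=http://dpb:123456@eureka1:8761/eureka/,http://dpb:123456@eureka2:8761/eureka/
spring.cloud.config.password=123456
"""


def parse_properties(text):
    """Minimal .properties reader: key=value per line, '#'/'!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def inspect_cipher(payload):
    """Split an RSA-wrapped {cipher} payload into its parts; no key material is needed."""
    raw = base64.b64decode(payload, validate=True)
    key_len = int.from_bytes(raw[:2], "big")
    wrapped_key = raw[2:2 + key_len]
    aes_part = raw[2 + key_len:]
    # The wrapped key is one RSA block, so its length is the modulus size; the AES part
    # must hold at least the IV plus one block and be block-aligned.
    if len(wrapped_key) != key_len or len(aes_part) < 32 or len(aes_part) % 16:
        raise ValueError("malformed {cipher} payload")
    return {
        "rsa_bits": key_len * 8,
        "aes_bytes": len(aes_part),
        "max_plaintext": len(aes_part) - 16 - 1,  # PKCS#5 padding uses at least one byte
    }


def urls_with_credentials(value):
    """Return the URLs in a comma-separated value that embed user:password."""
    found = []
    for piece in value.split(","):
        piece = piece.strip()
        if "://" in piece and urlsplit(piece).username:
            found.append(piece)
    return found


def audit(text):
    """Return {property: finding} for every encrypted or suspicious value."""
    findings = {}
    for key, value in parse_properties(text).items():
        if value.startswith(CIPHER_PREFIX):
            info = inspect_cipher(value[len(CIPHER_PREFIX):])
            findings[key] = "encrypted, RSA-%d, plaintext <= %d bytes" % (
                info["rsa_bits"], info["max_plaintext"])
        elif SENSITIVE_KEY.search(key):
            findings[key] = "PLAINTEXT secret"
        elif urls_with_credentials(value):
            findings[key] = "PLAINTEXT credentials embedded in URL"
    return findings


if __name__ == "__main__":
    for key, finding in audit(SAMPLE_PROPERTIES).items():
        print(f"{key}: {finding}")
```

Both of the post's values decode to a 256-byte wrapped key (a 2048-bit RSA modulus, consistent with keytool's default RSA size) followed by 32 bytes of AES output, so each plaintext was at most 15 bytes long. That length bound is all the ciphertext gives away; recovering the value itself needs the private key held in the server's keystore, which is the property the whole setup depends on. The same scan also shows that the Eureka URLs and the client's config-server password sit next to the encrypted values as plaintext credentials.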
5. Test
Start the server and the client and access them.
Query the server directly: http://localhost:9060/config-e-book-product-provider-SRA/default
We find that anyone who knows the server's address can read the decrypted plaintext from it directly. This is the weak spot in our encryption setup, and we can close it by adding authentication.
V. Authentication
Integrate Security into the server project
Add the security dependency:
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```
Modify the configuration
Add the following to application.properties:
```properties
# Security
# Enable HTTP Basic authentication
security.basic.enabled=true
security.user.name=dpb
security.user.password=123456
```
Test
http://localhost:9060/config-e-book-product-provider-SRA/default
Client authentication
Because the server now requires authentication, the client must supply the matching credentials. Add the account information to bootstrap.properties:
```properties
spring.application.name=config-e-book-product-provider-sra
server.port=9001
# Set the service registry address; points at the other registry
eureka.client.serviceUrl.defaultZone=http://dpb:123456@eureka1:8761/eureka/,http://dpb:123456@eureka2:8761/eureka/
# Connection details for the config server
# Defaults to false; true enables reading configuration from the config server
spring.cloud.config.discovery.enabled=true
# The config server's serviceId in Eureka; defaults to configserver
spring.cloud.config.discovery.serviceId=config-server-encryption-SRA
# Git label
spring.cloud.config.label=master
# Security
spring.cloud.config.username=dpb
spring.cloud.config.password=123456
```
This closes the hole that let the server display the encrypted information in plaintext.
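To see what the server's `security.basic.enabled=true` and the client's `spring.cloud.config.username`/`password` amount to on the wire, here is an added Python example that is not part of the original post: a throw-away local HTTP server stands in for the config server and protects the `/{application}/{profile}` endpoint with HTTP Basic, and a client fetches the profile anonymously, with the right credentials, and with a wrong password. The stub, the JSON body it returns and all function names are constructed; the credentials are the post's own `dpb`/`123456`.

```python
"""Model the HTTP Basic exchange between a Spring Cloud Config client and server.

Added example, not from the original post. A local stub stands in for the config
server; the realm name mirrors Spring Boot 1.5's default of "Spring".
"""
import base64
import hmac
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Credentials as configured in the post (security.user.* / spring.cloud.config.*).
USERNAME = "dpb"
PASSWORD = "123456"
# Constructed stand-in for the decrypted property sources the real server would return.
CONFIG_BODY = b'{"name":"config-e-book-product-provider-sra","propertySources":[]}'


def basic_header(username, password):
    """Build the Authorization header exactly as an HTTP Basic client does."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


class ConfigServerStub(BaseHTTPRequestHandler):
    """Minimal stand-in: refuses every request without a valid Basic header."""

    def do_GET(self):
        supplied = self.headers.get("Authorization", "").encode()
        expected = basic_header(USERNAME, PASSWORD).encode()
        # Constant-time comparison so a mismatch does not leak its position.
        if not hmac.compare_digest(supplied, expected):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Spring"')
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(CONFIG_BODY)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_stub():
    """Bind an ephemeral localhost port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), ConfigServerStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, username=None, password=None):
    """Client side: GET /{application}/{profile}, sending Basic credentials if given.

    Returns (status, body); a 401 is returned rather than raised.
    """
    req = Request(f"http://127.0.0.1:{port}/config-e-book-product-provider-sra/default")
    if username is not None and password is not None:
        req.add_header("Authorization", basic_header(username, password))
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()


def demo():
    """Run the three requests against the stub and return their outcomes."""
    server = start_stub()
    try:
        port = server.server_address[1]
        anonymous, _ = fetch(port)
        authed, body = fetch(port, USERNAME, PASSWORD)
        wrong, _ = fetch(port, USERNAME, "wrong-password")
        return anonymous, authed, wrong, body
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    anonymous, authed, wrong, body = demo()
    print("anonymous:", anonymous, "| credentials:", authed, "| wrong password:", wrong)
    print(body.decode())
```

The anonymous and wrong-password requests come back as 401 with a `WWW-Authenticate` challenge, and only the request carrying the configured pair receives the property sources. Note what `basic_header` produces: the header is just base64 of `user:password`, reversible by anyone who sees the request, so this setting protects the decrypted values only when the client-to-server link is TLS. Every URL in this post is plain http, so the `dpb:123456` pair travels in the clear on each request, exactly as it already does in the Eureka URLs.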
Source: https://www.cnblogs.com/dengpengbo/p/11094623.html