Sample code: https://github.com/q279583842q/springcloud-e-book
Asymmetric Encryption
I. What is asymmetric encryption
II. Using the Java keytool
To use asymmetric encryption we need a matching public/private key pair. The JDK ships the keytool utility to generate one; run the following command:
keytool -genkeypair -alias "config-info" -keyalg "RSA" -keystore c:\tools\encryp-info.keystore
III. Creating the server project
1. Create the project
Create a Spring Cloud project.
2. pom file
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.13.RELEASE</version>
  </parent>
  <groupId>com.bobo</groupId>
  <artifactId>config-server-encryption-SRA</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-dependencies</artifactId>
        <version>Dalston.SR1</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-eureka</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-config-server</artifactId>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
      </plugin>
    </plugins>
  </build>
</project>
3. Configuration file
spring.application.name=config-server-encryption-SRA
server.port=9060
#Set the service registry address, pointing at another registry
eureka.client.serviceUrl.defaultZone=http://dpb:123456@eureka1:8761/eureka/,http://dpb:123456@eureka2:8761/eureka/
#Git configuration
spring.cloud.config.server.git.uri=https://gitee.com/dengpbs/config
#spring.cloud.config.server.git.username=
#spring.cloud.config.server.git.password=
#keytool -genkeypair -alias "config-info" -keyalg "RSA" -keystore c:\tools\encryp-info.keystore
# path of the keystore file
encrypt.key-store.location=classpath:encryp-info.keystore
# alias: the alias of the key pair; the alias is public
encrypt.key-store.alias=config-info
# storepass: protects the keystore
encrypt.key-store.password=123456
# keypass: protects the private key of the generated key pair
encrypt.key-store.secret=123456
Copy the generated keystore file into the classpath directory.
4. Start and test
Check the encryption status: http://localhost:9060/encrypt/status
Encrypt
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;

public class Test1 {
    /**
     * Encrypt a value through the config server's /encrypt endpoint using RestTemplate
     * @param args
     */
    public static void main(String[] args) {
        String url = "http://127.0.0.1:9060/encrypt";
        RestTemplate template = new RestTemplate();
        // POST the plaintext as the request body; the response body is the cipher text
        ResponseEntity<String> msg = template.postForEntity(url, "123456", String.class);
        System.out.println(msg.getBody());
    }
}
IV. Creating the client project
1. Create the project
Copy the client program from the previous example.
2. pom file
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.13.RELEASE</version>
    <relativePath /> <!-- lookup parent from repository -->
  </parent>
  <groupId>com.bobo</groupId>
  <artifactId>config-e-book-product-provider-sra</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.mybatis.spring.boot</groupId>
      <artifactId>mybatis-spring-boot-starter</artifactId>
      <version>1.3.4</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-eureka</artifactId>
    </dependency>
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>5.1.47</version>
    </dependency>
    <dependency>
      <groupId>com.bobo</groupId>
      <artifactId>e-book-product-service</artifactId>
      <version>0.0.1-SNAPSHOT</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-config</artifactId>
    </dependency>
  </dependencies>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-dependencies</artifactId>
        <version>Dalston.SR5</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <build>
    <plugins>
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
      </plugin>
    </plugins>
  </build>
</project>
3. bootstrap file
spring.application.name=config-e-book-product-provider-sra
server.port=9001
#Set the service registry address, pointing at another registry
eureka.client.serviceUrl.defaultZone=http://dpb:123456@eureka1:8761/eureka/,http://dpb:123456@eureka2:8761/eureka/
#Connection information for the config server
#Defaults to false; set to true here to enable reading configuration from the config center
spring.cloud.config.discovery.enabled=true
#serviceId of the config server as registered in eureka; defaults to configserver
spring.cloud.config.discovery.serviceId=config-server-encryption-SRA
#git label (branch)
spring.cloud.config.label=master
4. Repository file
Create the file config-e-book-product-provider-sra.properties in git:
#--------------db----------------
mybatis.type-aliases-package=com.book.product.pojo
mybatis.mapper-locations=classpath:com/bobo/product/mapper/*.xml
spring.datasource.driverClassName=com.mysql.jdbc.Driver
spring.datasource.url=jdbc:mysql://localhost:3306/book-product?useUnicode=true&characterEncoding=UTF-8&zeroDateTimeBehavior=convertToNull
spring.datasource.username={cipher}AQBTQaUuvTsXQ9Y4tr9Vq5BrEASk7ItrtNsQemtjgMd8anL5bMeo+NJVJ2kEKOzEdITiEGAguUTs78I9XGBZNI2DaNcySNjmKIi6NRX9ury1Fd9tGzT4ViZyNf2IcaUhwb7Yx0HBiHAyOxVDB1wStCUTUj3sD7/MZxw3VQeUMueti4j7giyHg2xGnKW1NnKNxKjpiUKY1uz3Ag2DZwdLQnAvmm90Y290HNNMDzq8ROrHbxXmyGCAlpmHXWloLZ0r7eBNkLvG7Hnnx9vDmWWyiRxSPiJo2UszmnKf5vN8hQZYIU83AjXMkOGolpPkOhg4nsoQS9++oF/AYGGydthxmuI9zsX8L6JXWBioo72yAXX8sw7doAp71ABuv2ivwd8njo8=
spring.datasource.password={cipher}AQBZKEptQk2RBf+3DJ1tlHbmFKiuNtjwIbq8qf1kjIkkteYmxcrTfPmO5DYFuRd/xsVlKAfK+pfsn1nPntBjqMQYPvDPMy7LkcYe/gA4Q8/9d97Fn8o0TRv3VcYLvnPbn77S3CWBG/80LngQjLSbpShrUJdf7saC1ksBFDTmLMjlClJudIv3SpzkEVWZ8gc/UJoJSCHT/p3IAIxIGG6zQwYxv04tHYzMV+mxy5bgg6G6K+tQ9RShd0KkedtJHKTWaF3fJWfQHgy4eK5+d4UCinUso0pQg+kQpEgcszgK4+2jOnmf5O0OYzlzUkdAhYvqHFvi6qzQSh63KRTvkxAXSWZK6H8ku11Il3zJzNkiaJTK4bIFDKjV4ZSUbluzNxA946M=
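The {cipher} values above can be sanity-checked without the server's private key. As an added example (not the tutorial's or the springcloud-e-book project's code), the following Python script audits a config-repository .properties file: it splits each {cipher} value into the layout written by spring-security-rsa's RsaSecretEncryptor (2-byte big-endian length, RSA-encrypted random AES secret, AES-encrypted payload), flags wrapped secrets shorter than 2048 bits, and flags sensitive keys committed in plaintext. The SENSITIVE pattern, the 2048-bit threshold and the SAMPLE file are assumptions constructed for the demo.

```python
import base64
import re

# Keys whose value should never sit in the repo in the clear (assumption for this check).
SENSITIVE = re.compile(r"password|secret|username|token", re.IGNORECASE)

def parse_cipher(value):
    """Split a '{cipher}' value: spring-security-rsa's RsaSecretEncryptor emits a 2-byte
    big-endian length, the RSA-encrypted random AES secret, then the AES-encrypted payload."""
    if not value.startswith("{cipher}"):
        raise ValueError("missing {cipher} prefix")
    raw = base64.b64decode(value[len("{cipher}"):], validate=True)  # binascii.Error is a ValueError
    key_len = int.from_bytes(raw[:2], "big")
    wrapped, payload = raw[2:2 + key_len], raw[2 + key_len:]
    if len(wrapped) != key_len or not payload:
        raise ValueError("truncated cipher text")
    return {"rsa_bits": key_len * 8, "wrapped_key": wrapped, "payload": payload}

def audit_properties(text, min_rsa_bits=2048):
    """Return (key, finding) pairs for a Spring .properties file."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value.startswith("{cipher}"):
            try:
                info = parse_cipher(value)
            except ValueError as err:
                findings.append((key, f"malformed cipher text: {err}"))
                continue
            if info["rsa_bits"] < min_rsa_bits:
                findings.append((key, f"weak RSA key: {info['rsa_bits']} bits"))
        elif SENSITIVE.search(key):
            findings.append((key, "sensitive value stored in plaintext"))
    return findings

def fake_cipher(rsa_bytes=256, payload_bytes=32):
    """Constructed, structurally valid {cipher} value with dummy bytes (not real ciphertext)."""
    raw = rsa_bytes.to_bytes(2, "big") + b"\x11" * rsa_bytes + b"\x22" * payload_bytes
    return "{cipher}" + base64.b64encode(raw).decode()

# Constructed sample mirroring the key names of the repository file in section IV.4.
SAMPLE = "\n".join([
    "spring.datasource.username=" + fake_cipher(256),  # 2048-bit wrapped secret: passes
    "spring.datasource.password=" + fake_cipher(128),  # 1024-bit wrapped secret: flagged
    "security.user.password=123456",                   # plaintext secret: flagged
    "app.api-token={cipher}AQB",                       # truncated base64: flagged
])
```

Applied to the two {cipher} values above, parse_cipher reports a 256-byte wrapped secret, i.e. a 2048-bit RSA key: their leading "AQB" is the base64 encoding of the bytes 0x01 0x00.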
5. Test
Start the server and the client and access them.
Access the server directly: http://localhost:9060/config-e-book-product-provider-SRA/default
We find that once the server's address is known, the decrypted plaintext can be obtained directly. This is a hole in our encryption scheme, which we can close by adding security authentication.
V. Security authentication
Integrate Security into the server project
Add the security dependency
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-security</artifactId>
</dependency>
Modify the configuration
Add the following to application.properties:
# Security authentication
#Enable HTTP basic authentication
security.basic.enabled=true
security.user.name=dpb
security.user.password=123456
Test
http://localhost:9060/config-e-book-product-provider-SRA/default
Client authentication
Because the server now has security authentication enabled, the client must add the corresponding credentials as well. Add the account information to bootstrap.properties:
spring.application.name=config-e-book-product-provider-sra
server.port=9001
#Set the service registry address, pointing at another registry
eureka.client.serviceUrl.defaultZone=http://dpb:123456@eureka1:8761/eureka/,http://dpb:123456@eureka2:8761/eureka/
#Connection information for the config server
#Defaults to false; set to true here to enable reading configuration from the config center
spring.cloud.config.discovery.enabled=true
#serviceId of the config server as registered in eureka; defaults to configserver
spring.cloud.config.discovery.serviceId=config-server-encryption-SRA
#git label (branch)
spring.cloud.config.label=master
#Security protection
spring.cloud.config.username=dpb
spring.cloud.config.password=123456
This closes the hole where the encrypted information was shown in the clear on the server.