Question
I am using the JHipster registry app and used local encryption with the Jasypt library to encrypt the username and password from a centralized configuration for all micro-services.
While doing this I observed that the moment I try to encrypt the default username and password (admin/admin), encrypted as mentioned below in the central-config folder, I have configured gateway.yml (the central configuration file for all micro-services' common configurations):
```yaml
spring:
  datasource:
    type: com.zaxxer.hikari.HikariDataSource
    url: jdbc:mysql://localhost:3306/gateway?useUnicode=true&characterEncoding=utf8&useSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC&createDatabaseIfNotExist=true
    username: ENC(HLr1wJLGRZPuHVMUgEhiUQ==)
    password: ENC(HLr1wJLGRZPuHVMUgEhiUQ==)
    hikari:
      poolName: Hikari
      auto-commit: false
      data-source-properties:
        cachePrepStmts: true
        prepStmtCacheSize: 250
        prepStmtCacheSqlLimit: 2048
        useServerPrepStmts: true
  jpa:
    database-platform: org.hibernate.dialect.MySQLInnoDBDialect
    database: MYSQL
    openInView: false
    show-sql: true
  liquibase:
    drop-first: true
    # Remove 'faker' if you do not want the sample data to be loaded automatically
    contexts: dev
eureka:
  instance:
    prefer-ip-address: true
  client:
    service-url:
      defaultZone:
        # Jasypt Encryptor property================
        http://ENC(iNeA5NB8uu+MIXdPXBNzSw==):ENC(iNeA5NB8uu+MIXdPXBNzSw==)@localhost:8761/eureka/
        # ===========================================
# Jasypt Encryptor property
#============================================
jasypt:
  encryptor:
    password: jasyptkey
```
I have added the needed dependency to the registry app project too for the Jasypt Maven Spring Boot starter config, as shown below, and it compiled and brings up the registry perfectly:
```xml
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>2.0.0</version>
</dependency>
```
The issue I am facing is that the discovery client / cloud config server clients are not able to recognize the end-point URI.
I have shared the bootstrap.yml file from the micro-service app (gateway) too for reference, in case anything is missing there.
The micro-service app bootstrap.yml file goes like this:
```yaml
spring:
  application:
    name: gateway
  profiles:
    active: dev
    include: composite
  cloud:
    config:
      fail-fast: false
      uri: http://admin:${jhipster.registry.password}@localhost:8761/config/decrypt
      # name of the config server's property source (file.yml) that we want to use
      name: gateway
      profile: dev
```
Please suggest what went wrong while configuring, or any other alternative way to do this, or whether it doesn't support Jasypt-based encryption/decryption, or whether something more needs to be configured?
Answer 1:
I have figured out a solution for the issue. The only change I made is bypassing the Jasypt encryption library; I tried using the traditional JHipster registry app Cloud Config Server encryption/decryption strategy. For that I had to do something similar to using any Spring Cloud Config server discovery along with Eureka. So, while using my centralized configuration via the native file system (the central-config folder) in the JHipster-Registry app, in bootstrap.yml I have disabled the encrypt property of the Spring Cloud Config server at the registry app end like this:
```yaml
spring:
  application:
    name: jhipster-registry
  profiles:
    active: dev
    include: composite
  cloud:
    config:
      server:
        #git:
        #  uri: https://github.com/debjupiter18/central-config-server
        #  skipSslValidation: true
        bootstrap: true
        encrypt.enabled: false
```
I enabled the same at my micro-service gateway app as mentioned below:
```yaml
jhipster:
  registry:
    password: '{cipher}a7b13e30356a50ed81275d9428a31543d7f59eb9e374f3063a94464e9f4a5863'
spring:
  application:
    name: gateway
  profiles:
    active: dev
    include: composite
    # The commented value for `active` can be replaced with valid Spring profiles to load.
    # Otherwise, it will be filled in by maven when building the JAR file
    # Either way, it can be overridden by `--spring.profiles.active` value passed in the commandline or `-Dspring.profiles.active` set in `JAVA_OPTS`
    #active: dev
  cloud:
    config:
      server.encrypt.enabled: true
      fail-fast: false # if not in "prod" profile, do not force to use Spring Cloud Config
      uri: http://admin:${jhipster.registry.password}@localhost:8761/config
      #http://admin:password@registry:8761/config/decrypt
      # name of the config server's property source (file.yml) that we want to use
      name: gateway
      profile: dev
```
In the gateway.yml file in the central-config folder, the two encryption properties have been modified as below, as the objective was a prototype to check whether it is able to discover the Eureka client and connect to the MySQL DB with these changes in place.
```yaml
spring:
  datasource:
    type: com.zaxxer.hikari.HikariDataSource
    url: jdbc:mysql://localhost:3306/gateway?useUnicode=true&characterEncoding=utf8&useSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC&createDatabaseIfNotExist=true&allowPublicKeyRetrieval=true
    username: root #{cipher}7f21f461454b9c0d99f2f81194257b9b0f77787cfab738b690f73c1ee84a73c4 #ENC(HLr1wJLGRZPuHVMUgEhiUQ==)
    password: '{cipher}7f21f461454b9c0d99f2f81194257b9b0f77787cfab738b690f73c1ee84a73c4' #root
    hikari:
      poolName: Hikari
      auto-commit: false
      data-source-properties:
        cachePrepStmts: true
        prepStmtCacheSize: 250
        prepStmtCacheSqlLimit: 2048
        useServerPrepStmts: true
  jpa:
    database-platform: org.hibernate.dialect.MySQLInnoDBDialect
    database: MYSQL
    openInView: false
    show-sql: true
  liquibase:
    drop-first: true
    # Remove 'faker' if you do not want the sample data to be loaded automatically
    contexts: dev #, faker
  # Property to disable logging in GAE since we cannot write to GAE file system
  mail:
    host: localhost
    port: 25
    username:
    password:
  messages:
    cache-duration: PT1S # 1 second, see the ISO 8601 standard
  thymeleaf:
    cache: false
  sleuth:
    sampler:
      probability: 1 # report 100% of traces
  zipkin: # Use the "zipkin" Maven profile to have the Spring Cloud Zipkin dependencies
    base-url: http://localhost:9411
    enabled: false
    locator:
      discovery:
        enabled: true
  security:
    basic.enabled: true
    user.name: admin
    user.password: '{cipher}a7b13e30356a50ed81275d9428a31543d7f59eb9e374f3063a94464e9f4a5863'
eureka:
  instance:
    prefer-ip-address: true
  client:
    register-with-eureka: true
    fetch-registry: true
    service-url:
      defaultZone: http://${spring.security.user.name}:${spring.security.user.password}@localhost:8761/eureka/
```
Last but not least, I used the same property as mentioned below in both of the bootstrap.yml files, following the principle of enabling the encryption mechanism at the Config server end and helping to decrypt the same property at the server end also; this is because the JHipster registry acts both as Cloud Config server and as Eureka registry.
```yaml
encrypt:
  key: bXktc2VjcmV0LWtleS13aGljaC1zaG91bGQtYmUtY2hhbmdlZC1pbi1wcm9kdWN0aW9uLWFuZC1iZS1iYXNlNjQtZW5jb2RlZAo=
```
This goes in both **bootstrap.yml** files to leverage the Spring Cloud Config server at the JHipster-registry app side, using encryption at the server side and decryption at the client side.
I am able to run the centralized configuration with encryption and decryption;
I stopped using the Jasypt library for now.
This is working for me; please let me know if you have any other suggestions or see any downside of this solution. We can discuss if anybody tried a different approach.
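As an added check, not part of the question or the answer, the following Python script lints a constructed YAML fragment that mirrors the values above: it reports credentials left in plaintext (the datasource username whose `{cipher}` form survives only as a comment, and the Jasypt key kept beside the `ENC()` values it protects) and an `encrypt.key` that still decodes to the shipped "change me in production" placeholder. The rule that a `{cipher}` payload is a non-empty multiple of 32 hex digits is an assumption about Spring's symmetric text encryptor, not something the answer states.

```python
import base64
import re
CIPHER_RE = re.compile(r"^'?\{cipher\}([0-9a-fA-F]*)'?$")
JASYPT_RE = re.compile(r"^'?ENC\(.+\)'?$")
SECRET_SUFFIXES = ("password", "username", "secret")

# Constructed fragment that mirrors the answer's gateway.yml / bootstrap.yml values.
SAMPLE_YAML = """\
spring:
  datasource:
    username: root #{cipher}7f21f461454b9c0d99f2f81194257b9b0f77787cfab738b690f73c1ee84a73c4
    password: '{cipher}7f21f461454b9c0d99f2f81194257b9b0f77787cfab738b690f73c1ee84a73c4' #root
jasypt:
  encryptor:
    password: jasyptkey
encrypt:
  key: bXktc2VjcmV0LWtleS13aGljaC1zaG91bGQtYmUtY2hhbmdlZC1pbi1wcm9kdWN0aW9uLWFuZC1iZS1iYXNlNjQtZW5jb2RlZAo=
"""

def classify(value):
    """'cipher', 'cipher-malformed', 'jasypt', 'empty' or 'plaintext' for one YAML scalar."""
    v = value.split(" #", 1)[0].strip()  # drop a trailing YAML comment
    if not v: return "empty"
    m = CIPHER_RE.match(v)
    if m:
        # Assumption: Spring's TextEncryptor emits hex(IV || AES-CBC blocks), i.e. a multiple of 32 hex digits.
        return "cipher" if m.group(1) and len(m.group(1)) % 32 == 0 else "cipher-malformed"
    return "jasypt" if JASYPT_RE.match(v) else "plaintext"

def lint(yaml_text):
    """Walk a 2-space-indented YAML fragment and return (dotted.key, problem) pairs."""
    findings, path = [], []
    for line in yaml_text.splitlines():
        m = re.match(r"^( *)([\w.-]+):\s*(.*)$", line)
        if not m: continue
        depth, key, value = len(m.group(1)) // 2, m.group(2), m.group(3)
        path = path[:depth] + [key]
        dotted, kind = ".".join(path), classify(value)
        if kind == "cipher-malformed":
            findings.append((dotted, "malformed {cipher} payload"))
        elif kind == "plaintext" and key.endswith(SECRET_SUFFIXES):
            findings.append((dotted, "plaintext credential"))
        if dotted == "encrypt.key":  # is the shared key still the shipped placeholder?
            try:
                raw = base64.b64decode(value.strip(), validate=True)
            except ValueError:
                raw = b""
            if b"changed-in-production" in raw:
                findings.append((dotted, "shipped default encrypt.key"))
    return findings
```

Both bootstrap.yml files carry the same `encrypt.key`, so a replacement key has to be rolled out to the registry and every client together.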
Source: https://stackoverflow.com/questions/63389371/how-to-encrypt-jasypt-encryptor-pasword-property-while-using-in-jhipster-registr