Fixing a security finding: the Nacos password must not appear in plaintext in a Spring Boot configuration file


Background:

A customer's security scan flagged the Nacos password appearing in plaintext in the bootstrap.properties configuration file, and the customer required it to be fixed.

I put together a temporary fix that gets the scan to pass:

1. Mark the Nacos password-related settings in bootstrap.properties with placeholders instead of literal values.

spring.cloud.nacos.discovery.password=${INNER_NACOS_PASSWORD}
spring.cloud.nacos.discovery.server-addr=${INNER_NACOS_ADDR}

spring.cloud.nacos.config.password=${INNER_NACOS_PASSWORD}
spring.cloud.nacos.config.server-addr=${INNER_NACOS_ADDR}

2. Write the corresponding address and password values into the startup script / environment variables; this gets past the code scan. (The `-D` flags below set JVM system properties, which Spring resolves for `${...}` placeholders just as it does OS environment variables.)

JVM_OPTS="
......
 -DINNER_NACOS_PASSWORD=Nacos_654321
 -DINNER_NACOS_ADDR=10.0.16.143:18117
"

java $JVM_OPTS -jar project.jar
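The check below is an added example, not code from the post. It replays the kind of scan the customer ran, over sample lines constructed here: credential-looking keys in a properties file must carry a `${...}` placeholder rather than a literal, and the same rule is applied to `-DNAME=value` flags in a start script, since a literal there is still a plaintext secret on disk. The key-name list and file contents are assumptions for the demo.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Pre-commit style check: flags credential-looking settings whose value is a literal
 * instead of a ${...} placeholder. Covers both properties files and the -D flags a
 * start script passes to the JVM, so moving the literal into the script is noticed too.
 */
public class PlaintextSecretCheck {

    // A key "looks like a credential" if its last segment is one of these words (constructed list).
    private static final Pattern SECRET_KEY =
            Pattern.compile("(?i)(^|[._-])(password|passwd|pwd|secret|token|access-?key)$");

    // A value is acceptable when it is entirely a Spring placeholder such as ${INNER_NACOS_PASSWORD}
    // or ${INNER_NACOS_PASSWORD:default}; an empty value is also acceptable.
    private static final Pattern PLACEHOLDER = Pattern.compile("^\\$\\{[^}]+}$");

    // Matches "-DNAME=value" tokens on a shell line.
    private static final Pattern JVM_FLAG = Pattern.compile("-D([A-Za-z0-9_.]+)=(\\S*)");

    /** Returns the offending "key=value" pairs found in a properties file, given its lines. */
    public static List<String> findInProperties(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith("!")) continue;
            int eq = line.indexOf('=');
            if (eq < 0) continue;
            String key = line.substring(0, eq).trim();
            String value = line.substring(eq + 1).trim();
            if (isPlaintextSecret(key, value)) hits.add(key + "=" + value);
        }
        return hits;
    }

    /** Returns the offending -DNAME=value flags found in a shell start script, given its lines. */
    public static List<String> findInStartScript(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (line.trim().startsWith("#")) continue;
            Matcher m = JVM_FLAG.matcher(line);
            while (m.find()) {
                // Strip a surrounding quote character left over from the shell assignment
                String value = m.group(2).replaceAll("^[\"']|[\"']$", "");
                if (isPlaintextSecret(m.group(1), value)) hits.add("-D" + m.group(1) + "=" + value);
            }
        }
        return hits;
    }

    static boolean isPlaintextSecret(String key, String value) {
        return SECRET_KEY.matcher(key).find()
                && !value.isEmpty()
                && !PLACEHOLDER.matcher(value).matches();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a properties file before and after the fix, and a start script.
        List<String> before = Arrays.asList(
                "spring.cloud.nacos.config.server-addr=127.0.0.1:8848",
                "spring.cloud.nacos.config.password=example-literal");
        List<String> after = Arrays.asList(
                "spring.cloud.nacos.config.server-addr=${INNER_NACOS_ADDR}",
                "spring.cloud.nacos.config.password=${INNER_NACOS_PASSWORD}");
        List<String> script = Arrays.asList(
                "JVM_OPTS=\"-DINNER_NACOS_PASSWORD=example-literal -DINNER_NACOS_ADDR=127.0.0.1:8848\"",
                "java $JVM_OPTS -jar project.jar");
        System.out.println("before: " + findInProperties(before));
        System.out.println("after:  " + findInProperties(after));
        System.out.println("script: " + findInStartScript(script));
    }
}
```

Run it with `java PlaintextSecretCheck.java` (JDK 11+). The "before" properties and the start script each produce one finding for the password entry; the "after" properties produce none. Wiring the same two functions into a build step is what turns the customer's one-off scan into a check developers hit before the secret is committed.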

Extended approach:

Later I wondered whether the startup script / environment variables could hold ciphertext instead, with the ciphertext in the environment swapped for plaintext before the Spring container refreshes, so that for the configuration file or the startup script. On blog.csdn.net/aa348699531… I saw a way to do this with an ApplicationContextInitializer.

Step 1.

Create the class NacosDecryptPropertiesInitiallizer.

import java.util.Arrays;
import java.util.List;
import java.util.Properties;

import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.springframework.context.ApplicationContextInitializer;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.Ordered;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.PropertiesPropertySource;

/**
 * Runs before the application context is refreshed. When encrypt.nacos.enable=true,
 * it reads the (encrypted) Nacos password properties, decrypts them with the
 * project's own RSAUtils helper (not shown in this post) and registers the plaintext
 * values in a property source that takes precedence over all others.
 */
@SuppressWarnings("ALL")
@Slf4j
public class NacosDecryptPropertiesInitiallizer implements ApplicationContextInitializer<ConfigurableApplicationContext>, Ordered {

    // Property keys under which Nacos looks for its password
    private static final List<String> NACOS_PASSWORD_SET = Arrays.asList(
            "spring.cloud.nacos.password",
            "spring.cloud.nacos.config.password",
            "spring.cloud.nacos.discovery.password");

    // Name of the property source that will hold the decrypted values
    private static final String NACOS_PASSWORD_DECRYPT = "nacos-password-decrypt";

    // Switch that turns decryption on (set it alongside the encrypted values)
    private static final String NACOS_ENCRYPT_ENABLE = "encrypt.nacos.enable";

    @Override
    public void initialize(ConfigurableApplicationContext applicationContext) {
        ConfigurableEnvironment environment = applicationContext.getEnvironment();
        if ("true".equals(environment.getProperty(NACOS_ENCRYPT_ENABLE))) {
            // Drop a previous copy so the initializer is safe to run more than once
            environment.getPropertySources().remove(NACOS_PASSWORD_DECRYPT);
            Properties properties = new Properties();
            NACOS_PASSWORD_SET.forEach(key -> {
                String value = environment.getProperty(key, "");
                if (StringUtils.isNotBlank(value)) {
                    try {
                        String decrypt = RSAUtils.decrypt(value);
                        properties.put(key, decrypt);
                    } catch (Exception e) {
                        // On failure the key is left out, so the original (encrypted) value stays visible to Nacos
                        log.info("Decryption failed: {}", ExceptionUtils.getRootCause(e).toString());
                    }
                }
            });
            PropertiesPropertySource propertiesPropertySource = new PropertiesPropertySource(NACOS_PASSWORD_DECRYPT, properties);
            // addFirst gives the decrypted values the highest precedence among property sources
            environment.getPropertySources().addFirst(propertiesPropertySource);
        }
    }

    @Override
    public int getOrder() {
        // Run before any other initializer
        return HIGHEST_PRECEDENCE;
    }
}

Step 2.

In the project's startup class, register the custom initializer on the SpringApplication before it runs.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
public class Application {
    public static void main(String[] args) {
        SpringApplication springApplication = new SpringApplication(Application.class);
        springApplication.addInitializers(new NacosDecryptPropertiesInitiallizer()); // runs before the context refreshes
        springApplication.run(args);
    }
}
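The post relies on an RSAUtils helper it does not show, and it does not demonstrate what the initializer actually does to the environment. The following is an added, self-contained example (not the author's code) that covers both: RsaUtilsExample is an assumed stand-in for RSAUtils with a throwaway key pair generated at start-up, and applyDecryption replays the initializer's steps against a plain StandardEnvironment so the before/after state can be inspected without booting Spring Boot. It needs spring-core on the classpath; the property key, source names and the sample password are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.crypto.Cipher;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.PropertiesPropertySource;
import org.springframework.core.env.StandardEnvironment;

/**
 * Stand-in for the post's RSAUtils (assumed shape: static encrypt/decrypt on Base64 strings).
 * The key pair is generated here only so the example runs by itself; a real deployment loads
 * the private key from a file or secret store outside the scanned source tree.
 */
class RsaUtilsExample {
    private static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final KeyPair KEY_PAIR;
    static {
        try {
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(2048);
            KEY_PAIR = gen.generateKeyPair();
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    /** Encrypts with the public key; run once at deploy time to produce the value for the start script. */
    static String encrypt(String plaintext) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, KEY_PAIR.getPublic());
        return Base64.getEncoder().encodeToString(c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }

    /** Decrypts with the private key; this is what the initializer calls before the context refreshes. */
    static String decrypt(String base64Ciphertext) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, KEY_PAIR.getPrivate());
        return new String(c.doFinal(Base64.getDecoder().decode(base64Ciphertext)), StandardCharsets.UTF_8);
    }
}

public class DecryptInitializerDemo {
    static final String KEY = "spring.cloud.nacos.config.password";   // one of the keys the initializer handles
    static final String DECRYPTED_SOURCE = "nacos-password-decrypt";   // same source name the post uses

    /**
     * Mirrors the initializer: read the ciphertext, decrypt it, and register the plaintext in a
     * property source placed in front of all others. Returns the value the application now sees.
     */
    static String applyDecryption(StandardEnvironment env) throws Exception {
        String cipherText = env.getProperty(KEY, "");
        Properties decrypted = new Properties();
        if (!cipherText.isEmpty()) {
            decrypted.put(KEY, RsaUtilsExample.decrypt(cipherText));
        }
        env.getPropertySources().remove(DECRYPTED_SOURCE);   // keeps a second run idempotent
        env.getPropertySources().addFirst(new PropertiesPropertySource(DECRYPTED_SOURCE, decrypted));
        return env.getProperty(KEY);
    }

    public static void main(String[] args) throws Exception {
        String secret = "example-password";                    // constructed sample value
        String cipherText = RsaUtilsExample.encrypt(secret);  // the value that would go into -DINNER_NACOS_PASSWORD=...

        // Simulate the value arriving through the start script / bootstrap.properties placeholder.
        StandardEnvironment env = new StandardEnvironment();
        Map<String, Object> fromScript = new HashMap<>();
        fromScript.put(KEY, cipherText);
        env.getPropertySources().addLast(new MapPropertySource("startup-script", fromScript));

        System.out.println("application sees ciphertext before init: " + env.getProperty(KEY).equals(cipherText));
        String now = applyDecryption(env);
        System.out.println("application sees plaintext after init:   " + now.equals(secret));
        // The lower-precedence source is untouched; only the lookup order changed.
        Object underlying = env.getPropertySources().get("startup-script").getProperty(KEY);
        System.out.println("startup-script source still ciphertext:  " + cipherText.equals(underlying));
    }
}
```

In a real deployment the start script carries `-DINNER_NACOS_PASSWORD=<Base64 ciphertext> -Dencrypt.nacos.enable=true`, the private key lives with the runtime rather than in the repository, and the decrypted value exists only in the JVM's in-memory property source. Note that `addFirst` means the plaintext also shadows any same-named value from Nacos config or profile files, which is exactly the precedence the initializer relies on.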