Wang Xiang's Blog: Configure encrypted password in data-source inside spring configuration file

In prod env, generally password need to be encrypted before put to spring configure file. There are 3 different approaches to achieve it.

1) use jasypt

refer to http://www.jasypt.org/

but it does not support AES algorithm

2) use java based configuration

look like this

 @Configuration
 public class AppConfig {

 }

3) use wrapper class to extends org.springframework.jdbc.datasource.DriverManagerDataSource

jdbc.properties to configure jdbc

jdbc.driverClassName=com.mysql.jdbc.Driver

jdbc.url=jdbc:mysql://localhost/testdb2

jdbc.username=tester2

jdbc.password=45236fe16c32d37d8bdac1f53a75cde9

take note the password is encrypted with AES

key.properties to configure key/iv to encrypt/decrypt password

key.hex=5b518a1640d253003626a1200940eb21

iv.hex=fd9e24303da422dd9e243ac4d03da443

spring configuration

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"

xmlns:jdbc="http://www.springframework.org/schema/jdbc" xmlns:tx="http://www.springframework.org/schema/tx"

xsi:schemaLocation="http://www.springframework.org/schema/jdbc

http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd

http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.1.xsd

http://www.springframework.org/schema/tx

http://www.springframework.org/schema/tx/spring-tx-3.1.xsd

http://www.springframework.org/schema/context

http://www.springframework.org/schema/context/spring-context-3.1.xsd">

</bean>

<tx:annotation-driven transaction-manager="txManager" />

<context:property-placeholder location="classpath:jdbc.properties,key.properties" />

</bean>

<bean id="emf"

class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">

</property>

<props>

<prop key="hibernate.dialect">org.hibernate.dialect.MySQL5InnoDBDialect</prop>

</props>

</property>

</bean>

<context:component-scan base-package="wx.jpa2" />

</beans>

wrapper class

package wx.jpa2.dao;

import java.sql.Connection;

import java.sql.SQLException;

import java.util.Properties;

import org.springframework.beans.factory.annotation.Value;

import org.springframework.jdbc.datasource.DriverManagerDataSource;

import org.springframework.stereotype.Component;

import wx.jpa2.util.Crypto;

@Component

public class SecureDataSource extends DriverManagerDataSource {

private String url;

private String username;

private String password;

private @Value("${key.hex}")

String keyHex;

private @Value("${iv.hex}")

String ivHex;

public String getUrl() {

return url;

}

public void setUrl(String url) {

this.url = url;

}

public String getUsername() {

return username;

}

public void setUsername(String username) {

this.username = username;

}

public String getPassword() {

return password;

}

public void setPassword(String password) {

this.password = password;

}

public String getKeyHex() {

return keyHex;

}

public void setKeyHex(String keyHex) {

this.keyHex = keyHex;

}

public String getIvHex() {

return ivHex;

}

public void setIvHex(String ivHex) {

this.ivHex = ivHex;

}

public SecureDataSource() {

}

@Override

protected Connection getConnectionFromDriver(Properties props)

throws SQLException {

props.setProperty("username", username);

props.setProperty("password", getDecryptedPassword());

return getConnectionFromDriverManager(url, props);

}

private String getDecryptedPassword() {

// use key/iv to decrypt the encrypted password via AES

Crypto aes = new Crypto();

return aes.decrypt(keyHex, ivHex, password);

}

Wang Xiang's Blog

Thursday, July 31, 2014

Configure encrypted password in data-source inside spring configuration file

No comments:

Post a Comment