
I am using the JHipster Registry app and using native encryption by encrypting the username and password in the centralized configuration for all microservices with the Jasypt library.

While doing this, I observed that the moment I tried to encrypt the default username and password (admin/admin) in the central-config folder, encrypted as described below, the problem appeared. I have configured gateway.yml (the central config file for configuration common to all microservices) like this:

```yaml
spring:
  datasource:
    type: com.zaxxer.hikari.HikariDataSource
    url: jdbc:mysql://localhost:3306/gateway?useUnicode=true&characterEncoding=utf8&useSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC&createDatabaseIfNotExist=true
    username: ENC(HLr1wJLGRZPuHVMUgEhiUQ==)
    password: ENC(HLr1wJLGRZPuHVMUgEhiUQ==)
    hikari:
      poolName: Hikari
      auto-commit: false
      data-source-properties:
        cachePrepStmts: true
        prepStmtCacheSize: 250
        prepStmtCacheSqlLimit: 2048
        useServerPrepStmts: true

  jpa:
     database-platform: org.hibernate.dialect.MySQLInnoDBDialect
     database: MYSQL
     openInView: false
     show-sql: true
  liquibase:
      drop-first: true
      # Remove 'faker' if you do not want the sample data to be loaded automatically
      contexts: dev

eureka:
  instance:
    prefer-ip-address: true
  client:
    service-url:
      defaultZone:
       # Jasypt Encryptor property================
       http://ENC(iNeA5NB8uu+MIXdPXBNzSw==):ENC(iNeA5NB8uu+MIXdPXBNzSw==)@localhost:8761/eureka/

# ===========================================
# Jasypt Encryptor property
#============================================
jasypt:
  encryptor:
    password: jasyptkey
```

I also added the required dependency for the Jasypt Maven Spring Boot starter to the registry application project, as shown below; it compiles and the registry also displays perfectly.

```xml
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>2.0.0</version>
</dependency>
```

The problem I am facing is that the Discovery client / Cloud Config Server client cannot recognize the endpoint URI.

I am also sharing the bootstrap.yml file of the microservice application (gateway) for reference, in case anything is missing there.

The microservice application's bootstrap.yml file looks like this:

```yaml
spring:
  application:
    name: gateway
  profiles:
    active: dev
    include: composite
  cloud:
    config:
      fail-fast: false
      uri: http://admin:${jhipster.registry.password}@localhost:8761/config/decrypt

      # name of the config server's property source (file.yml) that we want to use
      name: gateway
      profile: dev
```

Please advise whether there is a problem in the configuration, or any other alternative approach, or whether Jasypt-based encryption/decryption is not supported or needs more configuration?


1 Answer


I have found a solution to this problem. The only change I made was that, instead of the Jasypt encryption library, I tried the conventional JHipster Registry app Cloud Config Server encrypt/decrypt strategy. For something like this I had to use it like any Spring Cloud Config server with Discovery and Eureka. So, while using the centralized configuration from the central-config folder in the JHipster-Registry app via the native file system in bootstrap.yml, I disabled the Spring Cloud Config server's encrypt property on the registry app side, as shown below:

```yaml
spring:
  application:
    name: jhipster-registry
  profiles:
    active: dev
    include: composite
  cloud:
    config:
      server:

        #git:
         # uri: https://github.com/debjupiter18/central-config-server
          #skipSslValidation: true
        bootstrap: true
        encrypt.enabled: false
```

Enabled the same in my microservice gateway application, as mentioned below:

```yaml
jhipster:
  registry:
     password: '{cipher}a7b13e30356a50ed81275d9428a31543d7f59eb9e374f3063a94464e9f4a5863'

spring:
  application:
    name: gateway
  profiles:
    active: dev
    include: composite
    # The commented value for `active` can be replaced with valid Spring profiles to load.
    # Otherwise, it will be filled in by maven when building the JAR file
    # Either way, it can be overridden by `--spring.profiles.active` value passed in the commandline or `-Dspring.profiles.active` set in `JAVA_OPTS`
    #active: dev
  cloud:
    config:
      server.encrypt.enabled: true
      fail-fast: false # if not in "prod" profile, do not force to use Spring Cloud Config
      uri: http://admin:${jhipster.registry.password}@localhost:8761/config
      #http://admin:password@registry:8761/config/decrypt

      # name of the config server's property source (file.yml) that we want to use
      name: gateway
      profile: dev
```

Modified the two encrypted properties in the gateway.yml file in the central-config folder as shown below, since the goal was a prototype to check whether the Eureka client could be discovered and connect to the MySQL DB with these changes in place.

```yaml
spring:
  datasource:
    type: com.zaxxer.hikari.HikariDataSource
    url: jdbc:mysql://localhost:3306/gateway?useUnicode=true&characterEncoding=utf8&useSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC&createDatabaseIfNotExist=true&allowPublicKeyRetrieval=true
    username: root #{cipher}7f21f461454b9c0d99f2f81194257b9b0f77787cfab738b690f73c1ee84a73c4    #ENC(HLr1wJLGRZPuHVMUgEhiUQ==)
    password: '{cipher}7f21f461454b9c0d99f2f81194257b9b0f77787cfab738b690f73c1ee84a73c4' #root
    hikari:
      poolName: Hikari
      auto-commit: false
      data-source-properties:
        cachePrepStmts: true
        prepStmtCacheSize: 250
        prepStmtCacheSqlLimit: 2048
        useServerPrepStmts: true

  jpa:
     database-platform: org.hibernate.dialect.MySQLInnoDBDialect
     database: MYSQL
     openInView: false
     show-sql: true
  liquibase:
      drop-first: true
      # Remove 'faker' if you do not want the sample data to be loaded automatically
      contexts: dev #, faker
# Property to disable logging in GAE since we cannot write to GAE file system
  mail:
    host: localhost
    port: 25
    username:
    password:
  messages:
      cache-duration: PT1S # 1 second, see the ISO 8601 standard
  thymeleaf:
      cache: false
  sleuth:
      sampler:
        probability: 1 # report 100% of traces
  zipkin: # Use the "zipkin" Maven profile to have the Spring Cloud Zipkin dependencies
      base-url: http://localhost:9411
      enabled: false
      locator:
        discovery:
          enabled: true
  security:
      basic.enabled: true
      user.name : admin
      user.password : '{cipher}a7b13e30356a50ed81275d9428a31543d7f59eb9e374f3063a94464e9f4a5863'
eureka:
  instance:
    prefer-ip-address: true
  client:
    register-with-eureka: true
    fetch-registry: true
    service-url:
      defaultZone: http://${spring.security.user.name}:${spring.security.user.password}@localhost:8761/eureka/
```

Last but not least, used the same property in both bootstrap.yml files, following the principle of enabling the encryption mechanism on the config server side and helping decrypt the same property on the server side, since the JHipster Registry acts as both the Cloud Config server and the Eureka registry.

```yaml
encrypt:
  key: bXktc2VjcmV0LWtleS13aGljaC1zaG91bGQtYmUtY2hhbmdlZC1pbi1wcm9kdWN0aW9uLWFuZC1iZS1iYXNlNjQtZW5jb2RlZAo=
```

in both **bootstrap.yml** files to leverage the Spring Cloud Config server at the JHipster-registry app side, to use encryption at the server side and decryption at the client side.

I am able to run the centralized configuration with encryption and decryption;
I stopped using the Jasypt library for now.
This is working for me, please let me know if there are any other suggestions or any downside of this solution; we can discuss if anybody tried a different approach.
answered 2020-08-19T06:34:32.120
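As an added illustration (not code from the question or the answer), the Java snippet below reproduces the symmetric `{cipher}` mechanism the answer switched to: it builds the same kind of text encryptor Spring Cloud Config creates from a non-RSA `encrypt.key` (Spring Security's `Encryptors.text`), using the page's `encrypt.key`, and shows the client-side rule that only values carrying the `{cipher}` marker are decrypted. The salt `deadbeef` is Spring Cloud Config's default `encrypt.salt`, and `spring-security-crypto` is assumed to be on the classpath; the `/config/encrypt` endpoint name is taken from the JHipster Registry.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;

/**
 * Stand-alone demo of the {cipher} property flow used in the answer:
 * the registry derives an AES key from encrypt.key (password-based, salted)
 * and the gateway decrypts every property value that starts with "{cipher}".
 */
public class CipherPropertyDemo {

    /** Same value as encrypt.key in both bootstrap.yml files on this page. */
    static final String ENCRYPT_KEY =
        "bXktc2VjcmV0LWtleS13aGljaC1zaG91bGQtYmUtY2hhbmdlZC1pbi1wcm9kdWN0aW9uLWFuZC1iZS1iYXNlNjQtZW5jb2RlZAo=";

    /** Spring Cloud Config's default encrypt.salt (a hex string); assumption, override via encrypt.salt. */
    static final String SALT = "deadbeef";

    static final String CIPHER_PREFIX = "{cipher}";

    /** Server side: what POST /config/encrypt produces, with the marker the client looks for. */
    static String encryptProperty(TextEncryptor encryptor, String plaintext) {
        return CIPHER_PREFIX + encryptor.encrypt(plaintext);
    }

    /** Client side: plain values pass through; marked values are decrypted with the shared key. */
    static String resolveProperty(TextEncryptor encryptor, String value) {
        if (value == null || !value.startsWith(CIPHER_PREFIX)) {
            return value;
        }
        return encryptor.decrypt(value.substring(CIPHER_PREFIX.length()));
    }

    public static void main(String[] args) {
        TextEncryptor encryptor = Encryptors.text(ENCRYPT_KEY, SALT);

        // Each call uses a fresh random IV, so the hex differs from the page's
        // values even for the same plaintext; only the key has to match on both sides.
        String stored = encryptProperty(encryptor, "admin");
        System.out.println("password: '" + stored + "'   # quoted so YAML keeps the braces");

        System.out.println("gateway sees: " + resolveProperty(encryptor, stored));

        // A client configured with a different encrypt.key cannot read the value.
        TextEncryptor otherKey = Encryptors.text("some-other-key", SALT);
        try {
            resolveProperty(otherKey, stored);
        } catch (RuntimeException e) {
            System.out.println("wrong key: " + e.getMessage());
        }
    }
}
```

Because the registry and the gateway both read `encrypt.key` from their own bootstrap.yml, the key never has to appear in the central-config folder next to the values it protects.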