Micro combat | centralized configuration service center Config asymmetric encryption and security management
2022-07-29 15:05:00 【Rain _ time to cook】
Preface
Previous article: Microservices in practice | Centralized configuration component Config: avoiding leakage of sensitive information
In the previous article we used the centralized configuration center component Config with a symmetric encryption algorithm to encrypt and decrypt configuration information. This article shows how to do the same with an asymmetric encryption algorithm, and then how to add security management to the configuration center.
I. Config asymmetric encryption in practice
1. Generate the key file
Use keytool, the digital certificate management tool that ships with the JDK. Change into the bin directory of the JDK installation and run the following command to generate the keystore file:
D:\soft\Java\jdk1.8.0_181\bin>keytool -genkeypair -alias config-server -keyalg RSA -dname "CN=cn,OU=cn,O=cn,L=cn,S=cn,C=cn" -keypass 123456 -keystore d:/config-server.jks -storepass 123456
Copy the generated config-server.jks file into the resources directory of the config-server project.
2. Configure the key
Continue with our config-server project and change the contents of bootstrap.yml to the following:
# Symmetric encryption configuration
#encrypt:
#  key: 123456
# Asymmetric encryption configuration
encrypt:
  key-store:
    location: config-server.jks
    alias: config-server
    password: 123456
    secret: 123456
3. Start and verify
Start the config-server project and verify that encryption and decryption work:
Visit http://localhost:8005/encrypt/status as before; it returns ok

Then call the encryption endpoint at http://localhost:8081/encrypt:
Everything works as before: values can be encrypted and decrypted normally.
4. Applying it to the project
Once encryption and decryption work, it is time to change the contents of the configuration file.
In the config-server project, open the repo folder and change the client configuration file configclient-dev.yml as follows:
# Symmetrically encrypted ciphertext
#app:
#  key: '{cipher}5ab3ce1502c40c276074f400aee0be0f6279d6a85bb9d8d315a78c7a91603dde58d4512a6bc9f6492a8eddd34dbeeac0'
# Asymmetrically encrypted ciphertext
app:
  key: '{cipher}AQBFywM+SuemUIS18U8wXrw96hxmhq26u4UUKCxQ1jLTLEcT7MEldJ9C7H4USE+bxVIlHernOewcfWQBg8SwSqK9MuLr07Z1bTEwPEu8KfbEMKTXJBaK6OOVLPFKjaUS/ezHKlke1DYjPpxuo9QO5GOTXIGZOBIlcclJbBCAc2/JIEK34Na/vJdbmSVtNdo6qLw1ufDNPES5q7pweWrnaP4vmtzV8JSs7+UAOV4caf8Zxrv7Sp6KuxuRlEn2yNPoi9bzf4pBWoqxZ5cUsEkzMb5ZEEkmqXCXT4o6+AWdantXbzUXCVculh0FGHvJnnvzsDjoKnVJm0JULjNa5yWNik42tdqsj4KlW76XWcBNv4ditrNsYz13IhZpwsZGHtqTZ97AwobvaTY/UrV1We5ssx3O'
Note the {cipher} prefix in front of the ciphertext; without it the value will not be decrypted.
5. Verify
Finally, restart the registry project together with the config-server and config-client services and call the client's hello endpoint at http://localhost:8007/hello: it again returns the decrypted plaintext as before.
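As an added example (not code from the original post or from Spring Cloud Config), here is a small Python audit a config-repo owner can run before committing files such as configclient-dev.yml. It walks the `key: value` scalars, flags sensitive-looking keys whose values are not wrapped in {cipher}, and tells apart the two ciphertext encodings the post shows. Treating a hex payload as a leftover from the earlier encrypt.key (symmetric) setup and a base64 payload as output of the key-store encryptor is an inference from the two ciphertexts above, since a server switched to the keystore can no longer decrypt the old symmetric values; the YAML sample, key names and SENSITIVE pattern are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample in the style of a config-repo file; not the post's own file.
SAMPLE_YAML = """\
app:
  key: '{cipher}AQBFywM+SuemUIS18U8wXrw96hxmhq26u4UUKCxQ1jLTLEcT7MEldJ9C7H4USE+bxVIlHernOewc'
  legacy-key: '{cipher}5ab3ce1502c40c276074f400aee0be0f6279d6a85bb9d8d315a78c7a91603dde'
  plain-token: 'hunter2'
spring:
  datasource:
    username: demo
    password: '{cipher}not base64!!'
server:
  port: 8007
"""

CIPHER_PREFIX = "{cipher}"
# Key names that should only ever hold ciphertext (constructed list for the example).
SENSITIVE = re.compile(r"password|secret|token|key", re.IGNORECASE)
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def scalars(text):
    """Yield (dotted.key, value) for each 'key: value' scalar of a simple
    indentation-based YAML mapping. Comments are skipped and surrounding quotes
    dropped; lists and multi-line values are out of scope for this helper."""
    stack = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = re.sub(r"\s+#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip()
        if value:
            yield ".".join(k for _, k in stack), value.strip("'\"")


def classify(value):
    """'plain' (no {cipher} prefix), 'symmetric' (hex payload, as produced with
    encrypt.key), 'rsa' (base64 payload, as produced with encrypt.key-store),
    or 'malformed' (prefix present but the payload decodes as neither).
    The hex-vs-base64 split is a heuristic drawn from the two sample values."""
    if not value.startswith(CIPHER_PREFIX):
        return "plain"
    payload = value[len(CIPHER_PREFIX):]
    if HEX_RE.match(payload) and len(payload) % 2 == 0:
        return "symmetric"
    try:
        base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    return "rsa"


def audit(text, expected="rsa"):
    """Return [(dotted.key, finding)] for sensitive keys whose value is not a
    well-formed ciphertext of the encryptor the server is configured with."""
    findings = []
    for dotted, value in scalars(text):
        if not SENSITIVE.search(dotted.rsplit(".", 1)[-1]):
            continue
        kind = classify(value)
        if kind == "plain":
            findings.append((dotted, "plaintext secret"))
        elif kind != expected:
            findings.append((dotted, f"{kind} ciphertext, expected {expected}"))
    return findings


if __name__ == "__main__":
    for dotted, finding in audit(SAMPLE_YAML):
        print(f"{dotted}: {finding}")
```

Run against the constructed sample, the audit passes app.key, reports app.legacy-key as a symmetric ciphertext that the keystore-backed server will not be able to decrypt, reports app.plain-token as a plaintext secret, and reports spring.datasource.password as malformed; pass expected="symmetric" to audit a repo that still uses encrypt.key.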

II. Configuration center security management
As we have just seen, the status, encryption and decryption endpoints such as http://localhost:8005/encrypt/status and http://localhost:8081/encrypt can be called by anyone. We can even call the configuration center endpoint that returns the configuration file itself, http://localhost:8005/configclient/dev, and read it directly.

Why does the browser show the returned JSON nicely formatted? Simply install this Chrome extension: FeHelper.
This too is a security risk, so further security management is required:
1. Add the dependency
Continue with the pom file of the config-server project and add the following dependency:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
After adding it, restart the config_server project. Note that the following line is printed in the log on restart:
Using generated security password: 8dc1da66-b6ea-4aa7-a67d-3d02f97e179c
When the browser opens http://localhost:8005/configclient/dev again, it is redirected to a login page instead of receiving the configuration directly. The default username is user and the password is the random one printed in the log above. We can also specify our own username and password:
2. Add the security management configuration
Modify the application.yml configuration file in the config-server project:
server:
  port: 8005
spring:
  application:
    name: config-server
  profiles:
    active: native # local files
  cloud:
    config:
      server:
        native:
          search-locations: classpath:/repo
  security: # security management configuration added
    user:
      name: cxy965
      roles: admin
      password: 123456
eureka:
  client:
    service-url:
      defaultZone: http://localhost:8001/eureka/
Now we can log in with the username and password we specified.
3. Adjust the client call
After adding the security management configuration, restarting the config-client project shows that it can no longer pull configuration from the configuration center:
2022-07-28 17:09:03.416 WARN 29296 --- [ main] c.c.c.ConfigServicePropertySourceLocator : Could not locate PropertySource: Could not extract response: no suitable HttpMessageConverter found for response type [class org.springframework.cloud.config.environment.Environment] and content type [text/html;charset=UTF-8]
2022-07-28 17:09:03.418 INFO 29296 --- [ main] com.cxy965.demo.ConfigClientApplication : No active profile set, falling back to default profiles: default
In other words, with our current configuration the client cannot obtain any usable configuration resource: the configuration center now has security management enabled and the client has no permission to access it. The fix is to add the username and password for accessing the configuration center on the client side.
Modify bootstrap.yml in the config-client project as follows:
spring:
  application:
    name: configclient
  cloud:
    config:
      username: cxy965 # username for accessing the configuration center (added)
      password: 123456 # password for accessing the configuration center (added)
      name: configclient
      profile: dev
      discovery:
        enabled: true
        service-id: config-server
eureka:
  client:
    service-url:
      defaultZone: http://localhost:8001/eureka/
Restart and it works again!
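To make the last three steps concrete, here is an added Python sketch (not the project's code and not Spring Security's implementation) of the exchange between config-client and the now-secured config-server: the client side builds the HTTP Basic header that spring.cloud.config.username/password turn into, and the server side validates it before returning the environment. The endpoint, realm and environment body are constructed for the example, and the mock answers an unauthenticated request with a 401 challenge rather than the HTML login page the warning log above shows (a login page arriving where the client expected JSON is exactly what "no suitable HttpMessageConverter ... content type [text/html]" reports).

```python
import base64
import hmac

# Constructed values mirroring the post's spring.security.user (server) and
# spring.cloud.config.username/password (client) settings.
SERVER_USER = "cxy965"
SERVER_PASSWORD = "123456"
ENVIRONMENT = {"name": "configclient", "profiles": ["dev"], "propertySources": []}


def client_headers(username, password):
    """What the config client adds once spring.cloud.config.username/password
    are set: an HTTP Basic header carrying base64("username:password")."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def parse_basic(header):
    """Return (username, password) from a Basic Authorization header value,
    or None when the header is absent, uses another scheme or is malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def handle_request(headers, expected_user=SERVER_USER, expected_password=SERVER_PASSWORD):
    """Simulate the secured /{application}/{profile} endpoint: (status, headers, body).
    Missing or wrong credentials get 401 plus a challenge; valid ones get the
    environment JSON. Both fields are always compared, in constant time, so the
    response does not reveal which of the two was wrong."""
    challenge = {"WWW-Authenticate": 'Basic realm="config-server"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, None
    username, password = creds
    user_ok = hmac.compare_digest(username.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    if not (user_ok & pass_ok):
        return 401, challenge, None
    return 200, {"Content-Type": "application/json"}, ENVIRONMENT


if __name__ == "__main__":
    # Before the client's bootstrap.yml carries credentials ...
    print(handle_request({})[0])                                  # 401
    # ... and after spring.cloud.config.username/password are set.
    print(handle_request(client_headers("cxy965", "123456"))[0])  # 200
```

The first call reproduces the failure from step 3 (the client sends no credentials and gets a challenge instead of the environment); the second reproduces the working state after bootstrap.yml is updated. Because Basic credentials are only base64-encoded, not encrypted, the same exchange over plain HTTP, as in the localhost URLs above, exposes the username and password to anyone on the path, which is why a production config server is served over TLS.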