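Encrypting configuration values in Spring configuration files

[Method 1]  Configuration values in a Spring configuration file can be encrypted with Jasypt (Java Simplified Encryption).

Download the library that matches your version from http://www.jasypt.org/.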

Download Jasypt

Current version: 1.9.2 (February 25th, 2014) [WHAT'S NEW IN JASYPT 1.9]

DOWNLOAD JASYPT (from SourceForge.net)

If you are using Maven for building your project, have a look at Jasypt + Maven for details on adding a dependency on Jasypt.

Jasypt consists of the following artifacts:

  • jasypt (core) [ChangeLog]
  • Spring integration
    • jasypt-spring2 for Spring Framework 2.0 and 2.5 [ChangeLog]
    • jasypt-spring3 for Spring Framework 3.0 [ChangeLog]
    • jasypt-spring31 for Spring Framework 3.1 and newer [ChangeLog]
    • jasypt-acegisecurity for Acegi Security 1.0 [ChangeLog]
    • jasypt-springsecurity2 for Spring Security 2.x [ChangeLog]
    • jasypt-springsecurity3 for Spring Security 3.x and newer [ChangeLog]
  • Hibernate integration
    • jasypt-hibernate3 for Hibernate 3.0, 3.1, 3.2, 3.3, 3.5 and 3.6 [ChangeLog]
    • jasypt-hibernate4 for Hibernate 4.x and newer [ChangeLog]
  • Apache Wicket integration
    • jasypt-wicket13 for Apache Wicket 1.3 and 1.4 [ChangeLog]
    • jasypt-wicket15 for Apache Wicket 1.5 [ChangeLog]

You can also browse the Source Repository here.

 

 

(1) Example source that encrypts a string

package com.sample.crypto;

import java.util.ArrayList;
import java.util.List;

import org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI;

public class StringEncryptor {

    public static void main(String[] args) {

        // Arguments are handed to the Jasypt CLI as name=value pairs
        List<String> argList = new ArrayList<String>();
        String input = "input=";

        if (args.length < 1) {
            System.out.println("String for encryption must be inserted");
            return;
        }
        else {
            input = input + args[0];
            argList.add(input);
        }

        argList.add("algorithm=PBEWithMD5AndDES");   // symmetric encryption
        argList.add("password=SAMPLE");              // Key
        argList.add("verbose=false");

        String[] result = new String[argList.size()];
        argList.toArray(result);
        JasyptPBEStringEncryptionCLI.main(result);
    }
}

 

 

(2) Generating the encrypted string

set classpath=jasypt\1.9.0\jasypt-1.9.0.jar
java -cp .;%classpath% com.sample.crypto.StringEncryptor {string to encrypt}

 

 

(3) Spring configuration file (ApplicationContext.xml)

<bean id="encryptorConfig"
      class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
        <property name="algorithm" value="PBEWithMD5AndDES" />
        <property name="passwordEnvName" value="APP_ENCRYPTION_PASSWORD" />
</bean>

<bean id="encryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
        <property name="config" ref="encryptorConfig" />

        <!-- The Key from StringEncryptor.java; it must match exactly.
             A password set here takes precedence over the one read through passwordEnvName. -->
        <property name="password" value="SAMPLE" />

</bean>

<bean id="propertyConfigurer"
      class="org.jasypt.spring3.properties.EncryptablePropertyPlaceholderConfigurer">
        <constructor-arg ref="encryptor" />
        <property name="locations">
               <list>
                   <value>classpath:config/dbConfig.xml</value>
               </list>
        </property>
</bean>

 

 

(4) DB connection settings file (dbConfig.xml)

<entry key="mysql.jdbc.driverClassName">core.log.jdbc.driver.MysqlDriver</entry>
<entry key="mysql.jdbc.url">jdbc:mysql://localhost:3306/sample</entry>
<entry key="mysql.jdbc.username">scott</entry>
<entry key="mysql.jdbc.password">ENC(ne3e529X5YPW2IdfL0G0bg==)</entry>

 

Store the encrypted password inside ENC( ).
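In the Spring XML of step (3), the password property puts the encryption key in the same configuration tree as the ENC( ) values it protects, so anyone who can read the configuration files has both. The following added example (not part of the original post; the class and method names are hypothetical and the XML string is a constructed sample mirroring the beans above) flags Jasypt PBE beans whose key is written as a literal, using only the JDK's XML parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example, not from the original post. Class and method names are hypothetical.
public class EncryptorConfigAudit {

    // Returns one finding per Jasypt PBE encryptor/config bean whose key is a literal in the XML.
    static List<String> findHardcodedKeys(String springXml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Refuse DOCTYPE declarations so the audit itself cannot be used for XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(springXml.getBytes(StandardCharsets.UTF_8)));
        List<String> findings = new ArrayList<String>();
        NodeList beans = doc.getElementsByTagName("bean");
        for (int i = 0; i < beans.getLength(); i++) {
            Element bean = (Element) beans.item(i);
            if (!bean.getAttribute("class").startsWith("org.jasypt.encryption.pbe.")) continue;
            NodeList props = bean.getElementsByTagName("property");
            for (int j = 0; j < props.getLength(); j++) {
                Element p = (Element) props.item(j);
                if ("password".equals(p.getAttribute("name")) && p.hasAttribute("value")) {
                    findings.add("bean '" + bean.getAttribute("id")
                            + "': encryption password is a literal in the XML");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample mirroring the bean definitions on this page.
        String xml = "<beans>"
            + "<bean id='encryptorConfig' class='org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig'>"
            + "<property name='passwordEnvName' value='APP_ENCRYPTION_PASSWORD'/></bean>"
            + "<bean id='encryptor' class='org.jasypt.encryption.pbe.StandardPBEStringEncryptor'>"
            + "<property name='config' ref='encryptorConfig'/>"
            + "<property name='password' value='SAMPLE'/></bean>"
            + "</beans>";
        for (String finding : findHardcodedKeys(xml)) System.out.println(finding);
    }
}
```

The check assumes XSD-style Spring files; a file that starts with a DOCTYPE is rejected by the parser rather than audited.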

 

 

>> References
http://www.jasypt.org/spring3.html   
http://blog.teamextension.com/quick-jasypt-spring-3-tutorial-626   

 

 

 

 


[Method 2] Using Jasypt on Spring 3.x to encrypt the values stored in properties files


 

STEP1.  Download the Jasypt library.

STEP2.  Set up the DataSource configuration file.

The Jasypt + Spring 3.0 guide shows the following code being added.

An ordinary DataSource configuration contains only the propertyConfigurer and dataSource parts.

With Jasypt applied, two bean objects are added, and the class used by propertyConfigurer is replaced with the one Jasypt provides.

<bean id="environmentVariablesConfiguration"
      class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
     <property name="algorithm" value="PBEWithMD5AndDES" />
     <property name="passwordEnvName" value="APP_ENCRYPTION_PASSWORD" />
</bean>

<bean id="configurationEncryptor"
      class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
     <property name="config" ref="environmentVariablesConfiguration" />
     <property name="password" value="jasyptPass" />
</bean>

<bean id="propertyConfigurer"
      class="org.jasypt.spring3.properties.EncryptablePropertyPlaceholderConfigurer">
     <constructor-arg ref="configurationEncryptor" />
     <property name="locations">
            <list>
                <value>classpath:properties/jdbc.properties</value>
            </list>
     </property>
</bean>

<!-- DataSource Configuration -->
<bean id="dataSource" class="org.apache.commons.dbcp.BasicDataSource"
      destroy-method="close">
     <property name="driverClassName" value="${jdbc.driverClassName}"/>
     <property name="url" value="${jdbc.url}"/>
     <property name="username" value="${jdbc.username}"/>
     <property name="password" value="${jdbc.password}"/>
</bean>

 

 

STEP3.  Encrypting the jdbc.properties values

Encrypt each value with PBE and put the encrypted value into the properties file.

http://www.jasypt.org/api/jasypt/1.8/org/jasypt/encryption/pbe/StandardPBEStringEncryptor.html

Encrypting values with the StandardPBEStringEncryptor class

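import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

public class JdbcPropertyEncryptor {   // class name is illustrative

    public static void main(String[] args) {
        StandardPBEStringEncryptor pbeEnc = new StandardPBEStringEncryptor();
        pbeEnc.setPassword("jasyptPass");      // PBE password (the password set in the XML)

        // "url", "username" and "password" stand for the real values to encrypt
        String url = pbeEnc.encrypt("url");
        String username = pbeEnc.encrypt("username");
        String password = pbeEnc.encrypt("password");

        System.out.println(url);
        System.out.println(username);
        System.out.println(password);
    }
}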


Example jdbc.properties values

jdbc.driverClassName=com.mysql.jdbc.Driver
jdbc.url=ENC(bga9c867hgFkE4ALozTBqBWj2C5wPxH8kDa//7Pqlm8DpGbFK6Fod)
jdbc.username=ENC(6gaEuIet0A4zRztWpUkS5w==)
jdbc.password=ENC(XR7FHiFzSBhGT+uIYZJO6w==)
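
The STEP2 configuration declares passwordEnvName but also supplies the key as a literal password value. As an added example (not code from the original post or from the Jasypt project; the class name and the sample plaintext are constructed), the following builds the same PBEWithMD5AndDES encryptor keyed only from the APP_ENCRYPTION_PASSWORD environment variable, refuses to run when the variable is missing, and produces an ENC( ) value for jdbc.properties.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig;
import org.jasypt.properties.PropertyValueEncryptionUtils;

// Added example, not from the original post. The class name is hypothetical.
public class EnvKeyedPropertyEncryptor {

    // Builds the encryptor from STEP2, but with the key taken only from the environment.
    static StandardPBEStringEncryptor fromEnvironment(String envName) {
        if (System.getenv(envName) == null) {
            throw new IllegalStateException(envName + " is not set; refusing to continue");
        }
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setAlgorithm("PBEWithMD5AndDES");   // same algorithm as the XML on this page
        config.setPasswordEnvName(envName);        // key is read from the environment variable
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);               // no setPassword(): nothing hardcoded
        return encryptor;
    }

    public static void main(String[] args) {
        StandardPBEStringEncryptor enc = fromEnvironment("APP_ENCRYPTION_PASSWORD");

        String plain = "constructed-sample-password";   // constructed sample value
        // PropertyValueEncryptionUtils adds and strips the ENC( ) wrapper.
        String first = PropertyValueEncryptionUtils.encrypt(plain, enc);
        String second = PropertyValueEncryptionUtils.encrypt(plain, enc);

        System.out.println("jdbc.password=" + first);
        // A random salt is used per call, so equal plaintexts give different ENC( ) strings.
        System.out.println("identical ciphertexts: " + first.equals(second));
        System.out.println("recognised as ENC( ):  "
                + PropertyValueEncryptionUtils.isEncryptedValue(first));
        System.out.println("round trip matches:    "
                + plain.equals(PropertyValueEncryptionUtils.decrypt(second, enc)));
    }
}
```

To use the same key at runtime, remove the literal password property from the configurationEncryptor bean so that only passwordEnvName supplies it.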