Druid database connection pool: password encryption (from the official site)

Using ConfigFilter

ConfigFilter provides the following functions:

  • Read the configuration from a configuration file
  • Read the configuration from a remote HTTP file
  • Encrypt database passwords

1 ConfigFilter Configuration

1.1 Read the configuration file from the local file system

 <bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource"
     init-method="init" destroy-method="close">
     <property name="filters" value="config" />
     <property name="connectionProperties" value="config.file=file:///home/admin/druid-pool.properties" />
 </bean>

1.2 Read the configuration file from a remote HTTP server

 <bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource"
     init-method="init" destroy-method="close">
     <property name="filters" value="config" />
     <property name="connectionProperties" value="config.file=http://127.0.0.1/druid-pool.properties" />
 </bean>

This configuration lets multiple instances in an application cluster read their configuration from the same place, so the configuration can be managed, modified and deployed centrally.

1.3 Use ConfigFilter through JVM startup parameters

DruidDataSource supports configuring filters through a JVM startup parameter, so you can run:

java -Ddruid.filters=config ....

2 Database password encryption

Writing the database password directly in the configuration is a serious challenge for operations and maintenance security. Druid provides a way to encrypt the database password through ConfigFilter.

2.1 Execute the command to encrypt the database password

Execute the following command from the command line:

java -cp druid-1.1.10.jar com.alibaba.druid.filter.config.ConfigTools you_password

Output:

privateKey:MIIBVgIBADANBgkqhkiG9w0BAQEFAASCAUAwggE8AgEAAkEA6+4avFnQKP+O7bu5YnxWoOZjv3no4aFV558HTPDoXs6EGD0HP7RzzhGPOKmpLQ1BbA5viSht+aDdaxXp6SvtMQIDAQABAkAeQt4fBo4SlCTrDUcMANLDtIlax/I87oqsONOg5M2JS0jNSbZuAXDv7/YEGEtMKuIESBZh7pvVG8FV531/fyOZAiEA+POkE+QwVbUfGyeugR6IGvnt4yeOwkC3bUoATScsN98CIQDynBXC8YngDNwZ62QPX+ONpqCel6g8NO9VKC+ETaS87wIhAKRouxZL38PqfqV/WlZ5ZGd0YS9gA360IK8zbOmHEkO/AiEAsES3iuvzQNYXFL3x9Tm2GzT1fkSx9wx+12BbJcVD7AECIQCD3Tv9S+AgRhQoNcuaSDNluVrL/B/wOmJRLqaOVJLQGg==
publicKey:MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOvuGrxZ0Cj/ju27uWJ8VqDmY7956OGhVeefB0zw6F7OhBg9Bz+0c84RjzipqS0NQWwOb4kobfmg3WsV6ekr7TECAwEAAQ==
password:PNak4Yui0+2Ft6JSoKBsgNPl+A033rdLhFw+L0np1o+HDRrCo9VkCuiiXviEMYwUgpHZUFxb2FpE0YmSguuRww==

Enter your database password as the argument; the command outputs the encrypted result.

2.2 Configure the data source so that DruidDataSource decrypts the database password

<bean id="dataSource" class="com.alibaba.druid.pool.DruidDataSource"
     init-method="init" destroy-method="close">
     <property name="url" value="jdbc:derby:memory:spring-test;create=true" />
     <property name="username" value="sa" />
     <property name="password" value="${password}" />
     <property name="filters" value="config" />
     <property name="connectionProperties" value="config.decrypt=true;config.decrypt.key=${publickey}" />
</bean>

2.3 Configuration parameters that enable ConfigFilter to decrypt passwords

There are three ways to configure this:

  1. You can specify config.decrypt=true in the configuration file my.properties
  2. You can also specify config.decrypt=true in the connectionProperties of DruidDataSource
  3. You can also specify -Ddruid.config.decrypt=true in the JVM startup parameters
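
As an added example (not from the original article or the Druid project), the following Python check reads Spring bean definitions like the ones in sections 1 and 2 and flags three things worth reviewing: a literal password with decryption off, an encrypted password stored beside the config.decrypt.key that decrypts it, and a config.file fetched over plain http://. The sample XML, bean ids, values and finding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; bean ids, passwords and keys are made up for illustration.
SAMPLE = """<beans>
 <bean id="plain" class="com.alibaba.druid.pool.DruidDataSource">
  <property name="password" value="constructed-secret" />
 </bean>
 <bean id="remote" class="com.alibaba.druid.pool.DruidDataSource">
  <property name="filters" value="config" />
  <property name="connectionProperties" value="config.file=http://127.0.0.1/druid-pool.properties" />
 </bean>
 <bean id="inline" class="com.alibaba.druid.pool.DruidDataSource">
  <property name="password" value="Q09OU1RSVUNURUQ=" />
  <property name="filters" value="stat,config" />
  <property name="connectionProperties" value="config.decrypt=true;config.decrypt.key=S0VZ==" />
 </bean>
 <bean id="ok" class="com.alibaba.druid.pool.DruidDataSource">
  <property name="password" value="${password}" />
  <property name="filters" value="config" />
  <property name="connectionProperties" value="config.decrypt=true;config.decrypt.key=${publickey}" />
 </bean>
</beans>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present
def literal(value):
    return bool(value) and not (value.startswith("${") and value.endswith("}"))

def audit_bean(bean):
    attrs = {p.get("name"): p.get("value", "") for p in bean if local(p.tag) == "property"}
    # connectionProperties is a ';'-separated list of key=value pairs
    pairs = (kv.partition("=") for kv in attrs.get("connectionProperties", "").split(";"))
    conn = {k.strip(): v.strip() for k, _, v in pairs if k.strip()}
    filters = [f.strip() for f in attrs.get("filters", "").split(",")]
    decrypt = "config" in filters and conn.get("config.decrypt", "").lower() == "true"
    password = attrs.get("password", "")
    findings = []
    if literal(password) and not decrypt:
        findings.append("PLAINTEXT_PASSWORD")  # verify: decrypt may be enabled elsewhere (2.3)
    if decrypt and literal(password) and literal(conn.get("config.decrypt.key", "")):
        findings.append("KEY_BESIDE_CIPHERTEXT")  # one file holds ciphertext and its key
    if conn.get("config.file", "").lower().startswith("http://"):
        findings.append("CONFIG_OVER_HTTP")  # settings fetched without TLS
    return findings

def audit(xml_text):
    root = ET.fromstring(xml_text)
    return {b.get("id"): audit_bean(b) for b in root.iter()
            if local(b.tag) == "bean" and b.get("class") == "com.alibaba.druid.pool.DruidDataSource"}
```

Because decryption can also be switched on in the properties file or by a JVM parameter (section 2.3), treat PLAINTEXT_PASSWORD as a prompt to verify those places rather than a definite result.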

 

Tags: Druid Database jvm Java

Posted on Sun, 06 Oct 2019 15:21:14 -0700 by dtyson2000