add jasypt for encryption

use jasypt for encryption db password and improve security.

Author: PouyaPouryaie

dockerfile Dockerfiledockerfile renamed to Dockerfile

@@ -4,4 +4,7 @@ MAINTAINER pouya
 EXPOSE 9090
 ADD target/springboot-real-*.jar /springboot-real.jar
 ENTRYPOINT ["java","-jar", "/springboot-real.jar"]
-#ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar", "/springboot-real-1.0.0.jar"]
+# add jasypt secret-key in jar file:
+#ENTRYPOINT ["java", "-jar", "/springboot-real.jar", "--jasypt.encryptor.password=secret-key"]
+
+#ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar", "/springboot-real-1.0.0.jar", "--spring.config.location=file:application.properties"]

README.md

@@ -27,7 +27,9 @@ This project, implement instance of basic feature, <br> you maybe want use for A
 - decoupling layer
     - controller, service and repository layer for easy extend
 - flexible search
-    - use CriteriaQuery and CriteriaBuilder for search base on Entity 
+    - use CriteriaQuery and CriteriaBuilder for search base on Entity
+- jasypt
+    - use for encrypt password and added to config file, then decrypted pass in runtime
 
 ## Run guide
 ### Run for develop and debug: <br>
@@ -84,3 +86,26 @@ This project, implement instance of basic feature, <br> you maybe want use for A
 ### dataSource feature
 1 - choose between use simpleDataSource or HikariCp datasource <br>
 2 - you can customize properties for dataSource in application.properties
+
+### database password generator
+if you want to use encrypt password in config file for access database, you must follow below statement. <br>
+
+1 - use jasypt for generate encrypted database password with secret-key
+~~~
+java -cp jasypt-1.9.3.jar org.jasypt.intf.cli.JasyptPBEStringEncryptionCLI input={password} password={secret-key} algorithm=PBEWithMD5AndTripleDES
+~~~
+2 - add output into application.properties <br>
+note: I use '<b>ENC()<b>' as convention to use check password for decrypt or not. <br>
+
+normal datasource:
+~~~
+demo.datasource.password="ENC({output})"
+~~~
+hikari datasource:
+~~~
+hikari.dataSource.password="ENC({output})"
+~~~
+3 - run program and add in program environment secret-key:
+~~~
+--jasypt.encryptor.password={secret-key}
+~~~

docker-compose.yml

@@ -2,11 +2,19 @@ version: '3.9'
 
 services:
   app:
+    # "`-._,-'"`-._,-'"`-._,-'"`-._,-'"`-._,-'"`-._,-'"`-._,-'"`-._,-'"`-._,-
+    # An important note about accessing database encryption:
+    # -----------------------------------------------------------------------
+    #  JASYPT_ENCRYPTOR_PASSWORD: secret-key added to environment to use this function
+    # "`-._,-'"`-._,-'"`-._,-'"`-._,-'"`-._,-'"`-._,-'"`-._,-'"`-._,-'"`-._,-
+    #
     container_name: springapp-with-db
     image: springapp:latest
     build: ./
     ports:
       - "9090:9090"
+    environment:
+#      - JASYPT_ENCRYPTOR_PASSWORD: secret-key
     depends_on:
       - dbpostgresql
   dbpostgresql:

pom.xml

@@ -194,6 +194,13 @@
 			<version>4.0.3</version>
 		</dependency>
 
+		<!--	jasypt-Encryption	-->
+		<dependency>
+			<groupId>com.github.ulisesbocchio</groupId>
+			<artifactId>jasypt-spring-boot-starter</artifactId>
+			<version>3.0.4</version>
+		</dependency>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>

src/main/java/ir/bigz/springbootreal/configuration/HikariDataSourceInit.java

@@ -2,7 +2,9 @@
 
 import com.zaxxer.hikari.HikariConfig;
 import com.zaxxer.hikari.HikariDataSource;
+import org.jasypt.util.text.StrongTextEncryptor;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.jdbc.DataSourceBuilder;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -14,8 +16,13 @@
 /**
  * {@link HikariDataSourceInit} use for build connection-pool base on HikariCp with customize properties,
  * and then added to {@link DataSourceConfiguration} class as datasource for use in app.
- * also if you want use for production un comment line 30 and comment line 31 and 32
- * and if you want test with testContainer uncomment line 31 and 32 and comment line 30
+ * also if you want use for production uncomment line 32 and comment line 33 and 34
+ * and if you want test with testContainer uncomment line 33 and 34 and comment line 32
+ *
+ * DataBase password encryption with JASYPT:
+ * first of all use jasypt to encrypted db-password and added into application.properties file,
+ * then uncomment line 34 (encryptorPassword)
+ * at the end add --jasypt.encryptor.password={secret-key} in program environment
  */
 
 //todo i must be find better solution for use hikariDataSource between production and test with testContainer
@@ -26,6 +33,9 @@ public class HikariDataSourceInit{
     @Autowired
     private Environment env;
 
+    @Value("${jasypt.encryptor.password}")
+    String encryptorPassword;
+
     @Bean(name = "HikariDataSourceInit")
     public DataSource dataSource(){
        HikariConfig hikariConfig = new HikariConfig(hikariProperties()); // use for production
@@ -40,21 +50,42 @@ public DataSource dataSource(){
     }
 
     protected DataSource InitDataSource(){
+        String passwordProperty = env.getProperty("demo.datasource.password");
+        String plainPassword = "";
+        if(passwordProperty.contains("ENC(")){
+            plainPassword = decryptPassword(passwordProperty);
+        }else{
+            plainPassword = passwordProperty;
+        }
         return DataSourceBuilder.create()
                 .driverClassName(env.getProperty("demo.datasource.driver-class-name"))
                 .url(env.getProperty("demo.datasource.url"))
                 .username(env.getProperty("demo.datasource.username"))
-                .password(env.getProperty("demo.datasource.password"))
+                .password(plainPassword)
                 .build();
     }
 
     protected Properties hikariProperties(){
+        String passwordProperty = env.getProperty("hikari.dataSource.password");
+        String plainPassword = "";
+        if(passwordProperty.contains("ENC(")){
+            plainPassword = decryptPassword(passwordProperty);
+        }else{
+            plainPassword = passwordProperty;
+        }
         Properties hikariProps = new Properties();
         hikariProps.setProperty("dataSourceClassName", env.getProperty("hikari.dataSourceClassName"));
         hikariProps.setProperty("dataSource.user", env.getProperty("hikari.dataSource.user"));
-        hikariProps.setProperty("dataSource.password", env.getProperty("hikari.dataSource.password"));
+        hikariProps.setProperty("dataSource.password", plainPassword);
         hikariProps.setProperty("dataSource.databaseName", env.getProperty("hikari.dataSource.databaseName"));
         return hikariProps;
     }
 
+    @Bean
+    protected String decryptPassword(String value) {
+        var textEncryptor = new StrongTextEncryptor();
+        textEncryptor.setPassword(encryptorPassword);
+        return textEncryptor.decrypt(value.substring(4, value.length() - 1));
+    }
+
 }

src/main/resources/application-dev.properties

@@ -5,7 +5,7 @@ server.port=9090
 demo.datasource.driver-class-name=org.postgresql.Driver
 demo.datasource.url=jdbc:postgresql://localhost:5432/myapp
 demo.datasource.username=postgres
-demo.datasource.password=postgres
+demo.datasource.password="ENC(vlB3w8KRSweC2PdYoVHpjYW+GQxeTSCv)"
 
 ################### Hibernate Configuration ##########################
 demo.jpa.hibernate.ddl-auto=update
@@ -18,7 +18,7 @@ spring.cache.jcache.config=classpath:ehcache.xml
 ################### Hikari DataSource Configuration ##########################
 hikari.dataSourceClassName=org.postgresql.ds.PGSimpleDataSource
 hikari.dataSource.user=postgres
-hikari.dataSource.password=postgres
+hikari.dataSource.password="ENC(vlB3w8KRSweC2PdYoVHpjYW+GQxeTSCv)"
 hikari.dataSource.databaseName=myapp
 hikari.dataSource.portNumber=5432
 hikari.dataSource.serverName=localhost

src/main/resources/application-docker.properties

@@ -12,7 +12,7 @@ demo.datasource.password=postgres
 ################### Hibernate Configuration ##########################
 
 demo.jpa.hibernate.ddl-auto=create-drop
-demo.jpa.show-sql=true
+demo.jpa.show-sql=false
 
 ################### cache Configuration ##########################
 

src/main/resources/application.properties.sample

@@ -0,0 +1,40 @@
+################### Server Configuration ##########################
+server.port=9090
+
+################### Simple DataSource Configuration ##########################
+demo.datasource.driver-class-name=org.postgresql.Driver
+demo.datasource.url=jdbc:postgresql://localhost:5432/myapp
+demo.datasource.username=postgres
+demo.datasource.password=postgres
+
+################### Hibernate Configuration ##########################
+demo.jpa.hibernate.ddl-auto=update
+demo.jpa.show-sql=true
+demo.enity.packageScan=ir.bigz.springbootreal.dto
+
+################### cache Configuration ##########################
+spring.cache.jcache.config=classpath:ehcache.xml
+
+################### Hikari DataSource Configuration ##########################
+hikari.dataSourceClassName=org.postgresql.ds.PGSimpleDataSource
+hikari.dataSource.user=postgres
+# when connecting to database and using encrypted password in config
+# hikari.dataSource.password="ENC(vlB3w8KRSweC2PdYoVHpjYW+GQxeTSCv)"
+# else use below properties
+# hikari.dataSource.password=postgres
+hikari.dataSource.databaseName=myapp
+hikari.dataSource.portNumber=5432
+hikari.dataSource.serverName=localhost
+hikari.connectionTimeout=30000
+hikari.idleTimeout=600000
+hikari.maxLifetime=1800000
+
+################### condition Configuration ##########################
+app.generator.enabled=false
+
+################### Application MetaData ##########################
+[email protected]@
+[email protected]@
+springdoc.swagger-ui.path=/swagger-ui.html
+springdoc.api-docs.path=/api-docs
+springdoc.use-fqn=true