springcloud-config配置中心的安全配置

1.配置中心提供HTTP rest 服务

/{application}/{profile}[/{label}]   /{application}-{profile}.yml   /{label}/{application}-{profile}.yml   /{application}-{profile}.properties   /{label}/{application}-{profile}.properties   {application} maps to "spring.application.name" on the client side;   {profile} maps to "spring.profiles.active" on the client (comma separated list); and{label} which is a server side feature labelling a "versioned" set of config files.

客户端配置举例：
bootstrap.yml 优先于application.yml加载；

spring:  application:    name: foo  profiles:    active: dev,mysql

2. spring-cloud-config 使用GIT服务时，为GIT服务添加用户名密码

application.yml配置文件中添加

spring:  cloud:    config:      server:        git:          uri: https://github.com/spring-cloud-samples/config-repo          username: trolley          password: strongpassword

3.spring-cloud-config 的REST 要求进行用户名密码鉴权

• 服务端

application.yml配置文件中添加

security.user.password: mysecret

pom.xml 中添加

                <dependency>            <groupId>org.springframework.boot</groupId>            <artifactId>spring-boot-starter-security</artifactId>        </dependency> 

• 客户端
  bootstrap.yml

spring:  cloud:    config:     uri: https://user:mysecret@myconfig.mycompany.com   

4.spring-cloud-config 中的配置信息以密文存储方式存储在GIT中

有对称加密和非对称加密两种方式，本文主要讲对称加密的配置
1. application.yml在配置文件中添加encrypt.key参数，生产环境可以放到JVM启动参数中或者系统变量里
To configure a symmetric key you just need to set encrypt.key to a secret String (or use an enviroment variable ENCRYPT_KEY to keep it out of plain text configuration files).

如：application.yml

encrypt.key: foo

to use the encryption and decryption features you need the full-strength JCE installed in your JVM (it’s not there by default).

http://projects.spring.io/spring-cloud/spring-cloud.html#_encryption_and_decryption

2.使用 /encrypt rest服务进行加密 （REST工具 https://www.getpostman.com/）

$ curl localhost:8888/encrypt -d mysecret682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda

3.git中的配置文件的配置项可以使用{cipher}开头，表示客户端调用时，配置服务会使用encrypt.key进行解密操作，使客户端得到最终信息

spring.datasource.password: {cipher}682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bda

以上步骤解决了GIT仓库配置信息明文存储的问题.

4.当配置服务的客户端访问URL时，可以得到解密后的信息，

$curl localhost:8888/decrypt -d 682bc583f4641835fa2db009355293665d2647dade3375c0ee201de2a49f7bdamysecret

参考资料

http://cloud.spring.io/spring-cloud-config/spring-cloud-config.html

https://github.com/spring-cloud-samples/configserver

http://blog.didispace.com/springcloud4/

http://www.tuicool.com/articles/eeyQFrz