我们正在向Jgroups引入SASL安全性,但我们不想直接在jgroups配置 xml 中公开密码。保护密码的最佳方法是什么client_password="password123">?
<TCP bind_addr="172.25.90.xxx" bind_port="7750"
enable_diagnostics="false" thread_naming_pattern="pl"
send_buf_size="640k" sock_conn_timeout="300"
bundler_type="sender-sends-with-timer"
oob_thread_pool.queue_enabled="false" />
<MPING bind_addr="172.25.90.xxx"
mcast_addr="${jgroups.mping.mcast_addr:228.2.4.6}"
mcast_port="${jgroups.mping.mcast_port:43366}"
ip_ttl="${jgroups.udp.ip_ttl:2}" />
<MERGE3 min_interval="10000" max_interval="30000" />
<FD_SOCK />
<FD_ALL timeout="60000" interval="15000"
timeout_check_interval="5000" />
<VERIFY_SUSPECT timeout="5000" />
<pbcast.NAKACK2 use_mcast_xmit="false"
max_msg_batch_size="100" resend_last_seqno="true" />
<UNICAST3 xmit_interval="500" xmit_table_num_rows="50"
max_msg_batch_size="100" conn_expiry_timeout="0" />
<pbcast.STABLE stability_delay="500"
desired_avg_gossip="5000" max_bytes="1M" />
<SASL mech="DIGEST-MD5" client_name="SANADMA"
client_password="password123" server_callback_handler_class="org.jgroups.auth.sasl.SimpleAuthorizingCallbackHandler"client_callback_handler_class="org.jgroups.auth.sasl.SimpleAuthorizingCallbackHandler"sasl_props="com.sun.security.sasl.digest.realm=test_realm" /><pbcast.GMS print_local_addr="false" join_timeout="${jgroups.join_timeout:5000}" /><MFC max_credits="2m" min_threshold="0.40" /><FRAG2 /></config>
将配置更改为指向属性:
<SASL client_password="${jgroups.sasl.password}" .../>
然后,在运行 JGroups 时,使用-Djgroups.sasl.password=password123在命令行中设置属性的值。 如果计算机中有带有密码的环境变量,则还可以使用-Djgroups.sasl.password=${MY_SECRET}。