How to Securely Encrypt Nacos Config Passwords in Spring Cloud Applications
Learn how to replace plain‑text passwords in Spring Cloud’s Nacos configuration with encrypted values by extending NacosConfigProperties, overriding its initialization, and registering a custom bootstrap auto‑configuration, ensuring your application complies with corporate security policies.
Background
Company policy forbids plain‑text passwords in configuration files. The project uses Nacos as a configuration center via the spring-cloud-starter-alibaba-nacos-config package. A basic bootstrap.yaml might look like:
<code>spring:
  cloud:
    nacos:
      config:
        server-addr: <host>:<port>
        prefix: application
        group: shared
        namespace: xxx
        file-extension: yaml
        username: user
        password: plain_text_password
        ......
</code>
How can the spring.cloud.nacos.config.password value be replaced with a password encrypted by the company’s internal algorithm?
Research
Inspecting the spring-cloud-starter-alibaba-nacos-config JAR reveals a META-INF/spring.factories entry:
<code>org.springframework.cloud.bootstrap.BootstrapConfiguration=\
  com.alibaba.cloud.nacos.NacosConfigBootstrapConfiguration
......
</code>
This registers NacosConfigBootstrapConfiguration for automatic configuration during Spring Cloud’s bootstrap phase. Inside that class, configuration is obtained via NacosConfigProperties:
<code>@Configuration(proxyBeanMethods = false)
@ConditionalOnProperty(name = "spring.cloud.nacos.config.enabled", matchIfMissing = true)
public class NacosConfigBootstrapConfiguration {

    @Bean
    @ConditionalOnMissingBean
    public NacosConfigProperties nacosConfigProperties() {
        return new NacosConfigProperties();
    }
    ......
}
</code>
The NacosConfigProperties class reads properties from the environment, with a @PostConstruct method init that calls overrideFromEnv to populate fields such as serverAddr, username, and password. Because the bean is created with @ConditionalOnMissingBean, we can replace it with a custom implementation.
Implementation
We create a subclass that overrides init and applies the decryption logic after the original initialization:
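<code>import com.alibaba.cloud.nacos.NacosConfigProperties;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.util.StringUtils;

// javax.annotation on Spring Boot 2.x; use jakarta.annotation.PostConstruct on Spring Boot 3.x
import javax.annotation.PostConstruct;

@ConfigurationProperties(NacosConfigProperties.PREFIX)
public class CustomNacosConfigProperties extends NacosConfigProperties {

    @Override
    @PostConstruct
    public void init() {
        // Let the parent populate serverAddr, username, password, ... from the environment first
        super.init();
        if (!StringUtils.isEmpty(this.getPassword())) {
            // Call your password decryption logic (yourDecryptAlgorithm is a placeholder you must supply)
            this.setPassword(yourDecryptAlgorithm(this.getPassword()));
        }
    }
}
</code>
Next, we register this custom bean with highest precedence so it replaces the default: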
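<code>import com.alibaba.cloud.nacos.NacosConfigProperties;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;

@Configuration
@ConditionalOnProperty(name = "spring.cloud.nacos.config.enabled", matchIfMissing = true)
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CustomNacosBootstrapAutoConfig {

    // Registered before the default bean, so the default's @ConditionalOnMissingBean backs off
    @Bean
    @ConditionalOnMissingBean
    public NacosConfigProperties nacosConfigProperties() {
        return new CustomNacosConfigProperties();
    }
}
</code>
Finally, we add our auto‑configuration to resources/META-INF/spring.factories so Spring Cloud picks it up during bootstrap: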
<code>org.springframework.cloud.bootstrap.BootstrapConfiguration=\
  your.package.CustomNacosBootstrapAutoConfig
</code>
With this setup, the spring.cloud.nacos.config.password entry in bootstrap.yaml can contain the encrypted password, and the custom bean will automatically decrypt it at startup, satisfying the company’s security requirements.
Java Captain
Focused on Java technologies: SSM, the Spring ecosystem, microservices, MySQL, MyCat, clustering, distributed systems, middleware, Linux, networking, multithreading; occasionally covers DevOps tools like Jenkins, Nexus, Docker, ELK; shares practical tech insights and is dedicated to full‑stack Java development.