How to Securely Encrypt Nacos Config Passwords in Spring Cloud Applications
Learn how to replace plain‑text passwords in Spring Cloud’s Nacos configuration with encrypted values by extending NacosConfigProperties, overriding its initialization, and registering a custom bootstrap auto‑configuration, ensuring your application complies with corporate security policies.
Background
The company policy forbids plain‑text passwords in configuration files. The project uses Nacos as a configuration center via the spring-cloud-starter-alibaba-nacos-config package. A basic bootstrap.yaml might look like:
spring:
  cloud:
    nacos:
      config:
        server-addr: <host>:<port>
        prefix: application
        group: shared
        namespace: xxx
        file-extension: yaml
        username: user
        password: plain_text_password
......
How can the spring.cloud.nacos.config.password be replaced with a password encrypted by the company’s internal algorithm?
Research
Inspecting the spring-cloud-starter-alibaba-nacos-config JAR reveals a META-INF/spring.factories entry:
org.springframework.cloud.bootstrap.BootstrapConfiguration=\
com.alibaba.cloud.nacos.NacosConfigBootstrapConfiguration
......
This registers NacosConfigBootstrapConfiguration for automatic configuration during Spring Cloud’s bootstrap phase. Inside that class, configuration is obtained via NacosConfigProperties:
@Configuration(proxyBeanMethods = false)
@ConditionalOnProperty(name = "spring.cloud.nacos.config.enabled", matchIfMissing = true)
public class NacosConfigBootstrapConfiguration {
    @Bean
    @ConditionalOnMissingBean
    public NacosConfigProperties nacosConfigProperties() {
        return new NacosConfigProperties();
    }
    ......
}
The NacosConfigProperties class reads properties from the environment, with a @PostConstruct method init that calls overrideFromEnv to populate fields such as serverAddr, username, and password. Because the bean is created with @ConditionalOnMissingBean, we can replace it with a custom implementation.
Implementation
We create a subclass that overrides init and applies the decryption logic after the original initialization:
@ConfigurationProperties(NacosConfigProperties.PREFIX)
public class CustomNacosConfigProperties extends NacosConfigProperties {
    @Override
    @PostConstruct
    public void init() {
        super.init();
        if (!StringUtils.isEmpty(this.getPassword())) {
            // Call your password decryption logic
            this.setPassword(yourDecryptAlgorithm(this.getPassword()));
        }
    }
}
Next, we register this custom bean with highest precedence so it replaces the default:
@Configuration
@ConditionalOnProperty(name = "spring.cloud.nacos.config.enabled", matchIfMissing = true)
@Order(Ordered.HIGHEST_PRECEDENCE)
public class CustomNacosBootstrapAutoConfig {
    @Bean
    @ConditionalOnMissingBean
    public NacosConfigProperties nacosConfigProperties() {
        return new CustomNacosConfigProperties();
    }
}
Finally, we add our auto‑configuration to resources/META-INF/spring.factories so Spring Cloud picks it up during bootstrap:
org.springframework.cloud.bootstrap.BootstrapConfiguration=\
your.package.CustomNacosBootstrapAutoConfig
With this setup, the spring.cloud.nacos.config.password entry in bootstrap.yaml can contain the encrypted password, and the custom bean will automatically decrypt it at startup, satisfying the company’s security requirements.
Java Captain
