Sunday, May 15, 2016

Encrypting Properties File Values with Jasypt


What's the fuss all about?

Property files are text resources in your standard web application that contain key-value information. There may come a time when some of that information should not be stored in plain sight. This article demonstrates how to encrypt properties file values using the Jasypt encryption module. Jasypt is freely available and comes with Spring Framework integration.

Prerequisites

Library Versions:
  • Spring 3.1+
  • Jasypt 1.9.0+

A standard Java web-based application may consist of numerous properties files. Examples of those files would be:
  • application.properties
  • jdbc.properties
  • mail.properties
  • amazon.properties

For example, a file like mail.properties contains the key-value pairs the application reads to configure itself at different stages of the running application.


Plain Text Values In Properties Files

The code snippet below is a typical example of a property configuration for an SMTP service. Note that the username and password entries are provided in clear text.

Code Snippet 1. Property file values
local.mail.smtps.host=smtp.gmail.com
local.mail.smtps.port=465
local.mail.smtps.debug=true
local.mail.smtps.username=morpheus@gmail.com
local.mail.smtps.password=Take the blue pill

As you can see, sensitive information like the username and password is stored in plain text. To make it even worse, we check this in to a source repository like GitHub. Wouldn't it be nice if we could encrypt the username and password values?

Encrypted Values in Properties File


With Jasypt you can enter encrypted values by enclosing them in ENC(value). The values are decrypted in memory (i.e. at load time) by a Jasypt-based extension of Spring Framework's org.springframework.context.support.PropertySourcesPlaceholderConfigurer.

Code Snippet 2. Jasypt TextEncryptor solution for encrypting property file values.
mail.smtps.username=ENC(iXm7KjIoubkQVmbJdTJxGJPPIHkZ6H9fq7ZJsfsGpIk=)
mail.smtps.password=ENC(zcV8BmkkZchyHzEmNyM70seLHUFwFz4va8w5wpvYXYE=)

mail.smtps.host=smtp.gmail.com
mail.smtps.port=465
mail.smtps.debug=true

Source: mail.properties

Encrypting the property value using Jasypt


Standard Property Placeholder Configuration


The following configuration is Spring Framework's standard property placeholder configuration.

Code Snippet 3. Standard Property Placeholder Configuration
<context:property-placeholder location="classpath*:*.properties"/>

Jasypt Text Encryptor Configuration


The code snippet below configures Jasypt's BasicTextEncryptor and replaces the standard Spring property placeholder configurer with Jasypt's encryptable one.

Code Snippet 4. Jasypt TextEncryptor Configuration
<bean id="textEncryptor" class="org.jasypt.util.text.BasicTextEncryptor"
  p:password="go-big-or-go-home"/>

<bean id="propertyPlaceholder" class="org.jasypt.spring31.properties.EncryptablePropertySourcesPlaceholderConfigurer"
        p:locations="classpath*:*.properties"
        c:textEncryptor-ref="textEncryptor"/>

You may want to vary your configuration for each environment. For instance, dev would use just the default Spring PropertySourcesPlaceholderConfigurer, while stage and prod would use Jasypt's EncryptablePropertySourcesPlaceholderConfigurer. One would use Spring Framework's profile feature (or an equivalent) to vary the configuration between deployments, but that discussion is beyond the scope of this post.

Code Snippet 5. Mail Sender Bean Configuration
<bean id="mailSender" class="org.springframework.mail.javamail.JavaMailSenderImpl"
  p:protocol="smtps"
  p:host="${mail.smtps.host}"
  p:port="${mail.smtps.port}"
  p:username="${mail.smtps.username}"
  p:password="${mail.smtps.password}"/>


Code Snippet 6. Spring Annotation-based Configuration
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Controller;

@Controller
public class MailController {

    // The placeholders resolve to the decrypted values once the encryptable configurer has loaded them.
    @Value("${mail.smtps.username}")
    private String email;

    @Value("${mail.smtps.password}")
    private String password;

}

Source: app-ctx.xml

Generating Salted Encrypted Values


I created an example of how to produce an encrypted value using a JUnit test class.
The JUnit test in the code snippet below generates the encrypted value.
Update the secret password as needed, but make sure not to check in the real one.

Note that each time you run the test it will produce a different encrypted text value because the encryption is salted. See TextEncryptorTest.java.

Code Snippet 7. Unit example for generating an encrypted value
package com.lagnada.xmx1024.integration;

import org.jasypt.util.text.BasicTextEncryptor;
import org.junit.Before;
import org.junit.Test;

import static org.fest.assertions.Assertions.assertThat;

/**
 * Test Utility for generating encrypted passwords for {@link org.jasypt.spring31.properties.EncryptablePropertySourcesPlaceholderConfigurer}
 */
public class TextEncryptorTest
{

    BasicTextEncryptor encryptor;

    @Before
    public void setUp() throws Exception
    {
        encryptor = new BasicTextEncryptor();
        encryptor.setPassword("go-big-or-go-home");
    }

    @Test
    public void generateEncryptedText()
    {
        String plainText = "Take the blue pill";
        String encrypted = encryptor.encrypt(plainText);
        System.out.printf("encrypted: %s%n", encrypted);
        assertThat(encrypted).isNotNull();
        assertThat(encrypted).isNotEqualTo(plainText);
    }
}

After running the JUnit test in Code Snippet 7, take the encrypted text value and enclose it in ENC() in any of your sourced properties files.

Code Snippet 8. Encrypted property value example
mail.smtps.password=ENC(eVrfrMcWl9J7fiC+9q4w8bNR+MSeTT5yfh1JL0/mUtk=)
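As an added example (not part of the original post or the xmx1024 project), the following class ties the steps above together: it reads the master password from an environment variable named JASYPT_PASSWORD (an assumed name, chosen so the password does not sit in the checked-in app-ctx.xml), encrypts values, decrypts the ENC(...) entries of a constructed mail.properties the way the placeholder configurer does, and shows that a wrong master password is rejected.

```java
// Added example, not code from the original post: decrypts ENC(...) values from a
// properties file the way the Jasypt placeholder configurer does, with the master
// password taken from an environment variable (JASYPT_PASSWORD is an assumed name).
import java.io.StringReader;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.util.text.BasicTextEncryptor;

public class EncryptedPropertiesDemo {
    // The ENC(...) marker that EncryptablePropertySourcesPlaceholderConfigurer recognises.
    private static final Pattern ENC = Pattern.compile("^ENC\\((.+)\\)$");
    /** Returns a copy of props with every ENC(...) value decrypted; plain values pass through. */
    static Properties decryptAll(Properties props, BasicTextEncryptor encryptor) {
        Properties out = new Properties();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key);
            Matcher m = ENC.matcher(value.trim());
            out.setProperty(key, m.matches() ? encryptor.decrypt(m.group(1)) : value);
        }
        return out;
    }
    public static void main(String[] args) throws Exception {
        String masterPassword = System.getenv("JASYPT_PASSWORD");   // never hardcode it in app-ctx.xml
        if (masterPassword == null) throw new IllegalStateException("JASYPT_PASSWORD is not set");
        BasicTextEncryptor encryptor = new BasicTextEncryptor();
        encryptor.setPassword(masterPassword);
        // Salted PBE: two encryptions of the same text differ, yet both decrypt to the same value.
        String c1 = encryptor.encrypt("Take the blue pill");
        String c2 = encryptor.encrypt("Take the blue pill");
        System.out.println("ciphertexts differ: " + !c1.equals(c2));
        // Constructed properties content mirroring mail.properties from the post.
        String text = "mail.smtps.host=smtp.gmail.com\n"
                + "mail.smtps.username=ENC(" + encryptor.encrypt("morpheus@gmail.com") + ")\n"
                + "mail.smtps.password=ENC(" + c1 + ")\n";
        Properties raw = new Properties();
        raw.load(new StringReader(text));
        Properties clear = decryptAll(raw, encryptor);
        System.out.println("password decrypts to: " + clear.getProperty("mail.smtps.password"));
        // A wrong master password cannot recover the plaintext; Jasypt typically throws this exception.
        BasicTextEncryptor wrong = new BasicTextEncryptor();
        wrong.setPassword("not-the-password");
        try { wrong.decrypt(c1); } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("wrong master password rejected");
        }
    }
}
```

Run it with jasypt on the classpath and JASYPT_PASSWORD set in the environment; the decrypted password printed at the end is the same plaintext that went in.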


Summary

The caveat is that this solution is not entirely secure at runtime: anyone who can attach a debugger to the application can see the clear-text value of an encrypted property.

The entire source code can be pulled from the xmx1024 repository on GitHub. Please feel free to fork it.


Reference:

What is Jasypt?
