I see that many using jasypt to encrypt the application.properties file in spring boot. Can I use my own algorithm for that? If yes then can you show me how, thanks.
From the Jasypt FAQ:
Jasypt by itself does not implement nor distribute in any of its forms any cryptographic algorithms. It simply uses the algorithms already present in the users' Java installations via the Java Cryptography Extension.
Here is a link to the official Java 9 documentation about How to Implement a Provider in the Java Cryptography Architecture and another link to an example of Building a custom Java Crypto Provider.
Related
I'm trying to improve the security of my Gradle project by making use of its dependency verification feature.
Out of the box, Gradle can generate hashes for each of my declared dependencies, but the docs suggest that I explicitly specify hashes provided by the developer if at all possible.
I've been looking around the Springboot website, docs, and GitHub repository, but I can't find a place where these hashes are documented. Are they available?
The Spring Boot team doesn't appear to publish SHA-256 nor SHA-512 currently. For example, here are the contents for various projects:
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-web/2.4.3/
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot/2.4.3/
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-actuator/2.4.3/
Only SHA-1 can be found.
I have been using the Spring Framework for about 4 years now, and now Spring Boot for the last couple of months. My Spring MVC applications are usually deployed on a Java EE container such as JBoss/WildFly or WebLogic. Doing so allows me to use JNDI for things like datasources or any other sensitive data that involve secrets/passwords. That makes my app "consume" that JNDI resource based on its name.
Now with Spring Boot and especially for self-contained microservices (embedded tomcat), that information is now stored within the application (application.properties and/or in Spring Java Config classes), so versioned in Git.
That makes that information a lot more exposed to other developers, which I'm not very comfortable with. I also don't like having those details show up in SonarQube and Jenkins (through workspaces).
Question is: Are there any best practices for this specific requirement?
* UPDATE *
I see some articles here and there about the use of Jasypt, but I wonder if it's still a valid library to use since the last stable release is dated from 2014.
Thank you
You could consider using a vault. Spring supports a few of them out of the box. You can find more information here http://projects.spring.io/spring-vault/.
If you have spring cloud in your stack, then it's very easy. Use encrypt the value and put it in the application properties. Follow the instruction mentioned here.
Other way is, set the values as environmental variables and using the environmental variables in the application properties. Instructions here
How can I provide an authentication for my Apache ignite cluster. Basically I'm looking for setting username and password. Otherwise allowing list of trusted(white listed) clients is also fine.
This can be implemented by your own: https://apacheignite.readme.io/docs/advanced-security
or you can use 3rd party-ready solutions:
https://docs.gridgain.com/docs/security-and-audit
Apache Ignite does not provide these kinds of security capabilities with its open-source version. As mentioned by #Michel, you can either implement it on your own or use commercial Gridgain distribution.
Here, you can find steps to implement a custom plugin.
You would need to implement GridSecurityProcessor which would be used to authenticate joining node.
This blog has detailed steps that can be followed to write a custom security plugin.
https://www.bugdbug.com/post/how-to-secure-apache-ignite-cluster
I'm trying to find any open-source or commercial implementation of Attribute-Based Access Control(ABAC) paradigm that will work together with Spring Security or Apache Shiro frameworks. Right now I can't find any of them.
I don't think I'm a first one who needs such kind of functionality - so could you please recommend frameworks that will support this ?
Also, can Permissions in Apache Shiro be considered as a particular case of ABAC paradigm implementation ?
jCasbin is a powerful and efficient open-source access control library for Java projects. It provides support for enforcing authorization based on various access control models. ABAC is one of the models that is supported by jCasbin.
ABAC: syntax sugar like a resource. The owner can be used to get the attribute for the resource.
In jCasbin, an access control model is abstracted into a CONF file based on the PERM metamodel (Policy, Effect, Request, Matches). So switching or upgrading the authorization mechanism for a project is just as simple as modifying a configuration. You can customize your own access control model by combining the available models. For example, you can get RBAC roles and ABAC attributes together inside one model and share one set of policy rules.
It supports Spring boot via plugin: jcasbinspring-boott-plugin
Also, there is another opensource project called EasyAback. (The original project documents are written in Russian and I translated them and moreover added some other documents and diagram link)
This github sample shows how ABAC can be implemented on top of spring-security framework using Spring Expression Language (SPEL). An excellent blog describes the sample code using a simple web app. Having come from an XACML background I found this project to be very familiar to XACML. It essentially maps XACML concepts to define policy's in JSON (instead of XACML / XML) and using a familiar spring-security API and framework.
Disclaimer: I work for Axiomatics
Axiomatics provides an Attribute Based Access Control (ABAC) implementation that integrates with different environments:
Native Spring Security integration
integration with other Java apps via our SDK and API
integration with API gateways e.g. Apigee
database security
We have had customers integrate with Apache Shiro . Apache Shiro are a simplified form of ABAC. They can be integrated with ABAC.
Axiomatics' implementation relies on XACML.
For an open source Java alternative, you can find several on the XACML Wikipedia page: AuthzForce, Apache OpenAZ, WSO2 Balana. For AuthzForce, you can find Java code samples of ABAC/XACML authorization filters using either an embedded Java PDP or a (remote) RESTful PDP.
I want to use bcrypt hashing algorithm in my grails project instead of its defaultSHA-256 message digest algorithm. To enable bcrypt, you just use the grails install-plugin spring-security-bcrypt command.
You can customize keying rounds by adding this to BuildConfig.groovy:
grails.plugins.springsecurity.password.bcrypt.logrounds = 15
My question is, is that all I need to do to set bcrypt as my password algorithm? Does it automatically use the bcrypt algorithm when I use this method from the domain class generated by spring-security-core:
springSecurityService.encodePassword(params.password)
How do I check if bcrypt is working on my project?
You also need to add
grails.plugins.springsecurity.password.algorithm='bcrypt'