I want to do encryption for some sensitive data in application.properties file of spring boot application.
for that I have used jasypt-spring-boot-starter plugin .
also used #EnableEncryptableProperties tag on spring application.
I have encrypted access key for my database and written its encrypted value in the property file.
com.test.SharedAccessKey=ENC(vfQQ9veC1G+RV8BC0VA==)
also provided in property file
jasypt.encryptor.password=secretpassword
jasypt.encryptor.algorithm=PBEWithMD5AndDES
I am accessing this property in spring boot application as followes
#Value("${com.test.SharedAccessKey}")
public String shareAcessKey;
But logger.info(shareAcessKey) print as it is ENC(vfQQ9veC1G+RV8BC0VA==)
what I am missing in above , can anyone help.
Issue was resolved . I have done some configuration in my spring Configuration class #Configuration related to property file.
as set property place holder configure to setIgnoreUnresolvablePlaceholders
after removing above code . Jasypt password is got picked up.
Related
Trying to use encrypted database password to connect to database using spring auto configuration
I am using Spring auto configuration to connect to database. For that i added below properties in properties file:
spring.datasource.url=jdbc:oracle:thin:#ABCDE2D.com:1888:ABCDE2D1
spring.datasource.username=user
spring.datasource.password=password
spring.datasource.driver-class-oracle.jdbc.driver.OracleDriver
In my dao class, i have #Autowired NamedParameterJdbcTemplate and using it directly to get data from database.
Till here it is working fine.
Now i need to encrypt the password in properties file.
For that i did the below:
Added jasypt-spring-boot-starter in pom
Added spring.datasource.password=ENC(NoIv2c+WQYF3LenN0tDYPA==) in properties file
Added jasypt.encryptor.password=key in properties file
Now i am getting the below error:
Failed to bind properties under 'spring.datasource.password' to
java.lang.String:
Reason: Failed to bind properties under 'spring.datasource.password' to
java.lang.String
I'm providing some basic guide as follows.
You need to add following two parameters in to property file in order application to work properly. This is assuming you are encrypting using default encryption algorithm. If you are useing some other, then make sure to change it accordingly.
jasypt.encryptor.iv-generator-classname=org.jasypt.iv.NoIvGenerator
jasypt.encryptor.algorithm=PBEWithMD5AndDES
You can refer to more details
https://nirmalbalasooriya.blogspot.com/2020/02/spring-boot-property-encryption-using.html
In my case I was giving wrong jasypt.encryptor.password.
For Example given below is properties I have set in my application.properties:
jasypt.encryptor.password=abc
instead abc I gave jasypt as my secret key while encrypting the password so the encripted password is wrong. Then it throwing this error.
Later I realised and found that the key is not correct.
Then gave the right key i.e., abc.Then it worked for me.
Silly mistake but it cost me 4 hours. Hope it will be useful for others.
If you are using jasypt dependency, make sure that:
spring.datasource.password = Enc
and
jasypt.encryptor.password = key
where Enc is encrypted password and key is the key which you used to generate the encrypted password.
I see following in Spring Boot application.properties file. What is it doing here:
spring.datasource.password = ${DB_PASSWD:password}
It means try resolving DB_PASSWD property. If found, use it's value. If not, use the default provided value password. In short:
${property:defaultValue}
The property value is looked up from property sources registered in Spring context, see Environment.getProperty() and #PropertySource.
Whenever the question of hiding the fields like passwords in application properties file arises,the straight-forward answer is encrypt those details using jasypt or other encryption.
If you keep encrypted passwords and jasypt details in same file, how does that make sense? or may be keep them in different file..
Any other smarter way for this?
You're not supposed to save the encryption key in application.properties, after all you don't want it going to your repository. You have to provide the key to your application when you run it, either by typing it or by storing it somewhere on your server. Check this thread for examples.
Let's assume that you have gotten your passwords in a typical application.properties file. Using Jaspyt, you may encrypt as follows:
Maven setup.... Grab the latest spring boot starter Jasypt POM, use
com.github.ulisesbocchio as the group ID.
Create a tiny utility class (preferably outside your spring boot app) to encrypt your passwords; it's easy to use Jasypt's BasicTextEncryptor class ex:
BasicTextEncryptor pwdEncrypt = new BasicTextEncryptor();
pwdEncrypt.setPassword(your_secret_sauce)//whatever you use here will be needed in the properties file (more on that later)
String encoded = pwdEncrypt.encrypt(password_you_want_to_encrpyt);
The String encoded is PBE-encoded by default; grab that
In your properties file, make the following entries:
jasypt.encryptor.password=your_secret_sauce //used in your utility
password_entry_you_want_to_encrypt=ENC(encoded) //encoded grabbed from your utility class
I'll assume that you're annotating your main class with
#SpringBootApplication. Add the following annotations as well:
#EnableEncryptableProperties
#PropertySource(name="EncryptedProperties", value = "classpath:application.properties")
Use jasypt to encrypt properties in application.properties file.
it's usesPBEWithMD5AndDES for the encryption.
See:
https://github.com/ulisesbocchio/jasypt-spring-boot
Camel Spring Boot application version 2.20.1
How to load the application.properties values to spring config xml parameter on start up ?
For eg: few parameters are defined as follows :-
eas.ssl.key-store-type = JKS
eas.ssl.key-store-password = *****
eas.ssl.key-store = filelocation
Now the same need to be configured in Spring Config XML on startup as follows :
<sec:keyStore type="${eas.ssl.key-store-type}" password="${eas.ssl.key-store-password}" file="${eas.ssl.key-store}" />
In logs,I could see the properties from application properties are detected as expected
PropertySourcesPropertyResolver : Found key 'eas.ssl.key-store-password'
However it looks like on the keys are not applied to config xml as values.
The errors log states:-
org.apache.cxf.transport.https.SSLUtils : The key store password has not
been set via a system property or through configuration, reading data from
the keystore will fail.
As mentioned in my latest comment my primary issue was related to SSL HandshakeException (No appropraite protocol found). And I was working with JDK 1.8.
Later I realized it was cipher filter "SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256" was not supported with jdk 8. Once I changed to "TSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256" all started working as expected.
A hint to solution got from this site :
http://www.ateam-oracle.com/tls-and-java/
I have a springboot application which connects to database, currently the database password is in plain text inside the application properties.
What is the standard for securely protecting password in PROD environment?
How to change the database password if the application password is inside the application properties which is built in as part of the JAR and especially when the application is live?
You could use jasypt to handle the encryption and then use Jasypt's Spring integration or this Jasypt Spring Boot Starter to wire it into Spring.
This will allow you to define an encrypted database password property, for example in application.properties e.g.
db.password=ENC(.....)
The other part of your question is:
How to change the database password if the application password is inside the application properties
You can do this by overring properties defined in your properties file with system properties. For example: -Ddb.password='....'. You could also define an additional properties source which is external to your JAR and can be edited at runtime. For example:
#PropertySources({
#PropertySource(value = "classpath:/**.properties"),
#PropertySource(value = "file:/some/external/directory/override.properties", ignoreResourceNotFound = true)
})
public class Application {
// ...
}
Creating the file /some/external/directory/override.properties and populating it with db.password=... would cause your application - on next restart - to use that property value.