Jasypt offers support for encrypted application configuration in three different ways:
This way, jasypt supports the encryption of sensitive configuration data in multiple scenarios (Hibernate-, Spring-, both- or neither-based applications).
As a general rule, jasypt expects encrypted configuration parameters to appear surrounded by "ENC(...)". You can compute this values using the CLI tools.
Here you may think: "wait... I can encrypt values in my configuration files, ok, but... I still need a password (the encryption password) to decrypt them! Where can I store it safely?". That is correct, you still need one password, but this time it is the encryption one, under jasypt control, and thus, configurable in many other more secure ways (especially recommended would be environment variables or web PBE configuration...).
By using an org.jasypt.properties.EncryptableProperties object, an application would be able to correctly read and use a .properties file like this:
datasource.driver=com.mysql.jdbc.Driver datasource.url=jdbc:mysql://localhost/reportsdb datasource.username=reportsUser datasource.password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm)
Note that the database password is encrypted (in fact, any other property could also be encrypted, be it related with database configuration or not).
How do we read this value? like this:
/*
* First, create (or ask some other component for) the adequate encryptor for
* decrypting the values in our .properties file.
*/
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
encryptor.setPassword("jasypt"); // could be got from web, env variable...
/*
* Create our EncryptableProperties object and load it the usual way.
*/
Properties props = new EncryptableProperties(encryptor);
props.load(new FileInputStream("/path/to/my/configuration.properties"));
/*
* To get a non-encrypted value, we just get it with getProperty...
*/
String datasourceUsername = props.getProperty("datasource.username");
/*
* ...and to get an encrypted value, we do exactly the same. Decryption will
* be transparently performed behind the scenes.
*/
String datasourcePassword = props.getProperty("datasource.password");
// From now on, datasourcePassword equals "reports_passwd"...
For decrypting the encrypted value, we just had to access it with getProperty, just as with any other non-encrypted value.
EncryptableProperties extends java.util.Properties, and as such it will be able to do all that can be usually done by a Properties object: loading from/storing to files, XML, etc... but note that transparent decryption is only performed by the getProperty(String) or getProperty(String,String) methods, and not by any other retrieval methods like get(Object).
EncryptableProperties objects can receive as a constructor argument both an org.jasypt.encryption.StringEncryptor implementation or an org.jasypt.util.TextEncryptor object.
Jasypt provides two Spring-specific configuration management classes:
Their use is analogue to the Spring equivalents, but this time we can use them to read encrypted property values from our configuration files and apply them to our beans.
If we have the properties file seen before (application.properties):
datasource.driver=com.mysql.jdbc.Driver datasource.url=jdbc:mysql://localhost/reportsdb datasource.username=reportsUser datasource.password=ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm)
We can define in our Spring context configuration:
<!-- -->
<!-- Configuration for encryptor, based on environment variables. -->
<!-- -->
<!-- In this example, the encryption password will be read from an -->
<!-- environment variable called "APP_ENCRYPTION_PASSWORD" which, once -->
<!-- the application has been started, could be safely unset. -->
<!-- -->
<bean id="environmentVariablesConfiguration"
class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
<property name="algorithm" value="PBEWithMD5AndDES" />
<property name="passwordEnvName" value="APP_ENCRYPTION_PASSWORD" />
</bean>
<!-- -->
<!-- The will be the encryptor used for decrypting configuration values. -->
<!-- -->
<bean id="configurationEncryptor"
class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
<property name="config" ref="environmentVariablesConfiguration" />
</bean>
<!-- -->
<!-- The EncryptablePropertyPlaceholderConfigurer will read the -->
<!-- .properties files and make their values accessible as ${var} -->
<!-- -->
<!-- Our "configurationEncryptor" bean (which implements -->
<!-- org.jasypt.encryption.StringEncryptor) is set as a constructor arg. -->
<!-- -->
<bean id="propertyConfigurer"
class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
<constructor-arg ref="configurationEncryptor" />
<property name="locations">
<list>
<value>/WEB-INF/classes/application.properties</value>
</list>
</property>
</bean>
<!-- -->
<!-- Our datasource is configured here, in the usual way. Jasypt's -->
<!-- EncryptedPropertyPlaceholderConfigurer will make sure that the -->
<!-- ${datasource.password} file gets decrypted and the DBCP DataSource -->
<!-- will be correctly initialized. -->
<!-- -->
<bean id="dataSource"
class="org.apache.commons.dbcp.BasicDataSource"
destroy-method="close">
<property name="driverClassName">
<value>${datasource.driver}</value>
</property>
<property name="url">
<value>${datasource.url}</value>
</property>
<property name="username">
<value>${datasource.username}</value>
</property>
<property name="password">
<value>${datasource.password}</value>
</property>
</bean>
EncryptablePropertyPlaceholderConfigurer and EncryptablePropertyOverrideConfigurer objects can receive as a constructor argument both an org.jasypt.encryption.StringEncryptor implementation or an org.jasypt.util.TextEncryptor object.
For those applications that define datasources in Hibernate's hibernate.cfg.xml file, Jasypt provides two Connection Provider (org.hibernate.connection.ConnectionProvider) implementations which let the user declare the datasource parameters (driver, url, username and password) in an encrypted manner:
They are used like this in hibernate.cfg.xml:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE hibernate-configuration PUBLIC
"-//Hibernate/Hibernate Configuration DTD//EN"
"http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">
<hibernate-configuration>
<session-factory>
<property name="connection.provider_class">
org.jasypt.hibernate.connectionprovider.EncryptedPasswordDriverManagerConnectionProvider
</property>
<property name="connection.encryptor_registered_name">
configurationHibernateEncryptor
</property>
<property name="connection.url">jdbc:mysql://localhost/reportsdb</property>
<property name="connection.driver_class">com.mysql.jdbc.Driver</property>
<property name="connection.username">reportsUser</property>
<property name="connection.password">ENC(G6N718UuyPE5bHyWKyuLQSm02auQPUtm)</property>
<property name="connection.pool_size">12</property>
<property name="show_sql">true</property>
<property name="dialect">org.hibernate.dialect.MySQLDialect</property>
<!-- Mappings etc... -->
</session-factory>
</hibernate-configuration>
In this configuration, Hibernate is told to use Jasypt's DriverManager-based connection provider and is passed a set of configuration parameters which contain an encrypted value, the connection.password property. Then, Hibernate is also told about which is the encryptor object to be used for decrypting the encrypted parameters (connection.encryptor_registered_name).
This encryptor object should have been registered beforehand as a Hibernate Encryptor, as explained in the Jasypt + Hibernate 3 configuration guide.