Jasypt and JCE are two encryption options we can use in our Spring config to secure passwords, for example to encrypt the API token of your GitHub repository, or the Spring config server's security.user.password value.
Jasypt Example
Instructions on how to use Jasypt to secure the configuration of our Spring Boot application.
- Create a new Spring project; we will use it to encrypt our password.
- Include the jasypt dependency.
<dependency>
    <groupId>com.github.ulisesbocchio</groupId>
    <artifactId>jasypt-spring-boot-starter</artifactId>
    <version>3.0.3</version>
</dependency>
- Use this code block to encrypt a string.

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

private static void encryptString() {
    StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
    encryptor.setPassword("password");              // master password; the client must be configured with the same one
    encryptor.setAlgorithm("PBEWITHSHA1ANDDESEDE");
    encryptor.setIvGenerator(new RandomIvGenerator()); // a fresh IV per encryption
    String result = encryptor.encrypt("Hello World!");
    System.out.println("encrypted=" + result); // prints differently on each run (random salt and IV)
    result = encryptor.decrypt(result);
    System.out.println("decrypted=" + result);
}
- To use it with Spring Security, add these lines to the config server's bootstrap.yml file:
security:
  user:
    name: czetsuya
    password: ENC(3E31QZ4Ih8kbEYl141+Hd8zG1N/Pt9c60nHkGX9lnG4=)
- And on the client side (the service application), we need to configure the Spring Cloud Config location and the jasypt encryptor password. Note that the client decrypts with the starter's settings: jasypt-spring-boot 3.x defaults to PBEWITHHMACSHA512ANDAES_256 with a random IV, so either encrypt the values with that algorithm or set jasypt.encryptor.algorithm to the algorithm you used when encrypting.
spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: czetsuya
      password: ENC(T9aWpcoGGXGV6x+D/oiJGWkvJSBjwEmpLaBy7utknQo=)
jasypt:
  encryptor:
    password: password # or you can replace this with an environment variable ${JASYPT_ENCRYPTOR_PASSWORD}
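As an added example (not code from the original post), here is a small standalone Java program that produces ENC(...) values with the same encryptor settings that jasypt-spring-boot 3.x applies by default (PBEWITHHMACSHA512ANDAES_256, 1000 key-obtention iterations, random salt and IV, base64 output), so the client above needs nothing but jasypt.encryptor.password to decrypt them. It also shows what happens when the algorithm or password does not match. The class name, helper names and the JASYPT_ENCRYPTOR_PASSWORD fallback are my own; it only needs the jasypt library on the classpath (pulled in by the starter).

```java
import org.jasypt.encryption.pbe.PooledPBEStringEncryptor;
import org.jasypt.encryption.pbe.config.SimpleStringPBEConfig;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

/**
 * Produces ENC(...) property values using the encryptor settings that
 * jasypt-spring-boot 3.x uses by default, so a client configured with only
 * jasypt.encryptor.password can decrypt them at startup.
 * (Example code written for this page, not part of the original post.)
 */
public class JasyptConfigValueEncryptor {

    // Default algorithm of the jasypt-spring-boot starter since 3.0.0.
    private static final String STARTER_DEFAULT_ALGORITHM = "PBEWITHHMACSHA512ANDAES_256";

    /** Build an encryptor with the starter's default settings for the given algorithm. */
    public static PooledPBEStringEncryptor newEncryptor(String password, String algorithm) {
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        config.setPassword(password);
        config.setAlgorithm(algorithm);
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setIvGeneratorClassName("org.jasypt.iv.RandomIvGenerator");
        config.setStringOutputType("base64");
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        encryptor.setConfig(config);
        return encryptor;
    }

    /** Wrap the ciphertext in the ENC(...) marker the starter looks for in property values. */
    public static String toPropertyValue(String secret, String password) {
        return "ENC(" + newEncryptor(password, STARTER_DEFAULT_ALGORITHM).encrypt(secret) + ")";
    }

    /** Strip ENC(...) and decrypt, as the starter does when it resolves a property. */
    public static String fromPropertyValue(String value, String password) {
        if (!value.startsWith("ENC(") || !value.endsWith(")")) {
            throw new IllegalArgumentException("not an ENC(...) value: " + value);
        }
        String ciphertext = value.substring(4, value.length() - 1);
        return newEncryptor(password, STARTER_DEFAULT_ALGORITHM).decrypt(ciphertext);
    }

    public static void main(String[] args) {
        // Take the master password from the environment, mirroring
        // ${JASYPT_ENCRYPTOR_PASSWORD} in the client config; the literal is a demo fallback.
        String password = System.getenv().getOrDefault("JASYPT_ENCRYPTOR_PASSWORD", "password");

        String value = toPropertyValue("Hello World!", password);
        System.out.println("encrypted=" + value); // differs on each run (random salt and IV)
        System.out.println("decrypted=" + fromPropertyValue(value, password));

        // A value encrypted with a different algorithm (the one used earlier in the post)
        // cannot be decrypted by a client that relies on the starter defaults.
        String otherAlgorithm = newEncryptor(password, "PBEWITHSHA1ANDDESEDE").encrypt("Hello World!");
        try {
            fromPropertyValue("ENC(" + otherAlgorithm + ")", password);
        } catch (EncryptionOperationNotPossibleException e) {
            // Jasypt wraps every decryption failure in this exception.
            System.out.println("algorithm mismatch: cannot decrypt");
        }

        // A wrong master password fails the same way.
        try {
            fromPropertyValue(value, "not-the-password");
        } catch (EncryptionOperationNotPossibleException e) {
            System.out.println("wrong password: cannot decrypt");
        }
    }
}
```

The two failure cases in main are the ones people usually hit when the client refuses to start: the value was encrypted with one algorithm and decrypted with another, or the master password differs between the machine that encrypted and the one that runs the service.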
JCE Example
Instructions on how to use JCE, through the Spring Cloud CLI, to secure the configuration of our Spring Boot application.
To make this exercise easier on Windows, I'll be using WSL2 to run Ubuntu and install sdkman.
You must also take note of the latest spring-cloud-cli version from https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-cli
Follow this guide https://sdkman.io/install and check that it succeeded by running the command sdk version in a terminal.
Execute the following commands:
# install spring
sdk install springboot
# install spring-cloud-cli
spring install org.springframework.cloud:spring-cloud-cli:3.0.2
# encrypt your text
spring encrypt 'Hello World!' --key 'password'
# results in 5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1
# should be different on each run
# decrypt the text
spring decrypt 5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1 --key 'password'
As before, we need to set the encrypted password in both the Spring Cloud Config server and the client. This time, instead of the ENC(...) wrapper, we use the {cipher} prefix that Spring Cloud Config recognises.
Server
security:
  user:
    name: czetsuya
    password: '{cipher}5f8aaa3be65f159b439008faf1d4efb5eb6c6d3d8ccd9ddfe5028decb5c3b2c1'
Client
spring:
  cloud:
    config:
      uri: http://localhost:8888
      username: czetsuya
      password: '{cipher}3079cb49646bf1a11dc15e3563c16cb3fb614aebdb5fe389f75d48d3ac43ae6f'
encrypt:
  key: password # or you can replace this with an environment variable ${ENCRYPT_KEY}
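As an added example (not code from the original post or from the Spring projects), the following standalone Java program does in code what the spring encrypt and spring decrypt commands do, so you can produce or verify {cipher} values without the CLI. It assumes the symmetric-key path of Spring Cloud Config, which uses Spring Security's Encryptors.text with encrypt.key and the default salt deadbeef (the salt value is taken from the Spring Cloud Config documentation as I remember it; treat it as an assumption and set encrypt.salt explicitly if in doubt). The class and helper names and the ENCRYPT_KEY fallback are mine; it needs spring-security-crypto on the classpath.

```java
import org.springframework.security.crypto.encrypt.Encryptors;
import org.springframework.security.crypto.encrypt.TextEncryptor;

/**
 * Encrypts and resolves {cipher} property values the way a symmetric-key
 * Spring Cloud Config setup does: AES-CBC with a random 16-byte IV prepended,
 * hex-encoded. (Example code written for this page, not the project's own.)
 */
public class CipherPropertyCodec {

    private static final String CIPHER_PREFIX = "{cipher}";
    // Assumption: the default value of encrypt.salt in Spring Cloud Config.
    private static final String DEFAULT_SALT = "deadbeef";

    /** Same key/salt pairing that encrypt.key (and encrypt.salt) configure on server and client. */
    public static TextEncryptor textEncryptor(String key, String saltHex) {
        return Encryptors.text(key, saltHex);
    }

    /** Produce a value ready for a YAML file, e.g. password: '{cipher}...'. */
    public static String encryptProperty(String plaintext, String key) {
        return CIPHER_PREFIX + textEncryptor(key, DEFAULT_SALT).encrypt(plaintext);
    }

    /** Resolve a {cipher} value; values without the prefix pass through unchanged. */
    public static String resolveProperty(String value, String key) {
        if (!value.startsWith(CIPHER_PREFIX)) {
            return value;
        }
        return textEncryptor(key, DEFAULT_SALT).decrypt(value.substring(CIPHER_PREFIX.length()));
    }

    public static void main(String[] args) {
        // Same source as the client's ${ENCRYPT_KEY}; the literal is only a demo fallback.
        String key = System.getenv().getOrDefault("ENCRYPT_KEY", "password");

        String first = encryptProperty("Hello World!", key);
        String second = encryptProperty("Hello World!", key);
        System.out.println(first);
        System.out.println(second);
        // The hex differs on every run because a fresh IV is prepended to the
        // ciphertext, yet both values resolve to the same plaintext.
        System.out.println("same ciphertext? " + first.equals(second));
        System.out.println("decrypted: " + resolveProperty(first, key));
        System.out.println("decrypted: " + resolveProperty(second, key));
        System.out.println("plain value passes through: " + resolveProperty("czetsuya", key));

        // Wrong key: the PKCS#5 padding check almost always fails and Spring Security
        // raises IllegalStateException, which is what a misconfigured client sees at startup.
        try {
            resolveProperty(first, "wrong-key");
            System.out.println("wrong key went undetected (padding happened to be valid)");
        } catch (IllegalStateException e) {
            System.out.println("wrong key: " + e.getMessage());
        }
    }
}
```

For the 12-byte string "Hello World!" the hex output is 64 characters: 16 bytes of IV followed by one 16-byte AES block, which is exactly the shape of the values shown in the YAML above. Because the IV is random, a value you generate will never match the one in the post byte for byte, and that is expected.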
And there you go folks, stop committing your password in plaintext on public repositories :-)