Skip to main content

Encrypting stored passwords in spring web application

We take security very seriously and have taken steps to harden our services so if some one has ssh access to the box he wont be able to read the files but the webapp has to be able to read the spring config which has passwords to database so we need to protect it from any file download vulnerability.

So the plan was to encrypt passwords stored in spring files and decrypt it at runtime. As we had to decrypt the passwords back this has to be a symmetric encryption but with salt.  After doing some research I found jasypt library that would be able to do this. The steps I followed were:

1) move all passwords to a separate  file called as XXX_passwords.properties
2)changed spring xml to use property placeholders like ${mysql.user.password}.
3) added spring beans to load the password and decrypt them using the ENV variable ENCRYPTION_PASSWORD and added two jars to class path jasypt-1.9.1.jar and jasypt-spring31-1.9.1.jar

    <bean id="encryptablePropertyPlaceholderConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
       <constructor-arg ref="configurationEncryptor" />
       <property name="location" value="classpath:xxx_passwords.properties" />
    </bean>
    <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
       <property name="config" ref="environmentVariablesConfiguration" />
    </bean>
    <bean id="environmentVariablesConfiguration"
          class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
       <property name="algorithm" value="PBEWithMD5AndDES" />
       <property name="passwordEnvName" value="ENCRYPTION_PASSWORD" />
    </bean>
4)Wrote a sample property file encoder that will take a normal file and encode the passwords.
public class PPFileEncoder {
    public static void main(String[] args) throws Exception {
        String filePath = args[0];
        File file = new File(filePath);
        if (!file.exists()) {
            System.out.println("File " + filePath + " doesnt exits");
        }
        Properties inputProps = new Properties();
        FileReader reader = new FileReader(filePath);
        inputProps.load(reader);
        reader.close();
        EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setPasswordEnvName("ENCRYPTION_PASSWORD");
        StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
        encryptor.setConfig(config);

        Properties outputProps = new Properties();
        for (Entry entry : inputProps.entrySet()) {
            String key = (String) entry.getKey();
            String value = (String) entry.getValue();
            outputProps.setProperty(key, getEncryptedProperty(encryptor, value));
        }
        FileWriter writer = new FileWriter(file);
        outputProps.store(writer, "Encrypted file");
        writer.close();
    }

    private static String getEncryptedProperty(StandardPBEStringEncryptor encryptor, String value) {
        if (value == null || value.trim().startsWith("ENC(")) {
            return value;
        } else {
            return "ENC(" + encryptor.encrypt(value) + ")";
        }
    }
}

5)Changed install process to encrypt passwords as the last step of install and overwrite the original property file.
6)Now ops will unset the env variable once app is up.

with jasypt if your original file was

mysql.user.password=KalpeshPatel
it would become
mysql.user.password=ENC(B4UEFvcfdIJqavADLRTZqw\=\=)






Good thing about this solution is that devops  can choose a completely random value for ENCRYPTION_PASSWORD variable everytime they install the installer and different value for different machines.

Comments

Post a Comment

Popular posts from this blog

RabbitMQ java clients for beginners

Here is a sample of a consumer and producer example for RabbitMQ. The steps are
Download ErlangDownload Rabbit MQ ServerDownload Rabbit MQ Java client jarsCompile and run the below two class and you are done.
This sample create a Durable Exchange, Queue and a Message. You will have to start the consumer first before you start the for the first time.

For more information on AMQP, Exchanges, Queues, read this excellent tutorial
http://blogs.digitar.com/jjww/2009/01/rabbits-and-warrens/

+++++++++++++++++RabbitMQProducer.java+++++++++++++++++++++++++++
import com.rabbitmq.client.Connection; import com.rabbitmq.client.Channel; import com.rabbitmq.client.*; public class RabbitMQProducer { public static void main(String []args) throws Exception { ConnectionFactory factory = new ConnectionFactory(); factory.setUsername("guest"); factory.setPassword("guest"); factory.setVirtualHost("/"); factory.setHost("127.0.0.1"); factory.setPort(5672); Conne…

What a rocky start to labor day weekend

Woke up by earthquake at 7:00 AM in morning and then couldn't get to sleep. I took a bath, made my tea and started checking emails and saw that after last night deployment three storage node out of 100s of nodes were running into Full GC. What was special about the 3 nodes was that each one was in a different Data centre but it was named same app02.  This got me curious I asked the node to be taken out of rotation and take a heap dump.  Yesterday night a new release has happened and I had upgraded spymemcached library version as new relic now natively supports instrumentation on it so it was a suspect. And the hunch was a bullseye, the heap dump clearly showed it taking 1.3G and full GCs were taking 6 sec but not claiming anything.



I have a quartz job in each jvm that takes a thread dump every 5 minutes and saves last 300 of them, checking few of them quickly showed a common thread among all 3 data centres. It seems there was a long running job that was trying to replicate pending…

Spring query timeout or transaction timeout

If you are using spring to manage transactions then you can specify default transaction timeout using

    <bean id="transactionManager"
        class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
        <property name="dataSource" ref="dataSource" />
        <property name="defaultTimeout" value="30" /> <!--30 sec--->             
    </bean>

or you can override the timeout in the annotation

    @Transactional(readOnly = false, timeout=30)


or if you are doing it programatic transactions then you can do


DataSourceTransactionManager transactionManager = new DataSourceTransactionManager(dataSource);
transactionManager.setDefaultTimeout(30);

 or you can override the timeout for one particular transaction

TransactionTemplate transactionTemplate = new TransactionTemplate();
transactionTemplate.setTimeout(30);