Apereo CAS - Configuration Security w/ Jasypt


Collaborate
This blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

Overview

If you are running CAS in standalone mode without the presence of the Spring Cloud configuration server, you can take advantage of built-in Jasypt functionality to decrypt sensitive CAS settings.

Jasypt is a java library which allows the deployer to add basic encryption capabilities to CAS. Jasypt supplies command-line tools useful for performing encryption, decryption, etc. In order to use the tools, you may download the Jasypt distribution. Once unzipped, you will find a jasypt-$VERSION/bin directory a number of bat|sh scripts that you can use for encryption/decryption operations (encrypt|decrypt).(bat|sh).

However, an easier approach might be to use the native CAS command-line shell. The CAS command-line shell provides the ability to query the CAS server for help on available settings/modules and various other utility functions one of which is the ability to encrypt and/or decrypt settings via Jasypt. We’ll use the shell to encrypt a few settings and place them in your CAS configuration file, expecting the server to decrypt and use them as needed.

Our starting position is based on:

Configuration

The CAS WAR Overlay presents a few instructions on how to download and run the shell. Once you’re in, you can take advantage of the following Jasypt-related commands:

help encrypt-value
...
help decrypt-value

So let’s encrypt a setting:

cas>encrypt-value value casuser::Misagh alg PBEWithMD5AndTripleDES \
    provider SunJCE password ThisIsMyEncryptionKey iterations 1000

==== Encrypted Value ====
{cas-cipher}mMcg02NysblAcwYI+bFRpEcHBQaVQ51J

Nice. Let’s verify that it can be decrypted back:

cas>decrypt-value value {cas-cipher}mMcg02NysblAcwYI+bFRpEcHBQaVQ51J \
    alg PBEWithMD5AndTripleDES provider SunJCE \
    password ThisIsMyEncryptionKey iterations 1000

==== Decrypted Value ====
casuser::Misagh

Next, let’s use our typical cas.properties file with the encrypted value:

cas.authn.accept.users={cas-cipher}mMcg02NysblAcwYI+bFRpEcHBQaVQ51J

Almost there…the last task is to instruct CAS to use the proper algorithm, decryption key, and other relevant parameters when attempting to decrypt settings.

# cas.standalone.configurationSecurity.alg=PBEWithMD5AndTripleDES
# cas.standalone.configurationSecurity.provider=SunJCE
# cas.standalone.configurationSecurity.iterations=1000
# cas.standalone.configurationSecurity.psw=ThisIsMyEncryptionKey

The above settings may be passed to CAS at runtime using either OS environment variables, system properties or normal command-line arguments.

More…

The shell also presents a few more Jasypt-related commands to list out algorithms, providers, etc. If you use the help command, you’d be presented with a list of available commands some of which are the following:

cas>help jasypt-list-algorithms
...
cas>help jasypt-list-providers
...
cas>help jasypt-test-algorithms
...

So…

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please know that all other use cases, scenarios, features, and theories certainly are possible as well. Feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed

Related Posts

CAS 6.1.0 RC5 Feature Release

...in which I present an overview of CAS 6.1.0 RC5 release.

Apereo CAS - Passwordless Authentication

Learn how to modify Apereo CAS to allow users to login without the need to remember a password.

Apereo CAS - Handling Authentication Webflow Errors with Grace

Learn how to modify Apereo CAS to customize exception handling and produce localized error messages for your deployment.

Apereo CAS - Are We Logged In Yet?

Learn how to modify and extend a CAS deployment to determine whether an SSO session is still valid and tied to a user authentication session.

Apereo CAS - REST API Integrations

Learn how to integrate with CAS using its REST API to authenticate, exchange tickets and get access to user profiles and attributes.

CAS 6.1.0 RC4 Feature Release

...in which I present an overview of CAS 6.1.0 RC4 release.

Apereo CAS - Multifactor Provider Selection

Learn how to configure CAS to integrate with and use multiple multifactor providers at the same time. This post also reveals a few super secret and yet open-source strategies one may use to select appropriate providers for authentication attempts, whether automatically or based on a menu.

Apereo CAS - Dockerized Hazelcast Deployments

Learn how to run CAS backed by a Hazelcast cluster in Docker containers and take advantage of the Hazelcast management center to monitor and observer cluster members.

CAS 6.1.0 RC3 Feature Release

...in which I present an overview of CAS 6.1.0 RC3 release.

Apereo CAS - Webflow Decorations

Learn how you may decorate the Apereo CAS login webflow to inject data pieces and objects into the processing engine for display purposes, peace on earth and prosperity of all mankind, etc. Mainly, etc.