tessl/maven-org-apereo-cas--cas-server-core-configuration-api

Apereo CAS Core Configuration API providing configuration management and property source location capabilities for the Central Authentication Service

docs/configuration-encryption.md

Configuration Encryption

Jasypt-based encryption and decryption support for sensitive configuration values. The encryption system provides configurable algorithms, providers, initialization vectors, and seamless integration with all configuration loading mechanisms.

Capabilities

Jasypt Cipher Executor

Primary encryption/decryption implementation built on the Jasypt library, with full configurability of algorithm, provider, and security parameters.

```java
public class CasConfigurationJasyptCipherExecutor implements CipherExecutor<String, String> {
    /**
     * Constructor with algorithm and password.
     *
     * @param algorithm the encryption algorithm
     * @param password  the encryption password
     */
    public CasConfigurationJasyptCipherExecutor(String algorithm, String password);

    /**
     * Constructor using environment properties for configuration.
     *
     * @param environment the environment with Jasypt configuration properties
     */
    public CasConfigurationJasyptCipherExecutor(Environment environment);

    /**
     * Encrypt value with parameters.
     *
     * @param value      the value to encrypt
     * @param parameters optional parameters
     * @return encrypted value with prefix
     */
    @Override
    public String encode(String value, Object[] parameters);

    /**
     * Decrypt value with parameters.
     *
     * @param value      the encrypted value
     * @param parameters optional parameters
     * @return decrypted value
     */
    @Override
    public String decode(String value, Object[] parameters);

    /**
     * Get cipher executor name.
     *
     * @return "CAS Configuration Jasypt Encryption"
     */
    @Override
    public String getName();
}
```

Encryption Methods

```java
public class CasConfigurationJasyptCipherExecutor {
    /**
     * Encrypt value with error handling.
     *
     * @param value the value to encrypt
     * @return encrypted value with prefix, or null on error
     */
    public String encryptValue(String value);

    /**
     * Encrypt value with custom error handler.
     *
     * @param value   the value to encrypt
     * @param handler error handling function
     * @return encrypted value or handler result
     */
    public String encryptValue(String value, Function<Exception, String> handler);

    /**
     * Decrypt value with error handling.
     *
     * @param value the encrypted value
     * @return decrypted value, or original value on error
     */
    public String decryptValue(String value);
}
```

Configuration Methods

```java
public class CasConfigurationJasyptCipherExecutor {
    /**
     * Set encryption algorithm.
     *
     * @param alg the algorithm (e.g., "PBEWithMD5AndTripleDES")
     */
    public void setAlgorithm(String alg);

    /**
     * Set encryption password.
     *
     * @param psw the password
     */
    public void setPassword(String psw);

    /**
     * Set encryption provider name.
     *
     * @param pName the provider name (null for default, "BC" for BouncyCastle)
     */
    public void setProviderName(String pName);

    /**
     * Set key obtention iterations.
     *
     * @param iter the number of iterations as string
     */
    public void setKeyObtentionIterations(String iter);

    /**
     * Set initialization vector generator.
     *
     * @param iv the IV generator
     */
    public void setIvGenerator(IvGenerator iv);
}
```

Static Utility Methods

```java
public class CasConfigurationJasyptCipherExecutor {
    /**
     * Check if value is encrypted (starts with prefix).
     *
     * @param value the value to check
     * @return true if encrypted
     */
    public static boolean isValueEncrypted(String value);

    /**
     * Extract encrypted value without prefix.
     *
     * @param value the prefixed encrypted value
     * @return encrypted value without prefix
     */
    public static String extractEncryptedValue(String value);
}
```

Usage Examples

Basic Encryption Setup

```java
import org.apereo.cas.configuration.support.CasConfigurationJasyptCipherExecutor;

// Create cipher executor with algorithm and password
CasConfigurationJasyptCipherExecutor cipherExecutor =
    new CasConfigurationJasyptCipherExecutor("PBEWithMD5AndTripleDES", "mySecretPassword");

// Encrypt a sensitive value
String sensitiveValue = "database_password_123";
String encrypted = cipherExecutor.encryptValue(sensitiveValue);
System.out.println(encrypted); // {cas-cipher}ENCRYPTED_CONTENT

// Decrypt the value
String decrypted = cipherExecutor.decryptValue(encrypted);
System.out.println(decrypted); // database_password_123
```

Environment-Based Configuration

```java
import org.springframework.core.env.Environment;

// Set the Jasypt properties that the executor reads from the Environment
// (system properties are used here for brevity; in production supply them externally)
System.setProperty("cas.standalone.configuration-security.alg", "PBEWITHHMACSHA256ANDAES_128");
System.setProperty("cas.standalone.configuration-security.psw", "myEncryptionPassword");
System.setProperty("cas.standalone.configuration-security.provider", "BC");
System.setProperty("cas.standalone.configuration-security.iterations", "1000");

// 'environment' is the application's Spring Environment (for example, injected into a bean);
// a StandardEnvironment exposes system properties, so the values above are visible to it
CasConfigurationJasyptCipherExecutor cipherExecutor =
    new CasConfigurationJasyptCipherExecutor(environment);

// Use for encryption/decryption
String encrypted = cipherExecutor.encryptValue("sensitive_data");
```

Advanced Configuration

```java
import org.jasypt.iv.RandomIvGenerator;
import org.jasypt.iv.NoIvGenerator; // counterpart for algorithms that do not use an IV

// Create cipher executor
CasConfigurationJasyptCipherExecutor cipherExecutor =
    new CasConfigurationJasyptCipherExecutor("PBEWITHHMACSHA256ANDAES_128", "password");

// Configure advanced settings
cipherExecutor.setProviderName("BC");  // Use BouncyCastle provider
cipherExecutor.setKeyObtentionIterations("10000");
// AES algorithms receive a RandomIvGenerator automatically; setting it explicitly is harmless
cipherExecutor.setIvGenerator(new RandomIvGenerator());

// Encrypt with advanced configuration
String encrypted = cipherExecutor.encryptValue("highly_sensitive_data");
```

Integration with Configuration Loading

```java
import java.util.Optional;
import org.apereo.cas.configuration.DefaultCasConfigurationPropertiesSourceLocator;
import org.springframework.core.env.PropertySource;

// Create cipher executor ('environment' is the application's Spring Environment)
CasConfigurationJasyptCipherExecutor cipherExecutor =
    new CasConfigurationJasyptCipherExecutor(environment);

// Create property source locator with encryption support
DefaultCasConfigurationPropertiesSourceLocator locator =
    new DefaultCasConfigurationPropertiesSourceLocator(cipherExecutor);

// All loaded properties will be automatically decrypted
// ('resourceLoader' is the application's Spring ResourceLoader)
Optional<PropertySource<?>> properties = locator.locate(environment, resourceLoader);
```

Encryption Parameters

Jasypt Configuration Parameters

```java
public enum JasyptEncryptionParameters {
    /**
     * Jasypt algorithm name to use.
     */
    ALGORITHM("cas.standalone.configuration-security.alg", "PBEWithMD5AndTripleDES"),

    /**
     * Jasypt provider name to use. None for Java, "BC" for BouncyCastle.
     */
    PROVIDER("cas.standalone.configuration-security.provider", null),

    /**
     * Jasypt number of iterations to use.
     */
    ITERATIONS("cas.standalone.configuration-security.iterations", null),

    /**
     * Jasypt password to use for encryption and decryption.
     */
    PASSWORD("cas.standalone.configuration-security.psw", null),

    /**
     * Use (or not) a Jasypt Initialization Vector.
     */
    INITIALIZATION_VECTOR("cas.standalone.configuration-security.initialization-vector", null);

    /**
     * Get the property name for this parameter.
     *
     * @return property name
     */
    String getPropertyName();

    /**
     * Get the default value for this parameter.
     *
     * @return default value
     */
    String getDefaultValue();
}
```

Supported Algorithms

Standard Java Algorithms

  • PBEWithMD5AndTripleDES (default)
  • PBEWithMD5AndDES
  • PBEWithSHA1AndRC2_40
  • PBEWithSHA1AndDESede

BouncyCastle Algorithms (with provider "BC")

  • PBEWITHHMACSHA256ANDAES_128
  • PBEWITHHMACSHA256ANDAES_256
  • PBEWITHHMACSHA1ANDAES_128
  • PBEWITHHMACSHA1ANDAES_256

Initialization Vector Requirements

Algorithms matching the pattern `PBEWITHHMACSHA\d+ANDAES_.*(?<!-BC)$` require initialization vectors and automatically use `RandomIvGenerator`.

Configuration File Usage

YAML Configuration with Encrypted Values

```yaml
# application.yml
database:
  url: "jdbc:mysql://localhost:3306/cas"
  username: "cas_user"
  password: "{cas-cipher}DroW8Pj4z6WkEbCJy4NqGxCqY8fhOKGOtDbWlHGUgOZ2vtK1Boo="

ldap:
  bindCredential: "{cas-cipher}Ak8fKzKp9Z4bWqRxYJ8Ts3+P8sXyO9C1NqO4DpL2MkGf3=="

# Non-encrypted values work normally
server:
  port: 8443
  ssl:
    enabled: true
```

Properties Configuration with Encrypted Values

```properties
# application.properties
database.url=jdbc:mysql://localhost:3306/cas
database.username=cas_user
database.password={cas-cipher}DroW8Pj4z6WkEbCJy4NqGxCqY8fhOKGOtDbWlHGUgOZ2vtK1Boo=

ldap.bindCredential={cas-cipher}Ak8fKzKp9Z4bWqRxYJ8Ts3+P8sXyO9C1NqO4DpL2MkGf3==

# Non-encrypted values
server.port=8443
server.ssl.enabled=true
```

Encryption Constants

```java
/**
 * Prefix inserted at the beginning of a value to indicate it's encrypted.
 */
String ENCRYPTED_VALUE_PREFIX = "{cas-cipher}";

/**
 * Pattern for algorithms that require an initialization vector.
 */
Pattern ALGS_THAT_REQUIRE_IV_PATTERN = Pattern.compile("PBEWITHHMACSHA\\d+ANDAES_.*(?<!-BC)$");
```
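The following is an added standalone example, not CAS project code, that uses Jasypt's `StandardPBEStringEncryptor` directly to show how the three conventions documented on this page fit together: the `{cas-cipher}` prefix, the IV-requiring algorithm pattern, and the "keep the original value when decryption fails" behaviour. It assumes Jasypt 1.9.3 or later on the classpath and the default JCE provider; the class and method names (`CasCipherDemo`, `newEncryptor`, `encryptValue`, `decryptValue`) and the demo password are constructed for illustration.

```java
import java.util.Locale;
import java.util.regex.Pattern;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;
import org.jasypt.iv.RandomIvGenerator;

// Hypothetical helper, not CAS code: mirrors the prefix, IV-pattern and fallback conventions
public class CasCipherDemo {
    static final String PREFIX = "{cas-cipher}";
    static final Pattern ALGS_THAT_REQUIRE_IV = Pattern.compile("PBEWITHHMACSHA\\d+ANDAES_.*(?<!-BC)$");

    // AES/HMAC algorithms get a RandomIvGenerator; a null provider keeps the default JCE provider
    static StandardPBEStringEncryptor newEncryptor(String alg, String password, String provider) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm(alg);
        enc.setPassword(password);
        if (provider != null) {
            enc.setProviderName(provider);
        }
        if (ALGS_THAT_REQUIRE_IV.matcher(alg.toUpperCase(Locale.ROOT)).matches()) {
            enc.setIvGenerator(new RandomIvGenerator());
        }
        return enc;
    }

    // Encrypt and mark the result with the prefix that the configuration loaders look for
    static String encryptValue(StandardPBEStringEncryptor enc, String plain) {
        return PREFIX + enc.encrypt(plain);
    }

    // Un-prefixed values are plaintext and pass through; undecryptable values are returned as-is
    static String decryptValue(StandardPBEStringEncryptor enc, String value) {
        if (value == null || !value.startsWith(PREFIX)) {
            return value;
        }
        try {
            return enc.decrypt(value.substring(PREFIX.length()));
        } catch (EncryptionOperationNotPossibleException e) {
            System.err.println("WARN: could not decrypt value; leaving it unchanged");
            return value;
        }
    }

    public static void main(String[] args) {
        // Constructed demo password; real passwords come from the environment, never source code
        StandardPBEStringEncryptor enc = newEncryptor("PBEWithMD5AndTripleDES", "demo-password", null);
        String encrypted = encryptValue(enc, "database_password_123");
        System.out.println(encrypted);                    // prefixed Base64 ciphertext
        System.out.println(decryptValue(enc, encrypted)); // round-trips to the plaintext
        // A different password normally fails to decrypt (bad padding), so the prefixed value is kept
        System.out.println(decryptValue(newEncryptor("PBEWithMD5AndTripleDES", "other", null), encrypted));
    }
}
```

Because un-prefixed values pass through unchanged, a failed decryption silently leaves the `{cas-cipher}...` string in the property, which is why the page's advice to watch for the logged warnings matters.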

Security Considerations

Password Management

  • Never hardcode encryption passwords in source code
  • Use environment variables or external configuration for passwords
  • Consider key rotation strategies for production environments

Algorithm Selection

  • Use stronger algorithms like PBEWITHHMACSHA256ANDAES_128 for production
  • BouncyCastle provider offers additional algorithm options
  • AES-based algorithms (those matching the IV pattern above) require an initialization vector; the executor assigns RandomIvGenerator to them automatically, so each encryption uses a fresh random IV

Property Protection

  • Only encrypt truly sensitive values (passwords, tokens, keys)
  • Encrypted values are Base64-encoded and can be lengthy
  • Decryption errors will log warnings but preserve original values
