Is Jasypt secure enough to use? - jasypt

We are using Jasypt in one of our Spring based project to encrypt our database properties. As per Jasypt documentation we need to make algorith and password (secret) entry in our application context.
<bean id="environmentVariablesConfiguration"
class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
<property name="algorithm" value="PBEWithMD5AndDES" />
<property name="passwordEnvName" value="secret" />
</bean>
<bean id="configurationEncryptor"
class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
<property name="config" ref="environmentVariablesConfiguration" />
</bean>
<bean id="propertyConfigurer"
class="org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer">
<constructor-arg ref="configurationEncryptor" />
<property name="location" value="classpath*:*.properties" />
</bean>
If we do that, any one can easily decrypt our properties by decrypt property provided by Jasypt only. For example
sh decrypt.sh input=pYmd0m1m2nEAGIeTtfdfdfdl/e3W49e password=sdsdfsf algorithm=PBEWithMD5AndDES
So how we can ensure the security of our property files.

Related

Jasypt encryption in spring dsl

I am trying to add encryption in properties file, The content is not getting decrypt
My Spring DSL looks like:
<bean id="jasypt" class="org.apache.camel.component.jasypt.JasyptPropertiesParser">
<property name="password" value="test"/>
<property name="algorithm" value="PBEWithMD5AndDES"/>
</bean>
<!-- define the camel properties component -->
<bean id="properties" class="org.apache.camel.component.properties.PropertiesComponent">
<!-- the properties file is in the classpath -->
<property name="location" value="classpath:my-properties.properties"/>
<!-- and let it leverage the jasypt parser -->
<property name="propertiesParser" ref="jasypt"/>
</bean>
<bean class="org.apache.activemq.ActiveMQConnectionFactory" id="jmsFactory">
<property name="brokerURL" value="tcp://localhost:61616"/>
<property name="userName" value="${jboss.fuse.username}"/>
<property name="password" value="${jboss.fuse.password}"/>
</bean>
my-properties.properties
jboss.fuse.username=ENC(D0hnlLDZfGPiC6DtU+NKog==)
jboss.fuse.password=ENC(D0hnlLDZfGPiC6DtU+NKog==)
Error message : java.lang.SecurityException: User name [ENC(D0hnlLDZfGPiC6DtU+NKog==)] or password is invalid.
PropertiesComponent doesn't work.It should be BridgePropertyPlaceholderConfigurer if you are using Spring DSL
<bean
class="org.apache.camel.spring.spi.BridgePropertyPlaceholderConfigurer" id="bridgePropertyPlaceholder">
<property name="location" value="classpath:my-properties.properties"/>
<property name="parser" ref="jasypt"/>
</bean>

Spring Security multiple authentication provider not getting to the second one

I have an app that uses Spring Security, was using a custom authentication provider just fine. I need to add a SAML IDP into the mix now. So I got the sample SAML application up and running and I use that security context as a base. I have my manager defined like this:
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="myAuthenticationProvider" />
<security:authentication-provider ref="samlAuthenticationProvider"/>
</security:authentication-manager>
Now when I submit my login form with a username/passeord that is only in the SAML IDP, I can see from the logs that it calls myAuthenticationProvider, which then throws a BadCredentialsException, then nothing. I don't see any other exception, and not a peep out of the SAMLAuthenticationProvider.
I have read the documentation a few times, and it seems to indicate this can be done, but I don't see an example. Does anyone have an example of using SAML and BasicAuthentication?
I don't think you need to add an extra authentication provider for a new IDP. You just need to add a new ?? in your CachingMetadataManager Bean. In the securityContext.xml provided in the sample app:
<!-- IDP Metadata configuration - paths to metadata of IDPs in circle of trust is here -->
<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
<list>
<!-- Example of classpath metadata with Extended Metadata -->
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/idp.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
</bean>
</constructor-arg>
</bean>
<!-- Example of HTTP metadata without Extended Metadata -->
<bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
<!-- URL containing the metadata -->
<constructor-arg>
<value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
</constructor-arg>
<!-- Timeout for metadata loading in ms -->
<constructor-arg>
<value type="int">15000</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
<!-- Example of file system metadata without Extended Metadata -->
<bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
<constructor-arg>
<value type="java.io.File">/usr/local/metadata/idp.xml</value>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</list>
</constructor-arg>
</bean>
If you un-comment the second bean in the list, it will enable another IDP specified in the xml file provided at /usr/local/metadata/idp.xml. If you want to add the metadata of another IDP over http, just copy the one for ssocircle and make adjustments.

Signing Spring SAML SLO Response

I've configured the included sample application and am able successfully perform both IdP and SP initiated SSO, and SP initiated SLO (using POST)
However, when sending an IdP initiated logout using Ping Federate, it fails saying that the logout response must be signed (however it succeeds in OpenAM). Looking through the SAML messages, the logout response isn't signed (it seems that Ping Federate is more strict than OpenAM), from what I understand, the response should always be signed.
4.4.3.4 Session Participant/Authority Issues to Identity
Provider
...
It is RECOMMENDED that the HTTP exchanges in this step be made over either SSL 3.0 [SSL3] or
TLS 1.0 [RFC2246] to maintain confidentiality and message integrity. The
message MUST be signed if the HTTP POST or Redirect binding is used. The HTTP Artifact binding,
if used, also provides for an alternate means of authenticating the response issuer when the artifact is
dereferenced.
The relevant part of my securityContext.xml is here..
<bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
<constructor-arg>
<bean class="org.opensaml.saml2.metadata.provider.ResourceBackedMetadataProvider">
<constructor-arg>
<bean class="java.util.Timer"/>
</constructor-arg>
<constructor-arg>
<bean class="org.opensaml.util.resource.ClasspathResource">
<constructor-arg value="/metadata/moocow.xml"/>
</bean>
</constructor-arg>
<property name="parserPool" ref="parserPool"/>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="local" value="true"/>
<property name="securityProfile" value="metaiop"/>
<property name="sslSecurityProfile" value="pkix"/>
<property name="sslHostnameVerification" value="default"/>
<property name="signMetadata" value="false"/>
<property name="signingKey" value="apollo"/>
<property name="encryptionKey" value="apollo"/>
<property name="requireArtifactResolveSigned" value="false"/>
<property name="requireLogoutRequestSigned" value="true"/>
<property name="requireLogoutResponseSigned" value="true"/>
<property name="idpDiscoveryEnabled" value="false"/>
</bean>
</constructor-arg>
</bean>
However, I don't believe any of this applies to the signing of the response to the IdP.
Associated metadata file...
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="http___localhost_8080_spring-security-saml2-sample" entityID="http://localhost:8080/spring-security-saml2-sample">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>Stripped out for legibility
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8080/spring-security-saml2-sample/saml/SingleLogout"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8080/spring-security-saml2-sample/saml/SSO" index="0" isDefault="true"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
Am I missing something blindingly obvious here? Thanks.
John

Spring SAML quick start: Bean property 'signMetadata' is not writable or has an invalid setter method

I am attempting to go through the Spring Security SAML Quick Start at:
http://docs.spring.io/spring-security-saml/docs/1.0.0.RELEASE/reference/html/chapter-quick-start.html
I've gone through the four steps listed, done the two simple edits to sample/src/main/webapp/WEB-INF/securityContext.xml, and attempt to start the app as described in step 5.
I receive this error:
Bean property 'signMetadata' is not writable or has an invalid setter method.
Does the parameter type of the setter match the return type of the getter?
I have only changed the few lines of XML as described in the QuickStart.
That section of the relevant file looks like this:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="urn:test:chazlarson:waconia" />
<property name="signMetadata" value="false" />
</bean>
</constructor-arg>
</bean>
compared to the QuickStart's suggestion of:
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="replaceWithUniqueIdentifier"/>
<property name="signMetadata" value="false"/>
</bean>
</constructor-arg>
</bean>
What have I missed? I am sure this is simple, but I've gone through this simple process on two different machines with the same result.
Did you try this example?
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityId" value="replaceWithUniqueIdentifier"/>
<property name="extendedMetadata">
<bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
<property name="signMetadata" value="false"/>
<property name="idpDiscoveryEnabled" value="true"/>
</bean>
</property>
</bean>
</constructor-arg></bean>
I looked into MetadataGenerator class and there is no property signMetadata.
I would recommend you to follow this doc

Spring Security and LDAP MD5 authentication

I need to do spring security authentication where users whose passwords are stored in LDAP MD5 Hex encoding format using password comparison. For LDAP SHA encoding I can use LDAPShaPasswordEncoder. Which encoder should I use for LDAP MD5 encoding ?
<bean id="ldapAuthenticationProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<constructor-arg>
<bean class="org.springframework.security.ldap.authentication.PasswordComparisonAuthenticator">
<constructor-arg ref="contextSource" />
<property name="passwordEncoder">
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
</property>
<property name="userDnPatterns">
<list>
<value>uid={0},ou=people</value>
</list>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<constructor-arg ref="contextSource" />
<constructor-arg value="ou=groups" />
<property name="groupSearchFilter" value="(member={0})" />
<property name="rolePrefix" value="ROLE_" />
<property name="searchSubtree" value="true" />
<property name="convertToUpperCase" value="true" />
</bean>
</constructor-arg>
</bean>
There isn't one that supports MD5. You'd have to implement PasswordEncoder yourself. You can use LdapShaPasswordEncoder as a guide. It should be pretty straightforward, especially without salt involved.
You should probably start looking at migrating to a more secure system which includes salt in the hashes. For example, perhaps your directory can support multiple formats and you can use SSHA for new users or password changes.

Resources