Hi there,

I run CAS 5.2.3 as a standalone web application WAR in the Tomcat container. I am trying to configure the {cipher} option to encrypt passwords in the configuration files.

First, I added the following properties to the CAS configuration, with no {cipher} for any of the fields:

    cas.standalone.config.security.psw=SomePassword
    cas.standalone.config.security.alg=PBEWithMD5AndTripleDES

The CAS log produces the following result, which looks like everything is fine: CAS works in the standalone mode and reads the password and the algorithm correctly.

    2018-05-08 17:38:39,791 TRACE [org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition] - <Condition EncryptionBootstrapConfiguration.KeyCondition on org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$VanillaEncryptionConfiguration did not match due to Keystore nor key found in Environment>
    2018-05-08 17:38:41,171 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance algorithm [PBEWithMD5AndTripleDES]>
    2018-05-08 17:38:41,173 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance password>
    2018-05-08 17:38:41,174 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance provider>
    2018-05-08 17:38:41,406 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <No properties were located inside [class path resource [application.yml]]>
    2018-05-08 17:38:41,407 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Located CAS standalone configuration directory at [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf]>
    2018-05-08 17:38:41,415 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Looking for configuration files at [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf] that match the pattern [(cas|standalone|application-cas|application-standalone|application)\.(yml|properties)]>
    2018-05-08 17:38:41,430 INFO [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Configuration files found at [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf] are [[/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]]>
    2018-05-08 17:38:41,438 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Loading configuration file [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]>
    2018-05-08 17:38:41,439 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Found settings [[cas.standalone.config.security.alg, cas.standalone.config.security.psw]] in file [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]>
    2018-05-08 17:38:41,442 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Located setting(s) [[cas.standalone.config.security.alg, cas.standalone.config.security.psw]] from [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf]>
    2018-05-08 17:38:41,483 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <The following profiles are active: standalone>

However, as soon as I add an encrypted value to one of the fields, like this one:

    cas.authn.ldap[1].bindCredential={cipher}EncryptedPassword

CAS produces the following exception immediately after startup, without the CasConfigurationJasyptDecryptor initialization that it performed when no {cipher} encrypted fields were present. It seems that CAS is trying to decrypt the ciphered field before initializing the decryptor.

    2018-05-08 17:47:02,231 TRACE [org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition] - <Condition EncryptionBootstrapConfiguration.KeyCondition on org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$VanillaEncryptionConfiguration did not match due to Keystore nor key found in Environment>
    2018-05-08 17:47:03,565 ERROR [org.springframework.boot.SpringApplication] - <Application startup failed>
    java.lang.IllegalStateException: Cannot decrypt: key=cas.authn.ldap[1].bindCredential
        at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:201) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
        at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:165) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
        at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:95) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
        at org.springframework.cloud.bootstrap.BootstrapApplicationListener$DelegatingEnvironmentDecryptApplicationInitializer.initialize(BootstrapApplicationListener.java:370) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:567) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:338) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:301) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.boot.web.support.SpringBootServletInitializer.run(SpringBootServletInitializer.java:154) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.boot.web.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:134) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.boot.web.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:87) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
        at org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:169) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5196) ~[catalina.jar:8.5.15]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[catalina.jar:8.5.15]
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752) ~[catalina.jar:8.5.15]
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728) ~[catalina.jar:8.5.15]
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734) ~[catalina.jar:8.5.15]
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:952) ~[catalina.jar:8.5.15]
        at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1823) ~[catalina.jar:8.5.15]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[?:1.8.0_131]
        at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_131]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_131]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
    Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
        at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:154) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
        at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:193) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
        ... 22 more

I would appreciate any help about how to make ciphered fields work. I followed the CAS/LDAP/Jasypt tutorial about how to make cipher fields in the standalone CAS configuration (at least I think so): https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/.

Thank you,
Mark
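
Added example, not part of the original post and not CAS or Spring code: a Python triage of the two startup logs quoted above. It reports which class threw the {cipher} failure, whether the root cause was Spring Cloud's FailsafeTextEncryptor with no key in the Environment, and whether CasConfigurationJasyptDecryptor ever logged its setup. The function name, the verdict labels and the shortened sample lines are assumptions made for this example.

```python
import re

# Constructed sample input: shortened copies of the log lines quoted in the post.
OK_LOG = """\
2018-05-08 17:38:39,791 TRACE [org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition] - <Condition ... did not match due to Keystore nor key found in Environment>
2018-05-08 17:38:41,171 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance algorithm [PBEWithMD5AndTripleDES]>
2018-05-08 17:38:41,483 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <The following profiles are active: standalone>
"""
FAIL_LOG = """\
2018-05-08 17:47:02,231 TRACE [org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition] - <Condition ... did not match due to Keystore nor key found in Environment>
2018-05-08 17:47:03,565 ERROR [org.springframework.boot.SpringApplication] - <Application startup failed>
java.lang.IllegalStateException: Cannot decrypt: key=cas.authn.ldap[1].bindCredential
\tat org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:201)
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
"""

def triage(log):
    """Report which component handled {cipher} values in a CAS startup log."""
    alg = re.search(r"CasConfigurationJasyptDecryptor\] - "
                    r"<Configured jasyptInstance algorithm \[([^\]]+)\]", log)
    failed = re.search(r"IllegalStateException: Cannot decrypt: key=(\S+)", log)
    cause = re.search(r"^Caused by: [\w.$]+: No decryption for (\w+)", log, re.M)
    # First stack frame = the class that actually threw "Cannot decrypt".
    frames = re.findall(r"^\s*at ([\w.$]+)\.\w+\(", log, re.M)
    thrower = frames[0].rsplit(".", 1)[-1] if frames else None
    no_key = "Keystore nor key found in Environment" in log
    if failed and cause and cause.group(1) == "FailsafeTextEncryptor" and not alg:
        # Spring Cloud hit the {cipher} value with no key configured, and the
        # CAS Jasypt decryptor never logged its setup before the failure.
        verdict = "spring-cloud-failsafe"
    elif failed:
        verdict = "decrypt-failed"
    elif alg:
        verdict = "jasypt-configured"
    else:
        verdict = "unknown"
    return {
        "verdict": verdict,
        "failed_key": failed.group(1) if failed else None,
        "thrown_by": thrower,
        "spring_cloud_key_missing": no_key,
        "jasypt_algorithm": alg.group(1) if alg else None,
    }

if __name__ == "__main__":
    for name, log in (("without {cipher}", OK_LOG), ("with {cipher}", FAIL_LOG)):
        print(name, triage(log))
```

Both logs carry the same "Keystore nor key found in Environment" line, so the fail-safe encryptor is in place on every start; only a {cipher} value visible to Spring Cloud's initializer makes it throw.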