Andrew,

iterations is used in 
apereo/cas/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/support/CasConfigurationJasyptCipherExecutor.java

iteration is used in 
apereo/cas/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/config/standalone/StandaloneConfigurationSecurityProperties.java

So it looks like the property was changed in one location (the second path 
above) which generates the 'failed to bind' message, but not the first path 
above.


Ray

On Fri, 2023-10-13 at 09:05 -0700, Andrew Marker wrote:
Notice: This message was sent from outside the University of Victoria email 
system. Please be cautious with links and sensitive information.

Hi all,

In 6.6 this still doesn't work as documented: 6.6x / Configuration / Securing 
Configuration Properties 
<https://apereo.github.io/cas/6.6.x/configuration/Configuration-Properties-Security-CAS.html#casstandaloneconfigurationsecurityiterationPropertyConfig>.


  *   If you use iteration (as documented)  OUTCOME: failure when the first 
encrypted property is accessed: CAS shuts down.

  *   If you use iterations OUTCOMES: success
     *   property is read and encrypted properties are decrypted during the 
initialization of CAS when they are accessed.
     *   An error message is written to the log

I have tested this passing it through at startup.

export CAS_STANDALONE_CONFIGURATION_SECURITY_ITERATION=35

or

--cas.standalone.configuration-security.iteration=35


When I use iterations it does, unless the iteration value is actually wrong.

I have been told that the unit test for this passes: great.  It doesn't 
actually mean at run time it functions as expected.


On Wednesday, September 7, 2022 at 5:03:10 PM UTC-5 Ray Bon wrote:
Andrew,

CamelCase or kebab-case does not matter, spring handles both (kebab is newer).
The options should have the same name regardless of where they are set. What 
differs is when they are processed during startup. Some other step is getting 
in the way for the property file, but it sounds like the developers know there 
is a problem with that 'other step'.

Ray

On Wed, 2022-09-07 at 13:02 -0700, Andrew Marker wrote:

Hi Ray,

Thanks for the response.

I initially found the issue I have described and provided the messages for when 
I was running v6.3.7.4.  It was not related to that version but it was at that 
point I was trying for the first time to encrypt properties.

I reached out to Unicon (in March 2022), with whom my organization contracts 
for open source support. I was looking for help to encrypt properties and 
I was trying to follow the guidance I could find in the CAS documentation.

After beginning the conversation much the way you have by identifying the 
properties as they are documented, we finally got beyond the point where we just 
refer to the documentation or the code references and through testing 
re-affirmed the failure I am describing.

I was told that it will be fixed in a future version, an answer that satisfied 
my need as I could continue to leverage the camelCase as described in the quasi 
official CAS how-to 
blog <https://fawnoos.com/2019/05/08/cas61x-jasypt-encryption/>.  Today, in 
v6.5.9 it still works with camelCase.

I'm trying to surface the issue now because with the move to v6.5.9 during my 
review the error message appeared at startup.

-- You cannot use the property as documented 
<https://apereo.github.io/cas/6.5.x/configuration/Configuration-Properties-Security.html#standalone>
or referred to in the Class you sent.   It just does not work when placed in 
the commandLineArgs collection.


If I use:

--cas.standalone.configuration-security.iterations=999
--cas.standalone.configurationSecurity.iterations=999


2022-09-07 14:39:35,708 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndTripleDES]>
2022-09-07 14:39:35,710 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>
2022-09-07 14:39:35,710 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt provider>
2022-09-07 14:39:35,717 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>

........

2022-09-07 14:39:38,243 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [cas.authn.ldap[0].bindCredential]>
2022-09-07 14:39:38,243 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Initializing Jasypt...>
2022-09-07 14:39:38,303 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypting value [wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==]...>
2022-09-07 14:39:38,319 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypted value [wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==] successfully.>


When I use what is documented:

--cas.standalone.configuration-security.iteration=999

2022-09-07 14:32:13,852 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndTripleDES]>
2022-09-07 14:32:13,853 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt password>
2022-09-07 14:32:13,853 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt provider>

      NO ITERATOR Picked up

.......

2022-09-07 14:32:16,279 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [cas.authn.ldap[0].bindCredential]>
2022-09-07 14:32:16,279 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Initializing Jasypt...>
2022-09-07 14:32:16,363 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypting value [wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==]...>
2022-09-07 14:32:16,416 ERROR [org.apereo.cas.util.crypto.CipherExecutor] - <Could not decrypt value [{cas-cipher}wLG8ti97SbbrP04JdOR4vW08qBOEd1c5yB9n4eMMNeNGQCVzoogUGA==]>


-------------------------------------------------------

If the fact is:  The documentation and class say: iteration but the command 
line uses iterations and that is intentional, it is confusing.

If this is good grammar and the tech document requires you to know the 
difference to make a jump from the literally represented value to the 
contextual place to use one vs the other.  Man it would be great if that was 
explained in the documentation. I've always been able to just use the property 
as documented.


On Tuesday, September 6, 2022 at 3:58:40 PM UTC-5 Ray Bon wrote:
Andrew,

The current property is 'iteration'; 
https://github.com/apereo/cas/blob/6.5.x/api/cas-server-core-api-configuration-model/src/main/java/org/apereo/cas/configuration/model/core/config/standalone/StandaloneConfigurationSecurityProperties.java

'iterations' "worked" because the real default was used; since 'Failed to bind 
properties' message was printed.
Maybe setting debug/trace logging for org.apereo.cas.util will provide some 
more insight.

Ray

On Tue, 2022-09-06 at 11:40 -0700, Andrew Marker wrote:

In my CAS instance:
These  are working with error message:
* cas.standalone.configuration-security.iterations
* cas.standalone.configurationsecurity.iterations


This is what is documented and it fails:

* cas.standalone.configuration-security.iteration

On Tuesday, September 6, 2022 at 1:34:03 PM UTC-5 Andrew Marker wrote:
The warning message about the property seems to be incorrect, and using the 
documented property seems to lead to failure.

Today, I was testing a move from v6.5.7 to v6.5.9 and I saw a warning that I 
did not see in the previous version at runtime.  I'm not having a functional 
problem, but there seems to be a disconnect between the code and the 
documentation.

When I start CAS, I am seeing the following ERROR.

Failed to bind properties under 'cas' to 
org.apereo.cas.configuration.CasConfigurationProperties

    cas.standalone.configurationsecurity.iterations = 999 (Origin: 
"cas.standalone.configurationSecurity.iterations" from property source 
"commandLineArgs")

----------------------------

The documented property is:

cas.standalone.configuration-security.iteration=999

2022-09-06 12:58:30,001 ERROR [org.apereo.cas.util.crypto.CipherExecutor] - 
<Could not decrypt value [{cas-cipher}someawesometext]

> It appears the documented property does not work

----------------------

To try to understand the scope I tried the following:

2022-09-06 13:13:22,629 ERROR 
[org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <

Failed to bind properties under 'cas' to 
org.apereo.cas.configuration.CasConfigurationProperties

    cas.standalone.configuration-security.iterations = 999

This however seemed still to function.

----------------------

In the event my original was incorrect and being ignored giving way to the 
default, I tried what is posted.

cas.standalone.configuration-security.iteration=0

This too led to a fail to decrypt message.

----------------------

Using the old naming convention, I pass

  *   iterations
  *   password
  *   provider (SunJCE).

I've never needed to pass:

  *   Algorithm
  *   Initialization vector

Is there some additional requirement necessary to move to the new property 
names?


--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory 
the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose 
historical relationships with the land continue to this day.
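
Added example, not part of the original thread and not CAS project code: a startup-log check for the two symptoms discussed above, a property rejected with 'Failed to bind properties' and a Jasypt iteration setting that was never picked up before a decrypt failure. The function name audit, the sample logs (constructed from the entries quoted in the thread, one entry per line) and the placeholder ciphertext are assumptions; it needs DEBUG/TRACE logging on org.apereo.cas.util as Ray suggests.

```python
import re

# Constructed samples modelled on the log entries quoted in the thread (one entry per line);
# "someawesometext" is a placeholder ciphertext.
RUN_PLURAL = """\
2022-09-07 14:39:35,708 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndTripleDES]>
2022-09-07 14:39:35,717 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt iterations>
2022-09-07 14:39:36,100 ERROR [org.apereo.cas.configuration.CasConfigurationPropertiesValidator] - <
Failed to bind properties under 'cas' to org.apereo.cas.configuration.CasConfigurationProperties

    cas.standalone.configurationsecurity.iterations = 999 (Origin: "cas.standalone.configurationSecurity.iterations" from property source "commandLineArgs")
2022-09-07 14:39:38,243 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [cas.authn.ldap[0].bindCredential]>
2022-09-07 14:39:38,319 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Decrypted value [someawesometext] successfully.>
"""
RUN_SINGULAR = """\
2022-09-07 14:32:13,852 DEBUG [org.apereo.cas.util.crypto.CipherExecutor] - <Configured Jasypt algorithm [PBEWithMD5AndTripleDES]>
2022-09-07 14:32:16,279 TRACE [org.apereo.cas.util.crypto.CipherExecutor] - <Attempting to decode key [cas.authn.ldap[0].bindCredential]>
2022-09-07 14:32:16,416 ERROR [org.apereo.cas.util.crypto.CipherExecutor] - <Could not decrypt value [{cas-cipher}someawesometext]>
"""

CONFIGURED = re.compile(r"<Configured Jasypt (\w+)")
DECODE_KEY = re.compile(r"<Attempting to decode key \[(.+)\]>")
DECRYPT_FAIL = re.compile(r"<Could not decrypt value")
BIND_FAIL = re.compile(r"Failed to bind properties under")
REJECTED = re.compile(r"^\s+(cas\.[\w.\-\[\]]+)\s*=")

def audit(log_text):
    """Return a list of findings for one CAS startup log."""
    configured, rejected, failed, last_key, in_bind = set(), [], [], None, False
    for line in log_text.splitlines():
        if BIND_FAIL.search(line):
            in_bind = True                 # rejected property names follow, indented
        elif in_bind and (m := REJECTED.match(line)):
            rejected.append(m.group(1))
        elif m := CONFIGURED.search(line):
            configured.add(m.group(1))     # which Jasypt settings were actually read
        elif m := DECODE_KEY.search(line):
            last_key = m.group(1)          # remember the key for a later failure entry
        elif DECRYPT_FAIL.search(line):
            failed.append(last_key)
        if line.strip() and not line.startswith(" ") and not BIND_FAIL.search(line):
            in_bind = False                # a new unindented entry ends the bind-error block
    findings = [f"unbound property: {name}" for name in rejected]
    if configured and "iterations" not in configured:
        findings.append("Jasypt iterations never configured")
    findings += [f"decrypt failed: {key}" for key in failed]
    return findings
```
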


