Note that Jasypt is just a wrapper around Java's symmetric encryption
algorithms.

Yeah, you've encrypted the passwords in the cas.properties file, but the
Jasypt key to decrypt them has to exist in plaintext in the startup script
(systemd service file, /etc/init.d script, etc.) for the server (unless you
want to enter it by hand whenever the system reboots)... so all you've
really accomplished is moving the plaintext from one file to another.

Plus Jasypt seems to be kind of dead (it hasn't been updated since 2014 and
doesn't work with some of Java's newer crypto algorithms).

If you're really concerned about it, you probably want to look at storing
your configuration info in a heavily-fortified Spring Cloud Configuration
server somewhere. But unless you're already drinking the Spring Cloud
Kool-Aid in your organization and have such a framework rolled out, that's
a WHOLE LOT of work for very little gain.



--

DAVID A. CURRY, CISSP
*DIRECTOR OF INFORMATION SECURITY*
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.cu...@newschool.edu

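A defender-side check that follows from the point above, added here as an example (it is not code from this thread or from the CAS project): scan a service's start-up definitions for a Jasypt decryption key handed to the JVM in the clear. The property and variable names it looks for, and the sample unit and init script, are assumptions constructed for the example.

```python
"""Scan start-up definitions for a Jasypt key passed in the clear.

Added example, not code from the thread or from CAS. The key/property names
below are assumptions about how a deployment might hand the key to the JVM;
adjust PATTERNS to the names your own start-up scripts actually use."""
import re

# Assumed ways a Jasypt key might reach the JVM at start-up:
#   -Dcas.standalone.config.security.psw=...            (system property, assumed name)
#   Environment=CAS_STANDALONE_CONFIG_SECURITY_PSW=...  (systemd unit, assumed name)
#   export JASYPT_PASSWORD=...                          (init script, assumed name)
PATTERNS = [
    re.compile(r'-D(?P<key>[\w.]*(?:psw|password|jasypt)[\w.]*)=(?P<val>\S+)', re.I),
    re.compile(r'^\s*Environment="?(?P<key>\w*(?:PSW|PASSWORD|JASYPT)\w*)=(?P<val>[^"\s]+)', re.I),
    re.compile(r'^\s*(?:export\s+)?(?P<key>\w*(?:PSW|PASSWORD|JASYPT)\w*)=(?P<val>\S+)', re.I),
]


def find_exposed_keys(text):
    """Return (line_no, key_name) for every line that carries a key literal in the clear.

    A value that is itself a runtime reference (a $VAR, $(...) or `...` expansion)
    is not reported: the literal secret lives elsewhere, which is the whole point."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m and not m.group("val").startswith(("$", "`")):
                findings.append((n, m.group("key")))
                break  # one finding per line is enough
    return findings


# Constructed samples: a systemd unit that leaks the key twice, and an init-style
# script that reads it at runtime from a protected file instead.
SAMPLE_UNIT = """[Service]
User=cas
Environment=JAVA_OPTS=-Xmx2g
Environment=CAS_STANDALONE_CONFIG_SECURITY_PSW=hunter2
ExecStart=/usr/bin/java -Dcas.standalone.config.security.psw=hunter2 -jar /opt/cas/cas.war
"""
SAMPLE_INIT = """#!/bin/sh
export JAVA_HOME=/usr/lib/jvm/java-8
export JASYPT_PASSWORD=$(cat /run/secrets/jasypt)   # read at runtime, not a literal
exec java -jar /opt/cas/cas.war
"""

if __name__ == "__main__":
    for name, text in (("unit", SAMPLE_UNIT), ("init", SAMPLE_INIT)):
        print(name, find_exposed_keys(text))
```

Even a clean result only means the literal is not in the start-up file; whatever file or secret store the runtime reference points at still needs its own access control.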

On Wed, Feb 28, 2018 at 4:35 PM, Man H <info.ings...@gmail.com> wrote:

> How do you get to the password?
>
> 2018-02-28 18:34 GMT-03:00 Kevin Liu <annihil8...@gmail.com>:
>
>> I guess the easiest would be physical access. There are other various
>> intrusion methods too.
>>
>> On Wednesday, February 28, 2018 at 3:29:40 PM UTC-6, Manfredo Hopp wrote:
>>>
>>> How should the server be compromised?
>>>
>>> 2018-02-28 18:12 GMT-03:00 Kevin Liu <annih...@gmail.com>:
>>>
>>>> Should the server be compromised, attackers can grab AD credentials and
>>>> then verify all accounts with compromised credentials.
>>>>
>>>> My solution to this is to not have clear text (seems genius right? ;)
>>>> ). According to one of CAS's blogs,
>>>> https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/,
>>>> jasypt is the method to use.
>>>>
>>>> On Wednesday, February 28, 2018 at 3:02:15 PM UTC-6, Manfredo Hopp
>>>> wrote:
>>>>>
>>>>> What would be the problem with having it in cleartext on the server?
>>>>>
>>>>> 2018-02-28 17:02 GMT-03:00 Kevin Liu <annih...@gmail.com>:
>>>>>
>>>>>> I'd like to do this because this way, I won't have bindCredentials
>>>>>> in cleartext.
>>>>>>
>>>>>> On Tuesday, February 27, 2018 at 11:29:22 AM UTC-6, Kevin Liu wrote:
>>>>>>>
>>>>>>> Does anyone know how to reference the login page password in
>>>>>>> cas.properties? I know for username, you use %s but what about the 
>>>>>>> password?
>>>>>>>
>>>>>> --
>>>>>> - Website: https://apereo.github.io/cas
>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "CAS Community" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to cas-user+u...@apereo.org.
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/d18e
>>>>>> 508b-f92f-4cf9-bc2f-9125f629b0a0%40apereo.org
>>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/d18e508b-f92f-4cf9-bc2f-9125f629b0a0%40apereo.org?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>>
>>>>>
>>>
>
