Hi there,
I run CAS 5.2.3 as a standalone web application WAR in the Tomcat
container. I am trying to configure the {cipher} option to encrypt passwords in
the configuration files.
First, I added the following properties to the CAS configuration, without
{cipher} on any of the fields:
cas.standalone.config.security.psw=SomePassword
cas.standalone.config.security.alg=PBEWithMD5AndTripleDES
The CAS log produces the following result, which looks like everything is fine:
CAS works in standalone mode and reads the password and the algorithm
correctly.
2018-05-08 17:38:39,791 TRACE
[org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition]
- <Condition EncryptionBootstrapConfiguration.KeyCondition on
org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$VanillaEncryptionConfiguration
did not match due to Keystore nor key found in Environment>
2018-05-08 17:38:41,171 DEBUG
[org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] -
<Configured jasyptInstance algorithm [PBEWithMD5AndTripleDES]>
2018-05-08 17:38:41,173 DEBUG
[org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] -
<Configured jasyptInstance password>
2018-05-08 17:38:41,174 DEBUG
[org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] -
<Configured jasyptInstance provider>
2018-05-08 17:38:41,406 DEBUG
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
- <No properties were located inside [class path resource
[application.yml]]>
2018-05-08 17:38:41,407 DEBUG
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
- <Located CAS standalone configuration directory at
[/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf]>
2018-05-08 17:38:41,415 DEBUG
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
- <Looking for configuration files at
[/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf] that match the
pattern
[(cas|standalone|application-cas|application-standalone|application)\.(yml|properties)]>
2018-05-08 17:38:41,430 INFO
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
- <Configuration files found at
[/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf] are
[[/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]]>
2018-05-08 17:38:41,438 DEBUG
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
- <Loading configuration file
[/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]>
2018-05-08 17:38:41,439 DEBUG
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
- <Found settings [[cas.standalone.config.security.alg,
cas.standalone.config.security.psw]] in file
[/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]>
2018-05-08 17:38:41,442 DEBUG
[org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration]
- <Located setting(s) [[cas.standalone.config.security.alg,
cas.standalone.config.security.psw]] from
[/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf]>
2018-05-08 17:38:41,483 INFO
[org.apereo.cas.web.CasWebApplicationServletInitializer] - <The following
profiles are active: standalone>
However, as soon as I add an encrypted value to one of the fields, like this
one:
cas.authn.ldap[1].bindCredential={cipher}EncryptedPassword
CAS produces the following exception immediately at startup, without the
CasConfigurationJasyptDecryptor initialization that it performed when no
{cipher}-encrypted fields were present.
It seems that CAS is trying to decrypt the ciphered field before
initializing the decryptor.
2018-05-08 17:47:02,231 TRACE
[org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition]
- <Condition EncryptionBootstrapConfiguration.KeyCondition on
org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$VanillaEncryptionConfiguration
did not match due to Keystore nor key found in Environment>
2018-05-08 17:47:03,565 ERROR [org.springframework.boot.SpringApplication]
- <Application startup failed>
java.lang.IllegalStateException: Cannot decrypt:
key=cas.authn.ldap[1].bindCredential
at
org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:201)
~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
at
org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:165)
~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
at
org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:95)
~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
at
org.springframework.cloud.bootstrap.BootstrapApplicationListener$DelegatingEnvironmentDecryptApplicationInitializer.initialize(BootstrapApplicationListener.java:370)
~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
at
org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:567)
~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at
org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:338)
~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at
org.springframework.boot.SpringApplication.run(SpringApplication.java:301)
~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at
org.springframework.boot.web.support.SpringBootServletInitializer.run(SpringBootServletInitializer.java:154)
~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at
org.springframework.boot.web.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:134)
~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at
org.springframework.boot.web.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:87)
~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at
org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:169)
~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at
org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5196)
~[catalina.jar:8.5.15]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
~[catalina.jar:8.5.15]
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752)
~[catalina.jar:8.5.15]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728)
~[catalina.jar:8.5.15]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
~[catalina.jar:8.5.15]
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:952)
~[catalina.jar:8.5.15]
at
org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1823)
~[catalina.jar:8.5.15]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
~[?:1.8.0_131]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_131]
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
~[?:1.8.0_131]
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
~[?:1.8.0_131]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Caused by: java.lang.UnsupportedOperationException: No decryption for
FailsafeTextEncryptor. Did you configure the keystore correctly?
at
org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:154)
~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
at
org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:193)
~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
... 22 more
I would appreciate any help on how to make ciphered fields work. I
followed the CAS/LDAP/Jasypt tutorial on how to make cipher fields work in the
standalone CAS configuration (at least I think so):
https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/.
Thank you,
Mark
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/494ed223-b23c-411b-a4b8-7641936f8d10%40apereo.org.
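The startup failure above comes from a `{cipher}` value being decrypted at boot before anything usable is configured to decrypt it. A quick pre-deployment check that catches the configuration side of that problem is shown below. This is an added example written for this thread, not CAS, Jasypt or Spring Cloud code: it parses a `cas.properties` file, lists every `{cipher}`-prefixed value, verifies that the two Jasypt settings the post uses (`cas.standalone.config.security.psw` and `cas.standalone.config.security.alg`) are present and not themselves encrypted, and flags credential-looking keys that are still stored in plaintext. The sample property file is constructed for the example; the only real names in it are the ones that appear in the post.

```python
"""Lint a CAS standalone cas.properties file for {cipher} usage.

Added example, not project code. It encodes the rule the thread illustrates:
every value prefixed with {cipher} is decrypted during startup, so the Jasypt
password and algorithm must be present in the configuration and must not be
{cipher}-encrypted themselves. Property keys are taken from the post; the
sample file below is constructed.
"""
import re
from dataclasses import dataclass, field

CIPHER_PREFIX = "{cipher}"
PSW_KEY = "cas.standalone.config.security.psw"
ALG_KEY = "cas.standalone.config.security.alg"
# Key fragments that usually hold secrets; used only to flag plaintext values.
SECRET_HINTS = ("password", "credential", "secret")

# Constructed sample: two LDAP bind credentials, one encrypted and one not.
SAMPLE_OK = """\
# Jasypt settings for the standalone profile
cas.standalone.config.security.psw=SomePassword
cas.standalone.config.security.alg=PBEWithMD5AndTripleDES
cas.authn.ldap[0].bindCredential=PlaintextBindPassword
cas.authn.ldap[1].bindCredential={cipher}EncryptedPassword
"""

# Constructed sample: same file with the Jasypt password left out.
SAMPLE_BROKEN = """\
cas.standalone.config.security.alg=PBEWithMD5AndTripleDES
cas.authn.ldap[1].bindCredential={cipher}EncryptedPassword
"""


@dataclass
class Report:
    encrypted: list = field(default_factory=list)          # keys carrying {cipher}
    plaintext_secrets: list = field(default_factory=list)  # credential keys left in clear
    problems: list = field(default_factory=list)           # reasons startup would fail

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments,
    no line continuations. Enough for a CAS settings file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_cipher_config(text: str) -> Report:
    """Return a Report describing {cipher} usage and any settings that would
    make boot-time decryption fail."""
    props = parse_properties(text)
    rep = Report()
    for key, value in props.items():
        if value.startswith(CIPHER_PREFIX):
            rep.encrypted.append(key)
        elif any(h in key.lower() for h in SECRET_HINTS):
            rep.plaintext_secrets.append(key)
    if rep.encrypted:
        for needed in (PSW_KEY, ALG_KEY):
            if needed not in props:
                rep.problems.append(
                    f"{needed} is missing but {len(rep.encrypted)} {{cipher}} value(s) need it")
            elif props[needed].startswith(CIPHER_PREFIX):
                rep.problems.append(f"{needed} must not itself be {{cipher}}-encrypted")
    return rep


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        rep = check_cipher_config(text)
        print(f"[{name}] encrypted={rep.encrypted} plaintext={rep.plaintext_secrets} "
              f"problems={rep.problems}")
```

Running it on the two samples reports the second file as unable to start because the Jasypt password is absent, and flags `cas.authn.ldap[0].bindCredential` in the first as a credential still stored in the clear. The Jasypt password itself necessarily stays outside the `{cipher}` scheme, so the file that holds it needs the same filesystem protection as the plaintext credentials it replaces.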