Hi there,

I run CAS 5.2.3 as a standalone web application WAR in the Tomcat 
container. I am trying to configure the {cipher} option to encrypt passwords in 
the configuration files.

First, I added the following properties to the CAS configuration, with no 
{cipher} prefix on any of the fields:

cas.standalone.config.security.psw=SomePassword
cas.standalone.config.security.alg=PBEWithMD5AndTripleDES

The CAS log produces the following output, which looks like everything is fine: 
CAS works in standalone mode and reads the password and the algorithm 
correctly.

2018-05-08 17:38:39,791 TRACE [org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition] - <Condition EncryptionBootstrapConfiguration.KeyCondition on org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$VanillaEncryptionConfiguration did not match due to Keystore nor key found in Environment>
2018-05-08 17:38:41,171 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance algorithm [PBEWithMD5AndTripleDES]>
2018-05-08 17:38:41,173 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance password>
2018-05-08 17:38:41,174 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance provider>
2018-05-08 17:38:41,406 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <No properties were located inside [class path resource [application.yml]]>
2018-05-08 17:38:41,407 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Located CAS standalone configuration directory at [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf]>
2018-05-08 17:38:41,415 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Looking for configuration files at [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf] that match the pattern [(cas|standalone|application-cas|application-standalone|application)\.(yml|properties)]>
2018-05-08 17:38:41,430 INFO [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Configuration files found at [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf] are [[/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]]>
2018-05-08 17:38:41,438 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Loading configuration file [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]>
2018-05-08 17:38:41,439 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Found settings [[cas.standalone.config.security.alg, cas.standalone.config.security.psw]] in file [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]>
2018-05-08 17:38:41,442 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Located setting(s) [[cas.standalone.config.security.alg, cas.standalone.config.security.psw]] from [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf]>
2018-05-08 17:38:41,483 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <The following profiles are active: standalone>

However, as soon as I add an encrypted value to one of the fields, like this 
one:

cas.authn.ldap[1].bindCredential={cipher}EncryptedPassword

CAS produces the following exception immediately after startup, without the 
CasConfigurationJasyptDecryptor initialization it performed when no {cipher} 
encrypted fields were present. 

It seems that CAS is trying to decrypt the ciphered field before 
initializing the decryptor. 

2018-05-08 17:47:02,231 TRACE [org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition] - <Condition EncryptionBootstrapConfiguration.KeyCondition on org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$VanillaEncryptionConfiguration did not match due to Keystore nor key found in Environment>
2018-05-08 17:47:03,565 ERROR [org.springframework.boot.SpringApplication] - <Application startup failed>
java.lang.IllegalStateException: Cannot decrypt: key=cas.authn.ldap[1].bindCredential
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:201) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:165) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:95) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
    at org.springframework.cloud.bootstrap.BootstrapApplicationListener$DelegatingEnvironmentDecryptApplicationInitializer.initialize(BootstrapApplicationListener.java:370) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:567) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:338) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:301) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.boot.web.support.SpringBootServletInitializer.run(SpringBootServletInitializer.java:154) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.boot.web.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:134) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.boot.web.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:87) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
    at org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:169) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5196) ~[catalina.jar:8.5.15]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[catalina.jar:8.5.15]
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752) ~[catalina.jar:8.5.15]
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728) ~[catalina.jar:8.5.15]
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734) ~[catalina.jar:8.5.15]
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:952) ~[catalina.jar:8.5.15]
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1823) ~[catalina.jar:8.5.15]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[?:1.8.0_131]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_131]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_131]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_131]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
    at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:154) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
    at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:193) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
    ... 22 more


I would appreciate any help on how to make ciphered fields work. I 
followed the CAS/LDAP/Jasypt tutorial on how to use cipher fields in the 
standalone CAS configuration (at least I think so): 
https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/.

Thank you,
Mark
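As an added example (not code from the post, the tutorial or the CAS project), this is the Jasypt round trip that produces a value for a `{cipher}` property using the algorithm and password the post configures, then checks that a fresh encryptor, built the way CAS would build one at startup, recovers the plaintext. The bind secret is a constructed sample, and the block relies on Jasypt's default provider, salt generator and iteration count, which must match whatever the CAS instance is configured with or decryption will fail.

```java
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;

public class CasJasyptRoundTrip {
    // Same settings the post places in cas.properties:
    //   cas.standalone.config.security.alg=PBEWithMD5AndTripleDES
    //   cas.standalone.config.security.psw=SomePassword
    static final String ALGORITHM = "PBEWithMD5AndTripleDES";
    static final String PASSWORD = "SomePassword";

    // Build an encryptor exactly as a decrypting side would, so the two
    // sides can only agree if algorithm, password and iterations match.
    static StandardPBEStringEncryptor newEncryptor() {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setAlgorithm(ALGORITHM);
        enc.setPassword(PASSWORD);
        // Jasypt defaults: SunJCE provider, random salt, 1000 iterations.
        return enc;
    }

    // Produce the property line for a {cipher}-prefixed setting.
    static String cipherProperty(String key, String plaintext) {
        String ciphertext = newEncryptor().encrypt(plaintext); // Base64, random salt
        return key + "={cipher}" + ciphertext;
    }

    // Strip the prefix and decrypt with an independent encryptor instance.
    static String decryptProperty(String value) {
        String prefix = "{cipher}";
        if (!value.startsWith(prefix)) {
            throw new IllegalArgumentException("value is not {cipher}-prefixed");
        }
        return newEncryptor().decrypt(value.substring(prefix.length()));
    }

    public static void main(String[] args) {
        String secret = "ldap-bind-secret"; // constructed sample, not a real credential
        String line = cipherProperty("cas.authn.ldap[1].bindCredential", secret);
        System.out.println(line);

        String recovered = decryptProperty(line.substring(line.indexOf('=') + 1));
        if (!secret.equals(recovered)) {
            throw new IllegalStateException("round trip failed");
        }
        System.out.println("round trip OK");
    }
}
```

Because the salt is random, every run prints a different ciphertext for the same secret; all of them decrypt with the same password and algorithm.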
