Encrypted credentials in Maven with jasypt

When developing enterprise applications, it is best practice to check the source code into a version control system. In addition to the code, configuration settings and credentials are often checked in as well.

This is usually no problem for test environments, but configurations for production environments perhaps should not be readable by everyone who has access to the version control system.

This can be solved using some type of access control on the version control system.

Or the credentials can be entered as parameters during the build or deployment for production. That is only a feasible solution for one or two credentials.

Another solution is to encrypt the confidential data and decrypt it with a master password. This solution is supported by the Java library jasypt.

Credit for the basic implementation with Ant goes to my former colleague Mr. Wiedemann. I have adapted the solution for use with Maven.

Jasypt doesn’t provide a Maven plugin, so we need some glue code to use the jasypt library. We write the glue code in Groovy, because there is a Maven plugin that executes Groovy code in an easy way. The final solution looks like this:

    <plugin>
      <groupId>org.codehaus.gmaven</groupId>
      <artifactId>groovy-maven-plugin</artifactId>
      <executions>
        <execution>
          <id>decrypt-passwords</id>
          <phase>validate</phase>
          <goals>
            <goal>execute</goal>
          </goals>
          <configuration>
            <source>
              import org.jasypt.properties.EncryptableProperties
              import org.jasypt.encryption.pbe.StandardPBEStringEncryptor

              // Without a master password, leave all properties untouched.
              if (properties["jasypt.encryption.password"] == null) {
                ant.echo "[INFO] jasypt.encryption.password not set, passwords will not be decrypted."
                return
              }

              // Password-based encryptor keyed with the master password.
              StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor()
              encryptor.setPassword(properties["jasypt.encryption.password"])

              // EncryptableProperties decrypts ENC(...) values when they are read.
              Properties props = new EncryptableProperties((Properties) properties, encryptor)

              // Copy the decrypted values back into the Maven project properties.
              props.propertyNames().each {
                if (!it.startsWith("resolved")) {
                  project.properties[it] = props.getProperty(it)
                }
              }
            </source>
          </configuration>
        </execution>
      </executions>
      <dependencies>
        <dependency>
          <groupId>org.jasypt</groupId>
          <artifactId>jasypt</artifactId>
          <version>1.9.2</version>
        </dependency>
      </dependencies>
    </plugin>

If the property jasypt.encryption.password is not set, the plugin prints an info message and does nothing. Otherwise the plugin decrypts every encrypted property and replaces its value with the decrypted value. The value can be encrypted on the command line. The encrypted value has to be wrapped in ENC(). The final property looks like this:

    admin.password=ENC(RJJ37UPsM2CstIQPohskn7Yn05gtrIK0)

In the dependencies section we add the jasypt library. The plugin should run during the validate phase.
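A check that complements this setup, as an added example that is not part of the original post: a small Python script for a CI job or pre-commit hook that reads a properties file and reports secret-looking keys whose values are not wrapped in ENC(), as well as a committed jasypt.encryption.password. The key-name pattern, the function names and the sample file are assumptions made for illustration, and multi-line property values are not handled.

```python
import re

# Assumption: key-name fragments that usually mark a secret; tune per project.
SECRET_KEY = re.compile(r"password|passwd|secret|token|api[._-]?key", re.I)
# ENC(...) wrapper from the post, with a Base64 payload inside.
ENC_VALUE = re.compile(r"ENC\([A-Za-z0-9+/=]+\)")
# Master password property read by the Groovy glue code; must never be committed.
MASTER_KEY = "jasypt.encryption.password"

# Constructed sample file; only the admin.password line is taken from the post.
SAMPLE = """\
# production settings
admin.user=admin
admin.password=ENC(RJJ37UPsM2CstIQPohskn7Yn05gtrIK0)
db.password=s3cret-in-clear
smtp.password = ${smtp.password}
jasypt.encryption.password=master
ldap.bind.secret=ENC(not base64!)
"""


def parse_properties(text):
    """Yield (line_no, key, value) for single-line key=value or key:value entries."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            yield no, m.group(1), m.group(2)


def audit(text):
    """Return (line_no, key, problem) for every entry that leaks a secret."""
    findings = []
    for no, key, value in parse_properties(text):
        if key == MASTER_KEY:
            findings.append((no, key, "master password committed"))
        elif not SECRET_KEY.search(key) or not value:
            continue
        elif value.startswith("${") and value.endswith("}"):
            continue  # Maven placeholder, resolved at build time
        elif not ENC_VALUE.fullmatch(value):
            findings.append((no, key, "value not wrapped in ENC()"))
    return findings


if __name__ == "__main__":
    for no, key, problem in audit(SAMPLE):
        print(f"line {no}: {key}: {problem}")
```
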

Bernhard Mähr @ OPITZ-CONSULTING published at https://thecattlecrew.wordpress.com/


One response to Encrypted credentials in Maven with jasypt

  1. matez (@matez) says:

    good work Bernhard 🙂
