Encrypted credentials in Maven with jasypt



When developing enterprise applications it is best practice to check the source code into a version control system. Along with the code, configuration settings and credentials are often checked in as well.

This is usually not a problem for test environments, but the configuration for production environments should perhaps not be readable by everyone who has access to the version control system.

This can be solved using some type of access control on the version control system.

Alternatively, the credentials can be entered as parameters during the build or deployment for production. That is only feasible for one or two credentials.

Another solution is to encrypt the confidential data and decrypt it with a master password. This approach is supported by the Java library jasypt.

Credits for the basic implementation with Ant go to my former colleague Mr. Wiedemann. I have adapted the solution for use with Maven.

Jasypt doesn't provide a Maven plugin, so we need some glue code to use the jasypt library. We write the glue code in Groovy; for Maven there is a plugin that executes Groovy code in an easy way. The final solution looks like this:

```xml
<plugin>
  <groupId>org.codehaus.gmaven</groupId>
  <artifactId>groovy-maven-plugin</artifactId>
  <executions>
    <execution>
      <id>decrypt-passwords</id>
      <phase>validate</phase>
      <goals>
        <goal>execute</goal>
      </goals>
      <configuration>
        <source>
import org.jasypt.properties.EncryptableProperties
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor

if (properties["jasypt.encryption.password"] == null) {
    ant.echo "[INFO] jasypt.encryption.password not set, passwords will not be decrypted."
    return
}

StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor()
encryptor.setPassword(properties["jasypt.encryption.password"])

// EncryptableProperties transparently decrypts every ENC(...) value on read
Properties props = new EncryptableProperties((Properties) properties, encryptor)

props.propertyNames().each {
    if (!it.startsWith("resolved")) {
        project.properties[it] = props.getProperty(it)
    }
}
        </source>
      </configuration>
    </execution>
  </executions>
  <dependencies>
    <dependency>
      <groupId>org.jasypt</groupId>
      <artifactId>jasypt</artifactId>
      <version>1.9.2</version>
    </dependency>
  </dependencies>
</plugin>
```

If the property jasypt.encryption.password is not set, the plugin prints an info message and does nothing. Otherwise it decrypts every encrypted property and replaces the value with the decrypted one. The encryption of a value can be done on the command line. The encrypted value has to be wrapped in ENC(). The resulting property looks like this:

```properties
admin.password=ENC(RJJ37UPsM2CstIQPohskn7Yn05gtrIK0)
```

In the dependencies section we add the jasypt library. The plugin should run during the validate phase.
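As an added example (not part of the original post), here is a stand-alone Groovy script that produces the ENC(...) value the build expects and verifies the same EncryptableProperties round trip the plugin performs, including what happens with a wrong master password. The master password, the credential and the JASYPT_ENCRYPTION_PASSWORD variable name are constructed placeholders, not values from the post.

```groovy
// Added example, not code from the original post. Requires jasypt 1.9.2,
// fetched here via @Grab. All secrets below are constructed placeholders.
@Grab('org.jasypt:jasypt:1.9.2')
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor
import org.jasypt.exceptions.EncryptionOperationNotPossibleException
import org.jasypt.properties.EncryptableProperties
import org.jasypt.properties.PropertyValueEncryptionUtils

// Read the master password from the environment (constructed variable name)
// rather than a command line argument, so it stays out of shell history.
String masterPassword = System.getenv('JASYPT_ENCRYPTION_PASSWORD') ?: 'constructed-demo-master-password'

StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor()
encryptor.setPassword(masterPassword)
// jasypt's default algorithm is PBEWithMD5AndDES; set it explicitly so the
// choice is visible in the code instead of silently inherited.
encryptor.setAlgorithm('PBEWithMD5AndDES')

// 1. Encrypt a value: this is the step the post does on the command line.
//    PropertyValueEncryptionUtils.encrypt already wraps the result in ENC().
String secret = 'constructed-db-password'
String encoded = PropertyValueEncryptionUtils.encrypt(secret, encryptor)
assert encoded.startsWith('ENC(') && encoded.endsWith(')')
println "admin.password=${encoded}"   // this line goes into the properties file

// 2. Decrypt the way the build script does: wrap the raw properties in
//    EncryptableProperties; ENC(...) values are decrypted on read, plain
//    values pass through untouched.
Properties raw = new Properties()
raw.setProperty('admin.password', encoded)
raw.setProperty('admin.user', 'admin')
Properties props = new EncryptableProperties(raw, encryptor)
assert props.getProperty('admin.password') == secret
assert props.getProperty('admin.user') == 'admin'

// 3. Failure mode: with a wrong master password jasypt normally throws
//    EncryptionOperationNotPossibleException (padding check fails); in the
//    rare case the padding happens to validate, the result is garbage, never
//    the original secret.
StandardPBEStringEncryptor wrong = new StandardPBEStringEncryptor()
wrong.setPassword('another-constructed-password')
try {
    String guess = new EncryptableProperties(raw, wrong).getProperty('admin.password')
    assert guess != secret
} catch (EncryptionOperationNotPossibleException e) {
    println "wrong master password rejected: ${e.class.simpleName}"
}
```

Run it with `groovy` on a machine with Maven Central access; the printed admin.password line is what you paste into the properties file checked into version control.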

Bernhard Mähr @ OPITZ-CONSULTING published at http://thecattlecrew.wordpress.com/
