Help using {cipher} encrypted parameters in a standalone CAS 5.2.3 configuration


Mark Klinchin

May 8, 2018, 10:16:52 PM
to CAS Community
Hi there,

I run CAS 5.2.3 as a standalone web application WAR in a Tomcat container. I am trying to configure the {cipher} option to encrypt passwords in the configuration files.

First, I added the following properties to the CAS configuration, with no {cipher} on any of the fields:

cas.standalone.config.security.psw=SomePassword
cas.standalone.config.security.alg=PBEWithMD5AndTripleDES

The CAS log produces the following output, which looks like everything is fine: CAS works in standalone mode and reads the password and the algorithm correctly.

2018-05-08 17:38:39,791 TRACE [org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition] - <Condition EncryptionBootstrapConfiguration.KeyCondition on org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$VanillaEncryptionConfiguration did not match due to Keystore nor key found in Environment>
2018-05-08 17:38:41,171 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance algorithm [PBEWithMD5AndTripleDES]>
2018-05-08 17:38:41,173 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance password>
2018-05-08 17:38:41,174 DEBUG [org.apereo.cas.configuration.support.CasConfigurationJasyptDecryptor] - <Configured jasyptInstance provider>
2018-05-08 17:38:41,406 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <No properties were located inside [class path resource [application.yml]]>
2018-05-08 17:38:41,407 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Located CAS standalone configuration directory at [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf]>
2018-05-08 17:38:41,415 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Looking for configuration files at [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf] that match the pattern [(cas|standalone|application-cas|application-standalone|application)\.(yml|properties)]>
2018-05-08 17:38:41,430 INFO [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Configuration files found at [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf] are [[/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]]>
2018-05-08 17:38:41,438 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Loading configuration file [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]>
2018-05-08 17:38:41,439 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Found settings [[cas.standalone.config.security.alg, cas.standalone.config.security.psw]] in file [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf/cas.properties]>
2018-05-08 17:38:41,442 DEBUG [org.apereo.cas.configuration.config.CasCoreBootstrapStandaloneConfiguration] - <Located setting(s) [[cas.standalone.config.security.alg, cas.standalone.config.security.psw]] from [/Users/ik/Documents/xton/apps/apache-tomcat-8.5.15/conf]>
2018-05-08 17:38:41,483 INFO [org.apereo.cas.web.CasWebApplicationServletInitializer] - <The following profiles are active: standalone>

However, as soon as I add an encrypted value to one of the fields, like this one:

cas.authn.ldap[1].bindCredential={cipher}EncryptedPassword

CAS produces the following exception immediately after startup, without initializing CasConfigurationJasyptDecryptor as it did when no {cipher} encrypted fields were present.

It seems that CAS is trying to decrypt the ciphered field before initializing the decryptor.

2018-05-08 17:47:02,231 TRACE [org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$KeyCondition] - <Condition EncryptionBootstrapConfiguration.KeyCondition on org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$VanillaEncryptionConfiguration did not match due to Keystore nor key found in Environment>
2018-05-08 17:47:03,565 ERROR [org.springframework.boot.SpringApplication] - <Application startup failed>
java.lang.IllegalStateException: Cannot decrypt: key=cas.authn.ldap[1].bindCredential
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:201) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:165) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.initialize(EnvironmentDecryptApplicationInitializer.java:95) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
at org.springframework.cloud.bootstrap.BootstrapApplicationListener$DelegatingEnvironmentDecryptApplicationInitializer.initialize(BootstrapApplicationListener.java:370) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:567) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:338) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:301) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at org.springframework.boot.web.support.SpringBootServletInitializer.run(SpringBootServletInitializer.java:154) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at org.springframework.boot.web.support.SpringBootServletInitializer.createRootApplicationContext(SpringBootServletInitializer.java:134) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at org.springframework.boot.web.support.SpringBootServletInitializer.onStartup(SpringBootServletInitializer.java:87) ~[spring-boot-1.5.8.RELEASE.jar:1.5.8.RELEASE]
at org.springframework.web.SpringServletContainerInitializer.onStartup(SpringServletContainerInitializer.java:169) ~[spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5196) ~[catalina.jar:8.5.15]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[catalina.jar:8.5.15]
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:752) ~[catalina.jar:8.5.15]
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:728) ~[catalina.jar:8.5.15]
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734) ~[catalina.jar:8.5.15]
at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:952) ~[catalina.jar:8.5.15]
at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1823) ~[catalina.jar:8.5.15]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[?:1.8.0_131]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[?:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) ~[?:1.8.0_131]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) ~[?:1.8.0_131]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
at org.springframework.cloud.bootstrap.encrypt.EncryptionBootstrapConfiguration$FailsafeTextEncryptor.decrypt(EncryptionBootstrapConfiguration.java:154) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
at org.springframework.cloud.bootstrap.encrypt.EnvironmentDecryptApplicationInitializer.decrypt(EnvironmentDecryptApplicationInitializer.java:193) ~[spring-cloud-context-1.2.4.RELEASE.jar:1.2.4.RELEASE]
... 22 more


I would appreciate any help on how to make ciphered fields work. I followed the CAS/LDAP/Jasypt tutorial on how to make cipher fields work in the standalone CAS configuration (at least I think so): https://apereo.github.io/2017/03/24/cas51-ldapauthnjasypt-tutorial/.

Thank you,
Mark
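A pre-flight check for the configuration layout described in this post, added here as an example; it is not code from the CAS project or from either poster. It parses a cas.properties file, flags {cipher} values whose payload is not valid base64 (Jasypt's default string output), flags secret-looking keys left in cleartext, and warns when the Jasypt password lives in the same file as the ciphertext it protects, since that layout gives the encrypted values no confidentiality. The secret-name heuristic, the expectation that the Jasypt password and algorithm come from outside the file (system properties or environment variables), and the Spring Boot relaxed-binding env var name are all assumptions of this example, not facts from the thread:

```python
"""Pre-flight check for {cipher} values in a CAS standalone properties file.

Added example; not code from the CAS project or from either poster.
Assumptions (mine): secret-bearing keys are recognised by name, Jasypt
ciphertext is base64, and the Jasypt password/algorithm should come from
outside the file (system properties or environment variables), not from
the file that holds the ciphertext they protect.
"""
import base64
import binascii
import os
import re
import sys

CIPHER_PREFIX = "{cipher}"
PSW_KEY = "cas.standalone.config.security.psw"
ALG_KEY = "cas.standalone.config.security.alg"
# Heuristic (assumption): property names that usually carry a secret.
SECRET_NAME = re.compile(r"(password|psw|credential|secret)", re.IGNORECASE)

# Constructed sample mirroring the thread's layout; the base64 payload is
# base64("saltsaltciphertext"), not real Jasypt output.
SAMPLE = """\
# constructed sample
cas.standalone.config.security.psw=SomePassword
cas.standalone.config.security.alg=PBEWithMD5AndTripleDES
cas.authn.ldap[0].bindDn=cn=Directory Manager
cas.authn.ldap[0].bindCredential=plaintext-secret
cas.authn.ldap[1].bindCredential={cipher}EncryptedPassword
cas.authn.ldap[2].bindCredential={cipher}c2FsdHNhbHRjaXBoZXJ0ZXh0
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, '#'/'!'
    comments, trailing-backslash continuation lines. Last key wins."""
    props, buf = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if buf is None:
            if not line or line[0] in "#!":
                continue
            buf = line
        else:
            buf += line  # continuation of the previous logical line
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", buf)
        if m:
            props[m.group(1)] = m.group(2)
        buf = None
    return props


def external_settings(environ=None):
    """Collect the Jasypt keys from outside the file. Assumption: the dotted
    key (as a -D system property) or its upper-case underscore form
    (Spring Boot relaxed binding, e.g. CAS_STANDALONE_CONFIG_SECURITY_PSW)."""
    environ = os.environ if environ is None else environ
    found = {}
    for key in (PSW_KEY, ALG_KEY):
        env_name = key.upper().replace(".", "_")
        if key in environ:
            found[key] = environ[key]
        elif env_name in environ:
            found[key] = environ[env_name]
    return found


def check_cipher_config(props, external):
    """Return a list of (severity, key, message) findings."""
    findings = []
    cipher_keys = [k for k, v in props.items() if v.startswith(CIPHER_PREFIX)]
    if cipher_keys:
        if PSW_KEY in props:
            findings.append(("WARN", PSW_KEY, "Jasypt password sits in the same file "
                             "as the ciphertext it protects; supply it externally."))
        elif PSW_KEY not in external:
            findings.append(("ERROR", PSW_KEY, "no Jasypt password in the file or "
                             "externally; {cipher} values cannot be decrypted."))
        if ALG_KEY not in props and ALG_KEY not in external:
            findings.append(("WARN", ALG_KEY, "no algorithm set; make sure the default "
                             "matches the one used to encrypt."))
    for key in cipher_keys:
        payload = props[key][len(CIPHER_PREFIX):]
        try:
            if not payload or not base64.b64decode(payload, validate=True):
                raise binascii.Error("empty payload")
        except binascii.Error:
            findings.append(("ERROR", key, "value after {cipher} is not valid base64."))
    for key, value in props.items():
        if SECRET_NAME.search(key) and key != PSW_KEY and value and key not in cipher_keys:
            findings.append(("WARN", key, "secret stored in cleartext; consider a {cipher} value."))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for severity, key, message in check_cipher_config(parse_properties(text), external_settings()):
        print(f"{severity:5} {key}: {message}")
```

Run it with the path to cas.properties (or with no argument to check the embedded sample); the Jasypt password is looked up from the process environment so it can be exported the same way the Tomcat JVM would see it.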

Curtis Ruck

Jul 30, 2018, 11:33:25 PM
to CAS Community
Mark,

Did you get this working? I'm stuck with this error when trying to configure it in 5.3.2:

2018-07-30 23:23:38,222 WARN [org.apereo.cas.web.CasWebApplicationContext] - <Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'casBeanValidationPostProcessor' defined in class path resource [org/apereo/cas/config/CasCoreUtilConfiguration.class]: BeanPostProcessor before instantiation of bean failed; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration': Unsatisfied dependency expressed through method 'setConfigurers' parameter 0; nested exception is org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'casCoreTicketsConfiguration': Unsatisfied dependency expressed through field 'casProperties'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'cas-org.apereo.cas.configuration.CasConfigurationProperties': Could not bind properties to CasConfigurationProperties (prefix=cas, ignoreInvalidFields=false, ignoreUnknownFields=false, ignoreNestedProperties=false); nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'standalone.config[security][alg]' of bean class [org.apereo.cas.configuration.CasConfigurationProperties]: Cannot access indexed value in property referenced in indexed property path 'config[security][alg]'; nested exception is org.springframework.beans.NotReadablePropertyException: Invalid property 'standalone.config[security][alg]' of bean class [org.apereo.cas.configuration.CasConfigurationProperties]: Bean property 'standalone.config[security][alg]' is not readable or has an invalid getter method: Does the return type of the getter match the parameter type of the setter?>