ulisesbocchio / jasypt-spring-boot Goto Github PK

I am not sure but seems to me that decrypt is expensive. So it would be great if jasypt-spring-boot can cache the already decrypted value in DefaultPropertyResolver.

https://github.com/ulisesbocchio/jasypt-spring-boot/blob/master/jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/resolver/DefaultPropertyResolver.java

com.ulisesbocchio.jasyptspringboot.resolver.DefaultPropertyResolver.resolvePropertyValue(String)

Hi Ulises, I created a very simple spring boot REST service (https://github.com/donstrong/spring-boot-jasypt) in attempts to decrypt an encrypted property in a different configuration file (one other than application.yml) and was able to get the value, but it's still encrypted. When the same encrypted property was added to application.yml, the decrypted value is returned and displayed on the browser. The config file, application.yml, remains solely within the service's resource folder, but a config. file (under a different name, of course) with encrypted values is stored remotely and accessed by a Spring Cloud Config server.

Decryption was working fine when @configuration and @value annotations were used in the config classes, but when source was changed to use Spring's @EnableConfigurationProperties and @ConfigurationProperties(prefix=... , locations=...), where getters and setters are used in lieu of @value, the problem arose. Including @propertysource and/or @EncryptablePropertySource (with reference to the config file in the classpath) didn't seem to resolve the problem. At this point, I can revert back to using @configuration for the class and @value for each property but thought maybe there was a simple solution when using Spring's @EnableConfigurationProperties and @ConfigurationProperties. The readme file provides other details.

Use case:

secret.password=ENC(sdfsdfds...)
secret.url=http://user:${secret.password}@domain.com

Now secret URL when accessed, looks like it is NOT decrypting.
But when i tested secret.url by inject property in java bean, it shows right values.

I am trying to build spring.cloud.config.uri in spring boot config client app, without exposing actual password.

It would be awesome if jasypt-spring-boot supported configuration metadata http://docs.spring.io/spring-boot/docs/current/reference/html/configuration-metadata.html so documentation and IDE assistance are available for the various properties (jasypt.encryptor.password, jasypt.encryptor.algorithm, etc) which this project supports.

I can imagine this improvement being implemented in 1 of 2 ways:

• Change to use @ConfigurationProperties which, combined with spring-boot-configuration-processor, will generate META-INF/spring-configuration-metadata.json
• Add a manually written META-INF/spring-configuration-metadata.json

It looks like there is an issue with using @ConditionalOnProperty in conjunction with @EncryptablePropertySource. I have a bean which is annotated with
@ConditionalOnProperty(name = "bean.enabled", matchIfMissing = false)
and I am importing the properties with
@EncryptablePropertySource(value = { "classpath:beans.properties" })
and beans.properties contains the property "bean.enabled=true"
The bean is not instantiated. Commenting out the @ConditionalOnProperty annotation allows the bean to be created, and all other properties are loaded correctly.

Your solution looks promising and I would like to use it (oasp/oasp4j#279)

Will there be a release available in maven central?
There are not even tags in your git where to build a reliable version from.
Your documentation states that maven will download from the specified dependency but there is no such release. Am I missing something?

Hi

I am looking to update jasypt-spring-boot to use Spring Boot 1.5.1.RELEASE but I am hitting an issue as per below

Error creating bean with name 'beanNamePlaceholderRegistryPostProcessor' defined in class path resource [com/ulisesbocchio/jasyptspringboot/configuration/EncryptablePropertyResolverConfiguration.class]: Unsatisfied dependency expressed through method 'beanNamePlaceholderRegistryPostProcessor' parameter 0; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'transactionRepository': Could not resolve matching constructor (hint: specify index/type/name arguments for simple parameters to avoid type ambiguities)

If we provide an encrypted property and password within the war (for db password) and then override this in the deployment environment with another encrypted property and jasypt password then the /env endpoint will throw an exception as it's unable to decrypt the original property from the embedded property.

I understand why this is happening, but it would be nice if it just skipped the undecryptable property.

Cheers,
Daniel.

Hi,
In my spring boot application, I am loading some passwords(password of remote machines for doing scp) from database on startup. So in database if I store ENC(encryptedpassword), this is not getting decrypted when it is loaded. But if I store the same thing in my properties file and load it, it is properly decrypted.
Is it possible to store in database encrypted password like ENC(encryptedpassword) and get the encrypted password decrypted automatically when I load my application.

As an alternative now I am doing this
I store the encryptedpassword in DB(without ENC()) And in my application, before I use this password I do

 BasicTextEncryptor textDecryptor = new BasicTextEncryptor();
 textDecryptor.setPassword(encryptDecryptKey);
 textDecryptor.decrypt(encryptedpasswordfromDb)

Thanks
Panikiran

Hi,

I have encrypted user id and password both with different keys, How can I pass the both keys while running the jar.
Ex :
java -Djasypt.encryptor.password=pass1 -Djasypt.encryptor.password=pass2 -jar xxx.jar

I have tried with above command but it is not working.
Please help me to achieve this.

Hi,

I found an issue when using jasypt-spring-boot with a Spring configuration bean mapped from an application.yml file (see §23.7 at http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-external-config.html).

When @EnableEncryptableProperties is set, the configuration bean is not properly created. Properties of this bean that map a collection from the YAML file are not set. On the other side, it is correctly populated if @EnableEncryptableProperties is not set.

I pushed an example at carguel/jasypt-spring-boot-sample. If you run the Main class, a NPE is raised when accessing the items collection from the ItemConfig class. This collection should be populated from the items nested node of the application.yml file.

I guess some initializations steps are missing in EnableEncryptablePropertySourcesPostProcessor.java.
But I could not find how to fix this.

Hi,
I am using jasypt spring boot starter plug in and added custom String Encryptor bean defination to the AppConfig file but still I get the String Encryptor custom Bean not found with name 'jasyptStringEncryptor' error in the logs and always it picking up default jasypt encryption config values.

Please help me why spring not picking up my custom encryption config values.

Spring boot version is -1.5.4.RELEASE
Jayspt version is -com.github.ulisesbocchio:jasypt-spring-boot-starter:1.12

My Bean definition looks like below.

@Bean(name="jasyptStringEncryptor")
	static public PooledPBEStringEncryptor stringEncryptor() {
		PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
		SimpleStringPBEConfig config = new SimpleStringPBEConfig();
		config.setPassword("password");
		config.setAlgorithm("PBEWithMD5AndDES");
		  @@config.setKeyObtentionIterations("1000");
		config.setPoolSize("1");
		config.setProviderName("SunJCE");
		config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
		config.setStringOutputType("base64");
		encryptor.setConfig(config);
		return encryptor;
	}

log:
2017-06-20 21:53:29.921 INFO 16560 --- [ main] o.s.b.f.s.DefaultListableBeanFactory : Overriding bean definition for bean 'jasyptStringEncryptor' with a different defin
ition: replacing [Root bean: class [com....AppConfig]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factor
yBeanName=null; factoryMethodName=stringEncryptor; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [com////AppConfig.class]] with [Root bean:
class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=com.ulisesbocchio.jasyptspringboot.con
figuration.EncryptablePropertyResolverConfiguration; factoryMethodName=stringEncryptor; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [com/ulisesbo
cchio/jasyptspringboot/configuration/EncryptablePropertyResolverConfiguration.class]]
2017-06-20 21:53:29.925 WARN 16560 --- [ main] o.s.c.a.ConfigurationClassPostProcessor : Cannot enhance @configuration bean definition 'beanNamePlaceholderRegistryPostProc
essor' since its singleton instance has been created too early. The typical cause is a non-static @bean method with a BeanDefinitionRegistryPostProcessor return type: Consider declari
ng such methods as 'static'.

2017-06-20 21:53:31.406 INFO 16560 --- [ main] EncryptablePropertyResolverConfiguration : String Encryptor custom Bean not found with name 'jasyptStringEncryptor'. Initiali
zing String Encryptor based on properties with name 'jasyptStringEncryptor'
2017-06-20 21:53:31.425 INFO 16560 --- [ main] c.u.j.encryptor.DefaultLazyEncryptor : Encryptor config not found for property jasypt.encryptor.algorithm, using default
value: PBEWithMD5AndDES

Hi!
I used your library to encrypt some properties and it works and the application runs fine. But when I enable SSL in the application it won't work, the application start and all request works, but if i add the HTTPS doesn't return anything. If I remove the @EnableEncryptableProperties from the Application class the SSL works as expected, do you have any clue about whats could be happening? I really appreciate any help.

Greetings!

Hi,
I am using the approach No. 2 stated by you in your documentation. The issue I am facing is that I see this in the logs:
Overriding bean definition for bean 'customBean': replacing [Root bean: class [com.test.Config]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=stringEncryptor; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [com/test/Config.class]] with [Root bean: class [null]; scope=; abstract=false; lazyInit=false; autowireMode=3; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=com.ulisesbocchio.jasyptspringboot.configuration.StringEncryptorConfiguration; factoryMethodName=stringEncryptor; initMethodName=null; destroyMethodName=(inferred); defined in class path resource [com/ulisesbocchio/jasyptspringboot/configuration/StringEncryptorConfiguration.class]]

and then I see this,

String Encryptor custom Bean not found with name 'customBean'. Initializing String Encryptor based on properties with name 'customBean'

Why does it override the bean with a null class bean and then say that the customBean was not found?

Would it support spring boot 2.0?

When an application is started in a way that is demonstrated below

java -jar target/jasypt-spring-boot-demo-0.0.1-SNAPSHOT.jar --jasypt.encryptor.password=password

java -Djasypt.encryptor.password=password -jar target/jasypt-spring-boot-demo-0.0.1-SNAPSHOT.jar

a linux user can see it by listing currently running processes. I belive that it could be solved with command:
export MY_PASSW=password

however currently required variable is 'jasypt.encryptor.password' that is not valid name for environment settings. Could that be replace with name like:
jasypt_encryptor_password

Hi, I tried to change the app to use jasypt-spring-boot instead of starter and added @EnableEncryptableProperties After this it does not pick up the customer encryptor anymore and keep asking for password.

Hi,

at first thanks very much for your project. It helps us very good. I have one improvement. In Jasypt specification there is possibility to use default security provider if config property provider and providerName is not specified. I think it is good feature because for most cases is that what is required. StandardPBEStringEncryptor during initialize phase creates SecretKeyFactory based upon algorithm with first supported registered security provider, see documentation.

Is it possible to change it? I can contribute it if you want. I think required change must be done in StringEncryptorConfiguration, where jasypt.encryptor.providerName will be resolved and applied only and only if is filled.

We need it for Java 1.7 stack.

Thanks,
Tomas

2015-07-01 17:09:53.382 WARN 82640 --- [ main] o.s.c.a.ConfigurationClassEnhancer : @bean method EnableEncryptablePropertySourcesConfiguration.enableEncryptablePropertySourcesPostProcessor is non-static and returns an object assignable to Spring's BeanFactoryPostProcessor interface. This will result in a failure to process annotations such as @Autowired, @resource and @PostConstruct within the method's declaring @configuration class. Add the 'static' modifier to this method to avoid these container lifecycle issues; see @bean javadoc for complete details.

Below is the error I get:
Caused by: java.lang.UnsupportedClassVersionError: com/ulisesbocchio/jasyptspringboot/EnableEncryptablePropertySourcesPostProcessor : Unsupported major.minor version 52.0 (unable to load class com.ulisesbocchio.jasyptspringboot.EnableEncryptablePropertySourcesPostProcessor)
at org.apache.catalina.loader.WebappClassLoaderBase.findClassInternal(WebappClassLoaderBase.java:2499)
at org.apache.catalina.loader.WebappClassLoaderBase.findClass(WebappClassLoaderBase.java:859)
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1301)
at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1166)
at org.springframework.util.ClassUtils.forName(ClassUtils.java:250)
at org.springframework.boot.SpringApplication.createSpringFactoriesInstances(SpringApplication.java:407)

Execution environment:
openjdk version "1.8.0_91"
OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-0ubuntu4~15.10.1-b14)
OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

pom.xml contains:

com.github.ulisesbocchio
jasypt-spring-boot-starter
1.7

Thanks for creating this project. Quick observation.

Starting an application gives me this warning:

WARN org.springframework.context.annotation.ConfigurationClassEnhancer - 
  @Bean method EnableEncryptablePropertySourcesConfiguration
    .enableEncryptablePropertySourcesPostProcessor is non-static and returns
    an object assignable to Spring's BeanFactoryPostProcessor interface. This
    will result in a failure to process annotations such as @Autowired,
    @Resource and @PostConstruct within the method's declaring
    @Configuration class. Add the 'static' modifier to this method to avoid these
    container lifecycle issues; see @Bean javadoc for complete details

See @Bean Javadoc, section titled BeanFactoryPostProcessor-returning @Bean methods

After upgrading to Spring Boot 1.2.6.RELEASE, i have the following warn message in the logs :

@Bean method EnableEncryptablePropertySourcesConfiguration.enableEncryptablePropertySourcesPostProcessor is non-static and returns an object assignable to Spring's BeanFactoryPostProcessor interface. This will result in a failure to process annotations such as @Autowired, @Resource and @PostConstruct within the method's declaring @Configuration class. Add the 'static' modifier to this method to avoid these container lifecycle issues; see @Bean javadoc for complete details.

I'm using the 1.2 version of jasypt-spring-boot-starter.

Thanks in advance

I'm experiencing a very strange issue. When using encrypted password with an Oracle datasource

spring.datasource.url=jdbc:oracle:thin:@PCSRPWDSVIL:1521:dbrecpwd
spring.datasource.userId=otpuser
spring.datasource.password=ENC(0FiLiCHZdFUOnb938Gtfj9q3s23nmRyP)
spring.datasource.driver-class-name=oracle.jdbc.driver.OracleDriver

I always get an Invalid username/password error:

2016-01-27 17:49:09.686 ERROR 6411 --- [           main] o.a.tomcat.jdbc.pool.ConnectionPool      : Unable to create initial connections of pool.

java.sql.SQLException: ORA-01017: invalid username/password; logon denied

    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:447) ~[ojdbc6-11.2.0.4.jar!/:11.2.0.4.0]
...

It works in plaintext. So I've wrote a very simple controller just for testing purposes, this is the controller code

@Controller
@RequestMapping("/encrypt")
public class JasyptController {

    private Logger logger = Logger.getLogger(JasyptController.class);

    @Autowired
    private StringEncryptor stringEncryptor;

    @RequestMapping(method = RequestMethod.POST)
    public
    @ResponseBody
    String encrypt(
            @RequestBody String text) {
        String encrypted = stringEncryptor.encrypt(text.trim());
        logger.info("ENCRYPTED: " + encrypted);
        logger.info("DECRYPTED: " + stringEncryptor.decrypt(encrypted));
        return String.format("ENC(%s)", encrypted);
    }
}

while this is the custom configuration made in Application class (1to1 copy from the project readme)

    @Bean
    static public StringEncryptor stringEncryptor() {
        PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
        SimpleStringPBEConfig config = new SimpleStringPBEConfig();
        //TODO: replace with real secret... Read somewhere, e.g. a system property
        String secret = "password";
        config.setPassword(secret);
        config.setAlgorithm("PBEWithMD5AndDES");
        config.setKeyObtentionIterations("1000");
        config.setPoolSize("1");
        config.setProviderName("SunJCE");
        config.setSaltGeneratorClassName("org.jasypt.salt.RandomSaltGenerator");
        config.setStringOutputType("base64");
        encryptor.setConfig(config);
        return encryptor;
    }

This is how I invoke it

$ curl localhost:8080/encrypt --data mytext
ENC(kdOzCGcWc1ypiGmr2MIG8A==)

And this is the log:

2016-01-27 17:39:20.663  INFO 6368 --- [nio-8080-exec-1] c.n.m.controllers.JasyptController       : ENCRYPTED: kdOzCGcWc1ypiGmr2MIG8A==
2016-01-27 17:39:20.665  INFO 6368 --- [nio-8080-exec-1] c.n.m.controllers.JasyptController       : DECRYPTED: mytext=

So I think the problem resides in an additional base64 padding performed somewhere on the decrypted value... Really strange. Any advice? Or maybe am I missing something?

Thanks in advance, and best regards,
Fabio

Can you please make it compatible with Java 1.6

ERROR:

com.ulisesbocchio.jasyptspringboot.annotation.EnableEncryptableProperties
[ERROR] bad class file: com/ulisesbocchio/jasyptspringboot/annotation/EnableEncryptableProperties.class(com/ulisesbocchio/jasyptspringboot/annotation:EnableEncryptableProperties.class)
[ERROR] class file has wrong version 52.0, should be 50.0

Hello!

I reached out to Chus Picos from the Jasypt project to ask if they had plans to officially support Spring Boot integration. Has anyone from that project reached out to you in the past or recently?

Jan Choike

I am using jasypt-spring-boot and it works great for encypting properties in property files by passing --jasypt.encryptor.password=mysecretpassword.

Is it also possible to use that property in the Hibernate annotation?

I currently have this:

@TypeDef(
        name = "encryptedInteger",
        typeClass = EncryptedIntegerAsStringType.class,
        parameters= {
                @Parameter(name="password", value="mysecretpassword")
        }
)

But that is obviously not very convenient as it hardcodes the password in the code.

My application is using netflix.archaius component to listen to dynamic changes to properties file. The properties file contains few jasypt encrypted properties. The application uses @EnableEncryptableProperties and required dependencies.

But encrypted properties are not being decrypted when below class i.e. PropertyResourceConfig is present in the application. Decryption works fine if I remove this class from the application. I am not sure how to make jasypt decryption working properly along with this class. I think the bean PropertySourcesPlaceholderConfigurer is causing the problem.
Please help me to resolve this issue.

package com.company.control.config;

import java.io.File;
import java.io.IOException;

import org.apache.commons.configuration.Configuration;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.math.NumberUtils;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Profile;
import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.MutablePropertySources;

import com.company.control.dynamicproperties.ApacheCommonsConfigPropertySource;
import com.company.control.dynamicproperties.ConfigurationWatcher;
import com.netflix.config.ConfigurationManager;
import com.netflix.config.DynamicConfiguration;
import com.netflix.config.DynamicURLConfiguration;

@org.springframework.context.annotation.Configuration
@Profile("common")
public class PropertyResourceConfig {
@bean
public ConfigurationWatcher configurationWatcher() {
return new ConfigurationWatcher();
}

@Bean
public DynamicConfiguration configuration(ConfigurationWatcher configurationWatcher) throws IOException {
    int pollInterval = NumberUtils.toInt(System.getProperty("config.pollInterval"), 15000);
    String basePath = StringUtils.defaultIfBlank(System.getProperty("config.directory"), "config");
    String appConfigPath = basePath + File.separatorChar + "authorization-control";
    String globalConfig = getFileUrl(appConfigPath, "global.properties");
    String instanceConfig = getFileUrl(appConfigPath, "instance.properties");

    DynamicConfiguration config = new DynamicURLConfiguration( //
            pollInterval, pollInterval, false, //
            globalConfig, instanceConfig);
    config.addConfigurationListener(configurationWatcher);
    ConfigurationManager.install(config);

    return config;
}

@Bean
public PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer(ConfigurableEnvironment env,
        Configuration configuration) {
    PropertySourcesPlaceholderConfigurer configurer = new PropertySourcesPlaceholderConfigurer();

    MutablePropertySources sources = new MutablePropertySources();
    sources.addLast(new ApacheCommonsConfigPropertySource("archaius", configuration));
    configurer.setPropertySources(sources);
    configurer.setEnvironment(env);

    return configurer;
}

private static String getFileUrl(String basePath, String filename) {
    String filePath = basePath + File.separatorChar + filename;
    File file = new File(filePath);
    return file.toURI().toString();
}

}

I havent been successful at integrating jasypt with ibmjcefips provider. I can use the provider directly in my code so yes it is successfully set up in the jdk (e.g. strong encryption enabled, provider registered). But attempt to encrypt with it using jasypt I get a FipsRuntimeException. I have googled this exception repeatedly without luck. Is there a way to get more debug from jasypt? Has anyone successfully integrated jasypt with a truly FIPS compliant provider (Bouncy Castle is not certified compliant). Thanks.

Some projects, including ones based on Spring Integration Framework and Spring Batch require XML Files for configuration. Custom encryption beans are sometimes also required which may need to be defined in XML. While various XSD Namespaces can be used during loading, the jasypt encryption xsds can not be used by Spring Boot with the Starter plugin. A Demo project illustrating this has been setup at https://github.com/gorky/jasyptDemo.
This can be run either from command line using ./gradlew run, or in an IDE.

Hi,
I'm using spring properties (from application.yml file) inside my logback-spring.xml (see logback extensions inside the spring-boot doco)
That works fine but not for encrypted properties (I would like to make use of a DBAppender with an encrypted password coming from the spring config file).
Would you have any suggestion on how to make it work ?
Regards
kbjp

• I am using jasypt-spring-boot to protect the secrets that are stored in application-*properties file in my spring boot app
• Our spring boot app running from AWS and we supply the jasypt.encryptor.password via --jasypt.encryptor.password =value
  -This password can be visible to anyone who can see the history command on that host
• Is there a better way to protect jasypt.encryptor.password

Hi,

I want to custom spring @propertysource annotation for jasypt.

but it's hard for me, and I find this project.

The project so cool, but I use spring 4, not use spring boot,

can this project use for spring?

if can, give me a point or some hint, I want use this.

I set a breakpoint into EncryptablePropertySource and figured out that it is called many times for the same property. So I added this line inside the inner if block (Line 17):

System.out.println("Decrypting value of property " + name);

When I startup my simple spring boot application with only a single datasource I get this output:

Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password
Decrypting value of property spring.datasource.password

This means the same (and single) encrypted secret is decrypted 34 times.

IMHO this is rather a design flaw of spring that your code but I want to point this out and will also connect with the spring boot team on github.

I have tried to apply the similar setup for the other app, but I have encountered this issue.

Jun 27, 2016 12:33:50 PM org.apache.catalina.startup.VersionLoggerListener log WARNING: Cannot enhance @Configuration bean definition 'beanNamePlaceholderRegistryPostProcessor' since its singleton instance has been created too early. The typical cause is a non-static @Bean method with a BeanDefinitionRegistryPostProcessor return type: Consider declaring such methods as 'static'.
Jun 27, 2016 12:34:25 PM org.apache.catalina.startup.TldConfig execute SEVERE: Context [] startup failed due to previous errors
Jun 27, 2016 12:34:32 PM org.springframework.web.context.support.XmlWebApplicationContext doClose

Can anyone takes a look at this?

I'm trying to implement a custom EncryptablePropertyResolver, but I'm receiving this error on start:

I have @EnableWebSecurity and @configuration in my WebSecurityConfig.

2017-06-26 15:54:24.882  INFO 13408 --- [  restartedMain] j.LocalContainerEntityManagerFactoryBean : Closing JPA EntityManagerFactory for persistence unit 'default'
2017-06-26 15:54:25.410  INFO 13408 --- [  restartedMain] o.apache.catalina.core.StandardService   : Stopping service Tomcat
2017-06-26 15:54:25.437  INFO 13408 --- [  restartedMain] utoConfigurationReportLoggingInitializer : 

Error starting ApplicationContext. To display the auto-configuration report re-run your application with 'debug' enabled.
2017-06-26 15:54:25.448 ERROR 13408 --- [  restartedMain] o.s.boot.SpringApplication               : Application startup failed

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in class path resource [org/springframework/security/config/annotation/web/configuration/WebSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: org.springframework.security.config.annotation.ObjectPostProcessor is a required bean. Ensure you have used @EnableWebSecurity and @Configuration
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:599) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1128) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1022) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:512) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:482) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:306) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:302) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:296) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:754) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:866) ~[spring-context-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:542) ~[spring-context-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) ~[spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:761) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:371) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1186) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1175) [spring-boot-1.4.2.RELEASE.jar:1.4.2.RELEASE]
	at com.dtec.cop.Application.main(Application.java:17) [bin/:na]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_131]
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:1.8.0_131]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:1.8.0_131]
	at java.lang.reflect.Method.invoke(Unknown Source) ~[na:1.8.0_131]
	at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) [spring-boot-devtools-1.4.2.RELEASE.jar:1.4.2.RELEASE]
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is java.lang.IllegalStateException: org.springframework.security.config.annotation.ObjectPostProcessor is a required bean. Ensure you have used @EnableWebSecurity and @Configuration
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	... 25 common frames omitted
Caused by: java.lang.IllegalStateException: org.springframework.security.config.annotation.ObjectPostProcessor is a required bean. Ensure you have used @EnableWebSecurity and @Configuration
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$1.postProcess(WebSecurityConfigurerAdapter.java:81) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.getHttp(WebSecurityConfigurerAdapter.java:174) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.init(WebSecurityConfigurerAdapter.java:290) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter.init(WebSecurityConfigurerAdapter.java:69) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at com.dtec.cop.config.WebSecurityConfig$$EnhancerBySpringCGLIB$$fca24708.init(<generated>) ~[bin/:na]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.init(AbstractConfiguredSecurityBuilder.java:371) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:325) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:41) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration.springSecurityFilterChain(WebSecurityConfiguration.java:104) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$44e8aaaf.CGLIB$springSecurityFilterChain$6(<generated>) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$44e8aaaf$$FastClassBySpringCGLIB$$56c519e3.invoke(<generated>) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228) ~[spring-core-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:356) ~[spring-context-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	at org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$$EnhancerBySpringCGLIB$$44e8aaaf.springSecurityFilterChain(<generated>) ~[spring-security-config-4.1.3.RELEASE.jar:4.1.3.RELEASE]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_131]
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[na:1.8.0_131]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[na:1.8.0_131]
	at java.lang.reflect.Method.invoke(Unknown Source) ~[na:1.8.0_131]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162) ~[spring-beans-4.3.4.RELEASE.jar:4.3.4.RELEASE]
	... 26 common frames omitted```

The whole story about spring-boot application properties is its flexibility. See here:
http://docs.spring.io/spring-boot/docs/current/reference/html/boot-features-external-config.html

Now, when I add your jasypt-spring-boot-starter as a dependency I can not start the application without having jasypt.encryptor.password set even if I have no encrypted password configured anywhere. This makes my unit tests fail, etc. So what I did is adding

jasypt.encryptor.password=dummy

To my application.properties that I deliver within the WAR file (in default package).
Now I have an external application.properties in tomcat/lib/config/application.properties that defines encrypted passwords for DB, etc.
Of course I want to provide the master password somewhere different as having it in the same file would be quite pointless (my plan is that I have a secret master password per environment that is available in one place on the involved machines while I then can have the configs with encrypted passwords stored in VCS but regular developers can not decrypt them without knowing the master password but they can build release packages including the correct configs).

Now, I set the master password on the commandline as a system property. I verified that the system property is actually set and available in tomcat. However, it is not honored and jasypt will use the dummy password instead.

This is totally unexpected as it works for any other spring boot property like this. There might be a technical reason as you need early on bootstrapping and interception.
However, a solution is required to externalize the master password from the actual properties file.
Any solution or workaround is welcome.
Thanks for your great work!

I did not see Jasypt have official support for Spring 4/5, but when I tried to include @EnableEncryptableProperties and @EncryptablePropertySource, it does not work as expected.

application.yml:

jasypt:
encryptor:
passwordEnvName: ${passwordEnvName}

or

jasypt:
encryptor:
password: systemEnvironment[${passwordEnvName}]

I Hope support system Environment password to jasypt-spring-boot.

Instantiating a bean by a type in a spring BeanFactoryPostProcessor is quite dangerous because of an instantiate order. This order could be difference for each spring configuration. So stringEncryptor in EnableEncryptablePropertySourcesPostProcessor should be create by a name to avoid bean creation dependency.

`
private PropertySource makeEncryptable(PropertySource propertySource, ConfigurableListableBeanFactory registry) {
** String beanName = environment.getProperty("jasypt.encryptor.beanName", "stringEncryptor");
StringEncryptor encryptor = registry.getBean(beanName, StringEncryptor.class);
**
PropertySource encryptablePropertySource = interceptionMode == InterceptionMode.PROXY
? proxyPropertySource(propertySource, encryptor) : instantiatePropertySource(propertySource, encryptor);
LOG.info("Converting PropertySource {}[{}] to {}", propertySource.getName(), propertySource.getClass().getName(),
encryptablePropertySource.getClass().getSimpleName());
return encryptablePropertySource;
}

`

Is there a Java7 version for jasypt-spring boot?

The "jasypt-spring-boot-demo" link is broken in the other-demo-apps section of README.md.

Not sure if it is allowed to work. but this config does not work

<bean id="simpleBean" class="com.example.SimpleBean">
    <property name="value" value="${my.simple.value}" />
</bean>

I see the value property is not decrypted.

Spring Boot version: 1.5.1.RELEASE
jasypt-spring-boot-starter version: 1.11

We see this warning every-time we run the application, although it does not affect the functionality. May be you can investigate the cause and fix it.

WARN o.s.c.a.ConfigurationClassPostProcessor - Cannot enhance @Configuration bean definition 'beanNamePlaceholderRegistryPostProcessor' since its singleton instance has been created too early. The typical cause is a non-static @Bean method with a BeanDefinitionRegistryPostProcessor return type: Consider declaring such methods as 'static'.

Throws java.lang.UnsuppotedClassVersionError

Hello,

Can I use it to decrpyt value from Environment Variable?

I tried something like this:
spring.datasource.password=ENC(${DB_PASSWORD})

and I got an error : org.jasypt.exceptions.EncryptionOperationNotPossibleException: null

Thank you.

if i want to encrypt the datasource password, now the two configuration below is needed:

spring.datasource.password=ENC(+Nrx10OneKdA9VvXGXkyaxWzNHt+sQ46)
spring.datasource.password.property=

Stand on the common user side, i just feel a little strange, it is possible to use the format
spring.datasource.password.property=+Nrx10OneKdA9VvXGXkyaxWzNHt+sQ46

or
spring.datasource.password=ENC(+Nrx10OneKdA9VvXGXkyaxWzNHt+sQ46)

if they could be work, it's awesome :)

Hi,

I've just been debugging why I get this warning in the logs. It happens as soon as I add Jasypt to my POM file in a SpringBoot 1.5.2 app. I tried changing to Spring Boot 1.5.1 too as I noticed it was mentioned as fixed in another ticket (#16), but it still appears. Actually that was slightly different but could ignore the warning in a similar fashion.

WARN [main] ConfigurationClassPostProcessor: Cannot enhance @Configuration bean definition 'beanNamePlaceholderRegistryPostProcessor' since its singleton instance has been created too early. The typical cause is a non-static @Bean method with a BeanDefinitionRegistryPostProcessor return type: Consider declaring such methods as 'static'.

I can get logback to ignore it, as is also mentioned in the other ticket, but as it was marked as fixed I thought I would raise it again.