When in a web application, Jasypt allows developers to avoid storing encryption passwords for PBE encryptors in files inside the webapp, specifying instead these passwords to the application through a web interface each time it is deployed.
This is achieved thanks to an infrastructure consisting of:
For an encryptor to be assigned a password from the web, it only has to be assigned a WebPBEConfig object, which must be initialised with both a unique name an a validation word. The name will identify the config object (and thus the encryptor) and the validation word will make sure that only an authorised person (for example, the application deployer) sets the passwords.
This is a ContextListener which takes an org.jasypt.web.pbeconfig.WebPBEInitializer implementation class name as a parameter (context-param) and calls its initializeWebPBEConfigs() method to allow the webapp to create its PBE encryptors and declare their associated WebPBEConfig objects.
An example WebPBEInitializer implementation:
package myapp; ... public class MyWebPBEInitializer implements WebPBEInitializer { public void initializeWebPBEConfigs() { StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor(); encryptor.setAlgorithm("PBEWithMD5AndDES"); WebPBEConfig webConfig = new WebPBEConfig(); webConfig.setValidationWord("jasypt"); webConfig.setName("Main Password"); encryptor.setConfig(webConfig); // Get some user-defined singleton or similar, and register // the encryptor with it so that it can be accessed from the // rest of the application. } }
An example web.xml fragment, registering the context listener:
<context-param> <param-name>webPBEInitializerClassName</param-name> <param-value>myapp.MyWebPBEInitializer</param-value> </context-param> <listener> <listener-class> org.jasypt.web.pbeconfig.WebPBEInitializationContextListener </listener-class> </listener>
Important: If the web application uses Spring Framework, WebPBEConfig objects are declared as beans in the Spring context and this Spring context is initialised at application deploy time (with Spring's ContextLoaderListener), the use of this context listener will become unnecessary.
This filter is intended to avoid access to the web application until an admin has set the encryption passwords. It will query the web PBE config system to know whether passwords have been set and, if not, it will show the user a plain Access Forbidden page.
An example web.xml fragment (being applied on a Struts servlet):
<filter> <filter-name>webPBEConfigFilter</filter-name> <filter-class>org.jasypt.web.pbeconfig.WebPBEConfigFilter</filter-class> </filter> <filter-mapping> <filter-name>webPBEConfigFilter</filter-name> <servlet-name>strutsActionServlet</servlet-name> </filter-mapping>
This servlet's URL should be called by the webapp administrator at deploy time, for setting the passwords of all the PBE encryptors which have been previously assigned a WebPBEConfig configuration object.
If web PBE configuration has not been done yet, it will show the user a form containing two inputs for each encryptor: the validation word and the password (retyped).
An example web.xml fragment:
<servlet> <servlet-name>webPBEConfigServlet</servlet-name> <servlet-class> org.jasypt.web.pbeconfig.WebPBEConfigServlet </servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>webPBEConfigServlet</servlet-name> <url-pattern>/webPBEConfig.do</url-pattern> </servlet-mapping>
If this servlet's context is set a logger, it will output messages for both successful and failed attempts to set passwords, including date, time and originating IP address.