Please note that jasypt is already in version 1.9
Hibernate 3.6.0.Final introduced some changes to its custom type API which made jasypt transparent encryption types produce exceptions during initialization.
This issue has been fixed while keeping backwards compatibility with older 3.x versions of Hibernate.
Dependencies on both the Apache Commons-Lang and Apache Commons-Codec libraries have been removed. All you need now to run jasypt is:
Jasypt 1.7 includes pool-based versions of Standard(Byte|String)Digester and StandardPBE(Byte|String|BigDecimal|BigInteger)Encryptor which can vastly improve performance in multi-processor/multi-core systems.
These pooled digesters and encryptors have exactly the same API as their non-pooled "Standard" relatives --so they can be used interchangeably-- but add a new configuration parameter called "poolSize" which establishes the amount of Standard* digesters/encryptors they will internally hold.
    PooledPBEStringEncryptor encryptor = new PooledPBEStringEncryptor();
    encryptor.setPoolSize(4);
    encryptor.setAlgorithm(algorithm);
    encryptor.setPassword(encPassword);
    ...
    final String result = encryptor.encrypt(message);
    ...
These pooled objects will use their internal Standard* digesters/encryptors to serve the requests in round-robin, so the amount of thread blocking caused by the synchronised code in the Standard* artifacts is reduced to a minimum.
These implementations do not create new threads, so they can be safely used in container-controlled environments which do not allow the creation of new threads.
The pool size recommended for a specific application and machine depends on many factors, but will be approximately equal to the number of processors/cores in the machine.
Jasypt 1.7 includes a lite version of the standard jasypt .jar file, in order to reduce the total size in bytes needed in your application to use jasypt. This is especially helpful when using jasypt in mobile platforms.
Jasypt "lite" includes both Standard and Pooled, Byte and String digesters and encryptors. And it specifically excludes:
If you are using Maven, you can easily include the "lite" jar in your application by specifying a classifier:
    <dependency>
      <groupId>org.jasypt</groupId>
      <artifactId>jasypt</artifactId>
      <version>1.7</version>
      <classifier>lite</classifier>
      <scope>compile</scope>
    </dependency>
Jasypt 1.7 adds a class called org.jasypt.registry.AlgorithmRegistry aimed at easily listing the digest and PBE encryption algorithms currently present in your system (and usable by jasypt).
It is very simple to use:
    // digestAlgos is a Set<String> containing the names of the algorithms
    Set digestAlgos = AlgorithmRegistry.getAllDigestAlgorithms();
    ...
Also, a new command line utility script has been added to the /bin folder of the jasypt distribution that will list your jasypt-ready algorithms from the command line:
    $ cd jasypt-1.7/bin
    $ ./listAlgorithms.sh
    DIGEST ALGORITHMS: [MD2, MD5, SHA, SHA-256, SHA-384, SHA-512]
    PBE ALGORITHMS: [PBEWITHMD5ANDDES, PBEWITHMD5ANDTRIPLEDES, PBEWITHSHA1ANDDESEDE, PBEWITHSHA1ANDRC2_40]
New "prefix" and "suffix" configuration parameters have been added to String digesters that allow the specification of a prefix and/or a suffix that will be added to the digest results, and also expected when matching existing digests.
A new configuration parameter has been added to digesters in order to enable a lenient behaviour towards salt size in digests when checking them.
This allows a digester to check as valid a digest created with a different amount of salt bytes than the value currently configured for it with setSaltSizeBytes.
New configuration parameters have been added to digesters in order to invert the position of the salt bytes in relation to the message being digested before and after the digest operation.
The "invertPositionOfSaltInMessageBeforeDigesting" configuration parameter allows salt to be positioned after the message being digested (instead of the default, which is before) before applying the digest function to the whole.
The "invertPositionOfPlainSaltInEncryptionResults" configuration parameter allows plain (non-digested) salt to be positioned after the results of the digest operation (instead of the default, which is before) after the digest function has been applied.
Both these configuration parameters allow compatibility with some encryption schemes which require the salt bytes to be positioned after the message, like for example most implementations of the SSHA password encryption scheme defined in RFC2307:
    final StandardStringDigester ssha = new StandardStringDigester();
    ssha.setAlgorithm("SHA-1");
    ssha.setIterations(1);
    ssha.setSaltSizeBytes(8);
    ssha.setPrefix("{SSHA}");
    ssha.setInvertPositionOfSaltInMessageBeforeDigesting(true);
    ssha.setInvertPositionOfPlainSaltInEncryptionResults(true);
    ssha.setUseLenientSaltSizeCheck(true);
    ...
    // This result will change each time it is executed due to random salt:
    // result == "{SSHA}agbpAYBa95UqQml810zUv0c8aNUUcWdtH5u8Yw=="
    final String result = ssha.digest
Thanks to the new configuration parameters added to jasypt, a new "util" package has been created in org.jasypt.util.password.rfc2307 containing utility classes for password checking following the schemes defined in RFC2307 (especially common in LDAP systems):
The command-line scripts included in the /bin folder of the jasypt distribution package have been rewritten in order to add the new configuration parameters and also fix problems that didn't allow these scripts to be correctly executed from outside the folder that contained them.
The jasypt zip distribution package has been reconfigured and rebuilt in order to remove the now-unnecessary "cli-bundle" jar file and to add icu4j to the /lib folder so that users with Java version 6 do not have to add it themselves to the JASYPT_CLASSPATH environment variable to use the command line utils.
Jasypt 1.7 includes org.jasypt.spring.properties.EncryptableServletContextPropertyPlaceholderConfigurer, a subclass of org.springframework.web.context.support.ServletContextPropertyPlaceholderConfigurer which allows the transparent decryption of servlet context parameters in web applications (for example, parameters in WEB-INF/web.xml).
These encrypted parameters can be specified in a way equivalent to that of encrypted parameters in .properties files:
    ...
    <context-param>
      <param-name>someParameter</param-name>
      <param-value>ENC(...)</param-value>
    </context-param>
    ...
Jasypt 1.7 includes org.jasypt.spring.properties.EncryptablePreferencesPlaceholderConfigurer, a subclass of org.springframework.beans.factory.config.PreferencesPlaceholderConfigurer which allows the transparent decryption of preferences set with JDK 1.4's Preferences API.
Jasypt 1.7 includes org.jasypt.spring.security3.TokenBasedRememberMeServices for Spring Security 3, which works in the same way as org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices but creates a jasypt-digested data signature for inclusion in remember-me cookies.