Closed mkmpnataraj closed 1 year ago
/cc @sberyozkin (security)
@radcortez Hey Roberto, you've added a Jasypt secret encryption with SmallRye Config crypto, right?
Correct, it is possible to use Jasypt with Quarkus via SmallRye Config: https://smallrye.io/smallrye-config/3.3.0/config/secret-keys/#jasypt
The only issue is that it is not yet supported in native mode.
As a dev advocate, I feel this ENC() is top important thing that can un/popularize Quarkus, and rapidly send developers to competing-frameworks. The world is security conscious, developers do not like frameworks that COMPLICATE securing passwords.
If you feel the same, please prioritize this. Just to give an example -- I put in 2 months in developing an app in quarkus (one year back!), I was hoping that ENC() may make its way in that 1 year, but it did not. It is scary to have naked passwords in property file whether local dev or not. I may need to explore rewrite in springboot.
# quite easy in springboot, as jasypt is integrated well
set DB_URL=ENC(ATBD2N+G1GjGZ3rhpdDgSzmMvtJMpyKaqHVGIJgt10iHsZcRilfpPKPDJ25gr+jRwxlD3VIUzCX3kjFkFs/5/bNbDIpyld=)
@mkmpnataraj I've just pasted a link allowing you to use Jasypt with Quarkus: https://smallrye.io/smallrye-config/3.3.0/config/secret-keys/#jasypt
I think it's a feature we should document in the Quarkus doc. Maybe by adding a link to the SmallRye doc.
That being said, I'm not sure I fully understand how I would set that up, just by reading the SmallRye doc.
Also, should we add smallrye-config-jasypt to our BOM? I see -crypto is there.
> That being said, I'm not sure I fully understand how I would set that up, just by reading the SmallRye doc.

I guess I can improve that :)
Anyway, it requires the SR Config dependency, and to set up the configuration detailed in the docs. I'll add an example in the docs.

> Also, should we add smallrye-config-jasypt to our BOM? I see -crypto is there.
Unfortunately, no, because Jasypt does not work in native mode... I still need to provide proper support for it.
Simplify, failsafe, secure by default, less work, less document to read, less 3rd party things to refer to for a core-feature like security.
Suggestion moved to "Implementation idea" section of the issue.
@mkmpnataraj Word of advice: you can state your opinion politely and avoid antagonizing people. You'll see that it usually works better.
Thanks for the advice. Please feel free to revise/change/implement as you find good for developer community. I moved my suggestion to "Implementation idea" section of initial request.
I've improved the documentation in SmallRye Config about using the Jasypt SecretKeyHandler: https://smallrye.io/smallrye-config/Main/config/secret-keys/#jasypt
This does work with the latest Quarkus version (in JVM mode only) and SmallRye Config 3.3.0, so it requires the following dependency in your Quarkus project:

    <dependency>
        <groupId>io.smallrye.config</groupId>
        <artifactId>smallrye-config-jasypt</artifactId>
        <version>3.3.0</version>
    </dependency>
While I agree this is not ideal, we cannot document this in Quarkus until we have full native support with Jasypt. I'll see if I can find time to look into it and add it.
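To make the setup above concrete, here is an added example (not code from the issue, SmallRye Config or Quarkus) of a small Jasypt helper that produces the ENC(...) token for a config value and verifies the round trip. It assumes the jasypt library on the classpath, the algorithm and the `smallrye.config.secret-handler.jasypt.*` property names as documented in the SmallRye Config page linked above, and a master password supplied only through the environment.

```java
// Added example: generate an ENC(...) token for a Quarkus/SmallRye Config value.
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.iv.RandomIvGenerator;

public final class JasyptEnc {
    // Algorithm the SmallRye Config Jasypt handler documents (assumed from its docs).
    static final String ALGORITHM = "PBEWithHMACSHA512AndAES_256";

    static StandardPBEStringEncryptor encryptor(String masterPassword) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        enc.setPassword(masterPassword);
        enc.setAlgorithm(ALGORITHM);
        // AES-CBC needs a fresh IV per ciphertext; without it identical
        // passwords produce identical tokens, which leaks equality.
        enc.setIvGenerator(new RandomIvGenerator());
        return enc;
    }

    /** Wraps the Jasypt ciphertext in the ENC(...) marker used in config files. */
    static String encToken(StandardPBEStringEncryptor enc, String plaintext) {
        return "ENC(" + enc.encrypt(plaintext) + ")";
    }

    /** Strips the marker and decrypts; used here only to verify the round trip. */
    static String fromToken(StandardPBEStringEncryptor enc, String token) {
        if (!token.startsWith("ENC(") || !token.endsWith(")")) {
            throw new IllegalArgumentException("not an ENC(...) token");
        }
        return enc.decrypt(token.substring(4, token.length() - 1));
    }

    public static void main(String[] args) {
        // Master password comes from the environment, never from the repository.
        String master = System.getenv("JASYPT_PASSWORD");
        if (master == null || args.length != 1) {
            System.err.println("usage: JASYPT_PASSWORD=... java JasyptEnc <plaintext>");
            System.exit(2);
        }
        StandardPBEStringEncryptor enc = encryptor(master);
        String token = encToken(enc, args[0]);
        if (!args[0].equals(fromToken(enc, token))) {
            throw new IllegalStateException("round trip failed");
        }
        // In application.properties (property names assumed from the SmallRye doc):
        //   smallrye.config.secret-handler.jasypt.algorithm=PBEWithHMACSHA512AndAES_256
        //   quarkus.datasource.password=${jasypt::ENC(...)}
        // and the handler password via the MicroProfile Config env mapping,
        //   SMALLRYE_CONFIG_SECRET_HANDLER_JASYPT_PASSWORD, instead of the file.
        System.out.println("quarkus.datasource.password=${jasypt::" + token + "}");
    }
}
```

The printed line is what goes into the properties file; the plaintext and the master password never need to be committed.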
@radcortez what could help is if you were able to create a draft PR with a native IT testing the Jasypt support: we might be able to find someone else to work on the native support and make the test pass.
If I remember correctly, it failed at build image time with some initialization code and classloading. I believe this will require some substitutions. I would say that it would be better to have the wrapping extension in https://github.com/quarkiverse/quarkus-config-extensions, instead of Quarkus core.
This should add the native image support for Jasypt: https://github.com/quarkiverse/quarkus-config-extensions/pull/147
This is now available in Quarkiverse Config Extensions:
Should we add a note in the Quarkus doc pointing to the new extension?
Sure. Do you mean the migration guide?
Description
It is a breeze to add some security to passwords in springboot. Please provide an easy way to use jasypt. If not, how is Quarkus integrating bcrypt or some other system, so users can EASILY encrypt the passwords. Do not suggest external systems like Vault.
https://github.com/quarkusio/quarkus/issues/10855
Implementation ideas
A suggested developer workflow [work in progress, please revise]: