ulisesbocchio / jasypt-spring-boot

Jasypt integration for Spring boot
MIT License

jasypt.encryptor.property.filter.include-sources prevent decryption! #100

Closed membersound closed 5 years ago

membersound commented 5 years ago

As soon as I set one of the following properties, the encrypted ENC fields are not decrypted anymore.

application.properties:

spring.datasource.url=jdbc:mysql://localhost/mymtable
spring.datasource.username=root
spring.datasource.password=ENC(8hkx77wTXZNmYZpwDYswVg==)

#remove the following line and everything will work as expected
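jasypt.encryptor.property.filter.include-sources=application.properties

// JasyptApp.java
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class JasyptApp {
    public static void main(String[] args) {
        SpringApplication.run(JasyptApp.class, args);
    }
}

// DatabaseService.java
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.util.Assert;

@Service
public class DatabaseService {
    @Value("${spring.datasource.username}")
    private String username;

    @PostConstruct
    public void init() {
        System.out.println("username=" + username);
        // Startup check: the injected value must not still start with the ENC marker
        Assert.isTrue(!username.startsWith("ENC"));
    }
}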

pom.xml:

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.5.RELEASE</version>
    <relativePath/>
</parent>

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-jdbc</artifactId>
    </dependency>

    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
    </dependency>

    <dependency>
        <groupId>com.github.ulisesbocchio</groupId>
        <artifactId>jasypt-spring-boot-starter</artifactId>
        <version>2.1.0</version>
    </dependency>
</dependencies>

What is strange: the logs show that application.properties has been converted to an encryptable map even when using the include-sources filter:

2018-09-26 10:32:25.059  INFO 15585 --- [           main] c.u.j.EncryptablePropertySourceConverter : Converting PropertySource applicationConfig: [classpath:/application.properties] [org.springframework.boot.env.OriginTrackedMapPropertySource] to EncryptableMapPropertySourceWrapper

What I noticed is that the DefaultLazyEncryptor constructor's content is skipped when using the include-sources property. The singleton inside the constructor is not created, thus the createDefault() method never gets called.

I don't know why, but maybe you could use that as a starting point?

ulisesbocchio commented 5 years ago

Yes, so defining that property will void the catch-all config by default. So you defining include-sources will just include what you selected. In this case nothing... since the application.properties file property source name is applicationConfig and the filter is based on the name of the property source, not the file name, since property sources are not necessarily backed by files.
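
Added example (not part of the thread and not the project's own code): a startup diagnostic that prints each property source name, tests candidate include-sources values against it, and lists keys whose values still carry the ENC( wrapper. The class name `PropertySourceAudit` and the second candidate pattern are hypothetical, and treating each value as a full-match regular expression on the source name is an assumption to verify against your library version.

```java
import java.util.regex.Pattern;
import org.springframework.boot.CommandLineRunner;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.EnumerablePropertySource;
import org.springframework.core.env.PropertySource;
import org.springframework.stereotype.Component;

// Hypothetical diagnostic bean; not part of jasypt-spring-boot.
@Component
public class PropertySourceAudit implements CommandLineRunner {

    // Candidate include-sources values to compare (illustrative).
    private static final String[] CANDIDATES = {
        "application.properties", // value used in the report: a file name
        "applicationConfig.*"     // pattern aimed at the property source name
    };

    private final ConfigurableEnvironment env;

    public PropertySourceAudit(ConfigurableEnvironment env) {
        this.env = env;
    }

    @Override
    public void run(String... args) {
        for (PropertySource<?> ps : env.getPropertySources()) {
            System.out.println("source name: " + ps.getName());
            for (String candidate : CANDIDATES) {
                // Assumption: the filter full-matches a regex on the source name.
                boolean hit = Pattern.matches(candidate, ps.getName());
                System.out.println("  '" + candidate + "' matches: " + hit);
            }
            if (ps instanceof EnumerablePropertySource) {
                for (String key : ((EnumerablePropertySource<?>) ps).getPropertyNames()) {
                    Object value = ps.getProperty(key);
                    // Report the key only; never log the secret's value.
                    if (value != null && value.toString().startsWith("ENC(")) {
                        System.out.println("  still encrypted: " + key);
                    }
                }
            }
        }
    }
}
```

Run it once with the filter property set and once without; a key reported as still encrypted means its source was excluded by the filter and the ciphertext is being handed to the application as the credential.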