ulisesbocchio / jasypt-spring-boot

Jasypt integration for Spring boot
MIT License

jasypt password visible when passed as argument or System property #17

Closed japako closed 8 years ago

japako commented 8 years ago

When an application is started in a way that is demonstrated below

java -jar target/jasypt-spring-boot-demo-0.0.1-SNAPSHOT.jar --jasypt.encryptor.password=password

java -Djasypt.encryptor.password=password -jar target/jasypt-spring-boot-demo-0.0.1-SNAPSHOT.jar

a Linux user can see it by listing currently running processes. I believe that it could be solved with command: export MY_PASSW=password

However, the currently required variable is 'jasypt.encryptor.password', which is not a valid name for environment settings. Could that be replaced with a name like: jasypt_encryptor_password

ulisesbocchio commented 8 years ago

Yeah, sorry, I wish Spring Boot property sources would be smart enough to automatically replace _ with . for ENV variables, since . is not permitted in ENV variables. You can solve this quickly by creating application.properties or application.yml and adding:

jasypt.encryptor.password=${JASYPT_ENCRYPTOR_PASSWORD:}

or in YAML

jasypt:
    encryptor:
        password: ${JASYPT_ENCRYPTOR_PASSWORD:}

Basically, what this does is define the jasypt.encryptor.password property so that it points to a different property, JASYPT_ENCRYPTOR_PASSWORD, that you can inject any way you want (environment or system property). This technique can also be used to translate property name/values for any other library you need.

japako commented 8 years ago

Hi,

That will work then. Looks like a good solution.

On 18 December 2015 at 02:03, Ulises Bocchio notifications@github.com wrote:

Yeah, sorry, I wish Spring Boot property sources would be smart enough to automatically replace _ with . for ENV variables, since . is not permitted in ENV variables. You can solve this quickly by creating application.properties or application.yml and adding:

jasypt.encryptor.password=${JASYPT_ENCRYPTOR_PASSWORD:}

or in YAML

jasypt:
    encryptor:
        password: ${JASYPT_ENCRYPTOR_PASSWORD:}

Basically, what this does is define the jasypt.encryptor.password property so that it points to a different property, JASYPT_ENCRYPTOR_PASSWORD, that you can inject any way you want (environment or system property). This technique can also be used to translate property name/values for any other library you need.


Regards, Bartosz Jablonski
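
A check for the exposure described in this issue, added here as an example and not part of the thread or of jasypt-spring-boot: it scans `/proc/<pid>/cmdline`, which any local user can read by default on Linux, for the two launch forms shown in the first comment and reports them with the value redacted. The function names, the `PROC_ROOT` override and the `--run` flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from jasypt-spring-boot.
# Linux exposes each process's argv as NUL-separated text in /proc/<pid>/cmdline.

# scan_cmdline_file FILE
# Prints "<flag>=<redacted>" for every argument that passes the jasypt password
# in one of the two forms shown in the issue. Returns 0 on a hit, 1 otherwise.
scan_cmdline_file() {
    [ -r "$1" ] || return 1            # process may have exited, or file is unreadable
    hits=$(tr '\0' '\n' < "$1" |
        sed -n -E 's/^(--|-D)(jasypt\.encryptor\.password)=.+/\1\2=<redacted>/p')
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"              # the secret value itself is never echoed
}

# audit_procs
# Walks every numeric directory under PROC_ROOT (hypothetical override used for
# testing; defaults to /proc) and reports the PIDs whose command line leaks it.
audit_procs() {
    rc=1
    for f in "${PROC_ROOT:-/proc}"/[0-9]*/cmdline; do
        if hit=$(scan_cmdline_file "$f"); then
            pid=${f%/cmdline}
            printf 'pid %s: %s\n' "${pid##*/}" "$hit"
            rc=0
        fi
    done
    return "$rc"
}

# Run the audit only when asked to ("--run" is this script's own flag).
if [ "${1:-}" = "--run" ]; then
    audit_procs || echo "no jasypt password found on any command line"
fi
```

With the property mapping from the answer in place, a process that receives JASYPT_ENCRYPTOR_PASSWORD through its environment produces no finding, because the environment is exposed in `/proc/<pid>/environ`, which is readable only by the process owner and root.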