jetty password obfuscation for props values

2026-02-06 13:07:02 +00:00 · 2018-08-24 14:54:54 +02:00 · 2018-08-24 14:54:54 +02:00 · 30faaf2c44
commit 30faaf2c44
parent 54e385f934
2 changed files with 21 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -355,6 +355,7 @@ The Encrypt/Decrypt workflow is :

 1st, 2nd and 3rd step can be done using an external tool

+
 ####Encrypting props values with openssl on the commandline

 1. Export the public certificate from the keystore:
@ -370,6 +371,17 @@ The Encrypt/Decrypt workflow is :
 echo -n $2 |openssl pkeyutl -pkeyopt rsa_padding_mode:pkcs1 -encrypt  -pubin -inkey $1 -out >(base64)
 ```

+## Using jetty password obfuscation with props file
+
+You can obfuscate passwords in the props file the same way as for jetty:
+
+1. Create the obfuscated value as described here: https://www.eclipse.org/jetty/documentation/9.3.x/configuring-security-secure-passwords.html
+
+2. A props key value, XXX, is considered obfuscated if has an obfuscation property (XXX.is_obfuscated) in addition to the regular props key name in the props file e.g:
+
+   *  db.url.is_obfuscated=true
+   *  db.url=OBF:fdsafdsakwaetcetcetc
+

   
 ## Scala / Lift
--- a/src/main/scala/code/api/util/APIUtil.scala
+++ b/src/main/scala/code/api/util/APIUtil.scala
@ -2077,16 +2077,20 @@ Returns a string showed to the developer
    * @return Decrypted value of a property
    */
  def getPropsValue(nameOfProperty: String): Box[String] = {
-    (Props.get(nameOfProperty), Props.get(nameOfProperty + ".is_encrypted")) match {
-      case (Full(base64PropsValue), Full(isEncrypted))  if isEncrypted == "true" =>
+    (Props.get(nameOfProperty), Props.get(nameOfProperty + ".is_encrypted"), Props.get(nameOfProperty + ".is_obfuscated") ) match {
+      case (Full(base64PropsValue), Full(isEncrypted), Empty)  if isEncrypted == "true" =>
        val decryptedValueAsArray = decrypt(privateKey, Helpers.base64Decode(base64PropsValue), CryptoSystem.RSA)
        val decryptedValueAsString = new String(decryptedValueAsArray)
        Full(decryptedValueAsString)
-      case (Full(property), Full(isEncrypted))  if isEncrypted == "false" =>
+      case (Full(property), Full(isEncrypted), Empty)  if isEncrypted == "false" =>
        Full(property)
-      case (Full(property), Empty) =>
+      case (Full(property),Empty, Full(isObfuscated)) if isObfuscated == "true" =>
+        Full(org.eclipse.jetty.util.security.Password.deobfuscate(property))
+      case (Full(property),Empty, Full(isObfuscated)) if isObfuscated == "false" =>
        Full(property)
-      case (Empty, Empty) =>
+      case (Full(property), Empty,Empty) =>
+        Full(property)
+      case (Empty, Empty, Empty) =>
        Empty
      case _ =>
        logger.error(cannotDecryptValueOfProperty + nameOfProperty)