What is the correct way to configure a spring TextEncryptor for use on Heroku

轻奢々 2020-12-16 22:14

I have a spring TextEncryptor defined like this



        
3 Answers
  • 2020-12-16 22:34

    My answer is a bit late but I wrote it to help anyone in need. By default, spring security uses a 256-bit key for encryption. This is not permitted by the JDK by default, which supported up to 128-bit keys only.

    To solve this, you need to download the local_policy.jar & US_export_policy.jar jars from Oracle (Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download) and replace them in jdk_path/jre/lib/security/. Make sure you restart the application server for the changes to take effect.

    On a separate note, I wouldn't place the secret key in a properties file. Instead I recommend you put it in a key store. If you need help with that let me know.

    0 Discussion (0)
  • 2020-12-16 22:44

    So I think I've concluded Heroku just plain doesn't support 256-bit AES, which is what the stock TextEncoders in spring-security use.

    Instead I've used the BasicTextEncryptor from the Java Simplified Encryption library as an alternative backend and implemented the TextEncryptor interface.

    It's less secure but it works. It doesn't provide a salting mechanism, though I think there are provisions for that elsewhere in the library.

    If anyone has any ideas how to get the stock encryptors working on Heroku then that would still be preferable I think.

    0 Discussion (0)
  • 2020-12-16 22:44

    You can also do the following. Though this seems to have stopped working on the latest builds of Java 8.

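        import java.lang.reflect.Field;
        import java.lang.reflect.Modifier;
        import org.springframework.security.crypto.encrypt.Encryptors;

        // Reflection workaround: clear the private static JceSecurity.isRestricted flag.
        Field field = Class.forName("javax.crypto.JceSecurity").getDeclaredField("isRestricted");
        if (Modifier.isFinal(field.getModifiers())) {
            // Strip "final" before the first read or write, because the field
            // accessor is cached on first use and would otherwise stay read-only.
            Field modifiers = Field.class.getDeclaredField("modifiers");
            modifiers.setAccessible(true);
            modifiers.setInt(field, field.getModifiers() & ~Modifier.FINAL);
        }
        field.setAccessible(true); // the field is private, so this must precede the read
        if (Boolean.TRUE.equals(field.get(null))) {
            field.setBoolean(null, false); // isRestricted = false;
        }
        field.setAccessible(false);
        textEncryptor = Encryptors.text(key, salt);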
    
    0 Discussion (0)
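The key-size limit discussed in the answers above can be detected with supported JDK APIs instead of reflection. The following is an added example, not code from any of the answers: it reports the largest AES key the running JVM permits and probes a 256-bit `AES/CBC` initialisation, the key size the first answer describes. The class name `JcePolicyCheck` is hypothetical, and the `crypto.policy` security property is only honoured on Java 8u151 and later.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck { // hypothetical class name, not part of Spring

    /** Largest AES key size in bits that the active jurisdiction policy permits. */
    static int maxAesKeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Probes whether AES/CBC can be initialised with a 256-bit key. */
    static boolean canInitAes256() throws Exception {
        byte[] key = new byte[32]; // constructed all-zero key, used only for this probe
        byte[] iv = new byte[16];
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {
            return false; // the limited policy rejects the key with "Illegal key size"
        }
    }

    public static void main(String[] args) throws Exception {
        // Supported switch on Java 8u151+; it must be set before javax.crypto is first used.
        // Older builds ignore it, and there the policy jars remain the supported route.
        Security.setProperty("crypto.policy", "unlimited");

        int bits = maxAesKeyBits();
        System.out.println("java.version       = " + System.getProperty("java.version"));
        System.out.println("max AES key (bits) = "
                + (bits == Integer.MAX_VALUE ? "unlimited" : String.valueOf(bits)));
        System.out.println("AES-256 init works = " + canInitAes256());

        if (bits < 256) {
            // Fail fast with a clear message rather than at the first encrypt() call.
            throw new IllegalStateException("JCE policy limits AES to " + bits + " bits");
        }
    }
}
```

Running the same check at application startup, before `Encryptors.text(key, salt)` is called, turns an opaque "Illegal key size" failure into an explicit configuration error.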