Question

In the Jasypt web configuration documentation at http://jasypt.org/webconfiguration.html, the following is stated:

This servlet's URL should be called by the webapp administrator at deploy time, for setting the passwords of all the PBE encryptors...

The following is not clear to me from the documentation:

1) Where are the passwords that are entered through the web app stored? Are they stored in memory, or somewhere else?

2) Do the passwords need to be entered only when deploying the app? What happens if the application server (or JVM) is restarted? Do the passwords need to be re-entered again?

3) Is it possible to share a jasypt configuration across multiple web apps? If passwords need to be re-entered on application server/JVM restart, and I have lots of applications deployed, my application deployers will not like having to re-enter the passwords multiple times.


Solution

1) Passwords are stored in the web application context (i.e., in the internal memory of the application instance).

2) Yes, they need to be set only during the deployment process. But you have to be clear about the fact that when the application server is restarted, all the application instances in it get redeployed. So the result is that you should re-enter the passwords again.

3) Based on point 1, passwords are kept in the application's internal context, so they cannot be used by other applications (though I think it depends on the kind of applications you're implementing, and whether they share such a context). What's more, if you're restarting the app server, and all your applications are inside it, then they will all be redeployed. It would make sense only if you're sharing instances which reside on different servers, and I don't know if this might be possible (or recommended).

Summary: yes, you have to re-enter the passwords, but normally in a production environment you would not make many re-deployments. Even if you don't use this type of configuration, a restart would be a temporary problem for the client.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow