GH-242: Remove jasypt dependency

Fixes https://github.com/spring-projects/spring-integration-samples/issues/242

Since `jasypt` is not compatible with Spring Security and recommendation
is to use BCrypt or NO-OP instead, remove its dependency and appropriate
bean definitions in favor of NO-OP password encoding.
The purpose of this `http-rest` application is out of Spring Security
encoding capabilities
This commit is contained in:
Artem Bilan
2019-02-19 12:54:01 -05:00
parent 7ed9f59844
commit a2bdf20551
5 changed files with 20 additions and 75 deletions

View File

@@ -191,7 +191,6 @@ subprojects { subproject ->
hsqldbVersion = '2.3.2'
h2Version = '1.4.194'
jacksonVersion = '2.9.8'
jasyptVersion = '1.7'
javaxInjectVersion = '1'
javaxMailVersion = '1.5.5'
jodaTimeVersion = '1.6'
@@ -1149,7 +1148,6 @@ project('rest-http') {
compile "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion"
compile "org.springframework.security:spring-security-web:$springSecurityVersion"
compile "org.springframework.security:spring-security-config:$springSecurityVersion"
compile "org.jasypt:jasypt:$jasyptVersion"
compile "org.apache.logging.log4j:log4j-core:$log4jVersion"
}

View File

@@ -165,18 +165,6 @@
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.jasypt</groupId>
<artifactId>jasypt</artifactId>
<version>1.7</version>
<scope>compile</scope>
<exclusions>
<exclusion>
<artifactId>jackson-module-kotlin</artifactId>
<groupId>com.fasterxml.jackson.module</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>

View File

@@ -1,2 +1 @@
#REST HTTP User - Password is 'spring'
SPRING=gI/OZ3yejUtSxsF9XySg5TfFJFo=,ROLE_REST_HTTP_USER,enabled
SPRING={noop}spring,ROLE_REST_HTTP_USER,enabled

View File

@@ -1,6 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
@@ -11,40 +12,17 @@
secured-annotations="enabled" />
<!-- Configure Spring Security -->
<security:http auto-config="true" use-expressions="true" realm="REST HTTP Web Service" create-session="never">
<security:http use-expressions="true" realm="REST HTTP Web Service" create-session="never">
<security:http-basic />
<security:form-login />
<security:intercept-url pattern='/services/employee/*' access="hasRole('ROLE_REST_HTTP_USER')" />
</security:http>
<!-- In this example, we are using in memory authentication. The password encoder depends on
Jasypt's String Digester to digest the password stored in users.properties -->
<!-- In this example, we are using in memory authentication. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<security:password-encoder ref="passwordEncoder"/>
<security:user-service properties="classpath:users.properties" />
</security:authentication-provider>
</security:authentication-manager>
<!--
Use the StringDigester to create uni-directional password encryption.
All uni-directional encryption methods supported in jasypt is integrated into
Spring Security
-->
<bean id="jasyptStringDigester" class="org.jasypt.digest.StandardStringDigester" >
<property name="algorithm" value="SHA-1" />
<property name="iterations" value="100000" />
<property name="saltGenerator">
<bean id="zeroSaltGenerator" class="org.jasypt.salt.ZeroSaltGenerator"/>
</property>
<property name="saltSizeBytes" value="10"/>
</bean>
<!--
This Spring Security-friendly PasswordEncoder implementation will
wrap the StringDigester instance so that it can be used from
the security framework.
-->
<bean id="passwordEncoder" class="org.jasypt.spring.security3.PasswordEncoder">
<property name="stringDigester" ref="jasyptStringDigester"/>
</bean>
</beans>

View File

@@ -1,19 +1,19 @@
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_5.xsd"
version="2.5">
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>Spring Integration Rest HTTP Path Usage Demo</display-name>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
<!-- Spring application context declaration -->
/WEB-INF/config/web-application-config.xml
/WEB-INF/config/web-application-config.xml
</param-value>
</context-param>
<!--
Key of the system property that should specify the root directory of this
web app. Applied by WebAppRootListener or Log4jConfigListener.
@@ -22,7 +22,7 @@
<param-name>webAppRootKey</param-name>
<param-value>rest-http.root</param-value>
</context-param>
<!--
Location of the Log4J config file, for initialization and refresh checks.
Applied by Log4jConfigListener.
@@ -31,25 +31,7 @@
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param>
<!--
- Configures Log4J for this web app.
- As this context specifies a context-param "log4jConfigLocation", its file path
- is used to load the Log4J configuration, including periodic refresh checks.
-
- Would fall back to default Log4J initialization (non-refreshing) if no special
- context-params are given.
-
- Exports a "web app root key", i.e. a system property that specifies the root
- directory of this web app, for usage in log file paths.
- This web app specifies "rest-http.root" (see log4j.properties file).
-->
<!-- Leave the listener commented-out if using JBoss -->
<listener>
<listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
</listener>
<!--
- Loads the root application context of this web app at startup,
- by default from "/WEB-INF/applicationContext.xml".
@@ -66,7 +48,7 @@
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>charEncodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
@@ -91,7 +73,7 @@
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Spring Integration Rest HTTP Path Usage</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
@@ -105,5 +87,5 @@
<servlet-name>Spring Integration Rest HTTP Path Usage</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
</web-app>
</web-app>