    This documentation is an older version of the JasperReports Server Security Guide.

    By default, JasperReports Server does not enable Secure Sockets Layer/Transport Layer Security (SSL/TLS) to encrypt all data between the browser and the server, also known as HTTPS. Enabling HTTPS requires a certificate and careful configuration of your servers. We recommend implementing HTTPS but recognize that it is not always feasible. See Enabling SSL in Tomcat.

    Without HTTPS, all data sent by the user, including passwords, appears unencrypted in the network traffic. Because passwords should never be visible, JasperReports Server provides an independent method for encrypting password values without using HTTPS. Passwords are encrypted in the following cases:

    Passwords sent from the login page.
    Passwords sent from the change password dialog. See Configuring User Password Options.
    Passwords sent from the user management pages by an administrator.

    When a browser requests one of these pages, the server generates a private-public key pair and sends the public key along with the page. JavaScript in the requested page encrypts the password when the user posts it to the server. Meanwhile, the server saves its private key and uses it to decrypt the password when it arrives. After decrypting the password, the server continues with the usual authentication methods.

    Login encryption is not compatible with password memory in the browser. Independent of the autocomplete setting described in section Configuring Password Memory, the JavaScript that implements login encryption clears the password field before submitting the page. As a result, most browsers will never prompt to remember the encrypted password.

    The disadvantage of login encryption is the added processing and the added complexity of web services login. For backward compatibility, login encryption is disabled by default. To enable login encryption, set the following properties. After making any changes, redeploy the JasperReports Server webapp or restart the application server.

    Warning: When login encryption is enabled, web services and URL parameters must also send encrypted passwords. Your applications must first obtain the key from the server and then encrypt the password before sending it. See the JasperReports Server Web Services Guide.

    Login Encryption

    Configuration file: .../WEB-INF/classes/esapi/security-config.properties

    encryption.on
        Value: true | false (default: false)
        Turns login encryption on or off. Encryption is off by default. Any value other than a case-insensitive "false" is equivalent to true.

    encryption.type
        Value: RSA (default)
        Encryption algorithm; currently, only RSA is supported.

    encryption.key.length
        Value: integer power of 2 (default: 1024)
        The length of the generated encryption keys. This affects the strength of the encryption and the length of the encrypted string.

    encryption.dynamic.key
        Value: true (default) | false
        When true, a new key pair is generated for every request. When false, the key pair is generated once per application installation. See Static Key Encryption below.

    Encryption has two modes, dynamic and static, as determined by the encryption.dynamic.key parameter. These modes provide different levels of security and are further described in the following sections.

    Dynamic Key Encryption

    The advantage of encrypting the password at login is not only to prevent it from being seen but also to prevent it from being used. For password encryption to achieve this, the password must be encrypted differently every time it's sent. With dynamic key encryption, the server uses a new public-private key pair with every login request.

    Every time someone logs in, the server generates a new key pair and sends the new public key to the JavaScript on the page that sends the password. This ensures that the encrypted password is different every time it's sent, and a potential attacker won't be able to steal the encrypted password to log in or send a different request.

    Because it's more secure, dynamic key encryption is the default setting when encryption is enabled. The disadvantage is that it slows down each login, though users may not always notice. Another effect of dynamic key encryption is that it doesn't allow remembering passwords in the browser. While this may seem inconvenient, it's more secure to not store passwords in the browser. See Configuring Password Memory.

    Static Key Encryption

    JasperReports Server also supports static key encryption. In this case, a unique key pair is generated automatically on the user's first login and remains the same for the entire server installation. Because the key is always the same, the encrypted value of a user’s password is always the same. This means an attacker could steal the encrypted password and use it to access the server.

    Static key encryption is very insecure and is recommended only for intranet server installations where the network traffic is better protected. The only advantage of static encryption over no encryption at all is that passwords can't be deciphered and used to attack other systems where users might have the same password.

    Before setting encryption.dynamic.key=false to use static encryption, you must also configure the secure file called keystore where the key pair is kept. Be sure to customize the keystore parameters listed in the following table to make your keystore file unique and secure.

    Warning: For security reasons, always change the default keystore passwords immediately after installing the server.

    Keystore Configuration (when encryption.dynamic.key=false)

    Configuration file: .../WEB-INF/classes/esapi/security-config.properties

    keystore.location
        Value: keystore.jks (default)
        Path and filename of the keystore file. This is either an absolute path or a file in the webapp classpath, for example <tomcat>/webapps/jasperserver-pro/WEB-INF/classes. By default, the keystore.jks file shipped with the server doesn't contain any keys.

    keystore.password
        Value: jasper123 (default)
        Password for the whole keystore file. This password is used to verify the keystore's integrity.

    keystore.key.alias
        Value: jasper (default)
        Name by which the single key is retrieved from the keystore. If a new alias is specified that does not correspond to an existing key, a new key is generated and inserted into the keystore.

    keystore.key.password
        Value: jasper321 (default)
        Password for the key whose alias is specified by keystore.key.alias.

    When you change the key alias, the old key will not be deleted. You can use it again by resetting the key alias. Also, once the key has been created with a password, you can't change the password through the keystore configuration. To delete keys or change a keystore password, the server administrator must use the Java keytool.exe utility in the bin directory of the JRE or JDK. If you change the keystore password or the key password, the keystore configuration above must reflect the new values or login will fail for all users.
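    The following is an added example (not JasperReports Server code) that reads the properties documented in the two tables above from a security-config.properties file and reports the settings a reviewer would want to know about: whether login encryption is on (using the documented rule that any value other than a case-insensitive "false" counts as true), whether the key length is an integer power of 2, and, when static key encryption is configured, whether the keystore location, passwords and alias are still the shipped defaults. The function names (parseProperties, isTrue, auditSecurityConfig) and the sample file content are constructed for this example; the parser assumes the usual Java key=value properties syntax.

```javascript
// Added example, not JasperReports Server code: audit of login-encryption settings.

// Minimal Java .properties parser: key=value or key:value, '#' or '!' comments.
function parseProperties(text) {
  const props = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith('!')) continue;
    const m = line.match(/^([^=:\s]+)\s*[=:]?\s*(.*)$/);
    if (m) props[m[1]] = m[2].trim();
  }
  return props;
}

// Documented rule for encryption.on: any value other than case-insensitive "false" is true.
function isTrue(value, fallback) {
  if (value === undefined) return fallback;
  return value.trim().toLowerCase() !== 'false';
}

// Defaults shipped with the server, as listed in the keystore table above.
const SHIPPED_DEFAULTS = {
  'keystore.location': 'keystore.jks',
  'keystore.password': 'jasper123',
  'keystore.key.alias': 'jasper',
  'keystore.key.password': 'jasper321',
};

function auditSecurityConfig(text) {
  const p = parseProperties(text);
  const findings = [];
  const encryptionOn = isTrue(p['encryption.on'], false);   // off by default
  const dynamicKey = isTrue(p['encryption.dynamic.key'], true); // dynamic by default
  if (!encryptionOn) {
    findings.push('encryption.on is off: passwords leave the browser unencrypted unless HTTPS is used');
    return { encryptionOn, dynamicKey, keyLength: null, findings };
  }
  const rawLength = p['encryption.key.length'] ?? '1024';
  const keyLength = Number(rawLength);
  if (!Number.isInteger(keyLength) || keyLength <= 0 || (keyLength & (keyLength - 1)) !== 0) {
    findings.push(`encryption.key.length=${rawLength} is not an integer power of 2`);
  }
  if (!dynamicKey) {
    findings.push('encryption.dynamic.key=false: static key, the encrypted password can be replayed');
    for (const [key, def] of Object.entries(SHIPPED_DEFAULTS)) {
      if ((p[key] ?? def) === def) findings.push(`${key} still uses the shipped default "${def}"`);
    }
  }
  return { encryptionOn, dynamicKey, keyLength, findings };
}

// Constructed sample: static mode enabled with every keystore setting left at its default.
const SAMPLE_CONFIG = `
# security-config.properties (constructed sample, not from a real installation)
encryption.on=true
encryption.type=RSA
encryption.key.length=1024
encryption.dynamic.key=false
keystore.location=keystore.jks
keystore.password=jasper123
keystore.key.alias=jasper
keystore.key.password=jasper321
`;

const report = auditSecurityConfig(SAMPLE_CONFIG);
console.log(report.findings.join('\n'));
```

    Run against the sample, the audit reports the static-key mode and all four unchanged keystore defaults, which is the state the warning above tells you to fix immediately after installation. Point it at the real file under WEB-INF/classes/esapi to check an installation.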
