Category: | Bug report |
Priority: | High |
Status: | New |
Project: |
Severity: | Major |
Resolution: | Open |
Component: |
Reproducibility: | Always |
Assigned to: |
In order to encrypt the j_password parameter, I've enabled static key encryption.
Unfortunately, it is not possible to load the keystore from either the classpath or an external file due to errors.
When in the configuration (jasperserver-pro.war/WEB-INF/classes/esapi/security-config.properties) the keystore location is set to the classpath:
encryption.on=true
encryption.dynamic.key=false
keystore.location=keystore.jks
I've got an exception:
Caused by: java.lang.IllegalArgumentException: URI scheme is not "file"
at java.io.File.<init>(File.java:421)
at com.jaspersoft.jasperserver.api.security.encryption.EncryptionManager.generateKeys(EncryptionManager.java:124)
When in the configuration (jasperserver-pro.war/WEB-INF/classes/esapi/security-config.properties) the keystore location is set to an external file:
encryption.on=true
encryption.dynamic.key=false
keystore.location=file:///opt/path/to/keystore.jks
I've got an NPE:
Caused by: java.lang.NullPointerException
at com.jaspersoft.jasperserver.api.security.encryption.EncryptionManager.generateKeys(EncryptionManager.java:118)
According to the source code from jasperreports-server-cp-6.1.0-src.zip, com.jaspersoft.jasperserver.api.security.encryption.EncryptionManager#generateKeys:
File keystoreFile = null;
final URL keystoreResource = EncryptionManager.class.getClassLoader().getResource(keystoreLocation);
is = keystoreResource.openStream(); // line 118
if (is == null) { // if not on the classpath, look for an external file on the system
    keystoreFile = new File(keystoreLocation);
    is = new FileInputStream(keystoreLocation);
}
else
    keystoreFile = new File(keystoreResource.toURI()); // line 124
It's a bug in the code, because the javadoc of ClassLoader#getResource(String) http://docs.oracle.com/javase/7/docs/api/java/lang/ClassLoader.html#getR... says:
Returns:
A URL object for reading the resource, or null if the resource could not be found or the invoker doesn't have adequate privileges to get the resource.
So when the resource at the location specified by the keystore.location property can't be found on the classpath, it will return null and line 118, keystoreResource.openStream(), will throw an NPE.
When the resource can be found on the classpath, is == null will be false and line 124, new File(keystoreResource.toURI()), will throw IllegalArgumentException: URI scheme is not "file".
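
One way the lookup could handle both configurations from this report, shown as an added example that is not part of the original report or of JasperReports Server's code. The class `KeystoreLocator`, its `open` method and the `changeit` password are hypothetical, and the sample keystore is constructed in a temp file.

```java
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

// Hypothetical helper for illustration; not JasperReports Server code.
public class KeystoreLocator {
    // Resolves keystore.location: classpath first, then the file system.
    static InputStream open(String location) throws IOException {
        URL resource = KeystoreLocator.class.getClassLoader().getResource(location);
        if (resource != null) { // getResource() returns null when nothing is found
            // Read via the URL: a resource packed in a WAR/JAR may have a non-file
            // URI, so new File(resource.toURI()) can throw IllegalArgumentException.
            return resource.openStream();
        }
        // Not on the classpath: accept a file: URI or a plain path.
        Path path = location.startsWith("file:")
                ? Paths.get(URI.create(location)) : Paths.get(location);
        if (!Files.isRegularFile(path)) {
            throw new FileNotFoundException("Keystore not found: " + location);
        }
        return Files.newInputStream(path);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty JKS keystore in a temp file.
        char[] password = "changeit".toCharArray();
        Path tmp = Files.createTempFile("keystore", ".jks");
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, password);
        try (OutputStream out = Files.newOutputStream(tmp)) {
            empty.store(out, password);
        }
        // The external file resolves both as a file: URI and as a plain path.
        for (String location : new String[] {tmp.toUri().toString(), tmp.toString()}) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream is = open(location)) {
                ks.load(is, password);
            }
            System.out.println(location + " -> loaded, entries=" + ks.size());
        }
        Files.delete(tmp);
    }
}
```

A missing keystore surfaces here as a FileNotFoundException naming the configured location rather than as an NPE.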