How are users' password protected in Jasper Server?

0

We installed a new version of Jasper Server Community Edition (v64.3) coming from an obsolete version (v3.7). We noticed that the password of users have already been obscured. I want to know what mechanism were used from password protection? What type of encryption?

laggybuggy's picture
Joined: May 3 2018 - 5:40am
Last seen: 1 year 1 month ago

5 Answers:

0

Thanks @hozawa for getting back with me. The one you sent is used to encrypt passwords in configuration files.

I used your reference, though, to check for v6.4.X series and it lead me to this article: https://community.jaspersoft.com/documentation/tibco-jasperreports-serve.... There's a part there for cipher transformation. It is the one used to encrypt user passwords in the DB.

Thanks a lot!

laggybuggy's picture
Joined: May 3 2018 - 5:40am
Last seen: 1 year 1 month ago
0
elizam's picture
4597
Joined: Mar 5 2012 - 9:19am
Last seen: 7 hours 25 min ago
0

To enable encryption, check section 5. Password encryption in the JasperReports Server installation manual

https://community.jaspersoft.com/documentation/tibco-jasperreports-server-installation-guide/v71/installing-war-file-using-js-insta-0

 

The default_master.properties file has a property setting to enable encryption of passwords that reside on the file system. This applies to all files found under the buildomatic folder, as well as the connection pooling file used by Apache Tomcat (context.xml). Currently, password encryption for connection pooling supports only the Tomcat application server.

To enable encryption on the file system, uncomment the encrypt property so it looks like this:

encrypt=true

hozawa's picture
56222
Joined: Apr 24 2010 - 4:31pm
Last seen: 7 months 1 week ago
0

Thanks for your responses @elizam and @hozawa. But what I mean is something like the below.

In version 3.7, the password of a user can easily be retrieved in the Users module using Developer Tools in Chrome as seen below.

Unencrypted Password

In version 6.4.3, this is no longer available.

User password no longer shown

Also, if you check the DB entries for the users, the password stored there is encrypted as well. I'd like to know the encryption mechanism.

laggybuggy's picture
Joined: May 3 2018 - 5:40am
Last seen: 1 year 1 month ago
1

Not sure if this is what you're asking for but if you look at default_master.properties file, there's something like the following line. This is the default.

# encrypt=true
# build.key.algo=AES
# build.key.size=128
# enc.transformation=AES/CBC/PKCS5Padding
# enc.block.size=16
# propsToEncrypt=dbPassword

JasperReports Server is using Spring Security. Have you checked the following manual?

https://community.jaspersoft.com/documentation/tibco-jasperreports-serve...

hozawa's picture
56222
Joined: Apr 24 2010 - 4:31pm
Last seen: 7 months 1 week ago
Feedback