How are users' password protected in Jasper Server?

Posted on August 22, 2018 at 12:51am

We installed a new version of Jasper Server Community Edition (v64.3) coming from an obsolete version (v3.7). We noticed that the password of users have already been obscured. I want to know what mechanism were used from password protection? What type of encryption?

JasperReports® Server
laggybuggy's picture
laggybuggy
255
Joined: May 3 2018 - 5:40am
Last seen: 4 years 5 months ago

5 Answers:

Posted on August 24, 2018 at 2:40am

Thanks @hozawa for getting back with me. The one you sent is used to encrypt passwords in configuration files.

I used your reference, though, to check for v6.4.X series and it lead me to this article: https://community.jaspersoft.com/documentation/tibco-jasperreports-serve.... There's a part there for cipher transformation. It is the one used to encrypt user passwords in the DB.

Thanks a lot!

laggybuggy's picture
laggybuggy
255
Joined: May 3 2018 - 5:40am
Last seen: 4 years 5 months ago
Posted on August 22, 2018 at 11:42am

Password encryption is described in the Security Guide: https://community.jaspersoft.com/documentation/tibco-jasperreports-server-security-guide/v71/encrypting-passwords-configuration-files

elizam's picture
elizam
14354
Joined: Mar 5 2012 - 9:19am
Last seen: 2 years 10 months ago
Posted on August 22, 2018 at 2:45pm

To enable encryption, check section 5. Password encryption in the JasperReports Server installation manual

https://community.jaspersoft.com/documentation/tibco-jasperreports-server-installation-guide/v71/installing-war-file-using-js-insta-0

 

The default_master.properties file has a property setting to enable encryption of passwords that reside on the file system. This applies to all files found under the buildomatic folder, as well as the connection pooling file used by Apache Tomcat (context.xml). Currently, password encryption for connection pooling supports only the Tomcat application server.

To enable encryption on the file system, uncomment the encrypt property so it looks like this:

encrypt=true

hozawa's picture
hozawa
177329
Joined: Apr 24 2010 - 4:31pm
Last seen: 3 years 11 months ago
Posted on August 23, 2018 at 9:17am

Thanks for your responses @elizam and @hozawa. But what I mean is something like the below.

In version 3.7, the password of a user can easily be retrieved in the Users module using Developer Tools in Chrome as seen below.

Unencrypted Password

In version 6.4.3, this is no longer available.

User password no longer shown

Also, if you check the DB entries for the users, the password stored there is encrypted as well. I'd like to know the encryption mechanism.

laggybuggy's picture
laggybuggy
255
Joined: May 3 2018 - 5:40am
Last seen: 4 years 5 months ago
Posted on August 23, 2018 at 5:50pm

Not sure if this is what you're asking for but if you look at default_master.properties file, there's something like the following line. This is the default.

# encrypt=true
# build.key.algo=AES
# build.key.size=128
# enc.transformation=AES/CBC/PKCS5Padding
# enc.block.size=16
# propsToEncrypt=dbPassword

JasperReports Server is using Spring Security. Have you checked the following manual?

https://community.jaspersoft.com/documentation/tibco-jasperreports-serve...

hozawa's picture
hozawa
177329
Joined: Apr 24 2010 - 4:31pm
Last seen: 3 years 11 months ago
Feedback