These are chat archives for alvarosanchez/spring-security-rest

23rd
Apr 2015
Lawrence Lee
@ChaosWars
Apr 23 2015 08:54
Hi, what options do I need to set to get rid of the "WARNING: you are using the default RSA key provider, which generates a pair of public/private keys every time the application runs"
I have set the following options, but it remains:
jwt {
    DefaultRSAKeyProvider = 'FileRSAKeyProvider'
    expiration = 2592000 // 30 days
    privateKeyPath = "$baseDir/grails-app/config/private_key.der"
    publicKeyPath = "$baseDir/grails-app/config/public_key.der"
    useEncryptedJwt = false
}
Lawrence Lee
@ChaosWars
Apr 23 2015 09:16
I'm trying to get rid of the message (and keep the tokens valid between server reboots) without using token encryption
Álvaro Sánchez-Mariscal
@alvarosanchez
Apr 23 2015 09:36
you have to set your own PKI files:
grails.plugin.springsecurity.rest.token.storage.jwt.useEncryptedJwt = true
grails.plugin.springsecurity.rest.token.storage.jwt.privateKeyPath = '/path/to/private_key.der'
grails.plugin.springsecurity.rest.token.storage.jwt.publicKeyPath = '/path/to/public_key.der'
Lawrence Lee
@ChaosWars
Apr 23 2015 09:38
ok, but that will actually encrypt the JWT right?
I'm just actually trying to keep the signing valid between runs
or is this unnecessary for that?
Álvaro Sánchez-Mariscal
@alvarosanchez
Apr 23 2015 11:03
you have 2 options: signing or encrypting
signing uses an HMAC algorithm, so as long as you keep the secret constant in your configuration, it will work across executions
Lawrence Lee
@ChaosWars
Apr 23 2015 11:44
ok, thanks
Álvaro Sánchez-Mariscal
@alvarosanchez
Apr 23 2015 12:17
encryption can use auto-generated public/private keys (the one with the warning, which is suitable for development), or your own provided key pair (which should be used for production)
whether you use encryption or not will depend on whether the information in the claims is sensitive
Lawrence Lee
@ChaosWars
Apr 23 2015 16:13
Ok, the weird thing is that you get the message about the autogenerated keys even if useEncryptedJwt is set to false. And setting your own secret doesn't make it go away