Apereo CAS - Customizing Configuration Security

Posted by Misagh Moayyed on April 29, 2023 · 4 mins read ·

A good number of Apereo CAS settings and properties may carry sensitive values. Database passwords, API tokens, and various other secrets need to be protected and secured first and then taught to CAS in a way that it can decode and process those values when connections and requests to those systems are made. While there are multiple ways to handle configuration security with CAS, it’s entirely possible that you might have your custom and unique way of handling CAS properties and need a way to allow CAS to learn and decrypt properties using your security strategy.

In this post, we will take a brief look at how CAS may be customized to decrypt secured properties on the fly. Our starting position is:


Configuration values and properties in Apereo CAS are ultimately managed internally via the Spring Cloud PropertySource components, which are responsible to connect with different sources and loading settings into the CAS runtime and ultimately the Spring application context. While settings are initially loaded, they may pass through a configuration cipher whose job is to examine settings and values and decide, conditionally, whether a property needs to be decrypted. If so, the cipher is given the chance to decrypt the property and pass the result back to the calling PropertySource.

To tap into this process, you need to design your cipher by first defining an @AutoConfiguration class and registering it with Spring Cloud:


Your auto-configuration class would look similar to the following:

public class MyConfiguration {

Next comes your own CipherExecutor bean definition and implementation:

public CipherExecutor<String, String> casConfigurationCipherExecutor(
    final Environment environment) {
    return new MyCipherExecutor(environment);

Your cipher needs to implement MyCipherExecutor#decode(Map, Object[]). It receives a Map which contains all the properties loaded by CAS already. This is where you decode values and finally return the results as a Map<String, Object> of all processed and possibly-decrypted settings.

Need Help?

If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.


I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed