Best way define important credentials in spring boot

java security spring-boot password-protection
Abhishek saini picture Abhishek saini · Jun 19, 2018 · Viewed 7k times · Source

When using Spring Boot application we use different application.properties files according to different environments.

We put important credentials like: database configurations, server IPs, admin username/password and so on.

I am worrying about what would happen if someone would obtain our application properties and get all important details.

Is there any good approach to put important credentials somewhere and obtain them in our Spring Boot application based on environment?

Answer

Halayem Anis picture Halayem Anis · Jun 19, 2018

Many techniques

  • Using tokens replacement (maven replacor)

    application.properties spring.datasource.password=#MY_DB_PASSWORD#
    tokens.properties #MY_DB_PASSWORD#=SECRET_PASSWORD

    where tokens.properties has an access protection

  • Using environment variable
    mvn spring-boot:run -Dspring.datasource.password=SECRET_PASSWORD

    or simply
    spring.datasource.password=${myDbPasswordEnv}

  • Using Jaspyt to encrypt your properties

Related questions

Customize auth error from Spring Security using OAuth2

I was wondering if I could customize the following authorization error: { "error": "unauthorized", "error_description": "Full authentication is required to access this resource" } I get it when the user request does not have permissions. And I would like to customize …

Read More
Java Error: "Your security settings have blocked a local application from running"

I'm trying to run this simple HelloWorld code written in Java from my browser (Chrome): public class HelloWorld extends JApplet { public void init() { try { SwingUtilities.invokeAndWait(new Runnable() { public void run() { JLabel lbl = new JLabel("Hello World"); add(lbl); } }); } catch (…

Read More
Why is char[] preferred over String for passwords?

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords. Why does String pose a threat to …

Read More