19

When using a Spring Boot application, we use different application.properties files according to different environments.

We put important credentials in them, like database configurations, server IPs, admin username/password and so on.

I am worried about what would happen if someone obtained our application properties and got all the important details.

Is there any good approach to put important credentials somewhere and obtain them in our Spring Boot application based on environment?

Mikhail Kholodkov
Abhishek saini

4 Answers

10

Many techniques

  • Using token replacement (maven replacer)

    application.properties:
        spring.datasource.password=#MY_DB_PASSWORD#
    tokens.properties:
        #MY_DB_PASSWORD#=SECRET_PASSWORD

    where tokens.properties has access protection

  • Using an environment variable
    mvn spring-boot:run -Dspring.datasource.password=SECRET_PASSWORD

    or simply
    spring.datasource.password=${myDbPasswordEnv}

  • Using Jasypt to encrypt your properties

Halayem Anis
2

One solution is to use environment variables and property placeholders in the application properties. Let's say you want to store the password of the database. Create an environment variable:

setx DEV_DB_PASS <your_dev_database_password>

Now, in the application properties file, you can access this value as:

spring.datasource.password = ${DEV_DB_PASS}

You can refer to the official documentation.

Prashant
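A check that can run in CI to enforce the placeholder approaches from the two answers above, as an added example that is not part of either answer: it flags credential-like keys in a properties file whose value is a literal rather than a `${...}` placeholder or an unreplaced `#TOKEN#`. The key-name pattern, the function names and the sample file are assumptions made for this illustration.

```python
import re

# Assumption: key names that usually carry credentials; extend per project.
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|api[-_.]?key|credential", re.I)
# Accept exactly one ${NAME} placeholder. ${NAME:fallback} is rejected on purpose:
# the fallback is a literal stored in the file again.
PLACEHOLDER = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_.-]*\}")
# Accept an unreplaced build token such as #MY_DB_PASSWORD#.
BUILD_TOKEN = re.compile(r"#[A-Za-z0-9_]+#")

# Constructed sample input, not taken from the page.
SAMPLE = """\
# application-dev.properties (constructed)
spring.datasource.url=jdbc:postgresql://db.example.internal/app
spring.datasource.username=app
spring.datasource.password=SECRET_PASSWORD
admin.password = ${ADMIN_PASS}
mail.password=#MAIL_PASSWORD#
api.token: ${API_TOKEN:changeme}
"""


def parse_properties(text):
    """Yield (line_no, key, value); backslash continuation lines are not handled."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            yield line_no, match.group(1), match.group(2)


def find_literal_secrets(text):
    """Return [(line_no, key)] for sensitive keys set to a literal; values are never returned."""
    findings = []
    for line_no, key, value in parse_properties(text):
        if not value or not SENSITIVE_KEY.search(key):
            continue
        if PLACEHOLDER.fullmatch(value) or BUILD_TOKEN.fullmatch(value):
            continue
        findings.append((line_no, key))
    return findings


if __name__ == "__main__":
    for line_no, key in find_literal_secrets(SAMPLE):
        print(f"line {line_no}: {key} is set to a literal value")
```

The report contains only line numbers and key names, so the check's own output does not copy the secret into build logs.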
1

Please never think environment variables are hidden - the proc entry env has these, owned by the process owner. Security by obscurity does not help.

# ls -asl /proc/6475/environ 
0 -r-------- 1 karl karl 0 Sep 22 13:58 /proc/6475/environ
Karl Royer
0

You should use Spring Cloud Config, as it is best suited for managing configuration in a central place using a Git repository or something similar.

Gaurav Srivastav