0

I need to set up my spring-boot project in a way that if you start it with the profile 'local', no 'external' .properties files (placed in the same directory as the jar) are accepted. When starting the jar with any other profile though, they should be accepted.

All the questions I found where only talking about configuring for the 'internal' resources inside the project structure. I couldn't figure out how to tell the application whether or not to accept such 'external' files as well.

James Z
  • 12,209
  • 10
  • 24
  • 44
Medwe
  • 318
  • 1
  • 12

1 Answers1

0

Spring boot supports external configurations with the property --spring.config.location

If can point on an actual file, a folder or any combination of those.

The values in these properties files will override the values from the internal configuration locations.

Make sure you've read the relevant chapter of documention

Update: as I've commented it's impossible to "suppress" an external configuration. However, As one of the workaround, you can consider implementing an EnvironmentPostProcessor that will dynamically add profiles.

It runs after the environment is available but before spring actually processes its beans; in a nutshell, it provides a way to customize your configuration.

So this could rely on the following assumptions:

  • an external file is called "application-external.properties"

  • the application is always started with --spring.config.locations=<path_to_external_folder>

  • in addition to the above specify the profile: --spring.profiles.active=local This will load application.properties and application-local.properties available internally but won't touch the external file unless in the post processor you add something like (a pseudo code):

    if(! getActiveProfiles().contains("local")) { addProfile("external"); }

You can read about environment post processors Here

Mark Bramnik
  • 39,963
  • 4
  • 57
  • 97
  • @Medwe want the configuration which will tell application not to use external configuration. is your answer is correct in that case ? – Yogesh Prajapati Sep 19 '19 at 07:30
  • Sadly it is not correct, I'd need one specific profile to not accept external configuration. – Medwe Sep 19 '19 at 07:50
  • I don't think spring boot allows "suppressing" external configurations once they're specified. It's like saying "I want to run with config X but please do not process it". Sounds weird, doesn't it? The best solution IMO would be putting some condition in the script that starts the application and checks whether the external configuration should be set. Having said that, @Medwe, could you please elaborate more on your use case, I've never met such a requirement, maybe its solvable in a different way... – Mark Bramnik Sep 19 '19 at 07:54
  • @Medwe, I've posted one possible workaround. Please check that out – Mark Bramnik Sep 19 '19 at 08:10
  • As far as I understand this does not solve our problem, though it may have answered my question. In your solution there'd still be a way to 'inject' properties when starting the local profile, by simply naming the file differently. As there's no authentication when starting the local profile, we don't want external properties files to be loaded into the application as you could change the database URL eg. – Medwe Sep 19 '19 at 10:36
  • So the requirement basically comes from security perspective? you mean that a malicious hacker can gain the access to the filesystem and place / override the values for the property file and rerun the application? – Mark Bramnik Sep 19 '19 at 10:50
  • Pretty much, yes – Medwe Sep 19 '19 at 17:03
  • In this case you might consider using totally different tools. For example, take a look at spring cloud config server. It supports protection of vulnerable configurations (like passwords) + integrates with Vault. This is a subject for a different question though. – Mark Bramnik Sep 19 '19 at 17:09