1

I know Springboot applications can use application.properties or application.yaml files to retrieve variables like database connectivity setting, username, password etc.

However, and because of sensitive information, our development team has these only for test environment but not for production environments. These are not available to developers.

These are provided by security team and set up directly on server in server configuration files on Liberty server (these are server.xml files located in the server installation directory).

Developers have their own instance of Liberty server running where they have their own versions of server.xml files. If we could make Springboot read these files, then we could make it mimic production server environments and make transition easier instead of reading local application.properties files.

Is this possible?

If not, what would be a workaround?

pixel
  • 9,653
  • 16
  • 82
  • 149

2 Answers2

1

I will talk about alternative solution.

Firstly I do not understand how developer will access production server properties. And for securing sensitive properties you could use property encryptor tool. Sensitive properties will be in encrypted format in application.properties and during server startup it will decrypt encrypted properties and use accordingly.

Here is a such library for property encrytion library

mystery
  • 875
  • 6
  • 16
  • Maybe I wasn't clear enought but here is how it is . Production server uses production Liberty settings. Developer machine has local Liberty server. Local server mimics production server (e.g. has some username, password, database connectivity details), the values are different, develper machine uses values that are known to devs but production server values are unknow. However, the setting is same. So, on dev machine, user_password reads dev user password, but on production server it gets real user password. So, the setting is identical, just values change – pixel Nov 19 '21 at 16:27
  • @pixel then what is the difference in putting sensitive properties in application.properties vs liberty settings? – mystery Nov 20 '21 at 03:42
  • huge. it is accessible only to small team of people vs to anyone with access to code. Thanks, @Gas provided answer I was looking for already. – pixel Nov 21 '21 at 22:47
1

First, usually developer/application doesn't need direct access to props like database connectivity setting, username, password because all that is configured in server in data source configuration, so application just needs JNDI name of the datasource to connect to it.

Second, if you use technology that cannot be configured in server, developers and security team should utilize environment variables for such props.

Liberty can read env variables, or also define them via server.env and then utilize in server.xml config for example:

<dataSource  jndiName="jdbc/myDS">
   ...
        <properties.db2.jcc serverName="${JDBC_HOST}" portNumber="${JDBC_PORT}" databaseName="${JDBC_DB}" user="${JDBC_USER}" password="${JDBC_PASSWORD}"/> 
    </dataSource>

Similarly you can use env vars in your springboot either configuring it in application.properties like this:

jdbc.user=${JDBC_USER}

or directly in code:

@Value("${JDBC_USER}")
private String jdbcUser;

Utilizing env variables has additional benefit that you can override them later if deploying in containers for example.

Gas
  • 17,601
  • 4
  • 46
  • 93
  • Thanks Gas, but where is this JDBC_USER variable defined? In your answer, you are reading this variable in server.xml, application.properties, or injecting it into Springboot class, but where is it defined and how on the server? – pixel Nov 19 '21 at 16:23
  • 1
    The JDBC_USER variable can either be defined in the operating system environment via `export JDBC_USER =xyz` \ `SET JDBC_USER =xyz` (on Win) or via `server.env` file that is located in the liberty server directory. – Gas Nov 21 '21 at 00:33
  • Much appreciated – pixel Nov 21 '21 at 22:46