Gopi Gorantala

Reputation: 196

Password encrypt and decrypt using Spring-security

Preface: I have a JAR which is developed by making use of spring-boot (maven project). Then, I will access my JAR folder and run the below command to execute it:

java -server -jar ${jarName} --spring.config.location=classpath:config.properties

So my JAR reads the {key, value} pairs from the properties file and executes the code accordingly. This is working with no issues, but I have a few properties in my config.properties file which have DB details to connect to an Oracle database directly. It also has my application super-admin username & password.

I don't want to push this code to bit-bucket/stash/git, since it has all my passwords stored in it.

Work Around: I can push my code to git/stash with empty passwords and then run the below command to inject the properties file through --spring.config.location command as follows

java -server -jar ${jarName} --spring.config.location=./config.properties

Question: How to encrypt and decrypt a String/password in spring applications?

I want to store the password in the properties file which is in encrypted format and then decrypt it through my code and connect to the Oracle database & to my application.

Upvotes: 2

Views: 4820

Answers (3)

Gopi Gorantala

Reputation: 196

I stored the application username and password in a text file on the server. I then used a plugin to encrypt and decrypt them and use them in my application. This way I can check in the entire code into git, which will have no passwords at all.

Upvotes: 1

Oreste Viron

Reputation: 3805

Usually, I put this kind of config in the environment variables of the server. You can replace your password in your application.properties by ${MY_PASSWORD}, then put the password in environment variables (very helpful with docker).

You can also use two files, an application-dev.properties with your dev database password, and an application-prod.properties with a reference to environment variables, to make development easier.

Upvotes: 3
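A repository check that enforces the placeholder approach from the answer above, as an added example that is not part of any answer on this page: it parses a .properties file and reports secret-looking keys whose value is a literal rather than empty or a single ${NAME} placeholder such as ${MY_PASSWORD}. The key-name pattern, the function names and the sample file contents are assumptions made for illustration.

```python
import re

# Key names treated as secret-bearing (an assumed naming convention).
SECRET_KEY = re.compile(r"password|passwd|pwd|secret|token", re.IGNORECASE)
# A value that is exactly one ${NAME} placeholder; ${NAME:default} is rejected
# because the default would be a literal stored in the file.
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_.]*\}$")


def parse_properties(text):
    """Yield (line_no, key, value) for each entry of a .properties document."""
    logical, start = "", 0
    # The trailing "" flushes an entry whose last line ends in a continuation.
    for no, raw in enumerate(text.splitlines() + [""], 1):
        line = raw.lstrip()
        if not logical:
            if not line or line[0] in "#!":
                continue  # blank line or comment
            start = no
        # An odd number of trailing backslashes continues the entry.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            logical += line[:-1]
            continue
        logical += line
        # The key ends at the first '=', ':' or whitespace.
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", logical)
        if m:
            yield start, m.group(1), m.group(2).strip()
        logical = ""


def find_hardcoded_secrets(text):
    """Return (line_no, key) for secret keys holding a literal value."""
    return [(no, key) for no, key, value in parse_properties(text)
            if SECRET_KEY.search(key) and value and not PLACEHOLDER.match(value)]


# Constructed sample, modelled on the config.properties the question describes.
SAMPLE = """\
# Oracle connection
db.url=jdbc:oracle:thin:@//dbhost:1521/ORCL
db.username = app_user
db.password = ${MY_PASSWORD}
admin.username: superadmin
admin.password: Sup3r\\
    Adm1n
api.token=${API_TOKEN:changeme}
smtp.password=
"""
```

Run from a pre-commit hook or CI job over the committed properties files, a non-empty result from find_hardcoded_secrets is the signal to fail the build.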

Glains

Reputation: 2863

Usually, these types of configuration files should be listed in the .gitignore and not pushed to the repository. Besides, if you want to encrypt and then decrypt them again, there is no reason to push them anyway. If there is a common configuration, however, you might want to push that and store credentials in another file that is not pushed.

An example:

  • application.properties: common properties that you wish to push to the repository
  • database.properties: properties to be kept secret and on the local machine

.gitignore

database.properties

Then you can use Spring annotations to load the property files at runtime.

@PropertySource(value = { "application.properties", "database.properties" })

Upvotes: 4
