I am using Spring JPA to access my database but the username and password for the database is provided to me in the form of two files (username.txt and password.txt). The security guideline is that we are not supposed to paste password or any form of password (encrypted) in the config files.

I am trying to figure out ways to do something like this:

spring.datasource:
  url: <db url>
  username: "file:/path/username.txt"
  password: "file:/path/password.txt"

Does anyone have any idea on how to achieve something very similar to this?

PS. I want to keep the environment-specific credential file paths in this spring properties file. There are ways to pass in the file content as environment variable java -Dusername=${cat /path/username} but I want to avoid putting my config outside the the spring properties file.

EDIT: The username and password are stored as plaintext in separate files.

CodePudding user response：

You can’t read the contents of a file from Spring application properties file. But you can certainly configure the data source programmatically, and in code, read the files.

@Configuration
public class DataSourceConfig {
    
    @Bean
    public DataSource getDataSource() {
        DataSourceBuilder dataSourceBuilder = DataSourceBuilder.create();
        dataSourceBuilder.driverClassName("org.h2.Driver");
        dataSourceBuilder.url("jdbc:h2:mem:test");
        dataSourceBuilder.username("SA");
        dataSourceBuilder.password("");
        return dataSourceBuilder.build();
    }
}

See this article for details. I’m assuming you know how to read a file using Spring Boot, if not, you can see this article.

CodePudding user response：

Spring Boot 2.4 introduced the ability to read configuration values from files where the file name is the property name and the file content is the property value. For example, given the directory structure

path/
  spring.datasource.username
  spring.datasource.password

and the application.yaml file contains

spring.config.import: configtree:/path/

then the Environment will contain properties named spring.datasource.username and spring.datasource.password.

CodePudding user response：

There are multiple ways how you can load another config file containing your secrets (see documentation)

One idea is to create a environment specific application.yaml (e.g. application-prod.yaml containing only the prod config next to your application config (you dont need to pack that in your jar, you can simple put it next to you jar only in your production environment.

Another idea is to load additional config using -Dspring.config.additional-location=...

CodePudding user response：

Though I can't say, this is a good idea, but you can read file content to field. But you'll have to do 3 steps

1. Add path to file to application.properties

password.file=/Users/user/work/pass.txt

2. Implement of find a method, which can load file content into a single string.

For example

public static String readPassword(String filePath) throws IOException {
        return FileUtils.readFileToString(new File(filePath), Charset.defaultCharset());
}

3. Add SpEL expression to the field, which invokes this method using argument from properties

    @Value("#{T (com.github.TestComponent).readPassword(\"${password.file}\")}")
    private String password;

While startup, Spring will invoke this method and put the result to password field.

Class may look like

package com.github;

import java.io.File;
import java.io.IOException;
import java.nio.charset.Charset;

import org.apache.commons.io.FileUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
public class TestComponent {

    @Value("#{T (com.github.TestComponent).readPassword(\"${password.file}\")}")
    private String password;
    
    public void showPassword() {
        System.out.println(password);
    }
    
    public static String readPassword(String filePath) throws IOException {
        return FileUtils.readFileToString(new File(filePath), Charset.defaultCharset());
    }
}

CodePudding user response：

When we serach for "spring-boot secrets", still this (2016) article pops up first:

Spring Vault!

Some modern approaches (here) with docker-secrets:

• docker secret with spring boot application is not working in docker swarm mode /run/secrets
• extracting docker secret in spring boot app instead of using properties file
• What is best way to secure secret keys with Docker in spring boot application
• How can I set the property spring.cloud.config.server.git.password using docker secret

But "pragmatically" and with the "latest rce's${;}", i would propose something like:

@Value("#{T(java.nio.file.Files).readString('/path/username.txt')}")
String username;

// or having the path in a property (named db.password.file):
@Value("#{T(java.nio.file.Files).readString('${db.password.file}')}")
String password;

Thx to:

• https://stackoverflow.com/a/14679461/592355
• https://stackoverflow.com/a/326440/592355