everyone!

this is going to be my first time pushing a newly developed Spring Boot App and I was wondering if there is a way to protect passwords and other sensitive information written in the application.properties file.

Assuming we have the following lines:

# PostgreSQL connection settings
spring.datasource.jdbc-url=jdbc:postgresql://localhost:5432/bdreminder
spring.datasource.username=username
spring.datasource.password=password

The source code is to be first stored on GitHub and having the credentials stored in plain text does not seem to be a good idea. So, I could probably add the file to the .gitignore one; I could set some environment variables on the host but how would it populate the .properties file afterward? Also, this seems quite cumbersome in terms of the scaling later on.

So, basically, I am trying to see how it is done in a real-life :)

Please, help :)

CodePudding user response：

Simplest option is to create a profile specific application.properties file and activate that profile. So for example create application-private.properties and activate profile private. Of course you have to watch out to not commit this file.

Alternatively, and probably a safer option, is to define a file outside your project and import it in your application.properties with following line:

spring.config.import=file:../path/to/your/external.properties

CodePudding user response：

Spring Boot has extensive support for external configuration. The usual approach is to use one of environment variables, configuration provided by a platform such as Kubernetes, or a specialized configuration system through Spring Cloud Config; these all keep secrets (or just environment-specific information) entirely outside of the code. They also have the advantages of providing a common style of configuration for other applications that do not use Spring Boot.