Narasimha R N
1 min read · Jan 15, 2021


Integrate Secrets to Spring Boot Apps in Runtime

Don’t: It isn’t good practice to hard-code secrets in source code, to add them to configuration files, or to set them as environment variables. To ensure security compliance, secrets should be added to the service/app instance at runtime.

Do: Get the secrets at runtime and set them on the instance of the Spring Boot application. The secrets then exist in memory only as long as the app instance exists. If the application is shut down, the secrets are deleted too.

Example: How to set a secret on the Spring Boot application.

1. Add the key name to the Spring Boot application YAML file, e.g. secretName

Note: If the key already exists in the properties file, it will overwrite it.

2. Connect to the key management system and extract the secrets.

3. Set the secrets in a Properties instance:

    import java.util.Properties;

    Properties properties = new Properties();
    properties.put(secretName, secretValue);

4. Set the Properties instance on the Spring Boot application instance, e.g.:

    SpringApplication sa = new SpringApplication(AppMainClassName.class);
    sa.setDefaultProperties(properties);
    sa.run(args);

Note: args are from the main method.

Example:

    import java.util.Properties;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;

    @SpringBootApplication
    public class AppMainClassName {

        public static void main(String[] args) {
            // Assume KMS is a class for handling secret operations.
            KMS kmsInstance = KMS.getInstance();
            SpringApplication sa = new SpringApplication(AppMainClassName.class);
            Properties properties = new Properties();
            properties.setProperty("secretName", kmsInstance.get("secretName"));
            // .......
            // Add secrets to the Spring Boot app instance
            sa.setDefaultProperties(properties);
            // Run the app
            sa.run(args);
        }
    }
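A fuller version of the main class above, as an added example that is not the author's code: it fails fast when a required secret is missing and shows where the fetched value sits in Spring Boot's property precedence. SecretStore, the REQUIRED list, the sample value and the "runtimeSecrets" source name are assumptions standing in for the real key management client.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.core.env.MapPropertySource;

@SpringBootApplication
public class AppMainClassName {

    /** Hypothetical abstraction over the key management system client. */
    interface SecretStore {
        String get(String name); // returns null when the secret is absent
    }

    // Secrets the app cannot start without; "secretName" is the key used on this page.
    static final List<String> REQUIRED = List.of("secretName");

    /** Fetches every required secret and fails fast if one is missing or blank. */
    static Map<String, Object> loadSecrets(SecretStore store) {
        Map<String, Object> secrets = new HashMap<>();
        for (String name : REQUIRED) {
            String value = store.get(name);
            if (value == null || value.isBlank()) {
                // Name the key, but never put a secret value in a message or log.
                throw new IllegalStateException("Missing required secret: " + name);
            }
            secrets.put(name, value);
        }
        return secrets;
    }

    public static void main(String[] args) {
        // Constructed stand-in so the example runs offline; swap in the real client.
        SecretStore store = name -> "secretName".equals(name) ? "constructed-sample-value" : null;
        Map<String, Object> secrets = loadSecrets(store);

        SpringApplication sa = new SpringApplication(AppMainClassName.class);
        // Default properties have the lowest precedence in Spring Boot: a value for the
        // same key in application.yml, an environment variable or a command-line
        // argument takes priority over what is set here.
        sa.setDefaultProperties(secrets);
        // Optional: also register the secrets as the first property source so the
        // fetched value wins over every other source.
        sa.addInitializers(ctx -> ctx.getEnvironment().getPropertySources()
                .addFirst(new MapPropertySource("runtimeSecrets", secrets)));
        sa.run(args);
    }
}
```

Beans read the value as usual, for example with @Value("${secretName}"). Keep Actuator's env endpoint unexposed or sanitized, since it lists property sources.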
