Documentation

Documentation versions (currently viewingVaadin 24)

Storing Sensitive Data in a Spring Boot Application

Advice on storing sensitive data in Spring Boot applications.

It’s often bad practice to put sensitive information, such as database URI, username, or password, in your application.properties file. If sensitive information is stored in project files or code, it might leak when you commit your project to source control management systems.

To avoid leaking sensitive information, you should consider storing sensitive information outside of your project files. In no case should you ever git commit passwords or other secrets into the repository.

This guide demonstrates two ways to externalize sensitive data: using system environment variables; and using an external properties file

Use System Environment Variables

One of the easiest ways to externalize sensitive information is to set those values as system environment variables.

For example, a Vaadin Start project configured to use PostgreSQL might contain the following sensitive information in the application.properties file.

...
spring.datasource.url = jdbc:postgresql://localhost:5432/postgres
spring.datasource.username = postgres
spring.datasource.password = password
...

To replace the sensitive information with system environment variables, you should edit your file similarly to the following:

...
spring.datasource.url = ${DB_URL}
spring.datasource.username = ${DB_USER}
spring.datasource.password = ${DB_PASSWORD}
...

The ${…​} token is the special syntax for Spring’s property placeholder, while DB_URL, DB_USER, and DB_PASSWORD represent the actual environment variables that you need to set in your own system.

On Linux and macOS, use the following commands in a terminal to temporarily set the environment variables.

export DB_URL=jdbc:postgresql://localhost:5432/postgres
export DB_USER=postgres
export DB_PASSWORD=password

However, if you want to set the environment variables permanently, you need to add these commands to your ~/.zprofile (zsh) or ~/.bashrc (bash) files, depending on your system’s default shell.

On Windows, you can set the environment variable by:

  • Navigating to Control Panel > System.

  • In System Properties, select Advanced > Environment Variables.

  • Add new user or system environment variables by using the New buttons.

Add environment variable on Windows.

Import Configuration from External File

Another simple solution to externalize sensitive information would be to import external property files using Spring Boot’s spring.config.import properties.

Assuming that you have an external file called db.properties to hold your database secrets,

spring.datasource.url = jdbc:postgresql://localhost:5432/postgres
spring.datasource.username = postgres
spring.datasource.password = password

Then you can import this file into your Vaadin app’s default application.properties instead.

...
spring.config.import = file:/Users/MyUserName/secret/db.properties
...

FCC4C231-5DB9-4950-9559-C89630042A43