发表新帖
发表新帖

Where should I store development credentials on a Spring Boot project?

前端 未结
关注
2 1274
既然无缘
既然无缘 2021-02-08 04:45

Where should I store development credentials on a Spring Boot project so that they are not committed to the repository? What\'s the most standard way?

In other framework

2条回答
  • 庸人自扰
    庸人自扰 (楼主)
    2021-02-08 05:17

    It depends on your configuration. Thanks to Spring's Environment abstraction, you can override properties at runtime from the environment, so depending on your deployment, there are many ways of doing that. However, be warned that, a false sense of security can be a real pain in the neck. You'd want to maintain configuration as code - that can be versioned, reviewed and audited, not as a text file on someone's PC that they use to inject random runtime variables. It is the classic "works on my machine" problem.

    You didn't say anything about your deployment so it's almost impossible to say; if you're using Tomcat, you can use the setenv.sh. Your question, as it stands, is pretty vague; I'll update my answer when you update your post.

    Edit, based on what OP said in the comments:

    You could just provide key-value pairs as JVM variables. For example, if using Gradle to build, you could do gradle clean bootRun -Dmy.secret.key=whatever, and in the build.gradle:

    bootRun {
  systemProperties = System.properties
}

    You could also keep a application-local.properties that's not committed to Git, and start the application with a -Dspring.profiles.active=default,local profile, in which case Spring would merge application.properties and application-local.properties, with higher preference given to the later. Like I said before, this is a very bad idea, but you're a free man, so...

    Spring Boot in itself doesn't have first-class support for encrypting properties, but if you're willing to do that yourself, you could commit everything, and either start the app passing in the key, or somehow manage it in your build environment (like a property in Maven settings.xml).

    Edit 2, how to override properties in application.properties using env variables at runtime:

    my.secret.key=${MY_SECRET_KEY:default}

    If env variable MY_SECRET_KEY is present, my.secret.key will be equal to it's value; else it will be equal to default.

    0 讨论(0)
 看不清?
提交回复
热议问题