Where should I store development credentials on a Spring Boot project?

Question

Where should I store development credentials on a Spring Boot project so that they are not committed to the repository? What\'s the most standard way?

In other framework

Answer 1

Spring-boot allows you to externalize your configuration in different places. For the scenario in question, one could place an application.properties file under ${PROJECT_ROOT}/config/. Those properties will override any other defined properties. In this case, it is not packaged within a deployable artifact.
Take a look at Application property files for further details.

Provide a sample configuration file under config/application.properties.example as a good starting point. That file could be version controlled. To avoid unintentional commits ignore everything else.

Using git, an ignore file could contain the following snippet (ignores everything but files ending with .example and a README.md):

.gitignore:

/config/*
!/config/README.md
!/config/*.example

Answer 2

It depends on your configuration. Thanks to Spring's Environment abstraction, you can override properties at runtime from the environment, so depending on your deployment, there are many ways of doing that. However, be warned that, a false sense of security can be a real pain in the neck. You'd want to maintain configuration as code - that can be versioned, reviewed and audited, not as a text file on someone's PC that they use to inject random runtime variables. It is the classic "works on my machine" problem.

You didn't say anything about your deployment so it's almost impossible to say; if you're using Tomcat, you can use the setenv.sh. Your question, as it stands, is pretty vague; I'll update my answer when you update your post.

Edit, based on what OP said in the comments:

You could just provide key-value pairs as JVM variables. For example, if using Gradle to build, you could do gradle clean bootRun -Dmy.secret.key=whatever, and in the build.gradle:

bootRun {
  systemProperties = System.properties
}

You could also keep a application-local.properties that's not committed to Git, and start the application with a -Dspring.profiles.active=default,local profile, in which case Spring would merge application.properties and application-local.properties, with higher preference given to the later. Like I said before, this is a very bad idea, but you're a free man, so...

Spring Boot in itself doesn't have first-class support for encrypting properties, but if you're willing to do that yourself, you could commit everything, and either start the app passing in the key, or somehow manage it in your build environment (like a property in Maven settings.xml).

Edit 2, how to override properties in application.properties using env variables at runtime:

my.secret.key=${MY_SECRET_KEY:default}

If env variable MY_SECRET_KEY is present, my.secret.key will be equal to it's value; else it will be equal to default.