11

We're using Jasypt to encrypt some config properties (database passwords) but since the decryption key is stored on each environment's file system we have to do some manual @Bean configuration to load the password from the file then overlay loading properties with an EncryptablePropertiesPropertySource.

Because it is so manual, we've had to run this code in @PostConstruct of the WebApplicationConfig class and (although this hasn't happened yet) it runs the risk of loading these after the datasource bean is configured with calls to the Environment, giving a null pointer exception. @Lazy loading would be an option, but obviously this means we'd then be working with fragile config, which we'd like to avoid.

Ultimately we want to be able to use the default classpath:application.properties, so we don't want to affect the existing (default) setup, but we do want to be able to use an encryptable property source as a complete replacement for the Spring one, and to have Spring load the decryption code from a file before anything else happens. Is there a way to more tightly integrate loading encryptable properties earlier in the application startup and configuration?

M. Deinum
user1016765
  • This isn't a problem with Boot alone but a general Spring problem (there are a couple of issues related to this in the Spring Framework JIRA). What we did was very early load the property files ourselves using an `ApplicationContextInitializer` and afterwards with another `ApplicationContextInitializer` wrap them in an `EncryptablePropertiesPropertySource`; that way all the properties are available as soon as the loading starts. Spring Boot uses an `ApplicationListener` and reacts to events, you might be able to tap into that. – M. Deinum Sep 29 '14 at 09:44
  • That's also the approach we take in Spring Cloud, so you can copy the code from there or just use the library as is once it is released (but we don't use Jasypt). Link: https://github.com/spring-cloud/spring-cloud-config/tree/master/spring-cloud-config-client/src/main/java/org/springframework/cloud/bootstrap/encrypt – Dave Syer Sep 29 '14 at 15:26
  • @DaveSyer Any chance that this functionality might be rolled back into Spring Boot? – bstick12 Dec 15 '14 at 10:02
  • Possibly, if anyone asks. The spring-cloud-config-client is pretty lightweight though (only depends on Spring), so please try that as well in the meantime. – Dave Syer Dec 15 '14 at 11:35

2 Answers

11

I'm "tailoring down" my previous answer since it got deleted because it was a duplicate from a different question:

This library does exactly what you need: jasypt-spring-boot, which basically allows you to use the @PropertySource annotation to define your properties the same way you're used to. You just have to add an extra annotation (@EnableEncryptableProperties) to your configuration file. It is not limited to that: every PropertySource present in the Environment will be converted to an EncryptablePropertySourceWrapper, a custom wrapper that checks when a property is encrypted and decrypts it on access.

Ulises
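The early-wrapping approach from the comments, combined with the decrypt-on-access wrapper this answer describes, as an added sketch that is not code from jasypt-spring-boot, Spring Cloud or any poster. The class names and the key-file path are hypothetical, and it assumes the initializer is registered with `SpringApplication.addInitializers(...)` so that it runs before any bean (including the datasource) reads the Environment:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import org.jasypt.encryption.StringEncryptor;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.properties.PropertyValueEncryptionUtils;
import org.springframework.context.ApplicationContextInitializer;
import org.springframework.context.ConfigurableApplicationContext;
import org.springframework.core.env.EnumerablePropertySource;
import org.springframework.core.env.MutablePropertySources;
import org.springframework.core.env.PropertySource;

// Hypothetical class names and key path (assumptions, not from the page).
public class DecryptingInitializer implements ApplicationContextInitializer<ConfigurableApplicationContext> {
    private static final String KEY_FILE = "/etc/myapp/jasypt.key"; // assumed location of the key file
    @Override
    public void initialize(ConfigurableApplicationContext ctx) {
        StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
        try {
            enc.setPassword(new String(Files.readAllBytes(Paths.get(KEY_FILE)), StandardCharsets.UTF_8).trim());
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read " + KEY_FILE, e); // fail startup, never run without the key
        }
        MutablePropertySources sources = ctx.getEnvironment().getPropertySources();
        List<PropertySource<?>> snapshot = new ArrayList<>();
        sources.forEach(snapshot::add); // copy first: entries are replaced while walking
        for (PropertySource<?> ps : snapshot) {
            if (ps instanceof EnumerablePropertySource) {
                sources.replace(ps.getName(), new Decrypting((EnumerablePropertySource<?>) ps, enc));
            }
        }
    }

    // Keeps the original source's name and position; only the value lookup changes.
    static final class Decrypting extends EnumerablePropertySource<EnumerablePropertySource<?>> {
        private final StringEncryptor enc;
        Decrypting(EnumerablePropertySource<?> d, StringEncryptor enc) { super(d.getName(), d); this.enc = enc; }
        @Override public String[] getPropertyNames() { return source.getPropertyNames(); }
        @Override public boolean containsProperty(String name) { return source.containsProperty(name); }
        @Override public Object getProperty(String name) {
            Object v = source.getProperty(name); // decrypt lazily, only values in Jasypt's ENC(...) form
            boolean encrypted = v instanceof String && PropertyValueEncryptionUtils.isEncryptedValue((String) v);
            return encrypted ? PropertyValueEncryptionUtils.decrypt((String) v, enc) : v;
        }
    }
}
```

Property sources added after this initializer has run (for example by a later `@PropertySource`) are not wrapped, so encrypted values belong in sources that are already present at that point.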
2

The link Dave provided in the comments section unfortunately points to nothing now, but navigating from its root I got to the following example project: https://github.com/spring-cloud-samples/configserver (also written mostly by Dave, of course)

I think it serves as a great example for what was discussed in the comments until now.

Also, for future reference (maybe it will be done at some point), there's a Spring Framework Jira ticket for the feature of using encrypted properties: https://jira.spring.io/browse/SPR-12420

Cristina_eGold