I am currently creating a Java Spring application that works with the spring security JWT. Everywhere I look and read about the "secret string", it says should be changed in production. Like this line in my application.properties: security.jwt.secret="this-is-a-512-bit-key-used-for-signing-jwt-tokens-that-should-be-changed-production"
As well as in stackoverflow question that are sort-of related like this one here: How to include jwt secret in application.yaml for Java Spring.
My question is, what should that string become in production? Am I supposed to generate this somewhere in a SecurityConfig class? Or should I generate a 512 bit string and just paste that in the application.properties file?
Thanks in advance.
Secrets should not be added in your regular application.properties file because that would be checked into your version control system. There are various ways to externalize configuration but the easiest is usually to define environment variables.
In your case, you would need an environment variable called SECURITY_JWT_SECRET and Spring Boot will pick this up automatically.
One way to change properties of a spring app is using Spring Cloud Config. Basically your config is in a GitHub repo and as soon as you modify, Spring cloud config server propagates it to other applications referencing it through application.properties.
https://cloud.spring.io/spring-cloud-config/reference/html/
I will share how it has been done in our application which I think one of the standard way of storing credentials.
There may be alternate ways also.
Its not ideal to store token or credentials in properties
We can externalize the token into Vault or config server
when server starts spring application can fetch the properties
Access to vault are controlled
As we have different vault servers across environments, we can store and change the token in runtime and refresh the application.
Regarding generating the jwt token, it should have some expiry time and refreshed periodically.
Related
I'm new to the spring cloud config server. Consider a scenario where we have 10 spring boot microservice fetching configurations from the Spring Boot Cloud Config. I was wondering How the 10 spring boot microservices will work when the Spring Boot Cloud Config itself is down?
Can someone answer to below queries:
If the config server is down, Will there be downtime for all the microservice connected to it?
Let's say we have a config file application.properties in GitHub and Spring boot config refers to the application.properties file in GitHub What if the username and password to access the application.properties file itself will change?
In terms of Disaster recovery, Do we need any backup of the config server? If yes, How can we achieve the same?
If the config server is down, Will there be downtime for all the microservice connected to it?
In real world application, there will be multiple instances of your config server deployed across multiple availability zones, fronted by load balancer or API gateway, or even you can register your multiple instance with eureka server so that there is No single point of failure.
So how the configuration will look like is instance 1 is in us-east-1
instance 2 in us-west-2, so even if one AZ is down it will not impact your services.
As far as GitHub or external repo is concerned, you can configure config server to read properties natively but that not something I will suggest !!
Let's say we have a config file application.properties in GitHub and Spring boot config refers to the application.properties file in GitHub What if the username and password to access the application.properties file itself will change?
First of all you should not commit password in Github for public repo, secondly password should be dynamically fetched from Idvault, or AWS secret Manager or other services whichever you prefer. So that even if you change password it will not affect any services.
In terms of Disaster recovery, Do we need any backup of the config server? If yes, How can we achieve the same?
Config server is just reading properties/config from repo that you provide,so repository where your code is hosted is of importance to you. Github can take care of that for you !!
Am trying spring cloud config server and client as stand-alone separate applications.
on git, i have folder structure like below-
my-config
----projectfolder1
--------application.properties
----projectfolder2
--------application.properties
I would like that spring cloud client named "projectfolder1" should search application.properties within projectfolder1 on git from spring cloud server i.e
----projectfolder1
--------application.properties
and client "projectfolder2" should get the below mentioned properties from spring cloud config server
----projectfolder2
--------application.properties
My Spring Cloud Config server application.properties has-
spring.cloud.config.server.git.search-paths='{application}'
projectfolder1 in its bootstrap.properties has
spring.application.name=projectfolder1
and projectfolder2 in its bootstrap.properties has
spring.application.name=projectfolder2
According to spring cloud config documentation '{application}' in search path should find the files within the "resolved application name" folder on git. But the above '{application}' doesn't work for me. Clients projectfolder1 and projectfolder2 are not able to get any property at all.
pls assist. i know its possible duplicate of another question on stack overflow. but that question is not resolved and i do not have rights to comment on any question being a new user, So i created this as another question here.
I solved it myself.
The trick is to give search-path {application} without quotes as given below.
It was a little tricky as spring documentation mentions it as '{application}' , probably spring developers just wanted to highlight it with quotes.
spring.cloud.config.server.git.search-paths={application}
instead of
spring.cloud.config.server.git.search-paths='{application}'
Currently i am working on a REST based project in Spring Boot.
I have added the api url in 'application.properties' file.
i.e.
application.properties
api-base-url=http://localhost:8080/RestServices/v1
And also this 'api-base-url' value access from java.
In some situations i need to change the 'api-base-url' dynamically.
I have change 'api-base-url' value dynamically & working fine.
But my problem is that
when wildfly restart then the configuration will be reset to default.
i.e
This is my default value
api-base-url=http://localhost:8080/RestServices/v1
dynamically change to
api-base-url=http://10.34.2.3:8080/RestServices/v1
when wildfly restart then the configuration will be reset to default.
i.e.
api-base-url=http://localhost:8080/RestServices/v1
Have any solution for this?
You might want to consider using a cloud config server to host your config. Two examples are Spring Cloud Config and Consul.
These servers will host your application's configuration and your spring boot application will make a call out to the config server on start up to get it's config.
spring-boot-actuator exposes the endpoint /refresh which forces the application to refresh it's configuration. In this case, it will call out to the config server to get the latest version.
This way you can change the config hosted in the config server then hit the /refresh endpoint and the changes will be picked up by your application.
As #moilejter suggests, one possible way is to persist in database table and at start time you simply read from that table instead of application.properties file. Your application.properties files can hold information necessary for database connection.
You would also need a JMX method or a REST API to trigger in your application that the url has changed and which inturn, would simply read from same table. This way you would be safe even if app restarts and you won't lose the override.
You can use BeanFactoryPostProcessor coupled with Environment bean to leverage spring placeholder concept.
#user2214646
Use spring expression language
Is it possible to share some properties for limited group of microservices? I mean I just want to declare common datasourse in one place for several microservices, which will use the same database
I try to implement it using gradle variables, which should consist all data related to db connection with profiles, but probably easier way to do it exists.
Thanks
Yes it is. You're looking for "Spring Cloud Config" server:
Spring Cloud’s config server acts as a single source of configuration
data for all other services in a microservice-based application. It is
itself a microservice whose job is to obtain configuration data from a
Git repository and serve it via RESTful endpoints. All other services
can either consume the config server’s API directly or, if they’re
Spring applications, treat the configuration server as another
property source in Spring’s Environment abstraction.
You can find a nice reading along with examples here.
While developing a springboot-liquibase application following this I need to specify the database username + password as liquibase.user and liquibase.password in the application.properties file. I am looking for a better secure way to use these parameter (dynamically fetched from some other place and use inside my java code)
Is there a way to achieve this?
There are couple of things you can do:
You can encrypt you properties file using jasypt-spring-boot. For more details have a look at demo app
If you are developing distributed system, then spring-cloud-config provides server and client-side support for externalized configuration in a distributed system. With the Config Server you have a central place to manage external properties for applications across all environments
Spring Cloud Config
This project allows you to use an external, centralized configuration repository for one or more applications. You don't need to rebuild your application if a property changes. You can simply change the property in your configuration repository and even push the changes to all of your applications.
See this Getting Started Guide.