Searching online for how to set up the credentials to access the database (or any other service) while in development leads to a lot of articles that propose something that works, but it’s wrong: putting your credentials in the application.properties file that you then commit to the repository.
The source code repository should not have any credentials, ever:
- You should be able to make your project open source without your security being compromised.
- You should be able to add another developer to your team without them knowing any credentials to your own development machine.
- You should be able to hire a company that does a security analysis of your application, give them access to your source code and they shouldn’t gain access to your database.
- You should be able to use a continuous integration service offered by a third party without that third party learning your database credentials.
If you want to see what happens when you commit your credentials to your repo, check out these news articles:
- Dev put AWS keys on Github. Then BAD THINGS happened
- Developers keep leaving secret keys to corporate data out in the open for anyone to take
- Users Scramble as GitHub Search Exposes Passwords, Security Details
- How you could be leaking your secrets onto GitHub
- PSA: Don’t upload your important passwords to GitHub
That’s probably enough. I hope I convinced you.
In an effort to find a solution for this, I asked on Stack Overflow and I got pointed in the right direction.
Leave application.properties where it is, in your resources (or code) folder, and commit it to the repository. Instead, create a new file at ${PROJECT_ROOT}/config/application.properties and add it to your version control ignore file (.gitignore, .hgignore, etc.). That file will contain the credentials and other sensitive data:

```properties
# This should be used only for credentials and other local-only config.
spring.datasource.url = jdbc:postgresql://localhost/database
spring.datasource.username = username
spring.datasource.password = password
```
Then, to help onboard new developers on your project (or yourself on a new computer), add a template for that file, next to it. Something like ${PROJECT_ROOT}/config/application.template.properties that will contain:

```properties
# TODO: copy this to application.properties and set the credentials for your database.
# This should be used only for credentials and other local-only config.
spring.datasource.url = jdbc:postgresql://localhost/database
spring.datasource.username =
spring.datasource.password =
```
And voila! No credentials on the repo but enough information to set them up quickly.
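The setup just described, as an added example that is not part of the original post: a POSIX shell script that writes the committed template, adds the ignore entry, creates the local credentials file from the template, and then checks the two things that keep credentials out of the repo (the local file is listed in .gitignore, and the template carries no username or password value). The paths are the ones from the post; the function names are my assumptions, and the `chmod 600` on the local file is an addition beyond what the post describes.

```shell
#!/bin/sh
# Added example (not the post's own code): bootstrap and check the
# local-only Spring Boot credentials file described above.
set -eu

# Write the committed template under $1/config: same keys, empty credential values.
write_template() {
  mkdir -p "$1/config"
  cat > "$1/config/application.template.properties" <<'EOF'
# TODO: copy this to application.properties and set the credentials for your database.
# This should be used only for credentials and other local-only config.
spring.datasource.url = jdbc:postgresql://localhost/database
spring.datasource.username =
spring.datasource.password =
EOF
}

# Make sure the credentials file is listed in $1/.gitignore (idempotent).
ensure_ignored() {
  touch "$1/.gitignore"
  grep -qxF 'config/application.properties' "$1/.gitignore" \
    || printf 'config/application.properties\n' >> "$1/.gitignore"
}

# Create the local credentials file from the template if it does not exist yet,
# and keep it readable by the current user only (assumption: beyond the post).
bootstrap_secrets() {
  [ -e "$1/config/application.properties" ] \
    || cp "$1/config/application.template.properties" "$1/config/application.properties"
  chmod 600 "$1/config/application.properties"
}

# Return 0 when the credentials file is ignored AND the committed template has
# no non-empty username/password value; anything else would reach the repo.
check_repo_hygiene() {
  grep -qxF 'config/application.properties' "$1/.gitignore" || return 1
  ! grep -Eq '^[[:space:]]*spring\.datasource\.(username|password)[[:space:]]*=[[:space:]]*[^[:space:]]' \
      "$1/config/application.template.properties"
}

# Run directly as `sh setup-local-config.sh /path/to/project` to bootstrap a checkout.
if [ $# -eq 1 ]; then
  write_template "$1"
  ensure_ignored "$1"
  bootstrap_secrets "$1"
  check_repo_hygiene "$1" && echo "local config ready; config/application.properties is ignored"
fi
```

This works without any code change because Spring Boot reads `config/application.properties` from the working directory ahead of the `application.properties` on the classpath, so the ignored local file overrides the committed one. The hygiene check is cheap enough to run in a pre-commit hook or CI step.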
Disclaimer: I’m new to Spring Boot, I only started working with it a few days ago, so I may be missing something big here. If I learn something new that invalidates this post, I’ll update it accordingly. One thing I’m not entirely sure about is how customary it would be to have ${PROJECT_ROOT}/config/application.properties on the ignore list. Please leave a comment with any opinions or commentary.