
Storing Sensitive Data in a Spring Boot Application

It is often a bad practice to put sensitive information, such as a database URI, username, or password, in your file. If sensitive information is stored in project files or code, it might leak when you commit your project to a source control management system.

To avoid leaking sensitive information, you should consider storing it outside of your project files. In all cases, you should never commit passwords and other secrets into the repository.

This guide demonstrates two ways to externalize sensitive data:

  • Using system environment variables

  • Using an external properties file

Use System Environment Variables

One of the easiest ways to externalize sensitive information is to set those values as system environment variables.

For example, a Vaadin Start project configured to use PostgreSQL might contain the sensitive information below in the file.

spring.datasource.url = jdbc:postgresql://localhost:5432/postgres
spring.datasource.username = postgres
spring.datasource.password = password

To replace the sensitive information with system environment variables, edit your file as shown below.

spring.datasource.url = ${DB_URL}
spring.datasource.username = ${DB_USER}
spring.datasource.password = ${DB_PASSWORD}

The ${…} token is the special syntax for Spring’s property placeholder, while DB_URL, DB_USER, and DB_PASSWORD represent the actual environment variables that you need to set in your own system.

On Linux and macOS, use the commands below in a terminal to temporarily set the environment variables.

export DB_URL=jdbc:postgresql://localhost:5432/postgres
export DB_USER=postgres
export DB_PASSWORD=password

If you want to set the environment variables permanently, however, you must add the commands above to your ~/.zprofile (zsh) or ~/.bashrc (bash) file, depending on your system’s default shell.

On Windows, you can set the environment variables by:

  1. Navigating to Control Panel > System.

  2. In System Properties, select Advanced > Environment Variables.

  3. Add new user or system environment variables by using the New buttons.
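As an added example that is not part of the Vaadin guide (and not a Spring or Vaadin tool), the following Python script checks a properties file the way a pre-commit hook could: it flags secret-looking keys that still hold literal values and lists ${…} placeholders whose environment variable is not set, which is the failure mode you hit when the export commands above were run in a different shell than the one that launches the application. The sample properties are constructed to mirror the two snippets in this guide; the list of secret-looking key names is an assumption to extend for your own project.

```python
import os
import re

# Constructed examples mirroring the guide: the committed form and the externalized form.
HARDCODED_PROPERTIES = """\
spring.datasource.url = jdbc:postgresql://localhost:5432/postgres
spring.datasource.username = postgres
spring.datasource.password = password
"""
EXTERNALIZED_PROPERTIES = """\
spring.datasource.url = ${DB_URL}
spring.datasource.username = ${DB_USER}
spring.datasource.password = ${DB_PASSWORD}
"""

# Keys that look like secrets (assumed list; extend it for your own project's keys).
SENSITIVE_KEY = re.compile(r"password|secret|token|api[-_]?key|credential", re.I)
# Spring placeholder syntax: ${NAME} or ${NAME:default}; group 2 is the optional default.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)(:[^}]*)?\}")


def parse_properties(text):
    """Yield (key, value) pairs from a .properties text, ignoring blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)  # 'key = value' or 'key: value'
        if match:
            yield match.group(1), match.group(2).strip()


def hardcoded_secrets(text):
    """Sensitive-looking keys whose value is a literal rather than a ${...} placeholder."""
    return [key for key, value in parse_properties(text)
            if SENSITIVE_KEY.search(key) and not PLACEHOLDER.fullmatch(value)]


def unset_placeholders(text, env=None):
    """Placeholder names with no default that are not set in env (defaults to os.environ)."""
    env = os.environ if env is None else env
    missing = []
    for _, value in parse_properties(text):
        for match in PLACEHOLDER.finditer(value):
            name, default = match.group(1), match.group(2)
            if default is None and name not in env and name not in missing:
                missing.append(name)
    return missing


if __name__ == "__main__":
    print("literal secrets:", hardcoded_secrets(HARDCODED_PROPERTIES))
    print("unset placeholders:", unset_placeholders(EXTERNALIZED_PROPERTIES))
```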

Import Configuration From External File

Another simple solution to externalize sensitive information is to import external property files using Spring Boot’s spring.config.import property.

Assuming that you have an external file called to hold your database secrets,

spring.datasource.url = jdbc:postgresql://localhost:5432/postgres
spring.datasource.username = postgres
spring.datasource.password = password

then you can import this file into your Vaadin app’s default instead.

spring.config.import = file:/Users/MyUserName/secret/