Spring Boot Misconfiguration: Datasource credentials stored in the properties file
Description
This Spring Boot application stores database credentials in plain text within application properties files (e.g., application.properties or application.yml) using the spring.datasource.password property. Storing sensitive credentials in unencrypted configuration files creates a significant security risk, as these files are often included in version control systems, deployment packages, and backup archives where they can be accessed by unauthorized parties.
Remediation
Implement one of the following secure credential management approaches:
1. Use Environment Variables (Recommended for Cloud/Container Deployments):
Store credentials as environment variables and reference them in your properties file:
spring.datasource.password=${DB_PASSWORD}
2. Use Jasypt for Property Encryption:
Add the Jasypt Spring Boot dependency and encrypt sensitive properties. In your properties file:
spring.datasource.password=ENC(encrypted_value_here)
Configure Jasypt with a master password provided via an environment variable or a secure key management system.
3. Use External Secret Management (Recommended for Production):
Integrate with dedicated secret management solutions such as HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or Spring Cloud Config Server with encryption. Configure Spring Boot to retrieve credentials at runtime from these services.
4. Use Spring Cloud Config with Encryption:
Leverage Spring Cloud Config Server with symmetric or asymmetric encryption for centralized, encrypted configuration management.
Ensure that properties files containing sensitive data are excluded from version control using .gitignore, and audit existing repositories for accidentally committed credentials.
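One way to perform the audit described above, as an added example that is not part of the original advisory: a small scanner that reads application.properties or block-style application.yml, locates spring.datasource.password, and accepts only the two remediated forms (a ${...} placeholder resolved from the environment, or a Jasypt ENC(...) value). The sample inputs are constructed; the placeholder-with-default rule (${DB_PASSWORD:fallback} counts as plaintext) is this example's own choice.

```python
import re

# Keys whose values must never be plaintext (constructed list; extend per project).
SENSITIVE_KEYS = {"spring.datasource.password"}
# Accepted forms: a placeholder with no inline default, or a Jasypt ENC(...) value.
# A default such as ${DB_PASSWORD:hunter2} embeds the secret, so it is not accepted.
SAFE_VALUE = re.compile(r"^(\$\{[^}:]+\}|ENC\([^)]*\))$")
PROP_LINE = re.compile(r"^\s*([^=:\s]*)\s*[=:]?\s*(.*?)\s*$")

def parse_properties(text):
    """Parse application.properties into {key: (line_no, value)}; comments/blank lines skipped."""
    out = {}
    for no, line in enumerate(text.splitlines(), start=1):
        if line.strip() and not line.lstrip().startswith(("#", "!")):
            key, value = PROP_LINE.match(line).groups()
            out[key] = (no, value)
    return out

def flatten_yaml(text):
    """Flatten block-style application.yml (no lists/anchors) into {dotted.key: (line_no, value)}."""
    stack, out = [], {}
    for no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # leave sibling/deeper scopes
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip().strip("\"'")
        if value:
            out[".".join(k for _, k in stack)] = (no, value)
    return out

def classify(value):
    """'safe' for ${...} or ENC(...), 'empty' for no value, otherwise 'plaintext'."""
    if value == "":
        return "empty"
    return "safe" if SAFE_VALUE.match(value) else "plaintext"

def audit(props):
    """Return [(key, line_no, verdict)] for sensitive keys; 'plaintext' verdicts are findings."""
    return [(k, no, classify(v)) for k, (no, v) in sorted(props.items()) if k in SENSITIVE_KEYS]

# Constructed sample inputs, not taken from any real project.
SAMPLE_PROPERTIES = "spring.datasource.url=jdbc:postgresql://db/app\n" \
                    "spring.datasource.username=app\nspring.datasource.password=s3cret-in-git\n"
SAMPLE_YAML = "spring:\n  datasource:\n    url: jdbc:postgresql://db/app\n" \
              "    username: ${DB_USER}\n    password: \"ENC(constructedCiphertext)\"\n"
```

Run audit(parse_properties(...)) or audit(flatten_yaml(...)) over each checked-in config file; any 'plaintext' verdict is a credential to rotate and move to one of the remediations above.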