Spring Boot Misconfiguration: MongoDB credentials stored in the properties file - Vulnerability Database


Description

This Spring Boot application stores MongoDB database credentials in plain text within application properties files (e.g., application.properties or application.yml) using the spring.data.mongodb.password property. Storing sensitive credentials in unencrypted configuration files is a security misconfiguration that violates secure coding practices: anyone who can read the file, the source repository it is committed to, or the packaged artifact obtains the database password.

Remediation

Remove plain text credentials from properties files and implement secure credential management using one of the following approaches:

Option 1: Use Jasypt for Property Encryption
1. Add the Jasypt Spring Boot dependency to your project
2. Encrypt sensitive properties using the Jasypt CLI or programmatically
3. Replace plain text values with encrypted values in your properties file:

spring.data.mongodb.password=ENC(encrypted_value_here)
4. Provide the Jasypt encryption password through an environment variable or a secure vault, never in the same properties file, otherwise the encrypted values can be decrypted by anyone who reads the file

Option 2: Use Environment Variables
Remove the password from properties files and inject it at runtime:
spring.data.mongodb.password=${MONGODB_PASSWORD}
Set the MONGODB_PASSWORD environment variable in your deployment environment securely.

Option 3: Use External Secret Management
Integrate with enterprise secret management solutions like HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or Spring Cloud Config Server to retrieve credentials at runtime without storing them in application files.

Ensure that properties files are excluded from version control systems by adding them to .gitignore if they contain any sensitive configuration.
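As an added example that is not part of Invicti's advisory, the following Python check scans .properties content for this misconfiguration and accepts only the remediated forms described above (a ${...} placeholder or an ENC(...) value). It goes beyond the property the advisory names by also flagging spring.data.mongodb.uri when the URI embeds user:password; the sample file contents are constructed.

```python
import re

# Constructed sample application.properties contents (not taken from the advisory).
SAMPLE_PROPERTIES = """\
# MongoDB connection settings
spring.data.mongodb.host=localhost
spring.data.mongodb.username=appuser
spring.data.mongodb.password=SuperSecret123
spring.data.mongodb.uri=mongodb://appuser:SuperSecret123@localhost:27017/app
"""
# Constructed sample after remediation (placeholder and Jasypt forms from the advisory).
SAMPLE_REMEDIATED = """\
spring.data.mongodb.password=${MONGODB_PASSWORD}
spring.data.mongodb.uri=ENC(placeholderCiphertext==)
"""
# Keys that carry MongoDB credentials. The uri key is an assumed addition:
# a connection URI may embed user:password@ and is just as sensitive.
SECRET_KEYS = {"spring.data.mongodb.password", "spring.data.mongodb.uri"}

PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")      # ${MONGODB_PASSWORD}, resolved at runtime
ENCRYPTED = re.compile(r"^ENC\(.+\)$")          # ENC(...), decrypted by Jasypt
URI_WITH_CREDS = re.compile(r"^mongodb(\+srv)?://[^/@\s]+:[^/@\s]*@")  # user:pass@host

def classify(key, value):
    """'ok' for an empty value, a placeholder or Jasypt ciphertext; 'plaintext' otherwise.
    A URI only counts as plaintext when it embeds credentials."""
    if value == "" or PLACEHOLDER.match(value) or ENCRYPTED.match(value):
        return "ok"
    if key == "spring.data.mongodb.uri" and not URI_WITH_CREDS.match(value):
        return "ok"
    return "plaintext"

def find_plaintext_secrets(text):
    """Scan .properties content; return (line number, key) for each plain-text credential."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":   # comment lines in .properties syntax
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in SECRET_KEYS and classify(key, value) == "plaintext":
            findings.append((lineno, key))
    return findings

if __name__ == "__main__":
    for name, content in (("before", SAMPLE_PROPERTIES), ("after", SAMPLE_REMEDIATED)):
        print(name, find_plaintext_secrets(content))
```

Running it over a repository's application*.properties files before a commit catches the misconfiguration; application.yml needs a YAML parser and is not handled here.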
