Secure your Java Spring app with PropertyPlaceholderConfigurer
This is a trick that I have used many times which I first learned about on Mkyong.com – one of my favorite Java/Spring/Hibernate resources.
Just about any application will need to connect to external resources like databases, web services, file servers, and the like. And, if you are working on a corporate application or in an environment where your source control system like SVN or GIT is not a safe place to keep passwords, this can cause quite a security conundrum.
Enter Spring’s PropertyPlaceholderConfigurer class, one of the handiest little classes. It’s actually worth adding Spring in your application just to get access to this little gem. What this does is it allows you to load a properties file into your Spring configuration XML, and use its properties – thereby removing the sensitive content from the XML file.
Using it is very simple, place this bean in your Spring configuration XML:
You can now use placeholders for any property within the properties file.
For example, let’s say the
web.properties file contains:
You can then use this in your
Now to finish this off, don’t forget NOT to put your
web.properties file into SVN/Git. Generally, what I do is add a
web.properties-template to SVN, with all properties needed but without the actual passwords. Then, I add
web.properties itself to the SVN ignore list (just right click the file and add to svn:ignore). This way I can be sure I will never commit the
web.properties file to SVN with the password still in it by mistake.
That’s it. I nice quick and easy way to get your system password out of your source code and source code repository.
If you want some more information and an example of how to leverage PropertyPlaceholderConfigurer, check out MKYong.com’s PropertyPlaceholderConfigurer Example.