Reading secrets from Secure Vault of WSO2 Identity Server with Java

Sominda Gamage
Aug 14, 2021


WSO2 Identity Server is an open-source, cloud-native IAM product. Because it is open source, you can obtain it easily and build many customizations on top of it.

I recently added a new connector to the Identity Server, and it had to read some configuration from a properties file. The configuration file looked like the one below (I cannot show my exact config file 😜).

EndPointURL=tcp://localhost:61616
Username=admin
Password=admin
Timeout=5000
Lifetime=5000

Notice that a piece of very confidential information (`Password`) is stored in plain text. This is a very bad practice. While looking for a solution, I came across WSO2 Secure Vault.

WSO2 Identity Server ships with a Secure Vault implementation, which allows us to use aliases instead of the actual passwords in configuration files for better security. I went through the official documentation and tried it. Afterwards my configuration file looked like the one below (NOTE: here I used admin_user_password as the alias for the actual value).

EndPointURL=tcp://localhost:61616
Username=admin
Password=$secret{admin_user_password}
Timeout=5000
Lifetime=5000

Now my goal is achieved: no one can read the actual password by looking at the config file. So, let me explain how we can implement the code that obtains the actual password from the alias.

First, you need to add the Maven dependency. Here I used version 1.1.3. Add this to your project.

<dependency>
    <groupId>org.wso2.securevault</groupId>
    <artifactId>org.wso2.securevault</artifactId>
    <version>1.1.3</version>
</dependency>

Following is my sample implementation.

Let me explain this briefly. `CustomConfigBuilder` is a class that reads the properties in my config file. Its `loadProperties()` method reads the config file and returns a `Properties` object containing all the custom properties, with the confidential entries already replaced by their actual values. Those actual values are looked up by the `resolveSecrets()` method, which reads from Secure Vault only if Secure Vault aliases have been used in the custom config. That means if I decide to go without Secure Vault, the same code still works without any issues.
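Since the original gist is not reproduced here, the following is an added example of my own (not the author's code) of a `CustomConfigBuilder` that behaves as described above. It assumes Secure Vault has been set up per the WSO2 documentation so that `SecretResolverFactory.create(Properties, boolean)` returns an initialized `SecretResolver`; the `$secret{alias}` parsing and the fail-closed check on unresolved aliases are my own additions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.wso2.securevault.SecretResolver;
import org.wso2.securevault.SecretResolverFactory;

/** Loads a connector .properties file and swaps $secret{alias} tokens for vault values. */
public class CustomConfigBuilder {

    // Matches a whole value such as "$secret{admin_user_password}" and captures the alias.
    private static final Pattern SECRET_TOKEN = Pattern.compile("^\\$secret\\{([^}]+)}$");

    public static Properties loadProperties(String path) throws IOException {
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            props.load(in);
        }
        return resolveSecrets(props);
    }

    static Properties resolveSecrets(Properties props) {
        // Assumed library behaviour: the factory attaches the server's Secure Vault bootstrap,
        // and isInitialized() is false when no vault has been configured.
        SecretResolver resolver = SecretResolverFactory.create(props, false);
        boolean vaultReady = resolver != null && resolver.isInitialized();

        for (String key : props.stringPropertyNames()) {
            Matcher m = SECRET_TOKEN.matcher(props.getProperty(key).trim());
            if (!m.matches()) {
                continue; // plain value: usable with or without a vault
            }
            String alias = m.group(1);
            String secret = vaultReady ? resolver.resolve(alias) : null;
            // Fail closed: never hand an unresolved alias to the connector as if it were the password.
            if (secret == null || secret.isEmpty() || secret.equals(alias)) {
                throw new IllegalStateException(
                        "Cannot resolve Secure Vault alias '" + alias + "' for property '" + key + "'");
            }
            props.setProperty(key, secret);
        }
        return props;
    }
}
```

Plain values pass through untouched, so a config file without any `$secret{...}` tokens loads identically whether or not a vault is present, while a file that references an alias the vault cannot resolve is rejected instead of silently using the alias string as a credential.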

Yep, that is it. In this way, you can easily integrate WSO2 Secure Vault with your custom code. Thank you very much, and don’t forget to clap if you have learnt something from this.

