A Guide to Spring CredHub

Azure Spring Apps is a fully managed service from Microsoft (built in collaboration with VMware), focused on building and deploying Spring Boot applications on Azure Cloud without worrying about Kubernetes.

And, the Enterprise plan comes with some interesting features, such as commercial Spring runtime support, a 99.95% SLA and some deep discounts (up to 47%) when you are ready for production.

>> Learn more and deploy your first Spring Boot app to Azure.

You can also ask questions and leave feedback on the Azure Spring Apps GitHub page.

Slow MySQL query performance is all too common. Of course it is. A good way to go is, naturally, a dedicated profiler that actually understands the ins and outs of MySQL.

The Jet Profiler was built for MySQL only, so it can do things like real-time query performance, focus on most used tables or most frequent queries, quickly identify performance issues and basically help you optimize your queries.

Critically, it has very minimal impact on your server's performance, with most of the profiling work done separately - so it needs no server changes, agents or separate services.

Basically, you install the desktop application, connect to your MySQL server, hit the record button, and you'll have results within minutes:

>> Try out the Profiler

Accelerate Your Jakarta EE Development with Payara Server!

With best-in-class guides and documentation, Payara essentially simplifies deployment to diverse infrastructures.

Beyond that, it provides intelligent insights and actions to optimize Jakarta EE applications.

The goal is to apply an opinionated approach to get to what's essential for mission-critical applications - really solid scalability, availability, security, and long-term support:

>> Download and Explore the Guide (to learn more)

The AI Assistant to boost Boost your productivity writing unit tests - Machinet AI.

AI is all the rage these days, but for very good reason. The highly practical coding companion, you'll get the power of AI-assisted coding and automated unit test generation.
Machinet's Unit Test AI Agent utilizes your own project context to create meaningful unit tests that intelligently aligns with the behavior of the code.
And, the AI Chat crafts code and fixes errors with ease, like a helpful sidekick.

Simplify Your Coding Journey with Machinet AI:

>> Install Machinet AI in your IntelliJ

Looking for the ideal Linux distro for running modern Spring apps in the cloud?

Meet Alpaquita Linux: lightweight, secure, and powerful enough to handle heavy workloads.

This distro is specifically designed for running Java apps. It builds upon Alpine and features significant enhancements to excel in high-density container environments while meeting enterprise-grade security standards.

Specifically, the container image size is ~30% smaller than standard options, and it consumes up to 30% less RAM:

>> Try Alpaquita Containers now.

DbSchema is a super-flexible database designer, which can take you from designing the DB with your team all the way to safely deploying the schema.

The way it does all of that is by using a design model, a database-independent image of the schema, which can be shared in a team using GIT and compared or deployed on to any database.

And, of course, it can be heavily visual, allowing you to interact with the database using diagrams, visually compose queries, explore the data, generate random data, import data or build HTML5 database reports.

>> Take a look at DBSchema

Slow MySQL query performance is all too common. Of course it is. A good way to go is, naturally, a dedicated profiler that actually understands the ins and outs of MySQL.

Critically, it has very minimal impact on your server's performance, with most of the profiling work done separately - so it needs no server changes, agents or separate services.

Basically, you install the desktop application, connect to your MySQL server, hit the record button, and you'll have results within minutes:

>> Try out the Profiler

And, the Enterprise plan comes with some interesting features, such as commercial Spring runtime support, a 99.95% SLA and some deep discounts (up to 47%) when you are ready for production.

>> Learn more and deploy your first Spring Boot app to Azure.

You can also ask questions and leave feedback on the Azure Spring Apps GitHub page.

1. Overview

In this tutorial, we’ll implement Spring CredHub, a Spring abstraction of CredHub, to store secrets with access control rules that map credential resources to users and operations. Please note that before running the code, we need to make sure that we have our application running in the Cloud Foundry platform that has CredHub installed.

2. Maven Dependencies

First, we need to install the spring-credhub-starter dependency:

<dependency>
    <groupId>org.springframework.credhub</groupId>
    <artifactId>spring-credhub-starter</artifactId>
    <version>2.2.0</version>
</dependency>

3. Why Is Credential Management Important?

Credential management is the process of securely and centrally handling credentials throughout their lifecycle, which mainly includes generation, creation, rotation, and revocation. Even though the application and information technology environments of each company are very different from one another, there is one thing that is consistent: a credential, which is required by every application to get access to other apps, databases, or tools.

Credential management is vital for data security, as it gives users and applications access to sensitive information. Therefore, keeping them secured both in transit and at rest is important. One of the best strategies is to replace hardcoded credentials and their manual management with an API call to dedicated credential management tools like CredHub to retrieve them programmatically.

4. CredHub APIs

4.1. Authentication

There are two ways to authenticate CredHub APIs: UAA(OAuth2) and mutual TLS.

By default, CredHub provides integrated mutual TLS authentication. To use this scheme, specify the CredHub server’s URL in the application property:

spring:
  credhub:
    url: <CredHub URL>

Another method for authenticating APIs is via UAA, which requires client credentials grant token to obtain an access token:

spring:
  credhub:
    url: <CredHub URL>
    oauth2:
      registration-id: <credhub-client>
  security:
    oauth2:
      client:
        registration:
          credhub-client:
            provider: uaa
            client-id: <OAuth2 client ID>
            client-secret: <OAuth2 client secret>
            authorization-grant-type: <client_credentials>
        provider:
          uaa:
            token-uri: <UAA token server endpoint>

The access token can then be passed to the authorization header.

4.2. Credentials API

With the CredHubCredentialOperations interface, we can call CredHub APIs to create, update, retrieve, and delete credentials. The credential types that CredHub supports are:

value – a string for a single configuration
json – a JSON object for static configurations
user – 3 strings – username, password, and password hash
password – a string for passwords and other string credentials
certificate – an object containing root CA, certificate, and private key
rsa – an object containing a public key and private key
ssh – an object containing SSH-formatted public key and private key

4.2. Permissions API

Permissions are provided when a credential is written to control what users can access, update or retrieve. Spring CredHub provides the CredHubPermissionV2Operations interface to create, update, retrieve and delete permissions. The operations that a user is allowed to perform on the credentials are: read, write, and delete.

5. CredHub Integration

We’ll now implement a Spring Boot application that returns Order details and will demonstrate a few examples to explain the complete lifecycle of credential management.

5.1. CredHubOperations Interface

The CredHubOperations interface is located in the org.springframework.credhub.core package. It is a central class of Spring’s CredHub, supporting a rich feature set to interact with CredHub. It provides access to interfaces that model entire CredHub APIs and maps between domain objects and CredHub data:

public class CredentialService {
    private final CredHubCredentialOperations credentialOperations;
    private final CredHubPermissionV2Operations permissionOperations;

    public CredentialService(CredHubOperations credHubOperations) {
        this.credentialOperations = credHubOperations.credentials();
        this.permissionOperations = credHubOperations.permissionsV2();
    }
}

5.2. Credential Creation

Let’s start with creating a new credential of type password, which is constructed using PasswordCredentialRequest:

SimpleCredentialName credentialName = new SimpleCredentialName(credential.getName());
PasswordCredential passwordCredential = new PasswordCredential((String) value.get("password"));
PasswordCredentialRequest request = PasswordCredentialRequest.builder()
  .name(credentialName)
  .value(passwordCredential)
  .build();
credentialOperations.write(request);

Similarly, other implementations of CredentialRequest can be used to build different credential types, such as ValueCredentialRequest for value credentials, RsaCredentialRequest for rsa credentials, and so on:

ValueCredential valueCredential = new ValueCredential((String) value.get("value"));
request = ValueCredentialRequest.builder()
  .name(credentialName)
  .value(valueCredential)
  .build();

RsaCredential rsaCredential = new RsaCredential((String) value.get("public_key"), (String) value.get("private_key"));
request = RsaCredentialRequest.builder()
  .name(credentialName)
  .value(rsaCredential)
  .build();

5.3. Credential Generation

Spring CredHub also provides an option to dynamically generate credentials to avoid the efforts involved in managing them on the application side. This, in turn, enhances data security. Let’s see how we can implement this functionality:

SimpleCredentialName credentialName = new SimpleCredentialName("api_key");
PasswordParameters parameters = PasswordParameters.builder()
  .length(24)
  .excludeUpper(false)
  .excludeLower(false)
  .includeSpecial(true)
  .excludeNumber(false)
  .build();

CredentialDetails<PasswordCredential> generatedCred = credentialOperations.generate(PasswordParametersRequest.builder()
  .name(credentialName)
  .parameters(parameters)
  .build());

String password = generatedCred.getValue().getPassword();

5.4. Credential Rotation and Revocation

Another important stage of credential management is rotating credentials. The code below demonstrates how we can achieve that with password credential type:

CredentialDetails<PasswordCredential> newPassword = credentialOperations.regenerate(credentialName, PasswordCredential.class);

CredHub also let certificate credential type have multiple active versions at the same time so that they can be rotated without any downtime. The final and most crucial phase of credential management is the revocation of credentials which can be implemented as below:

credentialOperations.deleteByName(credentialName);

5.5. Credential Retrieval

Now that we have an understanding of the complete credential management lifecycle. We’ll see how we can retrieve the most recent version of the password credential for Orders API authentication:

public ResponseEntity<Collection<Order>> getAllOrders() {
    try {
        String apiKey = credentialService.getPassword("api_key");
        return new ResponseEntity<>(getOrderList(apiKey), HttpStatus.OK);
    } catch (Exception e) {
        return new ResponseEntity<>(HttpStatus.FORBIDDEN);
    }
}

public String getPassword(String name) {
    SimpleCredentialName credentialName = new SimpleCredentialName(name);
    return credentialOperations.getByName(credentialName, PasswordCredential.class)
      .getValue()
      .getPassword();
}

5.6. Control Access to Credentials

Permission can be attached to a credential to limit access. For instance, a permission that grants access to a credential to a single user and enables that user to perform all the operations on a credential. Another permission can be attached that allows all the users to perform just the READ operation on a credential.

Let’s see an example of adding a permission to a credential that allows a user u101 to perform READ and WRITE operations:

Permission permission = Permission.builder()
  .app(UUID.randomUUID().toString())
  .operations(Operation.READ, Operation.WRITE)
  .user("u101")
  .build();
permissionOperations.addPermissions(name, permission);

Spring CredHub provides support for several other operations in addition to READ and WRITE, which allows the user(s) to:

READ – Get a credential by id and name
WRITE – Set, generate, and regenerate a credential by name
DELETE – Delete a credential by name
READ_ACL – Get ACL(Access Control List) by credential name
WRITE_ACL – Add and delete an entry to credential ACL

6. Conclusion

In this tutorial, we’ve shown how to integrate CredHub with Spring Boot using the Spring CredHub library. We centralized the credential management for an Order application, covering two crucial aspects: credential lifecycle and permissions.

The complete source code for this article can be found over on GitHub.

REST with Spring

Learn Spring Security ▼▲

Learn Spring Security Core

Learn Spring Security OAuth

Learn Spring

Learn Spring Data JPA

Persistence

REST

Security

Full Archive

Baeldung Ebooks

About Baeldung

Write for Baeldung