Client support
Spring Vault supports various HTTP clients to access Vault’s HTTP API. Spring Vault uses
RestTemplate as primary interface accessing Vault.
Dedicated client support originates from customized SSL configuration
that is scoped only to Spring Vault’s client components.
Spring Vault supports following HTTP imperative clients:
-
Java’s builtin
HttpURLConnection(default client if no other is available) -
Apache Http Components
-
OkHttp 3
Spring Vault’s reactive integration supports the following reactive HTTP clients:
-
Java’s builtin reactive
HttpClient(default client if no other is available) -
Reactor Netty
-
Apache Http Components
-
Jetty
Using a specific client requires the according dependency to be available on the classpath so Spring Vault can use the available client for communicating with Vault.
Java’s builtin HttpURLConnection
Java’s builtin HttpURLConnection is available out-of-the-box without additional
configuration. Using HttpURLConnection comes with a limitation regarding SSL configuration.
Spring Vault won’t apply customized SSL configuration as it would
require a deep reconfiguration of the JVM. This configuration would affect all
components relying on the default SSL context. Configuring SSL settings using
HttpURLConnection requires you providing these settings as System Properties. See
Customizing JSSE for further details.
External Clients
You can use external clients to access Vault’s API. Simply add one of the following dependencies to your project. You can omit the version number if using Spring Vault’s Dependency BOM
<dependency>
<groupId>org.apache.httpcomponents.client5</groupId>
<artifactId>httpclient5</artifactId>
</dependency>| Apache HttpClient’s wire logging can be enabled through logging configuration. Make sure to not accidentally enable wire logging as logs may expose traffic (tokens and secrets) between your application and Vault in plain text. |
<dependency>
<groupId>com.squareup.okhttp3</groupId>
<artifactId>okhttp</artifactId>
</dependency><dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty</artifactId>
</dependency><dependency>
<groupId>org.apache.httpcomponents.core5</groupId>
<artifactId>httpcore5-reactive</artifactId>
</dependency><dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-reactive-httpclient</artifactId>
</dependency>Vault Client SSL configuration
SSL can be configured using SslConfiguration by setting various properties.
You can set either javax.net.ssl.trustStore to configure
JVM-wide SSL settings or configure SslConfiguration
to set SSL settings only for Spring Vault.
SslConfiguration sslConfiguration = SslConfiguration.create( (1)
new FileSystemResource("client-cert.jks"), "changeit".toCharArray(),
new FileSystemResource("truststore.jks"), "changeit".toCharArray());
SslConfiguration.forTrustStore(new FileSystemResource("keystore.jks"), (2)
"changeit".toCharArray())
SslConfiguration.forKeyStore(new FileSystemResource("keystore.jks"), (3)
"changeit".toCharArray())
SslConfiguration.forKeyStore(new FileSystemResource("keystore.jks"), (4)
"changeit".toCharArray(),
KeyConfiguration.of("key-password".toCharArray(),
"my-key-alias"))| 1 | Full configuration. |
| 2 | Configuring only trust store settings. |
| 3 | Configuring only key store settings. |
| 4 | Configuring only key store settings with providing a key-configuration. |
Please note that providing SslConfiguration can be only applied when either Apache Http Components or the OkHttp client is on your class-path.
The SSL configuration supports also PEM-encoded certificates as alternative to a Java Key Store.
KeyStoreConfiguration keystore = KeyStoreConfiguration
.of(new ClassPathResource("ca.pem")).withStoreType("PEM");
SslConfiguration configuration = SslConfiguration.forTrustStore(keystore);PEM files may contain one or more certificates (blocks of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).
Certificates added to the underlying KeyStore use the full subject name as alias.
