# Spring CredHub

Spring CredHub provides client-side support for storing, retrieving, and deleting credentials from a CredHub (opens new window) server running in a Cloud Foundry (opens new window) platform.

CredHub provides an HTTP API (opens new window) to securely store, generate, retrieve, and delete credentials of various types. Spring CredHub provides a Java binding for the CredHub API, making it easy to integrate Spring applications with CredHub.

# 1. Getting started

Spring CredHub supports CredHub server version 1.x and 2.x. This library is intended to provide full coverage of the CredHub API - all operations on all credential types.

Spring CredHub has been optimized to work with Spring Boot applications. To include Spring CredHub in a Spring Boot application, add some dependencies to the project build file.

# 1.1. Maven Dependencies

Add the Spring CredHub starter to the dependencies section of the build file:

    <dependencies>
        <dependency>
            <groupId>org.springframework.credhub</groupId>
            <artifactId>spring-credhub-starter</artifactId>
            <version>2.2.0</version>
        </dependency>
    </dependencies>

To enable reactive support in Spring CredHub, add the following Spring WebFlux (opens new window) dependency to the build file:

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-webflux</artifactId>
            <version>5.3.13</version>
        </dependency>
    </dependencies>

To use OAuth2 authentication to CredHub, add the following Spring Security (opens new window) dependencies to the build file:

    <dependencies>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-config</artifactId>
            <version>5.5.3</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-client</artifactId>
            <version>5.5.3</version>
        </dependency>
    </dependencies>

# 1.2. Gradle Dependencies

Add the Spring CredHub starter to the dependencies section of the build file:

    dependencies {
        compile('org.springframework.credhub:spring-credhub-starter:2.2.0')
    }

To enable reactive support in Spring CredHub, add the following Spring WebFlux (opens new window) dependency to the build file:

    dependencies {
        compile("org.springframework.boot:spring-boot-starter-webflux:5.3.13")
    }

To use OAuth2 authentication to CredHub, add the following Spring Security (opens new window) dependencies to the build file:

    dependencies {
        compile("org.springframework.security:spring-security-config:5.5.3")
        compile("org.springframework.security:spring-security-oauth2-client:5.5.3")
    }

# 2. Spring Boot Configuration

When using the Spring CredHub starter dependency, Spring CredHub can be configured with Spring Boot application properties (opens new window). With the proper configuration properties, Spring CredHub will auto-configure a connection to a CredHub server.

# 2.1. Mutual TLS Authentication

An application running on Cloud Foundry can authenticate to a CredHub server deployed to the same platform using mutual TLS. Mutual TLS is the default authentication scheme when no other authentication credentials are provided. To use mutual TLS authentication to a CredHub server, simply provide the URL of the CredHub server as an application property:

spring:
  credhub:
    url: [CredHub server URL]

See the CredHub documentation (opens new window) for more information on mutual TLS authentication.

An application running on Cloud Foundry can use the internal address [https://credhub.service.cf.internal:8844](https://credhub.service.cf.internal:8844) to communicate with a CredHub server deployed to the same platform.

# 2.2. OAuth2 Authentication

OAuth2 can be used to authenticate via UAA to any CredHub server. Spring CredHub supports client credentials grant tokens for authentication using the following Spring CredHub and Spring Security configuration:

spring:
  credhub:
    url: [CredHub server URL]
    oauth2:
      registration-id: credhub-client
  security:
    oauth2:
      client:
        registration:
          credhub-client:
            provider: uaa
            client-id: [OAuth2 client ID]
            client-secret: [OAuth2 client secret]
            authorization-grant-type: client_credentials
        provider:
          uaa:
            token-uri: [UAA token server endpoint]

The ID provided in spring.credhub.oauth2.registration-id must refer to a client configured under spring.security.oauth2.client.registration. See the Spring Boot documentation (opens new window) for more information on Spring Boot OAuth2 client configuration.

The OAuth2 client specified in the Spring Security client registration must have CredHub scopes such as credhub.read or credhub.write to perform most operations. See the CredHub documentation (opens new window) for more information on OAuth2 authentication with UAA.

# 2.2.1. Auto-configuration of Spring Security OAuth2

When spring.credhub.oauth2 properties are set and Spring Security is on the application classpath, Spring CredHub will auto-configure the Spring Security beans required for OAuth2 authentication. An application can provide the required Spring Security OAuth2 beans to override the auto-configuration if necessary.

# Servlet and Non-reactive Applications

Spring CredHub requires beans of the following types, provided by Spring Security, in order to authenticate using OAuth2.

Required Bean Type Auto-configured Type
ClientRegistrationRepository (opens new window) InMemoryClientRegistrationRepository (opens new window)
OAuth2AuthorizedClientRepository (opens new window) AuthenticatedPrincipalOAuth2AuthorizedClientRepository (opens new window)
OAuth2AuthorizedClientManager (opens new window) DefaultOAuth2AuthorizedClientManager (opens new window)

The auto-configured DefaultOAuth2AuthorizedClientManager assumes the application is running in a servlet container and has an active HttpServletRequest. An application might need to provide an alternate implementation of the OAuth2AuthorizedClientManager bean such as AuthorizedClientServiceOAuth2AuthorizedClientManager (opens new window) to process requests outside of an HttpServletRequest, as shown in the following example:

/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
public class CredHubSecurityConfiguration {

	@Bean
	public AuthorizedClientServiceOAuth2AuthorizedClientManager reactiveClientManager(
			ClientRegistrationRepository clientRegistrationRepository,
			OAuth2AuthorizedClientService authorizedClientService) {
		AuthorizedClientServiceOAuth2AuthorizedClientManager clientManager = new AuthorizedClientServiceOAuth2AuthorizedClientManager(
				clientRegistrationRepository, authorizedClientService);
		clientManager.setAuthorizedClientProvider(new ClientCredentialsOAuth2AuthorizedClientProvider());
		return clientManager;
	}

}

Refer to the Spring Security documentation (opens new window) for more information and examples of configuring other beans.

# Reactive Applications

Spring CredHub requires beans of the following types, provided by Spring Security, in order to authenticate using OAuth2.

Required Bean Type Auto-configured Type
ReactiveClientRegistrationRepository (opens new window) InMemoryReactiveClientRegistrationRepository (opens new window)
ServerOAuth2AuthorizedClientRepository (opens new window) UnAuthenticatedServerOAuth2AuthorizedClientRepository (opens new window)
ReactiveOAuth2AuthorizedClientManager (opens new window) DefaultReactiveOAuth2AuthorizedClientManager (opens new window)

The auto-configured DefaultReactiveOAuth2AuthorizedClientManager requires an active ServerHttpRequest context. An application might need to provide an alternate implementation of the ReactiveOAuth2AuthorizedClientManager bean such as AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager (opens new window) to process requests outside of an ServerHttpRequest, as shown in the following example:

/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.credhub;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ClientCredentialsReactiveOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;

@Configuration
public class CredHubReactiveSecurityConfiguration {

	@Bean
	public AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager reactiveClientManager(
			ReactiveClientRegistrationRepository clientRegistrationRepository,
			ReactiveOAuth2AuthorizedClientService authorizedClientService) {
		AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager clientManager = new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
				clientRegistrationRepository, authorizedClientService);
		clientManager.setAuthorizedClientProvider(new ClientCredentialsReactiveOAuth2AuthorizedClientProvider());
		return clientManager;
	}

}

Refer to the Spring Security documentation (opens new window) for more information and examples of configuring other beans.

# 3. Introduction to CredHubOperations

The interface org.springframework.credhub.core.CredHubOperations and the implementation org.springframework.credhub.core.CredHubTemplate are the central classes in Spring CredHub.CredHubOperations provides access to additional operations interfaces that model the full CredHub API:

/**
 * Get the operations for saving, retrieving, and deleting credentials.
 */
CredHubCredentialOperations credentials();

/**
 * Get the operations for adding, retrieving, and deleting credential permissions.
 */
CredHubPermissionOperations permissions();

/**
 * Get the operations for adding, retrieving, and deleting credential permissions.
 */
CredHubPermissionV2Operations permissionsV2();

/**
 * Get the operations for retrieving, regenerating, and updating certificates.
 */
CredHubCertificateOperations certificates();

/**
 * Get the operations for interpolating service binding credentials.
 */
CredHubInterpolationOperations interpolation();

/**
 * Get the operations for retrieving CredHub server information.
 */
CredHubInfoOperations info();

# 3.1. Mapping to CredHub API

Each method of the Operations interfaces maps directly to one endpoint of the CredHub HTTP API. The following table shows the mapping between the CredHub API and the appropriate Spring CredHub Operations interface.

CredHub Credentials API (opens new window) CredHubCredentialOperations (opens new window)
CredHub Permissions API (opens new window) (v1) CredHubPermissionOperations (opens new window)
CredHub Permissions API (opens new window) (v2) CredHubPermissionV2Operations (opens new window)
CredHub Certificates API (opens new window) CredHubCertificateOperations (opens new window)
CredHub Interpolation API (opens new window) CredHubInterpolationOperations (opens new window)
CredHub Information API (opens new window) CredHubInfoOperations (opens new window)

# 3.2. CredHubOperations Auto-configuration

A CredHubOperations Spring bean is created using Spring Boot auto-configuration when application properties are properly configured. Application classes can autowire an instance of this bean to interact with a CredHub server.

/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.credhub;

import org.springframework.credhub.core.CredHubOperations;
import org.springframework.credhub.support.CredentialDetails;
import org.springframework.credhub.support.SimpleCredentialName;
import org.springframework.credhub.support.password.PasswordCredential;
import org.springframework.credhub.support.password.PasswordParameters;
import org.springframework.credhub.support.password.PasswordParametersRequest;
import org.springframework.stereotype.Component;

@Component
public class CredHubService {

	private final CredHubOperations credHubOperations;

	private final SimpleCredentialName credentialName;

	public CredHubService(CredHubOperations credHubOperations) {
		this.credHubOperations = credHubOperations;

		this.credentialName = new SimpleCredentialName("example", "password");
	}

	public String generatePassword() {
		PasswordParameters parameters = PasswordParameters.builder().length(12).excludeLower(false).excludeUpper(false)
				.excludeNumber(false).includeSpecial(true).build();

		CredentialDetails<PasswordCredential> password = this.credHubOperations.credentials()
				.generate(PasswordParametersRequest.builder().name(this.credentialName).parameters(parameters).build());

		return password.getValue().getPassword();
	}

	public String getPassword() {
		CredentialDetails<PasswordCredential> password = this.credHubOperations.credentials()
				.getByName(this.credentialName, PasswordCredential.class);

		return password.getValue().getPassword();
	}

}

# 4. Introduction to ReactiveCredHubOperations

The interface org.springframework.credhub.core.ReactiveCredHubOperations and the implementation org.springframework.credhub.core.ReactiveCredHubTemplate are the central classes in Spring CredHub reactive support.ReactiveCredHubOperations provides access to additional operations interfaces that model the full CredHub API:

/**
 * Get the operations for saving, retrieving, and deleting credentials.
 */
ReactiveCredHubCredentialOperations credentials();

/**
 * Get the operations for adding, retrieving, and deleting credential permissions.
 */
ReactiveCredHubPermissionOperations permissions();

/**
 * Get the operations for adding, retrieving, and deleting credential permissions.
 */
ReactiveCredHubPermissionV2Operations permissionsV2();

/**
 * Get the operations for retrieving, regenerating, and updating certificates.
 */
ReactiveCredHubCertificateOperations certificates();

/**
 * Get the operations for interpolating service binding credentials.
 */
ReactiveCredHubInterpolationOperations interpolation();

/**
 * Get the operations for retrieving CredHub server information.
 */
ReactiveCredHubInfoOperations info();

# 4.1. Mapping to CredHub API

Each method of the Reactive…​Operations interfaces maps directly to one endpoint of the CredHub HTTP API. The following table shows the mapping between the CredHub API and the appropriate Spring CredHub Reactive…​Operations interface.

CredHub Credentials API (opens new window) ReactiveCredHubCredentialOperations (opens new window)
CredHub Permissions API (opens new window) (v1) ReactiveCredHubPermissionOperations (opens new window)
CredHub Permissions API (opens new window) (v2) ReactiveCredHubPermissionV2Operations (opens new window)
CredHub Certificates API (opens new window) ReactiveCredHubCertificateOperations (opens new window)
CredHub Interpolation API (opens new window) ReactiveCredHubInterpolationOperations (opens new window)
CredHub Information API (opens new window) ReactiveCredHubInfoOperations (opens new window)

# 4.2. ReactiveCredHubOperations Auto-configuration

A ReactiveCredHubOperations Spring bean is created using Spring Boot auto-configuration when application properties are properly configured and the Spring WebFlux library is on the classpath. Application classes can autowire an instance of this bean to interact with a CredHub server.

/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.example.credhub;

import reactor.core.publisher.Mono;

import org.springframework.credhub.core.ReactiveCredHubOperations;
import org.springframework.credhub.support.SimpleCredentialName;
import org.springframework.credhub.support.password.PasswordCredential;
import org.springframework.credhub.support.password.PasswordParameters;
import org.springframework.credhub.support.password.PasswordParametersRequest;
import org.springframework.stereotype.Component;

@Component
public class ReactiveCredHubService {

	private final ReactiveCredHubOperations credHubOperations;

	private final SimpleCredentialName credentialName;

	public ReactiveCredHubService(ReactiveCredHubOperations credHubOperations) {
		this.credHubOperations = credHubOperations;

		this.credentialName = new SimpleCredentialName("example", "password");
	}

	public Mono<String> generatePassword() {
		PasswordParameters parameters = PasswordParameters.builder().length(12).excludeLower(false).excludeUpper(false)
				.excludeNumber(false).includeSpecial(true).build();

		return this.credHubOperations.credentials()
				.generate(PasswordParametersRequest.builder().name(this.credentialName).parameters(parameters).build(),
						PasswordCredential.class)
				.map((password) -> password.getValue().getPassword());
	}

	public Mono<String> getPassword() {
		return this.credHubOperations.credentials().getByName(this.credentialName, PasswordCredential.class)
				.map((password) -> password.getValue().getPassword());
	}

}

# 5. HTTP Client Support

Spring CredHub CredHubOperations supports multiple HTTP client libraries to communicate with the CredHub API. The following libraries are supported:

Choosing a specific client library requires the appropriate dependency to be available on the application classpath. The application classpath will be inspected for each client library in the order listed above.

Spring CredHub ReactiveCredHubOperations only supports the Netty HTTP client library.

# 5.1. Apache HttpComponents

To use Apache HttpComponents to communicate with CredHub, add the following dependency to the application:

<dependency>
  <groupId>org.apache.httpcomponents</groupId>
  <artifactId>httpclient</artifactId>
</dependency>
Apache HttpClient’s wire logging (opens new window) can be enabled through logging configuration. Make sure to not accidentally enable wire logging as logs may expose traffic (including tokens and secrets) between your application and CredHub in plain text.

# 5.2. OkHttp 3

To use OkHttp 3 to communicate with CredHub, add the following dependency to the application:

<dependency>
  <groupId>com.squareup.okhttp3</groupId>
  <artifactId>okhttp</artifactId>
</dependency>

# 5.3. Netty

To use Netty to communicate with CredHub, add the following dependency to the application:

<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-all</artifactId>
</dependency>