Java application demo
Once you have learned the fundamentals of Vault, the next step is to integrate your systems and applications with Vault to secure your organization's secrets.
This tutorial is a companion to a webinar that includes a live demo of how to manage secrets, access, and encryption in the public cloud with Vault.
Challenge
Incidents of data breaches which expose sensitive information make headlines more often than you would like to hear. It becomes more and more important to protect data by encrypting it whether the data is in-transit or at-rest. However, creating a highly secure and sophisticated solution by yourself requires time and resources which are in demand when an organization is facing a constant threat.
Solution
Vault centralizes management of cryptographic services used to protect your data. Your system can communicate with Vault easily through the Vault API to encrypt and decrypt your data, and the encryption keys never have to leave the Vault.

Prerequisites
This lab was tested on macOS using an x86_64 based processor. If you are running macOS on an Apple silicon-based processor, use a x86_64 based Linux virtual machine in your preferred cloud provider.
To perform the tasks described in this tutorial you must have:
- HashiCorp Vagrant installed
tree
installedgit
installed
Review the demo application implementation
Retrieve the configuration by cloning or downloading the hashicorp-education/learn-vault-spring-cloud repository from GitHub.
Clone the repository.
Or download the repository.
The repository contains supporting content for this Java application tutorial.
Review the demo application's source code directory structure.
The Java application in this demo leverages the Spring Cloud Vault library which provides lightweight client-side support for connecting to Vault in a distributed environment.
In the
TransitConverter
class, theconvertToDatabaseColumn
method on line 11 invokes a Vault operation to encrypt theorder
. Similarly, theconvertToEntityAttribute
method on line 19 decrypts theorder
data.TransitConverter.java1 2 3 4 5 6 7 8 9 1011121314151617181920212223242526
The
VaultDemoOrderServiceApplication
class defines themain
method.VaultDemoOrderServiceApplication.java1 2 3 4 5 6 7 8 9 10111213141516171819202122232425262728293031323334353637
The
OrderAPIController
class defines the API endpoint (api/orders
).OrderAPIController.java1 2 3 4 5 6 7 8 9 101112131415161718192021222324252627282930313233343536
Deploy and review the demo environment
For this tutorial, you will provision a Linux machine locally using Vagrant. The GitHub repository provides supporting files to provision the environment demonstrated in the webinar.

The learn-vault-spring-cloud/vagrant-local
directory contains
a Vagrantfile
that starts a Linux machine and configures the demo environment.
Change the working directory to
vagrant-local
.Run
vagrant up
to start the demo environment. This takes about 3 minutes.Verify the virtual machine was successfully created and running.
Connect to the demo Vagrant virtual machine.
Review the demo environment.
There are 3 Docker containers running on the machine:
spring
,vault
, andpostgres
.
Examine the Vault environment
During the demo machine provisioning, the /scripts/vault.sh
script was
executed to perform the following:
- Created a policy named
order
- Enabled the
transit
secrets engine and created an encryption key namedorder
- Enabled the
database
secrets engine and created a role namedorder
View the
vault
log.The log indicates that the Vault server is running in the
dev
mode, and the root token isroot
.Visit the Vault UI at http://localhost:8200/ui. Enter
root
and click Sign In.Select the
transit/
secrets engine, and you should find an encryption key namedorder
.Click Policies, then click order to view the policy.
The
order
policy is for the application. It permitsread
on thedatabase/creds/order
path so that the demo app can get a dynamically generated database credential from Vault. Therefore the PostgreSQL credentials are not hard-coded anywhere.The
update
permission for the transit secrets engine allows the app to request data encryption and decryption using theorder
encryption key in Vault.
Examine the Spring container
Review the
VaultDemoOrderServiceApplication
class.The
VaultDemoOrderServiceApplication
class logs messages during the successful execution ofinitIt()
.Verify that the log indicates that the demo app obtained a database credentials from Vault successfully.
Create a new shell session in the
spring
container.Review the
bootstrap.yaml
file.The client token was injected into the
spring
container as an environment variable (VAULT_TOKEN
) by Vagrant.Close the shell session in the
spring
container.
Examine the PostgreSQL database
Connect to the
postgres
container.Review the orders table.
List the existing database roles.
The role name starting with
v-token-order-
was dynamically created by the database secrets engine.Note
To learn more about the database secrets engine, read the Secrets as a Service: Dynamic Secrets tutorial.
Exit the
psql
session.
Run the demo application
You have verified in the spring
log that the demo app successfully retrieved a
database credential from the Vault server during its initialization.

Create a file
payload.json
with the following contents.Send a new order request via the demo app's orders API (http://localhost:8080/api/orders).
Example output:
The order data you sent gets encrypted by Vault. The database only sees the ciphertext.
Note
Alternately, you can use tool such as Postman instead of cURL to invoke the API.
Connect to the PostgreSQL container.
Verify that the order information stored in the database is encrypted.
In this demo, Vault encrypts the customer names; therefore the values in the
customer_name
column do not display the names in a human readable manner ("John").Close the shell session in the
postgres
container.Retrieve the order data via the orders API.
Example output:
The customer names should be readable. Remember that the
order
policy permits the demo app to encrypt and decrypt data using theorder
encryption key in Vault.
Web UI
You can also use the Vault web UI to decrypt the data.
In the Secrets tab, click transit > order.
Click Decrypt from the Key Actions pane.
Copy the ciphertext from the
orders
table in the previous section and paste it in.Click Decrypt, then click Copy & Close.
The value returned is base64 encoded.
Base64 decode the value using the command-line.
Example:
Reload the static secrets
Test another API endpoint, api/secret
, provided by the demo app.
A Java object, Secret
defines a get method for key
and value
.
The SecretController.java
defines an API endpoint, api/secret
.
The order
policy grants permissions on the secret/spring-vault-demo
path.
The demo app retrieves the secret from secret/spring-vault-demo
and has a
local copy. If someone (or perhaps another app) updates the secret, it makes the
secret held by the demo app obsolete.

Spring offers Spring Boot Actuator which can be used to facilitate the reloading of the static secret.
Read the secret
The initial key-value was set by Vagrant during the provisioning. (See the
Vagrantfile
at line 48.)
Invoke the demo app's secret API (
api/secret
).Example output:
This is the secret that the demo app knows about.
Update the secrets
Update the secret stored in Vault using the API.
Verify that the secret value was updated.
Example output:
Refresh the secret on the demo app
Run the demo app's secret API again.
Example output:
The current value stored in Vault is now
my-api-key
; however, the demo app still holdshello-vault
.Spring provides an actuator which can be leveraged to refresh the secret value. At line 54 of the
vault-guides/secrets/spring-cloud-vault/pom.xml
, you see that the actuator was added to the project.Refresh the secret using the actuator.
Example output:
Read back the secret from the demo app.
It should display the correct value.
Clean up
Disconnect from the
demo
virtual machine.When you are done exploring the demo implementation, destroy the virtual machine.
Remove the sample repository.
In the webinar, the demo environment was running in a public cloud, and Nomad
and Consul were also installed and configured. If you wish to build a similar
environment using Kubernetes, the assets in the vault-guides/secrets/spring-cloud-vault/kubernetes
folder provides you with some guidance.