I have a SpringBoot 2.1.4.RELEASE RESTful Web Service app., using Spring Initializer, embedded Tomcat, Thymeleaf template engine, and package as an executable JAR file, which is using a third party REST API secured by JWT, so I need to store in the WebApp the plain username and password to authenticate to the API, and I would like to know what is the best practice to keep the credentials
1) in the HttpSession object ?
2) in the DB as a plan text ?
Secrets management should be done outside the app, preferably with help of third party products / API, as it could be cumbersome to create our very own robust secret management system.
One such popular & robust product for secret management is HashiCorp Vault.
Since you are already using Spring do refer to this excellent article on how vault can be utilized for the secrets management.
Like others have said its best not to store secrets in the application.
To avoid storing any user credentials you could use a strategy similar to OAuth2 where the client requests a JWT token directly from the API provider (usually Javascript logic in your front end) then future client requests to your application pass the JWT token along that you can use to make requests against the API.
This way all user credentials are stored only on the client side only giving your application access to the JWT token which probably expires after some period of time.
The best practice is not to store in your app. This is a interesting approach if you are hosting your app on AWS. https://medium.com/poka-techblog/the-best-way-to-store-secrets-in-your-app-is-not-to-store-secrets-in-your-app-308a6807d3ed
