This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Vault 3.2.0!spring-doc.cn

Client support

Spring Vault supports various HTTP clients to access Vault’s HTTP API. Spring Vault uses RestTemplate as primary interface accessing Vault. Dedicated client support originates from customized SSL configuration that is scoped only to Spring Vault’s client components.spring-doc.cn

Spring Vault supports following HTTP imperative clients:spring-doc.cn

Spring Vault’s reactive integration supports the following reactive HTTP clients:spring-doc.cn

Using a specific client requires the according dependency to be available on the classpath so Spring Vault can use the available client for communicating with Vault.spring-doc.cn

Java’s builtin HttpClient

Java’s builtin HttpClient is available out-of-the-box since Java 11 without additional dependencies.spring-doc.cn

External Clients

You can use external clients to access Vault’s API. Simply add one of the following dependencies to your project. You can omit the version number if using Spring Vault’s Dependency BOMspring-doc.cn

Example 1. Apache Http Components Dependency
<dependency>
  <groupId>org.apache.httpcomponents.client5</groupId>
  <artifactId>httpclient5</artifactId>
</dependency>
Apache HttpClient’s wire logging can be enabled through logging configuration. Make sure to not accidentally enable wire logging as logs may expose traffic (tokens and secrets) between your application and Vault in plain text.
Example 2. Reactor Netty
<dependency>
  <groupId>io.projectreactor.netty</groupId>
  <artifactId>reactor-netty</artifactId>
</dependency>
Example 3. Apache Http Components Reactive Dependency
<dependency>
  <groupId>org.apache.httpcomponents.core5</groupId>
  <artifactId>httpcore5-reactive</artifactId>
</dependency>
Example 4. Jetty
<dependency>
  <groupId>org.eclipse.jetty</groupId>
  <artifactId>jetty-reactive-httpclient</artifactId>
</dependency>

Vault Client SSL configuration

SSL can be configured using SslConfiguration by setting various properties. You can set either javax.net.ssl.trustStore to configure JVM-wide SSL settings or configure SslConfiguration to set SSL settings only for Spring Vault.spring-doc.cn

SslConfiguration sslConfiguration = SslConfiguration.create(            (1)
		new FileSystemResource("client-cert.jks"), "changeit".toCharArray(),
		new FileSystemResource("truststore.jks"), "changeit".toCharArray());

SslConfiguration.forTrustStore(new FileSystemResource("keystore.jks"),  (2)
                                      "changeit".toCharArray())

SslConfiguration.forKeyStore(new FileSystemResource("keystore.jks"),    (3)
                                      "changeit".toCharArray())

SslConfiguration.forKeyStore(new FileSystemResource("keystore.jks"),    (4)
                                      "changeit".toCharArray(),
                                      KeyConfiguration.of("key-password".toCharArray(),
                                      "my-key-alias"))
1 Full configuration.
2 Configuring only trust store settings.
3 Configuring only key store settings.
4 Configuring only key store settings with providing a key-configuration.

Please note that providing SslConfiguration can be only applied when Apache Http Components is on your class-path.spring-doc.cn

The SSL configuration supports also PEM-encoded certificates as alternative to a Java Key Store.spring-doc.cn

KeyStoreConfiguration keystore = KeyStoreConfiguration
        .of(new ClassPathResource("ca.pem")).withStoreType("PEM");
SslConfiguration configuration = SslConfiguration.forTrustStore(keystore);

PEM files may contain one or more certificates (blocks of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). Certificates added to the underlying KeyStore use the full subject name as alias.spring-doc.cn