Brightspot CMS Developer Guide

Secure secrets configuration and usage

There are three main aspects of the secrets system:

  1. Configuration of the secret service
  2. Storing of the secret in some data model
  3. Accessing the secret from the data model

Configuration of the secret service is done via environment variables, typically in your Tomcat context.xml file. The keys and their values are described in the table below:

| Key | Value |
| --- | --- |
| brightspot/cms/defaultSecretService | The name of the default secret service. This is used in other keys below and is designated as {name}. |
| brightspot/cms/secretService/{name}/class | The fully qualified class name of the secret service you would like to use. For example, this would be com.psddev.cms.secret.DatabaseSecretService for the Database Secret Service and for the AWS Secret Service. |

Individual secret services may require additional configuration; both the Database Secret Service and the AWS Secret Service do.

Storage of secrets is done by adding a field to your data model of type com.psddev.cms.secret.Secret. Once this field is added, the Brightspot Secret Service system automatically ensures that any data added by users to this field is encrypted by the default secret service that is configured.

If no default service is configured for the Brightspot instance, the value will be stored as plain text in the database, and the user will be warned that the data is not securely stored. Once a secret service is configured, the data will be securely stored on the next save of the parent object.

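import com.psddev.cms.db.Content;
import com.psddev.cms.secret.Secret;

public class AcmeApiServiceSettings extends Content {

    // Values entered in this field are encrypted by the default secret service.
    @DisplayName("API Key")
    private Secret apiKey;
}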

  • Brightspot annotations can be used on Service fields as usual. Here you can see we change the display name of the field.
  • Use the @Required annotation to require the input of a value for the field.

[Image: Secret Field in CMS]

Once you have a Secret field on a data model, you can access the unencrypted value of the secret by calling Secret#getSecret, which returns the unencrypted value as a string.

import java.util.Optional;

import com.psddev.cms.db.Content;
import com.psddev.cms.secret.Secret;

public class AcmeApiServiceSettings extends Content {

    @DisplayName("API Key")
    private Secret apiKey;

    public boolean isValidApiKey(String providedKey) {
        return Optional.ofNullable(apiKey)
            // Retrieve the unencrypted value; an unset field yields false below.
            .map(Secret::getSecret)
            .map(unencryptedSecret -> unencryptedSecret.equals(providedKey))
            .orElse(false);
    }
}
  • Secret#getSecret is called to get the unencrypted value of the secret.
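
A hardened variant of the isValidApiKey check above, as an added example that is not Brightspot's own code: it rejects empty or unset secrets and compares SHA-256 digests with MessageDigest.isEqual, so the comparison time does not depend on how many leading characters match. The nested Secret interface and the sample key are stand-ins constructed here; only getSecret() comes from this page.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Optional;

public class ApiKeyCheckExample {

    // Hypothetical stand-in for com.psddev.cms.secret.Secret so this file compiles
    // on its own; only getSecret(), the accessor named on this page, is assumed.
    interface Secret {
        String getSecret();
    }

    // Hash both values first so the compared arrays always have equal length,
    // then compare the digests in constant time.
    static boolean isValidApiKey(Secret apiKey, String providedKey) {
        if (providedKey == null || providedKey.isEmpty()) {
            return false; // never accept an empty key, even if the stored secret is empty
        }
        return Optional.ofNullable(apiKey)        // field not populated yet
            .map(Secret::getSecret)               // unencrypted value, may be null
            .filter(stored -> !stored.isEmpty())  // blank secret must not match anything
            .map(stored -> MessageDigest.isEqual(sha256(stored), sha256(providedKey)))
            .orElse(false);
    }

    private static byte[] sha256(String value) {
        try {
            return MessageDigest.getInstance("SHA-256")
                .digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required on every Java platform", e);
        }
    }

    public static void main(String[] args) {
        Secret stored = () -> "constructed-sample-key"; // constructed value, not a real key
        Secret unset = () -> null;                      // secret never entered

        System.out.println(isValidApiKey(stored, "constructed-sample-key"));
        System.out.println(isValidApiKey(stored, "constructed-sample-kez"));
        System.out.println(isValidApiKey(unset, "anything"));
        System.out.println(isValidApiKey(null, ""));
    }
}
```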
