Brightspot CMS Developer Guide

Secure secrets configuration and usage

There are three main aspects of the secrets system:

  1. Configuration of the secret service
  2. Storing of the secret in some data model
  3. Accessing the secret from the data model

Configuration of the secret service is done via environment variables, typically in your Tomcat context.xml file. The key and respective values are described in the table below:

Key Value
brightspot/cms/defaultSecretService The name of the default secret service. This is used in other keys below and is designated as {name}.
brightspot/cms/secretService/{name}/class The fully qualified class name of the secret service you would like to use. For example, this would be com.psddev.cms.secret.DatabaseSecretService for the Database Secret Service and for the AWS Secret Service.

Individual secret services could require additional configuration. Both the Database Secret Service and AWS Secret Service do require additional configuration.

Storage of secrets is done by adding a field to your data model of type com.psddev.cms.secret.Secret. Once this field is added, the Brightspot Secret Service system automatically ensures that any data added by users to this field is encrypted by the default secret service that is configured.

If no default service is configured for the Brightspot instance, the value will be stored as plain text in the database, and the user will be warned that the data is not securely stored. Once a secret service is configured, the data will be securely stored on the next save of the parent object.

import com.psddev.cms.secret.Secret;

public class AcmeApiServiceSettings extends Content {

    @DisplayName("API Key")
    private Secret apiKey;

  • Brightspot annotations can be used on Service fields as usual. Here you can see we change the display name of the field.
  • Use the @Required annotation to require the input of a value for the field.

Secret Field in CMS Secret Field in CMS

Once you have a Secret field on a data model, you can then access the unencrypted value of this secret. This is done by calling Secret#getSecret , which returns the unencrypted value as a string.

import java.util.Optional;

import com.psddev.cms.secret.Secret;

public class AcmeApiServiceSettings extends Content {

    @DisplayName("API Key")
    private Secret apiKey;

    public boolean isValidApiKey(String providedKey) {
        return Optional.ofNullable(apiKey)
            .map(unencryptedSecret -> unencryptedSecret.equals(providedKey))
  • Secret#getSecret is called to get the unencrypted value of the secret.

Previous Topic
Secure secrets
Next Topic
Database Secret Service
Was this topic helpful?
Thanks for your feedback.
Our robust, flexible Design System provides hundreds of pre-built components you can use to build the presentation layer of your dreams.

Asset types
Module types
Page types
Brightspot is packaged with content types that get you up and running in a matter of days, including assets, modules and landing pages.

Content types
Landing pages
Everything you need to know when creating, managing, and administering content within Brightspot CMS.

Admin configurations
A guide for installing, supporting, extending, modifying and administering code on the Brightspot platform.

Field types
Content modeling
Rich-text elements
A guide to configuring Brightspot's library of integrations, including pre-built options and developer-configured extensions.

Google Analytics
Apple News