Before Spring Boot 3, there were certain keys that were automatically masked on the /env endpoint. Users were also able to configure other keys to be masked.

With Spring Boot 3, however, we now have three choices: NEVER (show no values, i.e. always mask every value), ALWAYS (show all values, i.e. never mask any value) and WHEN_AUTHORIZED (i.e. never mask any value as long as the caller has been authorized).

In our use case, we protect the /env endpoint with opaque token authorization and a required scope. If the user is not authorized, then we do not even let them see the endpoint response at all (they will get a 401). But if the user is authorized, then they can see the values of every key, even key/value pairs that were provided by a secret manager.

With the three options above (NEVER/ALWAYS/WHEN_AUTHORIZED), every value is either shown or masked. There is no ability to mix. I believe it would be beneficial to provide some mechanism to allow some values to be shown while other values are masked. That could be a configurable list of keys (or key suffixes/prefixes), or one could configure the masking by source name or something similar.

I think the new enum is too limited and needs to be enhanced.

Comment From: wilkinsona

As described in the documentation, you can define a SanitizingFunction bean to take control of how the values are masked when using ALWAYS or WHEN_AUTHORIZED.

While getting the link to the documentation, I noticed that the Customizing Sanitization section is slightly misleading as the built-in key-based sanitization is no longer performed. I've opened https://github.com/spring-projects/spring-boot/issues/33990 to improve that.
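
The following is an added illustration of the approach wilkinsona describes, not code from the issue or from Spring Boot itself. It registers a SanitizingFunction bean that keeps some values masked while everything else is shown, which is the mixed behaviour the reporter asked for. The suffix list, the `vault` property-source name prefix and the class name are assumptions for the example; the function is only consulted when `management.endpoint.env.show-values` is `always` or `when-authorized`, and because Spring Boot 3 no longer applies the old key-based masking first, anything you want hidden has to be handled here explicitly.

```java
import java.util.List;
import java.util.Locale;

import org.springframework.boot.actuate.endpoint.SanitizableData;
import org.springframework.boot.actuate.endpoint.SanitizingFunction;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Assumes, in application.properties (the /env endpoint itself is still
// guarded by whatever HTTP security you already have in front of it):
//   management.endpoint.env.show-values=when-authorized
@Configuration
public class SelectiveSanitizationConfig {

    // Assumed list for this example: keys ending in one of these suffixes stay
    // masked even for an authorized caller. Case-insensitive match on the key.
    private static final List<String> MASKED_KEY_SUFFIXES =
            List.of("password", "secret", "token", "credentials", "private-key");

    // Assumed property-source name prefix for values injected by a secrets
    // manager; every value from such a source is masked regardless of its key.
    private static final String SECRET_SOURCE_PREFIX = "vault";

    // Same placeholder the built-in sanitizer uses for masked values.
    private static final String MASKED = "******";

    @Bean
    SanitizingFunction selectiveSanitizer() {
        return (SanitizableData data) -> {
            String key = data.getKey();
            if (key != null) {
                String lower = key.toLowerCase(Locale.ROOT);
                for (String suffix : MASKED_KEY_SUFFIXES) {
                    if (lower.endsWith(suffix)) {
                        return data.withValue(MASKED);
                    }
                }
            }
            // getPropertySource() can be null for data that did not come from
            // the Environment (for example configprops), so guard the call.
            if (data.getPropertySource() != null
                    && data.getPropertySource().getName().startsWith(SECRET_SOURCE_PREFIX)) {
                return data.withValue(MASKED);
            }
            // Everything else is returned untouched and therefore shown.
            return data;
        };
    }
}
```

Multiple SanitizingFunction beans are applied in order, so a broad rule (mask the whole secret-manager source) and narrow rules (mask keys by suffix) can live in separate beans if that reads better; a value masked by any one of them stays masked. Under `show-values=never` the function is irrelevant, since every value is masked before it would run.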

Comment From: solidjb

@wilkinsona - Thank you for pointing that out. I tried to find references to things like masking; I was not using the word sanitize. I will look into implementing the custom sanitization.