Brightspot CMS Developer Guide

Building a custom secret service

Brightspot’s Secret Service API provides a standardized interface for encrypting secrets in . To use this API, you must implement a custom secret service that securely stores data, either via encryption or by leveraging a third-party secret storage solution.

This topic provides guidance on how to implement a custom secret service integration. Note that since each integration can be quite different depending on the third-party service, this topic may not cover all details needed to build an integration with a specific third party.

To create a new secret service implementation, create a new java class that implements the com.psddev.cms.secret.SecretService interface.

To implement the SecretService interface, a class must implement the following methods:

  1. storeSecret(Secret secret)

    • This method should persist the given secret securely.
    • Parameters:

      • secret - The secret that should be stored.
  2. getSecret(Secret secret)

    • This method should securely retrieve the value for the given Secret .
    • Parameters:

      • secret - The secret whose value should be retrieved.
    • Returns:

      • The unencrypted value of the given secret.
  3. deleteSecret(Secret secret)

    • This method should delete the stored value of the given secret.
    • Parameters:

      • secret - The secret whose stored value should be deleted.

The SecretService interface extends SettingsBackedObject , which allows your SecretService to be initialized by com.psddev.dari.util.Settings . These settings are typically set in your Tomcat context.xml file. To apply these settings you can extend the initialize(String settingsKey, Map<String, Object> settings) method from SettingsBackedObject . An example implementation is shown below:

Initialize Implementation
public class CustomSecretService implements SecretService {
        private static final String PREFIX_SUB_SETTING = "prefix";

     * A Prefix to append to all keys stored by this Secret manager.
    private String prefix;

    public void initialize(String settingsKey, Map<String, Object> settings) {
        prefix =, settings.get(PREFIX_SUB_SETTING));

In the above example, the prefix value could now be configured with the brightspot/cms/secretService/{name}/prefix settings key.

Once you have your secret service implemented, enabling it must be done via environment variables, typically in your Tomcat context.xml file. The keys and respective values are described in the table below:

brightspot/cms/defaultSecretService The name of the default secret service. This is used in other keys below and is designated as {name} .
brightspot/cms/secretService/{name}/class The fully qualified java class name of your SecretService implementation.


Any additional settings can be configured via additional keys.