SecretConfiguration
Related Doc:
package http
the JCE provider to use.
the JCE provider to use. If null, uses the platform default
the application secret
The application secret. Must be set. A value of "changeme" will cause the application to fail to start in production.
With the Play secret we want to:
1) Encourage the practice of *not* using the same secret in dev and prod. 2) Make it obvious that the secret should be changed. 3) Ensure that in dev mode, the secret stays stable across restarts. 4) Ensure that in dev mode, sessions do not interfere with other applications that may be or have been running on localhost. Eg, if I start Play app 1, and it stores a PLAY_SESSION cookie for localhost:9000, then I stop it, and start Play app 2, when it reads the PLAY_SESSION cookie for localhost:9000, it should not see the session set by Play app 1. This can be achieved by using different secrets for the two, since if they are different, they will simply ignore the session cookie set by the other.
To achieve 1 and 2, we will, in Activator templates, set the default secret to be "changeme". This should make it obvious that the secret needs to be changed and discourage using the same secret in dev and prod.
For safety, if the secret is not set, or if it's changeme, and we are in prod mode, then we will fail fatally. This will further enforce both 1 and 2.
To achieve 3, if in dev or test mode, if the secret is either changeme or not set, we will generate a secret based on the location of application.conf. This should be stable across restarts for a given application.
To achieve 4, using the location of application.conf to generate the secret should ensure this.
the application secret
the JCE provider to use. If null, uses the platform default