I have a Spring Boot 2.1.4.RELEASE RESTful web service app, built with Spring Initializr, embedded Tomcat and the Thymeleaf template engine, and packaged as an executable JAR file, which uses a third-party REST API secured by JWT, so I need to store the plain username and password in the web app to authenticate to the API, and I would like to know what the best practice is for keeping the credentials:
1) in the HttpSession object?
2) in the DB as plain text?
Secrets management should be done outside the app, preferably with the help of third-party products / APIs, as it can be cumbersome to create our very own robust secret management system.
One such popular and robust product for secret management is HashiCorp Vault.
Since you are already using Spring, do refer to this excellent article on how Vault can be utilized for secrets management.
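As an added example (not code from the article, the answer, or the original poster), here is the minimal Spring Cloud Vault wiring that keeps the third-party API username and password out of the JAR, the database and the HttpSession: an operator writes the credential into Vault's KV engine once, the app fetches it at startup through the Spring Cloud Vault bootstrap, and only the short-lived JWT obtained with it is held, in process memory. The property names `api.username`, `api.password` and `api.token-url`, the class names, the Vault address and the token-endpoint response shape are assumptions for illustration; the `spring-cloud-starter-vault-config` dependency and the `spring.cloud.vault.*` properties are the real Spring Cloud Vault ones (the Greenwich release train pairs with Boot 2.1.x).

```java
// bootstrap.yml (src/main/resources) - Spring Cloud Vault reads this before application.yml
//
//   spring:
//     application:
//       name: myapp                 # secrets are looked up under secret/myapp
//     cloud:
//       vault:
//         uri: https://vault.example.internal:8200   # assumed address
//         authentication: TOKEN     # fine for local dev; use APPROLE or KUBERNETES in production
//         token: ${VAULT_TOKEN}     # injected from the environment, never committed
//         kv:
//           enabled: true
//           backend: secret
//
// Seed the secret once from an operator workstation (KV v2 engine), not from the app:
//   vault kv put secret/myapp api.username=svc-user api.password='S3cr3t!' \
//       api.token-url=https://api.example.com/auth/token
//
// Build dependency: org.springframework.cloud:spring-cloud-starter-vault-config

package com.example.thirdparty;

import java.util.HashMap;
import java.util.Map;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;

// Bound from the Vault-backed properties api.username / api.password / api.token-url.
// Spring Cloud Vault merges secret/myapp into the Environment, so ordinary binding works.
@Component
@ConfigurationProperties(prefix = "api")
class ApiCredentials {
    private String username;
    private String password;
    private String tokenUrl;

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getTokenUrl() { return tokenUrl; }
    public void setTokenUrl(String tokenUrl) { this.tokenUrl = tokenUrl; }

    // Redact the password so an accidental log of this bean never leaks it.
    @Override
    public String toString() {
        return "ApiCredentials{username='" + username + "', password='***', tokenUrl='" + tokenUrl + "'}";
    }
}

// Assumed shape of the third-party token endpoint's JSON reply: {"token": "<jwt>"}.
class TokenResponse {
    private String token;
    public String getToken() { return token; }
    public void setToken(String token) { this.token = token; }
}

// Exchanges the Vault-supplied credential for a JWT and caches only the JWT, in memory.
// Nothing here touches HttpSession or the database.
@Component
public class ThirdPartyAuthClient {
    private final ApiCredentials creds;
    private final RestTemplate rest = new RestTemplate();
    private volatile String cachedJwt;

    public ThirdPartyAuthClient(ApiCredentials creds) {
        this.creds = creds;
    }

    // Returns a bearer token for the third-party API, logging in on first use.
    public synchronized String bearerToken() {
        if (cachedJwt == null) {
            Map<String, String> body = new HashMap<>();
            body.put("username", creds.getUsername());
            body.put("password", creds.getPassword());
            ResponseEntity<TokenResponse> resp =
                rest.postForEntity(creds.getTokenUrl(), body, TokenResponse.class);
            if (resp.getBody() == null || resp.getBody().getToken() == null) {
                throw new IllegalStateException("third-party token endpoint returned no token");
            }
            cachedJwt = resp.getBody().getToken();
        }
        return cachedJwt;
    }

    // Call this when the API answers 401 so the next request re-authenticates.
    public synchronized void invalidate() {
        cachedJwt = null;
    }
}
```

Two points worth keeping in mind with this layout: the Vault token itself is still a secret, so in production prefer AppRole or the Kubernetes auth method over a static `spring.cloud.vault.token`, and if the third-party password is rotated in Vault the running app will not see the new value until it restarts (or you enable Spring Cloud's refresh support), so plan rotation around that.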