Best practice for consumer secret and key in a Java application


#1

What is the best practice for storing consumer secret and key in a Java application source code, especially a WAR file ?

.properties in WEB-INF ?
obfuscation ?
proxy pattern ?

The app is going to be made accessible over web initially, possibly on desktop and mobile as well later. The source code will be shared in open source as well and would like to not share the secret and key.

What are the implications of sharing consumer secret and key ?

I’m looking for suggestions or best practices.


#2

I know this is an old post, but just curious how you ultimately handled this?