Learn How to Use Vue and Spring Boot to Create a Single-Page App

In this tutorial, you'll create a single-page application (SPA) with a Spring Boot resource server and a Vue front-end client. You'll learn how to utilize JSON Web Tokens (JWTs) for authentication and authorization, using Spring Boot to configure the JWTs, with Okta as your OAuth 2.0 and OpenID Connect (OIDC) provider. You'll also learn how to use the Vue CLI to bootstrap a Vue client app and how to secure it using the Okta Sign-In Widget.

Okta is a security service provider that offers helpful information on safeguarding online applications. The Okta Sign-In Widget protects front-end apps by letting you quickly add a secure login form that can be configured for single sign-on and social sign-on with external providers like Google, Facebook, and LinkedIn. It includes an implementation of the OAuth 2.0 authorization code flow with PKCE (Proof Key for Code Exchange).

OAuth 2.0 Session Clustering

"How do I control OAuth in a load-balanced application?" is typical of the OAuth 2.0 questions we hear. The short answer is: Session clustering for OAuth isn't unique in any way. The longer answer is that cluster session management is still likely to be a concern. This post explains how an OAuth login affects your app session. To demonstrate, we'll create a basic, secure, and load-balanced app.

Codeless OAuth API and Email API Attachments

The OAuth API gives you the full benefits of third-party OAuth login, and with a new Codeless block, your application can include login with the likes of Facebook, Twitter, Google, Amazon, LinkedIn, Discord, GitHub, Spotify, and more.

In addition to the OAuth API, Backendless has also added new functionality for adding email attachments via API, which is also now available in Codeless. Email attachments – PDFs, images, videos, etc. – can even be added to email templates using Codeless. Read on to learn more.

Easy Access to OAuth 2.0 Protected Resources With the Spring WebClient

Spring Framework 5.0 introduced Spring WebClient as part of the WebFlux reactive web stack. WebClient is a reactive HTTP client that provides a functional and fluent API based on Reactor, allowing declarative composition of asynchronous non-blocking requests, so there is no need to manage concurrency issues by hand. Support for filter registration means it can intercept and modify requests, which can be used for cross-cutting concerns such as authentication, as demonstrated in this tutorial.

WebTestClient is an HTTP client designed for application testing. It wraps WebClient with a testing interface for checking responses, and can be used to execute end-to-end HTTP tests against a live server. It can also bind to a controller or application context and simulate requests and responses without requiring a running server.

Accessing Non-Blocking Databases Using R2DBC and Spring

Large volumes of data and requests from the web can be handled well by reactive APIs. Clients (like your browser) can subscribe to "events" using the server-sent event model, which "pushes" available events to the client.

This is not of much use for simple CRUD applications, but when dealing with millions of "subscribers", it is significantly faster than the traditional "request-response" architecture.

API Security Weekly: Issue #136

This week, we check out how API attacks can be used to squash political dissent, a handy OAuth 2.0 security checklist as well as some common OAuth vulnerabilities and the ways to detect and mitigate them, and a case study of API penetration testing.

Vulnerability: Russian Opposition Email List Breach

Companies typically avoid providing details on their data breaches. Today we have a rare exception. The staff of the Russian opposition leader, Alexey Navalny, has posted a detailed report on both the breach they had earlier this year and their investigation into the breach. Unfortunately, the report is in Russian, so you might need to use Google Translate or auto-generated English subtitles in the video version that they posted on YouTube.

Authorization Technology is the Future of Collaboration

Back in the day, security was built around the principle that the people who work for the organization are the good guys we give access to, while everyone outside the organization is a bad guy we need to keep out.

Well, two things have radically changed since then.

Use Both JWT and Opaque Access Tokens With Spring Boot

How can one validate OAuth 2.0 access tokens? This question frequently comes up, along with the topic of validating JSON Web Token (JWT) based access tokens; however, token validation is NOT part of the OAuth 2.0 specification. JWTs are used so commonly that Spring Security supported them before adding support for validating tokens remotely.

This article will introduce how to build a simple application that utilizes both types of validation.

Securing Web Apps Using PKCE With Spring Boot

Technology has a way of updating faster than security standards. OAuth 2.0 is the latest and greatest standard for modern applications, but it’s eight years old now! Its contributors are working on the next version as we speak, and in the meantime, they release “guidance” periodically to help developers use OAuth 2.0 with new technology.

Last year, the developers submitted two drafts of important pieces of guidance for OAuth 2.0. OAuth 2.0 Security Best Current Practices gives advice for securing modern apps with OAuth 2.0, and OAuth 2.0 for Browser-Based Apps focuses specifically on web app best practices.

Easy OAuth 2.0 Single Sign-on in Java

Different applications need different permissions. Although you might have a single resource server providing data to multiple apps, it's often the case that you don't want all users of application A to access application B.

In this tutorial, you'll learn how to use Okta and Spring Boot to implement SSO with two client applications and a single resource server. You'll also learn how to restrict access to the resource server based on app scopes and how to use access policies to enforce authentication and authorization rules.

Authorization Approach for Multiple Web API Providers

Azure Active Directory (Azure AD) is a popular enterprise identity service that many organizations use to enable single sign-on for applications and to protect their web APIs.

Version 2.0 of the Microsoft identity platform (aka Azure AD) is the latest, improved implementation of OpenID Connect (OIDC) based authentication and OAuth 2.0 authorization flows.

Implement OAuth 2.0 Easily with Spring Boot and Spring Security

In this tutorial, you'll migrate Spring Boot with OAuth 2.0 support from version 1.5.x to 2.1.x. Spring Boot 2.1.x promotes OpenID Connect to a first-class citizen in the stack, making implementation more accessible than ever. We'll start with integrating Okta's OAuth service using Spring Boot 1.5.19 and Spring Security 4.2.x and then replicate the same motion using Spring Boot 2.1.3 and Spring Security 5.1. To make the process even simpler, we'll minimize the code and configuration even further with Okta's Spring Boot Starter with Spring Boot 2.1.3.

Three Minute Overview of OpenID Connect and OAuth 2.0

In the beginning, there were siloed web sites that didn’t talk to each other, and it was sad.

Tutorial: Secure Your Java App in 5 Minutes with OAuth 2.0

Present-day apps depend on user authentication, which can be challenging for Java developers. Many developers build their own authentication service as a placeholder for a more powerful option, only for that homegrown service to become the permanent solution. In this post, I will show you how to integrate an enterprise auth service into a simple app and break that cycle.

We’ll create an app that showcases user information. We’ll manually compose the authentication in the app to see the downsides. We’ll then move to the enterprise-auth solution. By the end of this post, you’ll learn how to secure a working Spring app using OAuth 2.0 for authentication in just 5 minutes.

Getting Started With Java and JSF

Learn more about using JavaServer Faces (JSF) in your Java apps.

JavaServer Faces (JSF) is a Java framework standard for building out component-based user interfaces for web applications. JSF is supported by a wide range of ready-to-use components, libraries, tools, and vendors — making it even more powerful.

Why choose JSF over JavaServer Pages (JSP)? There are two main reasons:

Build a Secure Spring Boot App With Kotlin

Learn how to build a secure Spring Boot app with Kotlin.

Kotlin was created by JetBrains in 2011 to make app development easier and to address some well-known issues with Java at the time, such as its verbosity. It rapidly gained popularity, even more so once Google formally announced Kotlin support on Android.

Countless companies are taking advantage of the features that Kotlin offers and switching over from Java, making it a significant language within the Java Virtual Machine (JVM) ecosystem.