Posted on

How To Build Web Service Using Spring Boot 2.x

Architecture Contains

  • MVC Architecture
  • JWT Based Authentication
  • Spring Data (JPA)
  • Application User Password Encryption
  • DB password Encryption.
  • SQL Server
  • Slf4j
  • Swagger For API Doc

Repository Contains

  • Application Source code
  • SQL script of Data Base along with key data
  • DB.txt file contains the DB config details.
  • Postman JSON script to test all web services.

Steps to Run Applications

  • Install JDK 11 or the latest version.
  • Clone the Project repository into local.
  • Git Url: https://github.com/VishnuViswam/sample-web-service.git
  • Install SQL server 2012.
  • Create application DB and user
  • Insert the DB key data.
  • Add the decoding key of the database password into the system variables. It is present in the DB.txt file.
  • Sometimes we may need to restart the windows to pick up the updated system variables.
  • Run the project source code.
  • To call the web services, import provided postman JSON scripts into the postman client application.

About Project Configurations

Web-Service Declaration

Each Web-services of the application will be declared in the controller layer.

Example

Java
  
@RequestMapping("/api/v1/user")
@RestController
@Validated
public class UserController {

    private static final Logger logger = LoggerFactory.getLogger(UserController.class);

    @Autowired
    private GeneralServices generalServices;

    @Autowired
    private UserService userService;

    /**
     * Web service to create new user
     *
     * @param httpServletRequest
     * @param user
     * @return
     */
    @PostMapping(consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity<Object> createUser(HttpServletRequest httpServletRequest,
                                             @Valid @RequestBody UserCreateModel user) {
        logger.debug("<--- Service to save new user request : received --->");
        ApiSuccessResponse apiResponse = userService.createUser(user, generalServices.getApiRequestedUserId(httpServletRequest));
        logger.debug("<--- Service to save new user response : given --->");
        return ResponseEntity.status(HttpStatus.CREATED).body(apiResponse);

    }

}
  • @RequestMapping("/api/v1/user") annotation is used to mention the category of web service.
  • @RestController annotation will configure the class to receive the rest-full web service call.
  • @PostMapping() annotation will decide the HTTP request type.
  • consumes & consumes tags will decide the content type of the HTTP request and response.

From this "controller layer," API requests will be taken to the service layer. All business logic will be handled here, then it will talk with the database using JPA.

Posted on

Authentication With Remote LDAP Server in Spring WebFlux

In my previous article, we covered authentication and authorization with remote LDAP servers in Spring Web MVC. Since base concepts are the same, some sections are unavoidably the same in these two articles and they are kept in both articles in order to create a seamless reading experience for WebFlux and MVC learners. 

In this article, we will develop a reactive Spring Boot project and integrate into remote LDAP through Spring Security. In addition, we will perform authentication (auth) and authorization (autz) operations over JWT (JSON Web Token) for the APIs we will open. 

Posted on

Authentication With Remote LDAP Server in Spring Web MVC

There are plenty of articles, videos, and courses about this topic, but nearly all of them use embedded LDAP as a source for user information. In this article, we will develop a Spring Boot project and integrate to remote LDAP through Spring Security. In addition, we will perform authentication (auth) and authorization (autz) operations over JWT (JSON Web Token) for the APIs we will open. 

In a business scenario, our application serves as a user portal service that authenticates and authorizes users against specific APIs with their LDAP authorities. First, let's talk about the terms we will use.

Posted on

How To Propagate Context Information Throw Spring Batch

Introduction

While developing applications using Spring batch, we sometimes face one or most of the following cases:

  • The necessity of getting the security context to call methods or perform processing that requires security authorization.
  • Propagating the trace Id and Span Id required by Sleuth in micro-service context.
  • Getting the user Locale (i18n) in order to generate internationalized output.
  • Printing MDC information.

Those cases can be resolved by passing the context information as job parameters and restoring them before the job or step runs using JobExecutionListener or StepExecutionListener, respectively, according to the execution configuration made (One thread per job or thread pool that).

Posted on

Authorization Code Grant Flow With Spring Security OAuth 2.0

Introduction

We have learned about OAuth - 2.0 specification in previous articles and how we can implement OAuth - 2.0 client credentials grant flow working with spring's authorization server. In this article, we're going to see how we can implement authorization code grant flow get working with spring security. 

According to the OAuth-2.0 specification, authorization code grant flow is a two-step process mainly used by confidential clients(a web server or secured application that can promise the security of credentials). In the first step, we request the authorize endpoint to get authorization code from the authorization server and then use it to get an access token from the authorization server at the token endpoint.

Posted on

Database Authentication + Spring Security SAML

If you are going to be developing web applications in Java, there is no doubt you are familiar with Spring Boot, a veritable toolbox for developing web applications. The most common method of authenticating users is database authentication, where credentials are stored in a database to identify authorized users that are accessible by the application. A common open standard is SAML, which can be used to handle authentication, specifically between service providers and identity providers. 

While configuring SAML auth in Spring Security is common and can be shown in many different examples, like this one from the Okta blog, it can add another layer of difficulty when continuing both database and SAML authentication methods in the same Spring Boot application. This will allow the user to be authenticated both ways, and this tutorial will show you how to find a solution! 

Posted on

Authentication with Spring Boot and Spring Security — JWT and Postgres

I am going to talk about what has become a very common requirement for web/cloud-applications these days: Authentication in the context of REST API calls using JSON Web Token, or commonly known as JAWT these days.

The idea behind JSON WebToken is to provide authentication in a stateless API world. The tokens are generated with a Key on the basis of Subject (could be a unique field or combination for a user e.g id, username etc.) using an encryption algorithm such as SHA-256 etc.

Posted on

Introduction to Spring Data JPA, Part 3: Unidirectional One to Many Relations

We will look into unidirectional one-to-many relations. We will use Cascade Types, a constructor-based dependency injection by removing the @Autowired annotation. We will accomplish this with a small implementation where we will handle the DELETE operation, understand  @PathVariable annotation, use Orphan removal, and the @Transaction  annotation.

Let us consider an organization. Here there will be many employees, each taking up different tasks. Let us call the employees users and classify their tasks into roles they play. Some may be performing managerial task, so we'll give them the role MANAGER. Some may be performing system administration tasks, so we'll give them the role ADMIN.  

Posted on

Implement OAuth 2.0 Easily with Spring Boot and Spring Security

In this tutorial, you’ll migrate Spring Boot with OAuth 2.0 support from version 1.5.x to 2.1.x. Spring Boot 2.1.x promotes OpenID Connect to a first-class citizen in the stack, making implementation more accessible than ever. We’ll start with integrating Okta’s OAuth service using Spring Boot 1.5.19 and Spring Security 4.2.x and then replicate the same motion using Spring Boot 2.1.3 and Spring Security 5.1. To make the process even simpler, we’ll minimize the code and configuration even further with Okta’s Spring Boot Starter with Spring Boot 2.1.3. 

Three Minute Overview of OpenID Connect and OAuth 2.0

In the beginning, there were siloed web sites that didn’t talk to each other, and it was sad.

Posted on

Tutorial: Secure Your Java App in 5 Minutes with OAuth 2.0

Present-day apps depend on user authentication, which can be challenging for Java developers. Many developers build their own authentication service as a placeholder for a more powerful option only for that homegrown service to become a permanent solution. Through this post, I will show you how to integrate an enterprise auth service to a simple app as a solution to ending this heartbreak of a cycle. 

We’ll create an app that showcases user information. We’ll manually compose the authentication in the app to see the downsides. We’ll then move to the enterprise-auth solution. By the end of this post, you’ll learn how to secure a working Spring app using OAuth 2.0 for authentication in just 5 minutes.

Posted on

What Developers Need to Know About Java Security

Java gained a reputation as a secure programming language when it was introduced in the mid-1990s. At that time, C or C++ was used for the majority of business programming. Java removed many pitfalls and vulnerabilities of those languages, like manual memory allocation.

This reputation as a more secure language does not mean that all Java code is automatically secure. Developers still have to make sure that they deliver secure code. Fortunately, you can stay on top of your Java security by keeping an eye on possible Java threats.

Posted on

Deep Dive to OAuth2.0 and JWT (Part 4 JWT Use Case)

Up your Spring Security game!

Scenario

Assume that you are building an application for a hypothetical store chain. Each user of this application is assigned a role, and each role has a defined set of activities that it can perform (technically the API that it can access). Let say this store has the following roles and activities. (Note: this is part our in a series on JWTs security best-practices, parts one, two, and three can be found here, here, and here, respectively.)

  • Admin
    • Can add new stores.
    • Can add new users and assign roles to them (store admin and store user).
  • Store Manager
    • Can add new products to the store.
    • Can remove products from the store.
    • Can update product details.
  • User
    • Can view his/her detail.
    • Can view all products.
    • Can view a product using product id.
    • Can get all products from a store.

Environment

We will be implementing authentication with the following tools:

Posted on

Secure and Deploy Your Spring Boot App With AWS Elastic Beanstalk

Authentication and good user experience are crucial for all applications. Developers and companies need a quick way to verify and validate the requesters, without sacrificing the user experience. Seem like a lot of work, right? Luckily, we have tools like Spring Boot with Spring Security that allows developers to incorporate authentication within apps effectively. 

In this post, we’ll use Spring Boot with OAuth 2.0 to build a “Hello World” app and deploy it through AWS Elastic Beanstalk. We’ll also use Okta as the OAuth provider.

Posted on

Integrate SSO With Spring Boot and OAuth 2.0

Integrate SSO with Spring Boot and OAuth 2.0.

Single sign-on (SSO) is the standard nowadays, regardless of industry or company size. It might be strange to think that SSO used to only be available to enterprise companies that could afford it. 

Today, with service providers like Okta and enabling technologies such as OpenID Connect (OIDC) and OAuth 2.0, developers can easily integrate SSO into their websites and apps