1 of 13

Spring Book

About this book

Inside the Guide

This guide is a concise collection of spring boot knowledge we picked up over the years of Java development, the sections are divided up as follows:

Tutorials - longer format deep dives into topics
Recipes - quick code first solution oriented bites

Any feedback would be very much appreciated at [email protected]

If you like this content you may want to partner with us for your development needs

While our guide provides the some quick tips, sometimes achieving your project goals requires a bit more. That's where we come in. At Katyella, we provide US based staff augmentation. Whether you're looking to scale your team quickly or need specific expertise, we're here to help.

Interested in learning more about how we can help bring your projects to the next level? Visit us at . Let's make your development journey a shared success.

Tutorials

JWT Authentication and Role-Based Authorization with Java Spring Boot

Introduction to JSON Web Tokens (JWTs), Authentication, and Authorization

JSON Web Tokens (JWTs) are a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret or a public/private key pair using the RSA or ECDSA algorithms.

Role in Authentication

Authentication is the act of validating that users are who they claim to be using passwords, biometrics, one-time passwords, and more. JWTs can be used to establish the identity of users. When a user logs in, the server generates a JWT that encodes a set of claims. The server then returns this token to the client, and the client sends the token back with each request. The server verifies the token and only allows the request to proceed if the token is valid.

Role in Authorization

Authorization is the process by which individual users or groups of users are granted access to a specific resource or function. JWTs also play a crucial role in authorization, as they enable servers to know what resources a user can have access to. When the JWT includes claims like user roles or permissions, the server can determine whether to grant or deny access to certain operations or resources.

Importance in API Security and Access Control

Securing APIs and managing access control are critical in web applications. JWTs help in securing APIs by allowing the server to process requests without having to look up too much user information since the token is self-contained. The authorization process using JWTs enables role-based access control, ensuring that users only have access to the resources and operations their role permits.

Overall, JWTs are integral to the security architecture of modern web applications, enabling reliable authentication and fine-grained authorization while also being lightweight and easily transmittable over the web.

Project Setup

Overview of Tools and Technologies

In this project, we are going to employ several key tools and technologies:

Java Spring Boot: An open-source Java-based framework used to create a microservice. It is easy to create stand-alone, production-grade Spring based applications with minimal effort.
H2 Database: A lightweight in-memory database that can be embedded in Java applications or run in the client-server mode. It's perfect for development and testing since it doesn't require any setup like a regular database.
JSON Web Tokens (JWT): A standard token format used in authentication and authorizations that allows you to securely transmit data between parties as a JSON object.

Creating Your Spring Boot Project

Visit the .
Select Maven as your Project Type and Java as your language
Choose your desired version of Spring Boot. This tutorial uses 3.2.2.

Once downloaded and extracted, create the following Java Packages in your <ArtifactId> folder (com in this diagram)

Adding Necessary Dependencies

To include the necessary dependencies for Spring Security, the H2 database, and JWT, open the pom.xml file and add the following dependencies:

Make sure to consult the official documentation for up-to-date version numbers.

Set Properties in `application.resources`

We will need to configure a few properties related to our H2 database, logging, JWT authentication, and authorization. Here are the settings used in our project:

Configuring Spring Security

To secure our web application, we implement Spring Security by defining a SecurityConfig class. This class utilizes a combination of annotations to integrate Spring Security with our project effectively.

Below is an overview of what the SecurityConfig class accomplishes:

@EnableWebSecurity: This annotation activates Spring Security’s web security support and provides the Spring MVC integration. It also extends the Spring Security configuration using HTTPSecurity.
@EnableMethodSecurity: This enables method-level security based on annotations. It allows us to secure methods in our controllers by specifying roles and conditions for access.

The SecurityConfig includes the following Beans:

AuthenticationProvider: This Bean sets the custom user details service and password encoder. It is necessary for authenticating users based on username and password.
AuthenticationManager: This Bean gets the authentication manager from Spring Security's AuthenticationConfiguration which in turns help manage the authentication procedure.

Here's how we set up the SecurityConfig:

This setup is pivotal for JWT-based authentication, ensuring that each request is properly authenticated and has the correct authority to access various resources.

Implement JWT Authentication

JWT Authentication is a key aspect in securing web applications by validating the identity of users via tokens. Let's dive into how the JwtService class in the provided code snippet helps in implementing JWT authentication:

The JwtService class performs several essential actions:

Token Generation: generateToken(UserDetails userDetails) method generates a new token for a user based on their UserDetails. It includes the user's username as the subject, current time as the issue time, and sets the expiration time based on the jwtExpirationMs value.
Token Validation: isTokenValid(String token, UserDetails userDetails) method checks if the token is valid by comparing the username in the token with the username in the passed

Here's the entire JwtService code for clarity:

Role-Based Authorization

This code snippet is a sample controller which demonstrates how role-based access-control can be implemented using Spring Security's @PreAuthorize annotation. It provides access to different REST endpoints based on the authenticated user's role.

GET /api/v1/test/users is secured with @PreAuthorize("hasRole('USER')"), restricting access to this endpoint to only allow authenticated users with the USER role.
GET /api/v1/test/admins is annotated with @PreAuthorize("hasRole('ADMIN')"), restricting access to this endpoint to only allow authenticated users with the

A more robust BookControllerthat interfaces with our database will be implemented in the next step. This BookController will use these principles of role-based authorization to manage access to book-related resources.

Build the Books API

Now that we have set up our project, implemented JWT-based authentication and role-based authorization, let's build the Books API to manage book-related resources. We'll create a BookController to handle CRUD (Create, Read, Update, Delete) operations on books.

Test the Application

Now we can start our application, sign up and sign with a new user or sign in with a pre-populated one, and use the JWT returned from that request to access our various endpoints according to the role assigned to our user!

Here's how we can sign up our user:

Or log in with our admin user:

Experiment with different calls with different roles to see how our application restricts what data is available to a user based on their role. Check the /src/test directory in the repo to view some example API calls. You will need to provide the JWT token fetched in the /signin step, and remember, it expires after 1 hour!

Here's an example of accessing the user-restricted endpoint as a user role:

Recipes

Handling Exceptions in RESTful User Responses

Explanation:

In the code snippet above, the BookController class includes:

Method getBookById:
- It uses the bookService to attempt to find the book. If the book is not found, bookService.findBookById(id) will return an empty Optional, and the orElseThrow method will throw a BookNotFoundException.
- The exception message includes the ID of the book that was not found, providing clarity in the logs and to the API users.
Exception Handler handleBookNotFoundException:
- This method remains the same as before. It handles the BookNotFoundException by logging the exception details and returning a user-friendly message along with a 404 Not Found status.

By including the getBookById method, we demonstrate a typical scenario in a RESTful service where a requested resource (in this case, a book) might not exist, leading to an exception that is gracefully handled by the handleBookNotFoundException method.

This structure ensures that your REST API for book management not only handles requests but also deals with exceptions in a user-friendly manner, improving the reliability and usability of your service.

Global REST Error Responses via @ControllerAdvice

Explanation: In RESTful services, ensuring consistent and user-friendly error responses across the entire application is crucial. The @ControllerAdvice annotation in Spring Boot allows you to handle exceptions globally, avoiding the need to declare exception handlers in each controller. Just by having a class with this annotation in the class path. Here's how you can implement global exception handling for a book management RESTful service:

Code Implementation:

Annotation

Proper vs. Improper Way to Implement CRUD in RESTful Services

In this quick recipe, we'll explore the proper and improper ways to implement CRUD (Create, Read, Update, Delete) operations in RESTful services

Proper Way to Implement CRUD in Spring Boot

Service Layer:

Assuming basic CRUD operations are defined in the UserService.

Improper Way to Implement CRUD in Spring Boot

Controller:

Referencing Values from Properties File in Components

Properties File (application.properties)

# Define properties
bookstore.name=My Awesome Bookstore
bookstore.location=Main Street, Springfield

Spring Component

In Spring Boot applications, you can easily externalize configuration and access properties in your components. The above code demonstrates how you can define properties in the application.properties file and inject them into your Spring components using the @Value annotation.

Explanation:

Properties File (application.properties):
- Contains key-value pairs defining properties and their values.
- bookstore.name and

Benefits:

Decoupling of Configuration and Code: Enables changing the application's behavior without code changes by modifying the properties file.
Ease of Maintenance: Centralizes configuration management, simplifying changes and management.
Flexibility for Different Environments: Allows for different configurations in development, testing, and production environments without changing the codebase.

By leveraging the @Value annotation in Spring Boot, you can maintain clean separation between your configuration and code, making your application more adaptable and easier to manage across different environments.

Disabling OAuth2 Security for Integration Tests with @TestConfiguration

TL;DR:

The @TestConfiguration annotation allows for the customization of Spring Boot's application context for testing purposes, without affecting the main application configuration. In the provided code snippet, @TestConfiguration is used to define a SecurityFilterChain bean that disables OAuth2 security, simplifying integration testing by bypassing authentication and authorization steps.

Explanation:

Custom Acutator Endpoints

TL;DR:

The @Endpoint annotation in Spring Boot Actuator allows for the creation of custom endpoints to expose specific application metrics or operations. In the provided code snippet, a custom endpoint activeSessions is defined to report the current number of active sessions, leveraging the SessionRegistry for real-time session tracking. This addition enhances monitoring capabilities by providing insights into user engagement and system load.

Detailed Explanation:

Purpose of @Endpoint: The @Endpoint annotation marks a class as a custom Actuator endpoint, enabling it to expose specific data or operations through the Actuator framework. It's a powerful feature for extending the built-in monitoring and management capabilities of Spring Boot.
Exposing Active Sessions Count: The activeSessions endpoint is designed to help monitor the current load on the application by reporting the number of active user sessions. This information is crucial for understanding user engagement and for scaling and performance tuning efforts.
Utilizing SessionRegistry: The SessionRegistry is a Spring Security class that tracks all active sessions. By injecting SessionRegistry into the custom endpoint, it's possible to count and report the number of active sessions in real-time.
Accessing the Custom Endpoint:
- HTTP GET Request: http://localhost:8080/actuator/activeSessions
- Response Example:

Benefits:

Enhanced Monitoring: Adding a custom endpoint for active sessions directly addresses the need for real-time monitoring of user engagement, offering a clear view of the application's current load.
Operational Efficiency: With this endpoint, administrators and developers can quickly assess the application's performance and responsiveness, enabling proactive adjustments to infrastructure and application settings.
Strategic Decision Making: Information on active sessions aids in capacity planning and scalability strategies, ensuring that the application can handle peak loads efficiently.

By integrating a custom Actuator endpoint to monitor active sessions, Spring Boot applications can significantly improve their operational monitoring and management capabilities. This approach not only provides valuable insights into application performance but also supports informed decision-making for enhancing user experience and system reliability.

Simplifying Spring Services with Lombok

Lombok is a Java library that helps reduce boilerplate code, particularly useful in Spring applications for creating cleaner, more maintainable codebases.

TL;DR:

Lombok's @RequiredArgsConstructor, @Slf4j, and @Data annotations significantly reduce the boilerplate code in Spring services and entities. @RequiredArgsConstructor automatically generates a constructor for dependency injection,

Logging Entities in Spring with Lombok

Effectively use Lombok for logging while cautiously managing entities with lazy-loaded relationships to circumvent potential performance issues.

Service Class with Lombok Logging:

Log Output Example:

TL;DR:

Utilizing Lombok's @ToString annotation with the exclude attribute allows for the exclusion of lazy-loaded fields, such as orders in a User entity, preventing unintended loading during logging. The @Slf4j

WebScrapping on a Schedule

Spring Boot application for web scraping with JSoup

import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.scheduling.annotation.EnableScheduling;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Service;

@SpringBootApplication
@EnableScheduling
public class WebScrapingApplication {

    public static void main(String[] args) {
        SpringApplication.run(WebScrapingApplication.class, args);
    }

    @Service
    public static class WebScrapingService {

        @Scheduled(fixedRate = 10000) // Runs every 10 seconds
        public void scrapeWebsite() {
            try {
                Document doc = Jsoup.connect("https://example.com").get();
                String title = doc.title();
                System.out.println("Website Title: " + title);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
}

TL;DR:

Setup: This Spring Boot application is configured to perform web scraping tasks using JSoup. It includes the @EnableScheduling annotation to enable scheduled tasks.
Scheduled Task: The WebScrapingService class contains a method scrapeWebsite annotated with @Scheduled, set to execute every 10 seconds. This method uses JSoup to connect to a specified URL, retrieves the document, and prints the website's title.
Running: Upon running the application, the scheduled task will automatically scrape the website at the defined interval, demonstrating a basic use case of web scraping in a Spring Boot application.

This example provides a streamlined approach to integrating web scraping capabilities into a Spring Boot application, showcasing the ease of setting up scheduled tasks with JSoup for HTML parsing.

JWT Authentication and Role-Based Authorization with Java Spring Boot

Introduction to JSON Web Tokens (JWTs), Authentication, and Authorization

Role in Authentication

Role in Authorization

Importance in API Security and Access Control

Project Setup

Overview of Tools and Technologies

In this project, we are going to employ several key tools and technologies:

Java Spring Boot: An open-source Java-based framework used to create a microservice. It is easy to create stand-alone, production-grade Spring based applications with minimal effort.
H2 Database: A lightweight in-memory database that can be embedded in Java applications or run in the client-server mode. It's perfect for development and testing since it doesn't require any setup like a regular database.
JSON Web Tokens (JWT): A standard token format used in authentication and authorizations that allows you to securely transmit data between parties as a JSON object.

Creating Your Spring Boot Project

Visit the .
Select Maven as your Project Type and Java as your language
Choose your desired version of Spring Boot. This tutorial uses 3.2.2.

Once downloaded and extracted, create the following Java Packages in your <ArtifactId> folder (com in this diagram)

Adding Necessary Dependencies

To include the necessary dependencies for Spring Security, the H2 database, and JWT, open the pom.xml file and add the following dependencies:

Make sure to consult the official documentation for up-to-date version numbers.

Set Properties in `application.resources`

We will need to configure a few properties related to our H2 database, logging, JWT authentication, and authorization. Here are the settings used in our project:

Configuring Spring Security

Below is an overview of what the SecurityConfig class accomplishes:

@EnableWebSecurity: This annotation activates Spring Security’s web security support and provides the Spring MVC integration. It also extends the Spring Security configuration using HTTPSecurity.
@EnableMethodSecurity: This enables method-level security based on annotations. It allows us to secure methods in our controllers by specifying roles and conditions for access.

The SecurityConfig includes the following Beans:

AuthenticationProvider: This Bean sets the custom user details service and password encoder. It is necessary for authenticating users based on username and password.
AuthenticationManager: This Bean gets the authentication manager from Spring Security's AuthenticationConfiguration which in turns help manage the authentication procedure.

Here's how we set up the SecurityConfig:

This setup is pivotal for JWT-based authentication, ensuring that each request is properly authenticated and has the correct authority to access various resources.

Implement JWT Authentication

The JwtService class performs several essential actions:

Token Generation: generateToken(UserDetails userDetails) method generates a new token for a user based on their UserDetails. It includes the user's username as the subject, current time as the issue time, and sets the expiration time based on the jwtExpirationMs value.
Token Validation: isTokenValid(String token, UserDetails userDetails) method checks if the token is valid by comparing the username in the token with the username in the passed

Here's the entire JwtService code for clarity:

Role-Based Authorization

GET /api/v1/test/users is secured with @PreAuthorize("hasRole('USER')"), restricting access to this endpoint to only allow authenticated users with the USER role.
GET /api/v1/test/admins is annotated with @PreAuthorize("hasRole('ADMIN')"), restricting access to this endpoint to only allow authenticated users with the

Build the Books API

Test the Application

Here's how we can sign up our user:

Or log in with our admin user:

Here's an example of accessing the user-restricted endpoint as a user role:

package dev.katyella.oauth.configs; import dev.katyella.oauth.filters.JwtAuthenticationFilter; import dev.katyella.oauth.services.UserService; import lombok.RequiredArgsConstructor; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration; import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; @Configuration @EnableWebSecurity @EnableMethodSecurity @RequiredArgsConstructor public class SecurityConfig { private final JwtAuthenticationFilter jwtAuthenticationFilter; private final UserService userService; private final PasswordEncoder passwordEncoder; @Bean public AuthenticationProvider authenticationProvider() { DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(); authProvider.setUserDetailsService(userService.userDetailsService()); authProvider.setPasswordEncoder(passwordEncoder); return authProvider; } @Bean public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception { return config.getAuthenticationManager(); } @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .csrf(AbstractHttpConfigurer::disable) .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .authorizeHttpRequests(authorize -> authorize .requestMatchers(HttpMethod.POST, "/api/v1/signup", "/api/v1/signin").permitAll() .requestMatchers(HttpMethod.GET, "/api/v1/test/**").permitAll() .anyRequest().authenticated() ) .authenticationProvider(authenticationProvider()).addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class); return http.build(); } }

package dev.katyella.oauth.services; import java.security.Key; import java.util.Date; import java.util.HashMap; import java.util.Map; import java.util.function.Function; import org.springframework.beans.factory.annotation.Value; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.stereotype.Service; import io.jsonwebtoken.Claims; import io.jsonwebtoken.Jwts; import io.jsonwebtoken.SignatureAlgorithm; import io.jsonwebtoken.io.Decoders; import io.jsonwebtoken.security.Keys; @Service public class JwtService { @Value("${token.secret.key}") String jwtSecretKey; @Value("${token.expirationms}") Long jwtExpirationMs; public String extractUserName(String token) { return extractClaim(token, Claims::getSubject); } public String generateToken(UserDetails userDetails) { return generateToken(new HashMap<>(), userDetails); } public boolean isTokenValid(String token, UserDetails userDetails) { final String userName = extractUserName(token); return (userName.equals(userDetails.getUsername())) && !isTokenExpired(token); } private <T> T extractClaim(String token, Function<Claims, T> claimsResolvers) { final Claims claims = extractAllClaims(token); return claimsResolvers.apply(claims); } private String generateToken(Map<String, Object> extraClaims, UserDetails userDetails) { return Jwts .builder() .setClaims(extraClaims) .setSubject(userDetails.getUsername()) .setIssuedAt(new Date(System.currentTimeMillis())) .setExpiration(new Date(System.currentTimeMillis() + jwtExpirationMs)) .signWith(getSigningKey(), SignatureAlgorithm.HS256) .compact(); } private boolean isTokenExpired(String token) { return extractExpiration(token).before(new Date()); } private Date extractExpiration(String token) { return extractClaim(token, Claims::getExpiration); } private Claims extractAllClaims(String token) { return Jwts .parserBuilder() .setSigningKey(getSigningKey()) .build() .parseClaimsJws(token) .getBody(); } private Key getSigningKey() { byte[] keyBytes = Decoders.BASE64.decode(jwtSecretKey); return Keys.hmacShaKeyFor(keyBytes); } }

Spring Book

About this book

Tutorials

JWT Authentication and Role-Based Authorization with Java Spring Boot

hashtagIntroduction to JSON Web Tokens (JWTs), Authentication, and Authorization

hashtagRole in Authentication

hashtagRole in Authorization

hashtagImportance in API Security and Access Control

hashtagProject Setup

hashtagOverview of Tools and Technologies

hashtagCreating Your Spring Boot Project

hashtagAdding Necessary Dependencies

hashtagSet Properties in `application.resources`

hashtagConfiguring Spring Security

hashtagImplement JWT Authentication

hashtagRole-Based Authorization

hashtagBuild the Books API

hashtagTest the Application

Recipes

Handling Exceptions in RESTful User Responses

Global REST Error Responses via @ControllerAdvice

Proper vs. Improper Way to Implement CRUD in RESTful Services

Referencing Values from Properties File in Components

Disabling OAuth2 Security for Integration Tests with @TestConfiguration

Custom Acutator Endpoints

Simplifying Spring Services with Lombok

hashtagTL;DR:

Logging Entities in Spring with Lombok

WebScrapping on a Schedule

hashtagTL;DR:

About this book

JWT Authentication and Role-Based Authorization with Java Spring Boot

hashtagIntroduction to JSON Web Tokens (JWTs), Authentication, and Authorization

hashtagRole in Authentication

hashtagRole in Authorization

hashtagImportance in API Security and Access Control

hashtagProject Setup

hashtagOverview of Tools and Technologies

hashtagCreating Your Spring Boot Project

hashtagAdding Necessary Dependencies

hashtagSet Properties in `application.resources`

hashtagConfiguring Spring Security

hashtagImplement JWT Authentication

hashtagRole-Based Authorization

hashtagBuild the Books API

hashtagTest the Application

Handling Exceptions in RESTful User Responses

WebScrapping on a Schedule

hashtagTL;DR:

Referencing Values from Properties File in Components

Simplifying Spring Services with Lombok

hashtagTL;DR:

Logging Entities in Spring with Lombok

Global REST Error Responses via @ControllerAdvice

Disabling OAuth2 Security for Integration Tests with @TestConfiguration

hashtagConclusion

hashtagDetailed Explanation

hashtagConclusion

Custom Acutator Endpoints

Proper vs. Improper Way to Implement CRUD in RESTful Services

Introduction to JSON Web Tokens (JWTs), Authentication, and Authorization

Role in Authentication

Role in Authorization

Importance in API Security and Access Control

Project Setup

Overview of Tools and Technologies

Creating Your Spring Boot Project

Adding Necessary Dependencies

Set Properties in `application.resources`

Configuring Spring Security

Implement JWT Authentication

Role-Based Authorization

Build the Books API

Test the Application

TL;DR:

TL;DR:

Introduction to JSON Web Tokens (JWTs), Authentication, and Authorization

Role in Authentication

Role in Authorization

Importance in API Security and Access Control

Project Setup

Overview of Tools and Technologies

Creating Your Spring Boot Project

Adding Necessary Dependencies

Set Properties in `application.resources`

Configuring Spring Security

Implement JWT Authentication

Role-Based Authorization

Build the Books API

Test the Application

TL;DR:

TL;DR:

Conclusion

Detailed Explanation

Conclusion