gary-archer/oauth.apisample.javaspringboot

Final Java Spring Boot API

The final OAuth secured Java API code sample, which returns mock investments data:

  • The API takes finer control over claims-based authorization to enable security with good manageability.
  • The API uses structured logging and log aggregation, for the best supportability.

API Serves Frontend Clients

The API can run as part of an OAuth end-to-end setup, to serve my blog's UI code samples.
Running it this way keeps the API focused on the needs of its consumers, the frontend clients:

SPA and API

API Security is Testable

The API's clients are UIs, which get user-level access tokens by running an OpenID Connect code flow.
For productive test-driven development, the API's tests instead run against a mocked authorization server:

Test Driven Development

API is Load Testable

A basic load test fires batches of concurrent requests at the API.
This further verifies reliability and the correctness of API logs.

Load Test

API is Supportable

You can aggregate API logs to Elasticsearch and run Technical Support Queries.

Support Queries

Local Development Quick Start

To run the code sample locally you must configure some infrastructure before you run the code.

Configure DNS and SSL

Configure custom development domains by adding these DNS entries to your hosts file:

127.0.0.1 localhost api.authsamples-dev.com login.authsamples-dev.com

Install OpenSSL 3+ if required, create a secrets folder, then create development certificates:

export SECRETS_FOLDER="$HOME/secrets"
mkdir -p "$SECRETS_FOLDER"
./certs/create.sh

If required, configure Java SSL trust for the root CA at the following location:

./certs/authsamples-dev.ca.crt

You can do so with the following command, which adds the development root CA to the JDK's own cacerts trust store, so every JVM that uses this JDK then trusts it:

sudo "$JAVA_HOME/bin/keytool" -import -alias authsamples.ca -cacerts -file ./certs/authsamples-dev.ca.crt -storepass changeit -noprompt

Clean up after testing with this command:

sudo "$JAVA_HOME/bin/keytool" -delete -alias authsamples.ca -cacerts -storepass changeit -noprompt

Run the Code

  • Install a Java 21+ SDK.
  • Also install Docker to run integration tests that use Wiremock.

Then run the API with this command:

./start.sh

Test the API

Stop the API, then re-run it with a test configuration:

./testsetup.sh

Then run integration tests and a load test:

./gradlew test
./gradlew loadtest

Further Details

Programming Languages

  • The API uses Java 21 and Spring Boot 3.

Infrastructure

  • Tomcat is the HTTP server that hosts the API endpoints.
  • AWS Cognito is the API's default authorization server.
  • The jose4j library manages in-memory JWT validation.
  • The project includes API deployment resources for Docker and Kubernetes.
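The test-driven approach described above (a mocked authorization server issuing user-level tokens), together with jose4j in-memory JWT validation and a claims-based authorization check, as an added example that is not the sample project's own code. The mock issuer signs tokens with a throwaway RSA key and publishes only the public half as a JWKS document, exactly as a real authorization server would; the API side validates signature, issuer, audience and expiry with jose4j and then authorizes on a `scope` claim. The issuer, audience, scope values and claim names are assumptions chosen for illustration, not values taken from the project.

```java
// Added example, not the sample project's code: a test-time mock authorization server
// beside the jose4j validation and claims check an API would run against its tokens.
import java.util.List;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.lang.JoseException;

public class MockAuthServerExample {

    // Assumed values for illustration; a real API reads these from configuration.
    static final String ISSUER = "https://login.authsamples-dev.com";
    static final String AUDIENCE = "api.authsamples-dev.com";

    /** Stand-in for the authorization server: owns a signing key and publishes a JWKS. */
    static final class MockAuthorizationServer {
        final RsaJsonWebKey key;

        MockAuthorizationServer() throws JoseException {
            key = RsaJwkGenerator.generateJwk(2048);   // fresh key per test run, never persisted
            key.setKeyId("test-key-1");
            key.setAlgorithm(AlgorithmIdentifiers.RSA_USING_SHA256);
        }

        /** The JWKS document as the API would fetch it: public key material only. */
        String jwksJson() {
            return new JsonWebKeySet(key).toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY);
        }

        /** Issue a user-level access token carrying the claims the API authorizes on. */
        String issueAccessToken(String subject, String scope, int ttlMinutes) throws JoseException {
            JwtClaims claims = new JwtClaims();
            claims.setIssuer(ISSUER);
            claims.setAudience(AUDIENCE);
            claims.setSubject(subject);
            claims.setIssuedAtToNow();
            claims.setExpirationTimeMinutesInTheFuture(ttlMinutes);
            claims.setGeneratedJwtId();
            claims.setClaim("scope", scope);   // assumed claim name for the example

            JsonWebSignature jws = new JsonWebSignature();
            jws.setPayload(claims.toJson());
            jws.setKey(key.getPrivateKey());
            jws.setKeyIdHeaderValue(key.getKeyId());
            jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
            return jws.getCompactSerialization();
        }
    }

    /** API side: build the validator from the JWKS document, pinning issuer, audience and algorithm. */
    static JwtConsumer buildValidator(String jwksJson) throws JoseException {
        List<JsonWebKey> keys = new JsonWebKeySet(jwksJson).getJsonWebKeys();
        return new JwtConsumerBuilder()
            .setVerificationKeyResolver(new JwksVerificationKeyResolver(keys))   // key chosen by kid
            .setJwsAlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                                        AlgorithmIdentifiers.RSA_USING_SHA256)    // no "none", no HMAC
            .setExpectedIssuer(ISSUER)
            .setExpectedAudience(AUDIENCE)
            .setRequireExpirationTime()
            .setRequireSubject()
            .setAllowedClockSkewInSeconds(30)
            .build();
    }

    /** Claims-based authorization: a valid token alone does not grant access to a resource. */
    static boolean isAuthorized(JwtClaims claims, String requiredScope) throws MalformedClaimException {
        String scope = claims.getStringClaimValue("scope");
        return scope != null && List.of(scope.split(" ")).contains(requiredScope);
    }

    public static void main(String[] args) throws Exception {
        MockAuthorizationServer mockAs = new MockAuthorizationServer();
        JwtConsumer validator = buildValidator(mockAs.jwksJson());

        // Valid token with the required scope: authenticated and authorized.
        JwtClaims claims = validator.processToClaims(mockAs.issueAccessToken("user-123", "openid investments", 15));
        System.out.println(claims.getSubject() + " may read investments: " + isAuthorized(claims, "investments"));

        // Valid token without the scope: authentication succeeds, authorization must still fail.
        JwtClaims limited = validator.processToClaims(mockAs.issueAccessToken("user-123", "openid", 15));
        System.out.println("scope 'openid' only may read investments: " + isAuthorized(limited, "investments"));

        // Token signed by a key the API never trusted (same kid): signature verification fails.
        MockAuthorizationServer rogue = new MockAuthorizationServer();
        try {
            validator.processToClaims(rogue.issueAccessToken("attacker", "investments", 15));
            System.out.println("unexpected: rogue token accepted");
        } catch (InvalidJwtException e) {
            System.out.println("rogue token rejected: " + e.getErrorDetails());
        }
    }
}
```

The JWKS round trip through `toJson(PUBLIC_ONLY)` is deliberate: it mirrors what a test double such as Wiremock would serve over HTTP, and it guarantees the validator never sees the private key. Pinning the permitted JWS algorithm is the check most often missing in hand-rolled validators; without it a token whose header names a different algorithm can be accepted if the resolver returns a usable key.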
