Spring Data REST – Data Meets Hypermedia + Security

So today we're here to talk about Spring Data REST: Data Meets Hypermedia. We've got a lot of fun demos, so we're in for a treat here. For some quick introductions: my name is Greg Turnquist, and I'm Roy Clarkson, and we both work at Pivotal, so you can follow us on Twitter.

I want to start it off and ask a question: does anybody recognize what website this is? Now, I will admit that there's a shameless plug for a book I wrote last fall that happens to be there. It's a certain website where you can maybe buy a couple of books; that's all they do, right? I hear they do other stuff, but they sell stuff to some developers. Yeah, this is Amazon. But is something missing from this website? It seems a little bare. Well, what's missing are a whole bunch of links. How many links were missing on this previous slide? If you flip between the two, about that many links are gone. I went and wrote a little code and yanked out all the links, and instead I thought, you know, is the answer to a page with no links to actually go and navigate to a document that looks like that? Anybody recognize what kind of document that is? Swagger. I went and took all the links and put over 200 links into a Swagger document. That's definitely how I want to shop on Amazon. I don't know if my mother could purchase anything at Amazon if she had to use this kind of approach to things.

So I've got a couple of opening quotation marks here. This is one statement by Roy Fielding, the man that wrote the PhD thesis on REST, and he said: "I'm getting frustrated by the number of people that are calling any HTTP-based service or interface a REST API. Today's example is the SocialSite API; it's RPC, it screams RPC. So what needs to be done to make the REST architectural style clear that hypertext is a constraint? If the engine of application state, and the API, is not driven by hypertext, it cannot be RESTful; it's not a REST API. Is there a broken manual somewhere that needs to be fixed?" I feel like everybody out there is trying to solve this problem of, you know, we need documentation, we need links and stuff, but they're going and using other solutions instead of what was actually written in the dissertation on REST.

So we're going to show how Spring Data REST kind of tackles this. The point is not that everything is a REST API; no, not everything fits into that constraint, not everything works that way. But we're going to go explore what Spring Data REST can do with that, and to do that I'm going to start off with a quick demo. This is my phone here, streamed up on the display. This is my billion-dollar idea: I'm going to launch this app, it's going to be called Springagram, and I'm going to sell it to some big social network company for maybe a billion dollars. I'll take five. You'll settle for five. So I'm going to do a Josh Long style thing: let's get a picture here. Let me see if it'll... it did it earlier, it would actually auto... okay, all right, let's take a picture. We'll take that. Let's upload it to my cool site. I hit the button right there. Okay, uploading, uploading... oh, that's the problem, I need to log back in, secure site. Okay, let's try that again. All right, woohoo, okay, use the picture, uploading, over right there. There's our awesome picture. Let's set it right side up. And it's right side up, and, you know, let's tweet it out there and share it with all our friends online. Okay, so

that was my... this is our real cool demo app that's going to make us tons of money, where you take pictures and upload them, and it's all built on top of Spring Data REST and other stuff we're going to dive into here. In fact, the various components of Spring are on the page here. At the bottom of everything we use the awesomely cool Spring Framework. We've got some Spring Boot sitting on top of that to make stuff really slick and cool, and if you're getting into Boot, go check out this interesting book called Learning Spring Boot. Okay, on top of that we have some Spring Data, Spring HATEOAS, wait, I'm sorry, and we also have some Spring Security, and we even have some cloud stuff here, Spring Cloud and Spring Cloud Services, to make a very cool development experience.

So we're going to spend the first part of this discussion going into what Spring Data REST is, what hypermedia is, and things like HAL, and then later on we'll show adding on some other critical features in production. What Spring Data REST is: it's a project that leverages hypermedia and internet standards. It makes it possible for you to go build apps and export your data, and do it the right way, the RESTful way, the first time. We use a lot of existing standards; we don't go and invent our own format of data. Instead we're using popularly accepted ones out there like HAL, the Hypertext Application Language. ALPS is a form of metadata to describe the services; another variant of that is called JSON Schema. Those are draft standards right now. But we also use things like URI templates; that's where you can have a path to a resource but parts of it are parameterized, so you can feed arguments to it. We have a media type called text/uri-list where you can feed a list of URIs for a collection, and then we have something called a profile link relation, which is a standard definition of where to go look for metadata. And so the big message in all this stuff is that we're not building our own proprietary format, we're not building something you're going to be locked into; instead we're building what the REST community is finding very popular and interesting. And later on we actually have a tool that was built by somebody, the person that wrote the HAL spec, to talk to HAL services, and it works with our stuff perfectly.

So Greg, can you tell me what the relationship is between Spring Data REST and Spring HATEOAS? How do those things work together, or what's the difference? Okay, well, you know, at the top of the stack is Spring Data REST. Spring Data REST takes several things together. For instance, its job is to go look at any repository-based solution that you're using, like if you were at Christoph's presentation on Spring Data Elasticsearch and its repository model; there's other things like JPA and stuff. What Spring Data REST will do is export the data, but what it's doing is leveraging the Spring HATEOAS library below it to build links. The Spring HATEOAS library is designed to help you go build links in your applications, and Spring Data REST takes it the extra mile by automatically generating the links for you. And then underneath all that is basically Spring MVC, where we have our built-in native REST support. So at the end of the day, when you build a Spring Data REST app, what you're really doing is building a Spring MVC app with Spring Data stirred into it. Which different repositories are supported? Well, for our demo we're using Spring Data JPA, but we know that it works with MongoDB, Neo4j, GemFire, Cassandra; those are the ones I've officially tested. I'm not sure about Apache Solr, but anybody that implements the repository model that Ollie was talking about this morning should work with Spring Data REST out of the box.

Now I want to talk here about a little bit of data and what it looks like in the code. The picture I just snapped and uploaded: what we do in this app is we call it an item. In this case we're talking about a RESTful resource, so this is an item resource record. At the top you see that it has a piece of data called an image, and there it's a URL to the actual image that it's going to render on the page. But then below that it has a _links attribute, and this is the part of hypermedia that's critical: I can look at this particular image, but I also have links to show me related data that's relevant to this record. The first item on the list is a self link, and in REST a self link is a link to this record; it's kind of like using a this pointer inside your code. And this is a HAL representation? Yeah, this is a HAL-formatted document. The notation that it's using,

_links, comes right out of the HAL spec. Further down you can see the second item is item, and it tells us that this item in fact does have some options we can feed it; it's a URI template. You can see the projection bit at the right-hand side, and it tells us it's templated, and that particular format is what the URI Templates spec looks like. So you go out and find a library, like a JavaScript library, and if it speaks HAL or it speaks URI templates, then you can do that. That's what we're actually using as part of the demo; we're going to show how to use that later in the presentation. At the bottom we can see the gallery. That's a relationship, which I'll show you the code for in a moment, and this shows that for this particular item, item 32, we can go to /items/32/gallery and find the gallery that it's associated with. So you can take a picture and you can put it in a gallery.

The record we just saw, here's the code that we have written for it. It's a class called Item. We happen to use some Project Lombok annotations at the top, so I don't have to write any getters or setters, and I've coded it to fine-tune the toString method. But we have a generated ID value, we have a String for the image value, and then we have a many-to-one relationship with a Gallery entity. Now at the bottom there's another piece of data that wasn't shown on the previous record, and that's the user data, because in this case we have security plugged in, and when you upload an image the image gets connected to you, so you own the image. But we put in a @JsonIgnore directive so that it would not get serialized out by default to the screen.

Now the other side of that: we talked about how in our demo app we relate items to galleries, so you can go put several items into one gallery. In this case we have a collection of cats. It looks like before: it has the data at the top, in this case it just has one field, description: cats, and then below we have the HAL links listed, including its self link. In this case the gallery link looks the same because there's no templated options in this situation, and at the bottom you can start with a gallery and say show me the items related to this gallery. And so if you look at the corresponding class, you can see a similar structure. Here we have an ID field that's managed by the persistence container, we have a String value for the description, and then we have a one-to-many relationship with items. So one gallery can contain many items; one item can belong to one and only one gallery, or zero or one gallery, I should say.

So what I'm going to do here is look at the live system. I have a local copy of the demo app here; let me zoom it up. That's not what I meant. So if I log into my billion-dollar idea, let me go upload a little image here. Okay, so if I go visit this particular image that I uploaded, I can click on my demo app and see a HAL record. Let me zoom it up here to make it a little more readable. So this looks similar to the static data; this is all linked stuff, and the browser can read most of this. If I click on that, it can give me the raw image data. If I click on this, it just keeps taking me back to this. Now here's the fun thing: browsers don't speak URI templates, so if I try to click on that, it's not going to handle it correctly, and I'm going to let Roy talk about that later. But I'm going to do one thing: I'm going to take my little picture and I'm going to put it into this collection. Okay, so now in my collection of cats I have my nice little Bazinga t-shirt shot that I uploaded. When I go to that HAL record and I navigate the gallery relationship, it should take me to the collection of cats. In this case I can see the gallery itself, or I can navigate in the other direction, and now this is a collection of all the items that are in this gallery, and in this case this is all the HAL-formatted document. In this case you see the _embedded tag; it's _embedded because it contains a collection of data in it.

Are you using a plug-in? Yes, in this case I'm using the JSONView plugin, which I've seen work on Chrome and Firefox; I'm unsure about Safari. Safari has this nasty side effect that if you click on certain HAL documents it just downloads them as a text file into your file system, so I don't use Safari for demos. But I can click that button and look at the raw document that it sent me, and this one looks nice and prettified; other systems may look at maybe compressed JSON. So, you know, the idea is I can kind of navigate around, and I want to go look at this stuff in its raw form because everybody understands what JSON is. Let's kind of get the concept down: we have both data and we have relationships via links, and that's what the critical stuff of hypermedia is. Spring Data REST is automatically putting them in there. I didn't have to write any Spring MVC controllers to go take that data that was loaded in the database and export it out here. I didn't have to write any view resolvers or anything like that. Spring Data REST just takes everything that's in your repository and exposes it as hypermedia. Yes, it takes every repository that it can find and will export it, for better or for worse. That leads us to an issue, because part of this thing is to talk about security, which we're going to get to. But first, before we go in that direction, I want to show you what it takes to actually turn on Spring Data REST. You just need these two dependencies: spring-boot-starter-data-rest and spring-boot-starter-data-jpa. If you're not caught up on Spring Boot, Spring Boot comes with a lot of starter POMs, and this is to pull in the items that you need. One thing you'll notice here is there's no version numbers, because when you use Spring Boot the version numbers are pre-picked for you; you don't have to manage that. And the starters usually come with multiple dependencies. In this case, I said we're using Data JPA, but I could have pulled that out and swapped it for another spring-boot-starter-data dependency, or used another dependency for that.

On the other side of that, if you want to write some Java code that's going to talk to one of these services, in other words, what we talked about was for building a server; if you want a Java client to talk to one of these HAL-based services, you want the Spring HATEOAS project. You don't have to have Spring Data REST to talk to one, and in this case you would want the spring-boot-starter-hateoas dependency. Excuse me, so it raises a question: you are using Spring Boot for the application and you've given the Spring Boot dependencies, but are there project dependencies that are not Spring Boot, if somebody would want to, or not want to, use Spring Boot? I can't imagine. Yeah, there's different ways to pick it. You can go to the project pages and actually look up what version; like what I'm going to do is go back to my IDE and let me go to this one, and because that's absolutely unreadable in that format, let's zoom it up a little. So here at the top I have spring-boot-starter-data-jpa and spring-boot-starter-data-rest. What this is doing for me is... that is not the right key. If I open up and look in that POM file, this is spring-boot-starter-data-rest, and scrolling down, here it is pulling in spring-boot-starter, spring-boot-starter-web, jackson-annotations, jackson-databind, spring-core, spring-tx, and spring-data-rest-webmvc. And essentially, if you go pull those up, you can pull in those dependencies yourself if you're not using Boot. Some of these are other Boot starters, so you can navigate down that trail and pull in all the parts. But part of what this shows is that Spring Data REST is very high on the application development stack. Instead of being a low-level framework or a low-level core component, it's a relatively high-level point, pulling in lots of components to build a fully functional web app. That is not what I meant, okay, yeah, the Data JPA one, which is what I was trying to jump to. The Data JPA one pulls in some Boot starter stuff, and you can look down in here; it has things like JDBC, etc. But this is the magic of... if you're not using Spring

Boot, then you should be. If you go do that, a lot of this stuff is covered, and as you upgrade your version of Boot it will upgrade to the latest stable release, or if you're using an M1 release you keep up with what the releases are, and that's a big problem to deal with. Yeah, Dave kept using the phrase "it's magic" last night in the keynote, and it's not magic, but there is some complicated stuff that's going on. I was looking through the Spring HATEOAS auto-configuration in Spring Boot earlier today, and it's a couple of pages long of conditionals and things that Spring Boot is handling for you and wiring up for you that you would have to do on your own if you weren't using Spring Boot. The same thing goes for the rest of the Spring Data projects as well.

Our next slide: a little part of the demo, I was showing you sort of the raw format of the JSON going through the browser, and at the beginning I mentioned that the spec lead for the HAL spec, Mike Kelly, actually went and built a Backbone.js app, a purely front-end app, to talk to HAL services. We actually call it the HAL browser. Let's zoom it back a little so we can see everything. What this is doing is going out and interrogating the same set of data and coming back with stuff. On the left-hand side you can specify your starting point, so it's pointing to our root location where our HAL data is coming from. Down here it shows me some links that it has: there's a galleries link, there's an items link, and then there's a profile link that I was mentioning earlier. Some data, and over here I can see the outputs. Down at the bottom we have another HAL document. This is at the root of your Spring Data REST service; it will show you a link for each of the exported repositories, and in this case we have an item repository and a gallery repository. (Question: does this work in a microservice configuration?) Yeah, absolutely. What maybe some of you spotted, and we're going to talk about in more detail later on, is that this app has actually been split up into multiple microservices. In this case we're talking to one of the microservices at this point in time, looking at this HAL data, and Roy will be able to talk about that a little bit more.

But what I want to stress here is, earlier I was clicking on certain links, and some links the browser knew how to talk to, some the browser did not. This browser does know how to talk to all those links. Like if I click on this thing to go view all items, it shows me that I have several options to pick from, and I can actually go type the values in if I want to substitute any of those arguments. But I'm going to leave them empty and just go ahead and navigate to that. So now if you look at the top here, you can see that I've navigated to /api/items. You may notice that the port number is different from what I started with at the top; that's because I went in through a front end and it routed me to where the actual HAL data is being served from, and we're going to talk more about the microservice stuff later. In this case, we actually got a page of data, but the collection that we saw on /api/items is actually being represented down below in these embedded resources, and I can see that I have one item total, which is my Bazinga shot. If I expand this, I can see that one piece of image data. Earlier, on the raw data, we saw images and we saw the links side by side, but what they do in the HAL browser is show you the data at the top and then put the links in a separate box to navigate by. This makes it possible for me to go in here and actually do POST or PUT operations through this thing; I can make RESTful calls to alter stuff. Like if I'm looking at this, right now I'm looking at item 0, it's my Bazinga shot. I can see the gallery relationship at the bottom, and I can click on that, take me to the gallery, and it takes me to the collection of cats again, and it gives me the links for that thing. And now I can go to the self link, and it does this. The important thing to remember about a self link is, a second ago it read gallery,

let me back it up here: it said /items/1/gallery. That denotes a relationship; it says, in the context of item 1, what is its related gallery. But if you click on a self link, it says now drop all that context and just give me the canonical reference to that gallery, and this is gallery 1. And so over here on the right I can see the links, I can navigate on the links here, and I can also look at what response body was sent back through the thing. So I mean you can take this app and point it at any HAL service, and that's what we did. The only edit I made, and I actually submitted the contribution to this project, was to take advantage of our JSON Schema data when creating new entities. Yeah, that is correct. The question, or comment, is that you can get the link but it didn't show anything about the verbs you can exercise. That's halfway correct, in the sense that there's actually another button over here they call "non-GET", and what this is, they've made this real generic pop-up box here where you can type in all the stuff. Right here they actually default to POST, but you could change that, so you can type it in. They don't have it as a drop-down; it's not actually using any of Spring Data REST's metadata to say what do you support. Like it's not doing an OPTIONS query to say what options do you have. But that was your question: it wasn't actually showing the verbs on the screen. Yeah, I look at this tool, this is a real handy tool, there's a lot of room to improve it, but to me it's kind of fascinating that you can pick this tool up, that was developed by somebody else independently, and because we both are using the same format of data according to the spec, it plugs in, it's interoperable.

Yes, okay, the question is: we're currently demonstrating JPA and we're using one-to-many and many-to-one annotations, and in Neo4j they have new things like... named entity graph? Named graph. Okay, this is where I'm going to meekly say I'm actually not very proficient with Neo4j, so I don't know the answer to that. Oh, oh, it's JPA? My mistake. I don't know what it does in that situation, but that's a very good question, because I would like to know the answer to that. Ollie may know the answer to that one, but he's not here with us today, but we can go try to look that up.

Oh, okay, so if you want this thing, this is all you need to do to add it to your application: put this in there. It's a project that's out on GitHub; they don't even necessarily release it, but there's a WebJar for it. We've grabbed the WebJar, we've wrapped it up with some nice Spring MVC magic, and it's there with one added dependency, so that's dropping it into a Spring Data REST project. Yeah, that's to put this in. Yeah, if you want to use that, you want to go put that into where you have your Spring Data REST stuff, because then it will have that available to look at. Is it the Spring Data REST service that's right there, and you go to it? Yeah, you navigate to it at /browser in your app. In this case I've configured the app to be serving the data up at /api, so in this case you find it at /api/browser. Before we go ahead, I was wondering if you could talk a little bit about consuming this on the client. We talked about the Spring HATEOAS project, but maybe you could show how you... okay, all right. Let me move this to presentation. So I have written the front end using React.js, and if you go check spring.io/blog today, I actually have part two of a five-part blog series that I'm writing

called React.js and Spring Data REST. I wrote a little bit of code, and I happen to be using a library called cujoJS, and they have a library in this toolkit called rest.js that has HAL support and URI template support and some other good stuff. But essentially I have an idea where you start at a root document and you navigate through a set of relationships. In this case I start at the root, and then I go look for a particular relationship name that's in that HAL document, inside the links, called items. So it goes and finds the items HAL document and returns it back. Then in this case we have a custom finder method, and in Spring Data REST it will serve up all the finders underneath a sub-relationship called search, and in there, this is a case to look for all items that are not assigned to a gallery, or where the gallery entry is null. But you can also go use something else, like maybe Restangular or something that people are using in AngularJS. I helped somebody who had built an Angular tutorial, and they'd written a whole lot of boilerplate code, and I said, did you know you can rip out all that Java code, put in Spring Data REST, and your whole app will still work? In that case they had handwritten all the verbs, versus some of these libraries that can actually speak HAL. In this case you can see the _embedded thing, like we showed in that JSON document, etc. But the Spring HATEOAS project itself also has a module if you're writing Java code to talk to it, and what you would go and find in the documentation is called the Traverson library. It was inspired by a JavaScript project with the same name, and it essentially does what this thing is doing, where you can navigate a certain trail of relationships, and at the end then you're like, now let me do something with that data result set, whether it's a single resource or a collection resource.

So it's a general idea that you would know, within your client applications, only the root URL, and then you would be able to traverse the entire data graph without having to hard-code other URLs. Yeah, that's exactly the idea: we should be navigating by relationships, and this is what Roy Fielding meant when he said we need to be using hypermedia to drive what we're doing. In a sense, it's almost like, through the HAL browser I could navigate it because I could see what the things were that were being shown to me, because as the user of it I had to understand it. And to a degree, the idea of hard-coding URIs into the apps makes your app very brittle. So when your URIs change, or there's adjustments made, the relationship could be the same, but it's going to break your code because your URIs are different and you didn't update your Swagger document or something; that's very unfortunate. But in this sense we only have one root document, and that makes it very easy to navigate this stuff.

That's a good question. The question is, is there a way to go ask, hey Spring Data REST, what verbs do you support? So if I'm navigating to this URI, what do you support: do you support GET, do you support POST, what do you support? Spring Data REST supports the HTTP verb OPTIONS, which is designed to do that. You're supposed to be able to use OPTIONS against a URI, and it's supposed to give you back a particular header that lists all the verbs that are available. Right now, by default, the Spring Framework's DispatcherServlet will not actually answer an OPTIONS request; instead it routes it directly to the container. So if you stand up a Spring Data REST service and you actually query that, if you do an OPTIONS query, it's going to go straight to the embedded Tomcat server and say what do you support, and Tomcat says we support everything, so it may not be accurate. There's actually a configuration setting: if you go wire a DispatcherServlet in a Spring Boot app, there's a configuration override where you can say I want the application to answer OPTIONS requests. Then it will delegate it to the app, and then Spring Data REST will answer what it can support or not support in that context. There's talk about, well, what if you wanted to answer it for some things but not for others? The DispatcherServlet currently doesn't handle that situation; it's kind of an all-or-nothing proposition, and they don't turn it on by default because it's viewed right now as a potential security issue to give away that much information.
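Added example (editor's, not code from the talk): the DispatcherServlet override the speaker describes, written as a Spring Boot configuration class. Assumptions: Spring Boot 1.x-style auto-configuration, which backs off when a bean named `dispatcherServlet` already exists, and the package name `demo`. Turning this on is a deliberate choice; the talk's point is that it stays off by default because the answer reveals which methods each resource accepts.

```java
// Added example (editor's own; not from the talk or the Springagram app).
// Makes Spring MVC's DispatcherServlet answer OPTIONS itself instead of
// letting the servlet container reply. Assumption: Spring Boot 1.x, where
// providing a bean named "dispatcherServlet" replaces the auto-configured one.
package demo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.DispatcherServlet;

@Configuration
public class OptionsConfig {

    @Bean(name = "dispatcherServlet")
    public DispatcherServlet dispatcherServlet() {
        DispatcherServlet servlet = new DispatcherServlet();
        // All-or-nothing, as the talk notes: every OPTIONS request handled by
        // this servlet is dispatched into Spring MVC, so Spring Data REST can
        // report the verbs it actually supports for the addressed resource.
        // Leave it at the default (false) if advertising supported methods
        // per resource is not wanted.
        servlet.setDispatchOptionsRequest(true);
        return servlet;
    }
}
```

Check the default for the Spring Framework version you actually run before relying on either behaviour, since this setting has not stayed fixed across releases; once dispatching reaches the application, an `OPTIONS /api/items/1` request is answered by Spring Data REST with an `Allow` header for that resource rather than by Tomcat.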

So we're trying to design and figure out how to deal with that situation, to have it on a more controlled, fine-grained basis. Well, yeah, the other question's about content type, like when you're doing something like posting an image. Part of the stuff I had to do, I had to figure out how the heck do you post an image over a URI, so in this case I had to look up, I think, some JavaScript-specific stuff; I can't remember the details, but I had to look up what the size of the image was to do an upload, which I got in the upload controller. So part of this is there's a particular form to get your data together, the form data you put on the page; you have to collect the data off it. You know, this is getting into some JavaScript details about how to go actually upload files. And this is sort of... am I missing the point there? Okay, like what it does here, the content types: it comes back with JSON, and it defaults here, when you're going to upload, to using the content type application/json. I don't get your point. More or less, what's not indicated in here is that what this stores is a string, and the string in this case is an href to where the image is. And so to do that I would have to go in and put in some message details. Let me go back to the root. Good, so the entry point to your concern is that it's just not giving you enough information back for a client app to not have some domain knowledge about how to use that URL. Here's part of the metadata that I pulled up, and in this case I have a slightly out-of-date message here where it says this is a Base64-encoded version of the image. I need to update that message; it actually reports this is the URL location where the image is hosted. So to actually upload an image it's a two-step process: you first need to upload the image to your file store, then you need to get the location of that, and then go create an entry in the items table with the URL to the image.

Why don't we change gears here and do some security stuff? Okay. Greg asked me to work on this app with him, and one of the things that we wanted to include was security, partly because he made a comment that it's not real until it's secured, and we said okay, cool, we'll add some security. Rob Winch is the Spring Security lead, so do not implement security on your own; so we naturally said we're not going to do our own, so we turned to Spring Security and looked to see what it could offer in terms of securing a Spring Data REST application. Spring Security is comprehensive and extensible support for both authentication and authorization,

Authentication is your credentials, whether that’s username and password, two-factor auth, biometrics, something like that. Authorization is what you’re allowed to do: as a user, am I allowed to post a picture, am I allowed to view a gallery? These are the kinds of things that the authorization support within Spring Security allows you to configure within your app. Some of the common attack vectors that Spring Security will handle for you are session fixation (in this case, if an app is not designed particularly well and you had a user ID within the URL, for example, a malicious person could view that, potentially take that ID, use it to log in as somebody else and then interact with their account details; Spring Security handles that out of the box); cross-site scripting, a pretty common security attack vector, where JavaScript is trying to load something from a different site and that way inject malicious code into your application that is able to potentially access sensitive data or get your user to enter sensitive data that can be captured; cross-site request forgery, also very similar, getting the user to enter sensitive data that can be intercepted; and user interface redress attacks, which use some malicious code on the client side to put something like a button on top of your user interface and again capture user information somehow instead of it being entered into the website as it was meant to be. The good thing is that Spring Security just handles all these things, so as a developer you can include Spring Security in your application and you generally don’t have to worry about them. Obviously, talk to any security engineer and they’re constantly worried about everything, so it’s not going to be out of their mind, but as a developer we can be a little surer that there’s a large community working on this project and that they’re thinking about all of these different attack vectors.

So one of the things we wanted to do was to figure out how to secure the image data within the Spring Data REST application in Spring-a-Gram. If we look up at the very top, you’ve got a @PreAuthorize annotation, and it’s looking for a role of ROLE_USER. Greg and I both have this ROLE_USER for our accounts in the Spring-a-Gram application, so that means if you’re logged in and you have the role ROLE_USER, then you can interact with the item repository. If you see the save and delete functions down here, there are two more @PreAuthorize annotations with some longer expressions in there to determine whether the user is null or not null and whether the user has an authenticated name, and if you don’t have any of those then it’s not going to let you save or delete an image. It’s really just that simple in terms of Spring Security adding protection on your methods and classes. Anything to add? Well, the one nice thing about it is this is all an interface definition; I don’t have to go write a concrete implementation of this code. I can just declaratively put my security policy on the finders and stuff that I need here, and Spring Data will go generate it for me. And the code that you don’t write has no bugs. Yeah, absolutely, because we’re adding this straight onto Spring Data repository declarations, it’s not extra code that we have to write. The question was about ROLE_USER again; yeah, I’ll show you in the code, let’s just do it. So we’ve got a user table that’s in the application, and as Greg mentioned before, Spring Data REST is just going to kind of expose everything, and he said for better or worse. In this case that’s kind of a worse. You really don’t want it to just arbitrarily display or allow access to everything within the user table. So in this case we’ve got, and this is not a Spring Security annotation but a Spring Data annotation, @RepositoryRestResource(exported = false). In this case it’s going to not export the user information and, in a way, secure it. Spring Security can do a lot of things, but as an application developer you still have to determine and figure out how you’re going to represent your data, be cognizant of how the data is going to be returned to the user and what’s accessible, and make sure that things like user information and sensitive data are not being accidentally exposed.

Projections are also not a Spring Security concern, but this is something that’s relatively new within Spring Data, and we talked about that before. We’ve got this projection down here, on the third row, for this item. Something that allows you to do is to add some data to a record that’s not necessarily part of that resource, so it allows you to kind of compile or combine some things together. In this case we wanted to expose the user, or excuse me, the owner, within the item resource, so we created an owner projection. Again, it’s an interface, so it’s not code that we’ve written; this is something that Spring Data provides for you. You name the projection and then you tell it the data that you want to be returned when it’s queried. So let’s go take a look at that security configuration. The question is, is the projection applied to the JSON data that’s being rendered? Spring Data REST is leveraging Jackson to do JSON serialization, and essentially we use the projection to change the getters that Jackson is going to apply when serializing the data out to JSON. He’s going to pull it up here, but essentially when you say render me an item and apply this projection, it says don’t use Item’s getters to decide what to serialize, instead use what’s in the projection code. It can actually add data, if you add fields like getUser, which he’s put in here, or you can create projections that remove data. These getters in the projection definition also support @Value SpEL expressions, so you can actually create virtual attributes that pull in different things, like grabbing first name and last name, putting them together and making a virtual field like that. What goes along with all that is that projections are in general a read-only concept, so you don’t think about POSTing through projections or PUTting through projections to do updates. That’s a good question; I don’t know that one, whether you can apply security to a projection or not. That would be interesting. So this is where I’m going to recommend that you go to Rob Winch’s Spring Security talk on RESTful APIs tomorrow morning; I’ve got the time and room on a later slide, but he’s going to spend the whole presentation talking about how to secure a RESTful API.

Okay, so the question is, if you had to define some kind of entity that has perhaps ten attributes, are you able to define projections where one role has access to these seven and this other role has access to these five? Is that possible? What I’m thinking is, it may be a little convoluted, but it may be possible. I’m trying to think if you can create a parent class and have subclasses that you have repositories against, because then you could have different pre-authorizations on them. You can definitely put @PreAuthorize annotations on custom finders. It may be that you would have to go to the @Query option; there’s an annotation you can put on finder methods in any Spring Data project to write the query yourself. So I’m not sure this tactic is the way to go, but you could probably write two different finders, put a @PreAuthorize on them, and write the @Query logic there. So you could have two different finders, and if you code that up, Spring Data REST will handle it. Yes, that one’s a little more complicated; I’m not sure about doing that @Query stuff on write operations. I’m not sure how to handle that one, since I’m trying to think about how you wire the stuff in. Like you said, Sam, about using ACLs: you can put it at the domain level, and I don’t know how it’s going to react if you try to push something that you’re not supposed to. If it violates the ACL, I guess it could ripple back in here and not let you do that. It sounds like a neat example to work on.

Okay, so somebody was asking about... I’m going to go to presentation mode. So here’s the configuration that we have for enabling Spring Security. We’ve got an annotation on a WebSecurityConfigurerAdapter class, it’s @EnableWebSecurity, and we’ve got @EnableGlobalMethodSecurity with prePostEnabled = true, and prePostEnabled = true allows us to use those annotations for pre-authorization. There’s actually a corresponding one for post-authorization, which has its uses, but generally speaking you’d probably want to use pre-authorization, because you want to make sure that the person has the rights and access to do the things that you’re restricting. Let’s see, so we’re configuring a UserDetailsService and we’re using a password encoder, and again Rob’s going to go into a lot more of these details; he’s got two sessions, one of them right after this one and another one tomorrow morning. This is where you’re configuring the HTTP security. We are allowing all of the static resources, permitAll, meaning all of the JavaScript and CSS, in this case all the bower_components, everything that’s in that folder; Spring Security is basically going to let anybody retrieve those via HTTP, there’s no security on that. Then any other request has to be authenticated, and we’re using form login, and the login page is also permitAll, meaning that you don’t have to be logged in to view the login page, which is nice. Then we’ve got a logout URL; that’s where you specify that. Down here we’ve got some different profiles available within the application, we’ve named them basic and SSO, and these are doing some checks to see if either of those profiles is enabled, in which case we would enable HTTP Basic or we would enable the SSO support within Spring Security. So if we go look at the security details loader,
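The repository declarations, the non-exported user repository, the owner projection and the role-gated finders discussed above, as an added example. This is editor-written Java, not the Spring-a-Gram code: the entity field names, the ROLE_ADMIN audit finder and the `SecurityEvaluationContextExtension` bean (from spring-security-data, which lets `@Query` SpEL see the principal) are assumptions layered on what the speakers describe.

```java
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.ManyToOne;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.PagingAndSortingRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.data.rest.core.annotation.RepositoryRestResource;
import org.springframework.data.rest.core.config.Projection;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;

import com.fasterxml.jackson.annotation.JsonIgnore;

// Assumed domain model (field names are this example's, not Spring-a-Gram's).
// Shown in one file for brevity; in a project each type gets its own file.
@Entity
class User {
    @Id @GeneratedValue private Long id;
    private String name;
    private String firstName;
    private String lastName;
    private String password;   // stored encoded, and deliberately without a getter

    public Long getId() { return id; }
    public String getName() { return name; }
    public String getFirstName() { return firstName; }
    public String getLastName() { return lastName; }
}

@Entity
class Item {
    @Id @GeneratedValue private Long id;
    private String image;      // href of the upload in the file store, not the bytes
    @ManyToOne private User user;

    public Long getId() { return id; }
    public String getImage() { return image; }

    // User has no exported repository, so Spring Data REST would inline the whole
    // object here instead of linking to it; keep it out of the default rendering.
    @JsonIgnore
    public User getUser() { return user; }
}

// Not an HTTP resource at all: the user table stays reachable from code,
// but /users never appears in the API.
@RepositoryRestResource(exported = false)
interface UserRepository extends PagingAndSortingRepository<User, Long> {
    User findByName(String name);
}

// Class-level rule: nothing on this repository without ROLE_USER. Spring Data
// generates the implementation, so the policy lives on the declaration only.
@PreAuthorize("hasRole('ROLE_USER')")
interface ItemRepository extends PagingAndSortingRepository<Item, Long> {

    // Write guards in SpEL: a new item (no owner yet) or one owned by the caller.
    // @Param gives SpEL the #item name without relying on compiler flags.
    @Override
    @PreAuthorize("#item?.user == null or #item?.user?.name == authentication?.name")
    <S extends Item> S save(@Param("item") S item);

    @Override
    @PreAuthorize("#item?.user?.name == authentication?.name")
    void delete(@Param("item") Item item);

    // Two finders over the same table, each gated by a different role
    // (the ROLE_ADMIN view is this example's assumption).
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @Query("select i from Item i")
    List<Item> findAllForAudit();

    // ?#{principal.username} is resolved by spring-security-data, so the query
    // itself is scoped to the caller instead of trusting a client-supplied id.
    @Query("select i from Item i where i.user.name = ?#{principal.username}")
    List<Item> findMine();
}

// Read-only view that pulls owner data into the item representation without
// exporting User; @Value SpEL builds virtual attributes from the target entity.
@Projection(name = "owner", types = Item.class)
interface Owner {
    String getImage();

    @Value("#{target.user.name}")
    String getOwnerName();

    @Value("#{target.user.firstName + ' ' + target.user.lastName}")
    String getOwnerDisplayName();
}

@Configuration
class RepositorySecurityConfig {
    // Makes principal/authentication available inside @Query SpEL.
    @Bean
    SecurityEvaluationContextExtension securityEvaluationContextExtension() {
        return new SecurityEvaluationContextExtension();
    }
}
```

Two checks worth doing once this is wired up: request `/items/1?projection=owner` as a ROLE_USER account and confirm only the projection's fields come back, and request `/users` and confirm a 404 rather than a listing. The `@JsonIgnore` matters because `exported = false` changes how the association is rendered, from a link to an inlined object, and an inlined `User` carries every property that has a getter.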

this was another question: where is that ROLE_USER coming from? Let me zoom it up, sorry, presentation mode. In this case, through code, we’re wiring up a couple of users, Greg and myself; Greg gets ROLE_USER and so do I. This is not how you stand up production data, this is how you do a demo application, but the question was where does that ROLE_USER come from, and this is where it’s coming from: we’re creating a user object and setting the roles on that. Okay, so conveniently, just like with Spring Data, it’s very easy to get Spring Security into your application. You add the spring-boot-starter-security, and that’s going to include all the dependencies that you need, and then those few annotations that we showed you on the configuration class will get you started.

A note on HTTPS: you need to use it in a production application, there’s really no excuse. You can add Spring Security and secure this application as tightly as you want, but if your traffic is unencrypted then you might as well be attaching a safe to a piece of fiberboard, which is just like what’s in my hotel room; it seems very secure. But yeah, seriously, HTTPS needs to be everywhere. Even in the most benign application you really need to consider doing HTTPS, because of all of those cross-site forgery and cross-site attacks; people can do malicious things with any website that’s not secured, and HTTPS is really one of the frontline defenses on that. I think the phrase I heard was, it’s 2015, it’s time to encrypt everything. We do take the excuse that this is just a demo, so we’re not running the server with SSL. One other thing I did want to show you, and this has been in a few blog posts on the spring.io blog, is that within Spring Boot this is how you can enable SSL support with Tomcat. I do want to hedge something here: in Spring Boot there’s actually a single flag setting to flip on SSL support. If you want to use it, you have to supply it with a properly set up key file; it’s got a default name for it. All that configuration does is turn on SSL for port 443; it does not turn on any form of redirect from port 80. What I have here is actually how to configure it if you wanted both port 80 and 443, and if you want port 80 to automatically redirect you to port 443 using Spring Security settings. Any security professional will tell you that is still subject to a man-in-the-middle attack; I’d say the window is a little narrower, and you have to go evaluate if that’s the right solution for your shop, or if you can just tell all your clients to go to HTTPS and, I don’t know, put a static page up if they go to port 80 that says we don’t do it this way, and tell people to go start correctly. Yeah, actually I talked to Rob a couple of times before this talk, and he’s going to be demonstrating several ways of doing some of these attacks and how Spring Security can protect you against those. Question? Well, if you turn on this profile it does expose both of them, it exposes both HTTP and HTTPS, so this would handle the redirects. What kind of was not mentioned is that one of the default settings that Spring Security turns on is HSTS, which tells your browser that once you go to an SSL site, the next time it should automatically prefix it with HTTPS and start on a secure port, and you actually have to go figure out how to clear that out of the browser’s database. So if you go here one time and it redirects you from port 80 to 443, the next time you visit it, if you just type the domain name and not the prefix, it will start at HTTPS. So again, like I say, there’s this tiny window where somebody could stage a man-in-the-middle attack, and also I wrote this before they added that feature in the first place and had it in my book.

Okay, so we’re going to move on and talk about the latest and greatest buzzword, microservices, unless there are any other questions. All right, so what are microservices? If you look at Martin Fowler’s article on microservices, he says the microservice architectural style is an approach to developing a single application as a suite of small services, each running in its own process and communicating with lightweight mechanisms, often an HTTP resource API. That’s a very good article; I recommend looking at it if you’re considering utilizing a microservice architecture. Microservice, to me, has always felt like maybe not the right way to describe this. It’s really decomposing a single application into multiple applications, and you’re not reducing complexity, you’re obviously adding more complexity to your application. So we talk about that sometimes as if there’s a Holy Grail, but it really just depends on your application needs as well. One of the things that we wanted to do with Spring-a-Gram, which Greg originally built as a single application, and we demoed this application last year, was this year we said, hey, we’re talking about cloud native everywhere, you can’t miss it, so let’s break up Spring-a-Gram and see what we can do with it, because this is going to be a similar challenge that a lot of you are probably going to face: you’ve got existing applications, how do you start, where do you identify things that you can move to a new service or new application?
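The web security configuration, the port 80 to 443 redirect and the HSTS setting described in the security part above, as an added example. This is editor-written Java, not the Spring-a-Gram configuration: it assumes Spring Boot 1.x with embedded Tomcat and Spring Security 4, `server.port=443` plus `server.ssl.*` already set for the TLS connector, in-memory demo users standing in for the application's user table, and the same `basic` profile check the speakers describe.

```java
import org.apache.catalina.connector.Connector;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)   // turns on @PreAuthorize / @PostAuthorize
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private Environment env;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Demo users only (assumed names and passwords); a real UserDetailsService
    // loads them from the user table. roles("USER") becomes ROLE_USER, the
    // authority the repository's hasRole('ROLE_USER') checks for.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = passwordEncoder();
        auth.inMemoryAuthentication()
            .passwordEncoder(encoder)
            .withUser("greg").password(encoder.encode("changeme")).roles("USER")
            .and()
            .withUser("roy").password(encoder.encode("changeme")).roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/bower_components/**", "/css/**", "/js/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                .and()
            .logout()
                .logoutUrl("/logout").logoutSuccessUrl("/login?logout").permitAll()
                .and()
            // Every request must arrive over HTTPS; plain HTTP gets a redirect to the
            // https port (80 -> 443, 8080 -> 8443 via Spring Security's default port mapper).
            .requiresChannel()
                .anyRequest().requiresSecure()
                .and()
            // HSTS is already on for secure responses; state the policy explicitly.
            .headers()
                .httpStrictTransportSecurity()
                    .includeSubDomains(true)
                    .maxAgeInSeconds(31536000);
        // CSRF protection is left at its default, which is enabled.

        if (env.acceptsProfiles("basic")) {
            http.httpBasic();   // API clients send credentials per request, so TLS-only
        }
    }

    // Second, plain-HTTP connector on 80 next to the TLS connector Boot builds from
    // server.port=443 + server.ssl.*; the requiresChannel rule above does the redirect.
    @Bean
    public EmbeddedServletContainerFactory servletContainer() {
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory();
        Connector http = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        http.setScheme("http");
        http.setPort(80);
        http.setSecure(false);
        http.setRedirectPort(443);
        tomcat.addAdditionalTomcatConnectors(http);
        return tomcat;
    }
}
```

The redirect closes nothing for a user's very first plain-HTTP request, which is the window the speakers mention: until the browser has seen the `Strict-Transport-Security` header once, an attacker on the path can answer port 80 themselves. Submitting the domain to the browsers' HSTS preload list is the way to remove that first request; the header alone only protects return visits within `max-age`.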
So we went down this path and tried to do this with Spring-a-Gram as well. Another overused buzzword: 12-factor apps. We throw this around a whole lot; these are the actual 12 factors. I don’t know that I see people mentioning the 12 factors all the time, but I’m not going to go through all of these. Currently, in Spring-a-Gram we don’t do all of this stuff, but we’ve started trying to do a lot of them, and because we’ve adhered to a lot of these principles we’ve actually been able to break up the Spring-a-Gram application and ultimately deploy it to Cloud Foundry, and it turned out not to be too complicated or too painful. All of those are at the 12factor.net website as well; of course you can Google all of this and find plenty more information. And not to forget Matt Stine, who’s our resident microservice and cloud native expert, has written a book; I believe we have some of them at the Pivotal table out there, and I think there’s a book signing tomorrow, so go get your copy signed by the man himself.

So let’s talk about Spring Cloud. If you guys were in the keynote last night, they talked about some of this stuff; we’re going to talk about how we utilized it within Spring-a-Gram. These are four of the features that we tried to incorporate: intelligent proxy, service discovery, circuit breaker and external configuration. Intelligent proxy is using the Netflix OSS Zuul library, service discovery is using the Netflix Eureka library, circuit breaker is also using Netflix, and then we’re using external configuration, which is part of Spring Cloud itself. So here’s what the application looks like now that we’ve broken it up, and I realize now I should have put a prior slide up here, but I don’t have that for you. Everything used to be in one Spring-a-Gram application, and it was hitting one SQL database, and now we’ve broken it up into a back-end application and we have a DB file service, and each of these is hitting its own independent datastore.

To include Spring Cloud within your project, you need to replace the Spring Boot parent with the Spring Cloud parent. Another method is to declare it as a BOM separately, but I tend to find it easier to simply replace the Spring Boot parent. The Spring Cloud parent is additive, so everything within Boot is going to be available if you use the Spring Cloud parent. The current release is Angel.SR3, and Brixton is in progress right now. A number of the dependencies are right here; these are the ones that we’re taking advantage of within this application: Zuul, Eureka, Hystrix and the config client. So let’s look at the code and see how we’ve wired all this up. You can just see the run command for all the tabs that it’s running. Oh, you’re going to zoom stuff? Yeah, so our Spring Boot application is right here, and we’ve got three new annotations that we’ve added to it. One is... let me go to presentation view, yes, one day I’m going to learn to go to presentation mode. We’ve got @EnableDiscoveryClient, which is going to turn on Eureka, @EnableZuulProxy, and @EnableCircuitBreaker, which is going to enable the Hystrix support, and it’s really kind of that easy. We can show you; I don’t have to do this in presentation mode, Greg. I don’t know if that will go to presentation mode; if I had Josh Long here, he knows how to jump font sizes. But it shows all four of our processes. Roy’s diagram showed three, but we have to run one extra process, our Eureka server, which they mentioned last night at the keynote; that’s why we have four. What he did was kill the front-end part, the front end where the UI is, and then the back-end service is where the Spring Data REST parts are. So he killed the front end, and now we’re looking at Eureka, and it may be a little hard to read, but it says not found for the spring-a-gram front end’s logical name. So using Eureka we’re able to do service discovery, we’re able to talk to the different services, and note there are no hard-coded URLs within any of these services. When you enable service discovery using that annotation, it’s going to go register itself with Eureka. If Eureka is not in a known location then you do have to configure that location; it has to know where Eureka is. It’s going to register itself with a name that you’ve defined within the configuration, in this case spring-a-gram, which you see down here as the spring-a-gram front end. Then Eureka is going to keep a registry of all of these services, and any time one of the services wants to talk to another one, it asks Eureka how do I find it, and it tells it. Roy, can we really trust Eureka? I mean, this is just a piece of software; how dependable is Eureka? Well, as I mentioned, Eureka was an OSS project from Netflix, and if you guys are familiar with Netflix, they run it at pretty high scale. This is something that they use, and I expect that it’s more scale and more traffic than most of the rest of our websites are running. So if we start up the front-end application again, what we can see is, let me switch it back over to Eureka, now when it went down, you may not have been able to see it, it was very quick at detecting that there was no heartbeat anymore and dropping it. Here it’s taking a little longer to get back up, as you can see. So with the front-end application you can see DiscoveryClient spring-a-gram front end right there, so it’s now registered with Eureka, and if you look over on the Eureka log you can see that it’s registered a new instance, spring-a-gram front end, so that service is successfully registered with Eureka and everything is happy there.

Let’s take a look at how we’re using Hystrix. Actually, let me just flip over to the demo. Close that guy; we’re still running, okay, we’re running. If we come over to IntelliJ again and we shut down the back-end service, the back end is where the Spring Data REST component is, and it’s where we get that HAL record that says here are the items, here’s the URL link to where the image is located, so it’s telling us where in the system that’s located. Yeah, that’s right. So if that goes down, we don’t want the whole front-end UI to suddenly look like it exploded and blow up; we want to see something that still resembles the correct UI. In this case what’s going on is the circuit breaker kicked in and we’re getting a default image now, which is the Spring logo. So instead of seeing the Bazinga t-shirt we’re seeing this Spring logo. I’ll show you how this is running on Cloud Foundry in just a minute, and I can show you the Hystrix dashboard running there; I actually don’t have it running locally right now. If we go back and we restart that back end, it’s going to re-register with Eureka and the front end will once again know how to communicate with it. While it’s doing that, we can look at this image-via-link. I tried it and Greg doesn’t have it turned on, because I have that enabled on mine; the perils of using somebody else’s laptop. So this image via link, the way this is working is we’ve got a component, which is a helper class, where we’re calling a method getImageResourceViaLink. Command-B to navigate to that method, if you want to stay in presentation mode. So here’s our component class, ApplicationControllerHelper, and you can see here where we’ve annotated this with @HystrixCommand and we’ve got a fallback method, getFallbackImageResource. In this case we’re creating a Resource<Item> and statically populating it with some stuff. We’ve got a default image URL up here, and that’s actually a Spring environment property that’s being pulled in by external configuration. Changing subjects just briefly: we’ve got external configuration right now pointed at a GitHub repository, and there’s a URL and a YAML file in that repository that Spring Cloud is pulling in and using those values. So this @HystrixCommand, if something happens or fails within this getImageResourceViaLink, then it’s going to use the fallback method that’s defined up here, so in this case it’s just going to simply return that resource item. The reason that the fallback works in this case is because this RestTemplate exchange method down here is going to throw an exception, because it can’t reach the back-end service. This is a somewhat typical scenario that you’d want to use a circuit breaker on. Amazon and Netflix both use this pattern for their home pages; for example, Amazon has a list of recommended items.
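The service-discovery and circuit-breaker pieces just described, as one added example: a helper that calls the Spring Data REST backend through Eureka and Ribbon with no hard-coded host, wrapped in a `@HystrixCommand` whose fallback returns the default image. This is editor-written Java, not the Spring-a-Gram helper; the Eureka service id `springagram-backend`, the property name `springagram.fallbackImageUrl` and the trimmed `Item` type are assumptions, and unlike the talk's version it builds the backend URL from the service id rather than following a HAL link, so that the discovery step is visible.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.client.loadbalancer.LoadBalanced;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.netflix.hystrix.contrib.javanica.annotation.HystrixCommand;
import com.netflix.hystrix.contrib.javanica.annotation.HystrixProperty;

// Assumed minimal client-side view of the backend's item; HAL's _links and any
// other fields are ignored rather than failing the call.
@JsonIgnoreProperties(ignoreUnknown = true)
class Item {
    private String image;
    public String getImage() { return image; }
    public void setImage(String image) { this.image = image; }
}

@Configuration
class BackendClientConfig {
    // @LoadBalanced makes http://springagram-backend/... resolve through Eureka and
    // Ribbon, so the front end carries no host or port for the backend. The
    // application class is assumed to carry @EnableDiscoveryClient and
    // @EnableCircuitBreaker, as in the talk.
    @Bean
    @LoadBalanced
    RestTemplate restTemplate() {
        return new RestTemplate();
    }
}

@Component
class ApplicationControllerHelper {

    // Assumed Eureka service id of the Spring Data REST backend.
    private static final String ITEM_URL = "http://springagram-backend/items/{id}";

    @Autowired
    private RestTemplate restTemplate;

    // Delivered by Spring Cloud Config; the property name is this example's.
    @Value("${springagram.fallbackImageUrl:/images/spring-logo.png}")
    private String fallbackImageUrl;

    // Runs on Hystrix's own thread pool. An exception, a timeout, or an already
    // open circuit routes to the fallback, which must share this method's signature.
    @HystrixCommand(fallbackMethod = "getFallbackImage",
        commandProperties = @HystrixProperty(
            name = "execution.isolation.thread.timeoutInMilliseconds", value = "1000"))
    public Item getImageViaLink(long itemId) {
        return restTemplate.getForObject(ITEM_URL, Item.class, itemId);
    }

    // Degraded response with the same shape: the page still renders, with the
    // Spring logo where the upload would be. Never call the failing backend here.
    public Item getFallbackImage(long itemId) {
        Item placeholder = new Item();
        placeholder.setImage(fallbackImageUrl);
        return placeholder;
    }
}
```

One consequence of thread isolation that matters for a secured app: anything the request thread keeps in a `ThreadLocal`, including Spring Security's `SecurityContextHolder`, is not visible inside the command, so a backend call that needs the caller's identity has to either pass it explicitly, use semaphore isolation, or install a Hystrix concurrency strategy that copies the context (Spring Cloud Netflix later added a `hystrix.shareSecurityContext` property for exactly this). The fallback is also not a retry; once the circuit opens, every call goes straight to it until Hystrix lets a trial request through.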

and a lot of us may not even realize it but sometimes that service request might fail and instead of getting items that are specifically tailored to your buying history you might get more generic items over there but the page looks like it still works and the same thing goes for Netflix you would see a recommended list of TV shows or movies that tailored based on your viewing history if that fails for whatever reason you might get a more generic list of recommendations there and you don’t know as a user you don’t recognize that I mean maybe it’s things that aren’t as familiar to you but nevertheless the UI looks normal it doesn’t just blow up because it can’t reach this back-end service so that’s the the same approach that we took here is if your image obviously in this case you’ve uploaded an image and you’re more familiar with your images so you’re not expecting a spring logo but at the same time we’ve got it supported where the UI doesn’t blow up you don’t get a 500-page because there’s something not running in the background okay and I mentioned external configuration if I go look at this repository spring garam config we’ve got spring Graham hashtag and fall back image URL have this enabled on the deployed version of cloud foundry but wanted because I mentioned that I want to go ahead and show it to you these environment variables these properties are getting pulled into your application via spring cloud config okay sides oh yeah before before we move on yep just wanted to show you we’ve got these things are all broken down into these separate projects now we’ve got a spring around back back in we’ve got a Eureka server which is the standalone spring cloud OSS Eureka server we’ve got front end we’ve got a standalone hystrix dashboard that gets wired in and then we’ve got two different file services we support and we can enable or disable them based on spring profiles one is the DB file service and one is the spring or Graham s3 file service and we’ve been 
showing you the the MongoDB one and if we have time we’ll switch over to the s3 one and take a look at though this where I start going can we go to production can we go to production like Josh did it’s right it’s magic how does that work so this brings me to the next component that we’ve taken advantage of and as spring cloud services Scott Frederick’s talked about this yesterday in the keynote we’ve been able a lot of the spring open source spring cloud components to be available within cloud foundry and it just as simple tiles that you can add on to your existing applications in the case of springer game we’re using the circuit breaker service registry and config client so let’s take a look in a perfect world we’d be like let’s do a maven package job let’s do a CF push job but when you’re demoing at conferences you don’t gamble on things like that so we have it pretty staged at pivotal web services AKA p dubs yep that’s right though the last time I deployed it it took several minutes to deploy it so that’s kind of boring presentation time watching things get pushed out that is perfectly cool stuff to go to your CI solution and configure that to push to your PC f’s system you know every time you have a successful emerged master or something like that this is also why we waited to do this to the end because the network’s kind of slow okay so right here you can see we’ve got the Springer Graham front-end deployed as a single application we’ve got the backend and we’ve got DB file service and we’ve also got the s3

deployed as well but again we you can enable disable those through spring profiles and if we go this is a shared org within our pws group we’ve created a Springer Graham service registry we’ve also created a Springer Graham circuit breaker dashboard and these things are as easy as going to marketplace and Scott showed this again in the keynote last night but you just simply click this and you can add these features to your cloud foundry org and utilize them within your application so I’m gonna go back to look at those services real quick and first one is if we look at the service registry thank you lass pass yes I don’t know Greg’s password you can see the Springer Graham is up and running so this is the service registry dashboard that we’ve created or the PCF spring cloud services functionality you can see the spring go client Springer Graham said San Joaquin is in that a little bit maybe it’s not zooming Springer Graham is up and running the back end is running the DB is running these are all registered with in Eureka and these are the Eureka IDs and there’s some other information down here to metadata about the services that are running if we we could increase the instances on the backend for example very simply going into that application and bumping it up and then Eureka is going to show once the application to started is going to show a to there or whatever the number of instances that we have running this is where if you invest in like these 12 factor style processes then it pays off like the MongoDB sir the num MongoDB portion delegates to a MongoDB instance that we have bound to it so you can spin up 10 copies of that service and they’re all talking to a shared instance a MongoDB so I don’t have to lift a finger once i get to cloud to go to scale yep that’s exactly right so if i go back up here and we take a look at the springer graham application it’s it’s your snapshot from earlier at the bottom yep there is so this is running on Cloud Foundry now and 
we’ve got the history / board running here and you can see that the you’re getting some data coming back on that little chart and we can reload this a couple times and what these are showing you can see the image resource be a link that’s that method that we’ve annotated with the historic sanitation with the fallback method and these are other ones our ribbon commands and those are in this case what this is showing is that the zool route which we actually haven’t looked at yet are also being reported within history so if the zool routes are failing for whatever reason and hysterics will report those within this dashboard as well right now we’re using zool to basically redirect request to an API endpoint from the front end and it goes and hits the Springer gram back in which is where the spring data rest application was running so you can see that we’ve had we have more things popping up on that graph if I come over here to the back-end service and disable that now when I reload the application we can see that the fallback method is kicking in actually I go to the apartment link so we can see right here a hundred percent of the requests or failing right now and this red dot will get bigger and

bigger the more times you make requests, and that's simply showing that the circuit is not working; it's failing between the front end and the back end. So all of this stuff, the Hystrix dashboard, is part of the open-source Spring Cloud library. You can run it locally, but as I've shown you on PWS or Pivotal Cloud Foundry, you're able to drop it in with Spring Cloud Services by simply installing a tile into your application, and we've handled all the heavy lifting on that side of things.

So if we restart this backend application, it'll take a second. You might be getting an invalid URL, maybe an invalid permalink, while waiting for it to restart. Hopefully it will restart. Okay, there it is now. Right, so the ID that we had created in that permalink is not valid, that's what Greg was mentioning, so I'm trying to refresh a URL that's actually not valid. It's still not coming back up, unfortunately. Oh, now you can see that this other one is starting to fail over here, that first one on the left, and that's the Zuul one. So this screen is trying to hit, there it goes, trying to hit the API. So now that first one has turned back to green; the circuit is working in production. Yes.

So one last thing that I wanted to show you, looking at the front end, was the Zuul routes and the configuration for that. If you come down here we've got two different profiles defined, one is for presentation, so I've got two routes, excuse me, two profiles, two different Zuul configurations. Both of these, one is the API, saying send everything that's requested through that API endpoint to the Spring-a-Gram backend, and this is where the combination of using these services really makes things interesting, because this is the Eureka service ID. So we don't have a hard-coded URL in here; Zuul is now asking Eureka how to find the Spring-a-Gram backend, and it doesn't know specifically what the real URL is because that's not configured, and the same thing applies for the Spring-a-Gram DB file service, that's the Eureka ID there. Alternatively you could put a hard-coded URL in here if you didn't want to use Eureka, for example if you wanted to use Zuul without Eureka's support. And then we add an S3 profile down here where we're using S3 instead of the DB, so that was an easy way to switch back and forth between MongoDB and S3.

I think we're about out of time, so, putting the slides back up. For using Spring Cloud Services, we do have another parent POM that just builds on top of Spring Cloud and makes it very easy to enable an application to run on there; there are some simple dependencies to include, it's self-descriptive. Additional sessions: I mentioned Rob Winch's two sessions, one of them is right after this one, The State of Securing RESTful APIs with Spring, and then he's got another one tomorrow morning, Hands-on Spring Security, so if you're concerned about doing any of that stuff I highly recommend going to one of those sessions. And Cloud Native Java with Spring Cloud Services: if the Spring Cloud Services stuff is interesting to you, Craig and Scott are going to spend an entire session going over all of that stuff that's been the last 15 minutes in much more detail, how to enable that

within your applications. And Securing Microservices with Spring Cloud Security, there's another project that's part of Spring Cloud, and Will is going to go over it; he's going to spend the session talking about how to enable more security between your microservices that are deployed to Cloud Foundry, and that's something that we didn't address within Spring-a-Gram this time; we're just using Spring Security's method-level security. So if you want to know more about how to secure the actual communication between those different microservices as they're deployed to Cloud Foundry, I recommend going to that session as well. And we've got a little bit more information: Greg's got all of the code for Spring-a-Gram deployed to his GitHub URL; I've got a very basic REST service that's using OAuth, and we have OAuth enabled in the app, that was out of scope for this talk, but if you're interested in having OAuth enabled for a REST service that's a good example for that; and spring.io for all the other resources. And that's about it, so, any other questions? If not, we've reached the end of our time. Alright, thanks for coming.
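The Zuul route setup described in the talk, written out as an added example rather than the Spring-a-Gram project's own application.yml: the presentation profile resolves both routes through Eureka service IDs, and a second profile shows the alternative of hard-coded URLs for running Zuul without Eureka. The service IDs, hostnames, the /files path and the "standalone" profile name are assumptions; the ignored-services setting is added here so that only the declared routes are reachable through the gateway, which the talk does not cover.

```yaml
# Added example, not the Spring-a-Gram project's own file.
# Multi-document application.yml for a Spring Cloud Netflix Zuul gateway
# (Spring Boot 1.x-era "spring.profiles" document selector).
# Service IDs, hostnames, the /files path and "standalone" are assumptions.

# Applies to every profile. By default Zuul also proxies every service
# registered in Eureka under /<serviceId>/**; ignoring them keeps the
# gateway limited to the routes declared explicitly below.
zuul:
  ignored-services: '*'
  routes:
    api:
      path: /api/**
      strip-prefix: false   # backend expects the /api prefix (assumption)
    files:
      path: /files/**       # assumed path for the DB file service

---
# Presentation profile: targets resolved through Eureka, no hard-coded URLs.
spring:
  profiles: presentation
zuul:
  routes:
    api:
      service-id: springagram-backend       # assumed Eureka service ID
    files:
      service-id: springagram-fileservice   # assumed Eureka service ID

---
# Alternative profile: Zuul without Eureka, hard-coded URLs instead.
spring:
  profiles: standalone
eureka:
  client:
    enabled: false
ribbon:
  eureka:
    enabled: false
zuul:
  routes:
    api:
      url: http://backend.internal.example:8080   # assumed host
    files:
      url: http://files.internal.example:8080     # assumed host
```

Run the gateway with `--spring.profiles.active=presentation` to route via Eureka, or `standalone` to bypass it; in both cases requests to any path other than /api/** and /files/** are not forwarded.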
