Author Archives: yogesh.mali@gmail.com

Techstack Framework for RentersFeedback

As a developer, we make different choices based on what is available to us and what we know. But are those choices always better? They may not or they may. It really depends. In this post, I describe the techstack framework that I used to build Renters Feedback.

You can read my post, how I came up with an idea to build an application for renters feedback.

I wanted to describe the process of the choices I made to choose a tech stack framework for building the application. Considering my expertise in Spring Boot, it was a default choice to use to build this application. There are other factors I took into account like the ease of coding, ease of deploying as a microservice-based application in the cloud, and docker.

Development Framework For Renters Feedback

For developing the application, my focus was on the re-usability of code. Since I have written few applications as part of this blog using Spring Boot, there was authentication, login forms, sign up forms, most of that code was readily available. One thing I have to think through for RentersFeedback was database modeling.

Database Framework for Renters Feedback

For developing a database based application, I used mysql as a development database. In production, I changed that to postgresql . 

Why database change? 

Heroku support for mysql wasn’t straightforward, so I preferred what was available by default and it was postgresql. I have to do a few changes to mysql scripts. I could have automated these scripts through liquibase, but I preferred not to for the first version of the product. In the future, when I plan to add more changes to the database model, I will add liquibase-based scripts.

Authentication Scheme

There were some questions about why a user needs to login on a RentersFeedback website. Well, someone has to post those reviews before people can browse it. You need to login if you want to post a review.

The easiest choice was to have form-based login even though it is getting old and not safe. I still feel most users would use email to login. User passwords are stored in an encrypted and hashed format in the database.

Another mechanism, I decided to add, was OAuth2 OpenId protocol by using Google API for the same. It was easy to implement and something I have expertise in.

I could add other social logins, but I prefer to keep it simple and if the need arises, I will add those logins in the future.

Using Google API, made me use Redis Cache. I wasn’t planning to use cache since the application is still in nascent stages, but now it is there, so future scaling would be easier from a performance perspective.

User Interface

The user interface was built using Spring Boot provided thymeleaf templates along with Twitter’s Bootstrap CSS library and javascript library. For the search feature, I have used javascript library of Google search APIs.

After deploying the application on Heroku, I came across a few issues about having forms available publicly. To avoid spams, I will be adding Captcha on those forms. I will show how to use reCaptcha APIs in the next post.

To allow users to reset the password, I have used Spring Boot Email system. This was an easy implementation once you know how the forgot your password flow works.

Deployment Environment

I used Heroku to deploy my application. Heroku has great documentation. It’s very easy to sync up with your GitHub repository. So if you push your changes to GitHub, it will sync up to build and deploy on Heroku.

Questions

Choosing the right tech stack framework for your application can be a difficult task if you are a beginner.  Since I have experience in building applications, choosing this techstack framework for Renters Feedback was a straightforward choice. If you have any questions about implementation, why I used certain technology, and how it can be improved, you can post a comment on this blog and I will answer those questions.

 

RentersFeedback.com

RentersFeedback is a brainchild from a tweet that a friend tweeted back in August:

Tweet from a renter

Based on this tweet, I thought it would be nice if renters have some say about landlords. Around the same time, my girlfriend was looking for an apartment/house to rent. Even though we found a place, we were not sure if it’s a good place. And there were no reviews about this place. On the first impression, the house didn’t look like a place where anybody has lived in a long time, but we made our decision and went ahead with it. It would have been nice if there was a review of this place.

I am sure when most people are looking for places to rent, they use services like Padmapper or Zillow which offers the easiest way to find places based on area, requirements, budget, other facilities. But none of these applications offer a review system.

What this will solve?

Renters Feedback will solve the much-needed place to provide reviews about the places that people are renting. This will help future renters to look for good places to rent. This will also make landlords and rental management companies more accountable. I hope Renters Feedback can help renters with reviews for the places they want to rent.

What about Yelp?

Yelp.com has been providing reviews of restaurants, small businesses, and other things, but rarely of a standalone house to be rented or a rental management company. Yelp has done a tremendous job, but it lacks in this one area.

Why an application with a single functionality?

Less is more. Simple functionality matters in long terms than a complicated one. In marketing, there is a term affordance that refers to the perceived and actual properties of the thing, primarily those fundamental properties that determine how the thing could be used. A single functionality of the application will help users to navigate and use the application efficiently.

Techstack

To build RentersFeedback.com, I have used Spring Boot Microservice based architecture. I have implemented the current user interface using Twitter Bootstrap, CSS, Javascript, Google Javascript API, and Thymeleaf. Backend is written using Java and database supported.

Using Redis for caching, Google for OAuth2 authentication along with regular authentication.

Heroku.com is my choice of the cloud platform to launch the application. It offers an easy way to assemble all the needed services like database, Redis, and the server itself.

One future change for this might be to move the user interface to reactjs. Something that is currently I am working on.

Feedback

I would love it if you could use the application and would appreciate any feedback.  Subscribe to my blog to find out more about renters’ feedback.

 

Deploying Spring Boot Application to Heroku

Heroku is a platform as a service (PAAS) that helps developers to build, deploy, and run applications on a cloud platform. Deploying Spring Boot application to Heroku is a straight forward process. I will describe this process in this post. There are actually multiple ways to deploy a spring boot application. The simplest way to deploy the application is to use maven built jar file and run that jar file on Heroku server.

In my previous post, I showed how to use Spring session in your Spring Boot application.

Before I show one of these two methods to deploy the application, we assume that you have created an account on Heroku.com, if not first please create an account and download Heroku-CLI (Command Line Interface). I also assume that you have git downloaded and installed.

Initial Deployment with Heroku

Once you have Heroku account and Command Line Interface downloaded, let’s start deploying the Spring Boot app with repository.

Create an application directory on your development environment.


git init
git add .
git commit -m "first commit"

Now you can either create an app in Heroku through web-interface OR through Heroku CLI.

heroku create rentersfeedback would create the application in Heroku.

As part of this post, I am deploying an alpha version of my application rentersfeedback.com

Once you add the source code to the directory, we can push the repository to heroku.  Every time you push the repository to Heroku, Heroku’s builder will build the application and launch it.

git push heroku master

Despite this initial push, we don’t have the application ready to use yet.

Database Configuration

For this application, I will be using Postgres database. Heroku offers a couple of ways to add database as an add-on.

Once Postgres database is added, go to settings -> view credentials  this will provide us database credentials.

Now we can access the database server through pgAdmin Postgres Administration and create database and database tables for our application.

Back in Heroku web-interface, if you go to the application settings page, click on reveal Config Vars and set up the following variables


SPRING_DATASOURCE_URL= 
SPRING_DATASOURCE_USERNAME= 
SPRING_DATASOURCE_PASSWORD= 
SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver 
SPRING_DATASOURCE_TYPE=org.apache.tomcat.jdbc.pool.DataSource 
SPRING_JPA_DATABASE-PLATFORM=org.hibernate.dialect.PostgreSQLDialect

As you can see that we are using datasource type as tomcat jdbc pool and not the standard hikariCP which Spring boot provides. To make sure to work this, we have to add a dependency of tomcat-jdbc as follows:


compile('org.apache.tomcat:tomcat-jdbc:9.0.29') 
compile('org.postgresql:postgresql:42.2.8')

If you don’t specify data source type as tomcat-jdbc, Heroku throws an error for Postgres database as below:

Caused by: java.lang.RuntimeException: Driver org.postgresql.Driver claims to not accept jdbcUrl

This will get our Spring Boot app to work with the Postgres database while deploying on Heroku.

Configuration of Gradle to build a jar file

So by default, Heroku supports maven. If you want to use Gradle to build your application, you can use the following guidelines.

Now if you push these changes to heroku and build the application, the application will throw the following error while starting up



2019-11-30T17:05:46.096985+00:00 heroku[api]: Deploy 291326d by xxx@gmail.com 
2019-11-30T17:05:46.097021+00:00 heroku[api]: Release v9 created by xxx@gmail.com 
2019-11-30T17:05:46.378258+00:00 heroku[slug-compiler]: Slug compilation started 
2019-11-30T17:05:46.378269+00:00 heroku[slug-compiler]: Slug compilation finished 
2019-11-30T17:05:46.755655+00:00 heroku[web.1]: State changed from crashed to starting 
2019-11-30T17:05:53.121398+00:00 heroku[web.1]: Starting process with command `java -Dserver.port=5000 -jar build/libs/myapp.jar` 
2019-11-30T17:05:54.260741+00:00 app[web.1]: Error: Unable to access jarfile build/libs/myapp.jar 
2019-11-30T17:05:54.784064+00:00 heroku[web.1]: State changed from starting to crashed 
2019-11-30T17:05:54.773714+00:00 heroku[web.1]: Process exited with status 1

To resolve this issue, I will add a task in my gradle script that will build a jar file when I deploy the application.


apply plugin: 'java' 

task stage(type: Copy, dependsOn: [clean, build]) { 
    from jar.archivePath into project.rootDir rename { 'app.jar' } 
} 

stage.mustRunAfter(clean) 

clean.doLast { 
   project.file('app.jar').delete() 
}

Setting up application.properties

We have deployed our application, configured database, and build script. Usually when spring boot application starts, it will access all the required variables from application.properties. So I will set up that file as follows:



# ==================================================================================== 
# = DATASOURCE 
# ==================================================================================== 
spring.datasource.url=${SPRING_DATASOURCE_URL} 
spring.datasource.username = ${SPRING_DATASOURCE_USERNAME} 
spring.datasource.password=${SPRING_DATASOURCE_PASSWORD} 
spring.datasource.driver-class-name=${SPRING_DATASOURCE_DRIVER-CLASS-NAME} 
spring.jpa.show-sql=true spring.jpa.properties.hibernate.dialect = ${SPRING_JPA_DATABASE-PLATFORM} 
spring.datasource.type=${SPRING_DATASOURCE_TYPE} 
spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation=true 
# ==================================================================================== 
# = Server SSL 
# ==================================================================================== 
server.port = 7443 
security.require-ssl=true

Setting up a custom domain

Heroku offers an easy option with SSL, so if you choose that, it is a straightforward approach with Let’s Encrypt to automatically manage the SSL certificate.

Now to set up the custom domain, add your domain and heroku will provide the target DNS server. For your corresponding domain provider, you will add DNS setting for CNAME(for www) and ANAME (root domain). Wait for a few hours for this setting to take place.

Access the application

We are ready to access the application now. Once you have pushed all the required changes to Heroku repository, heroku will build the application and launch it.

Now if we access rentersfeedback.com, we will be able to see the application as follows:

Renters Feedback

References

  1. Deploying Spring boot application to Heroku – deploy spring boot app
  2. Deploying Gradle application to Heroku – Gradle applications to Heroku
  3. Custom domains in Heroku – Custom domains in Heroku

 

 

Session Management with Spring-Session and JDBC

User session management is vital to keep user state in an application. The session helps to keep track of where the user is currently and if he comes back to check the application, it can be retrieved in a similar state. In this post, I will show how to use the Spring session with the database to maintain session data.

Spring Session

Spring session offers APIs to manage user sessions. This gives the flexibility to build an enterprise-level application using Spring Boot and still segregating with Spring Session. Another advantage of using Spring session is that it offers different storage options. You can store the session data in redis, database using JDBC or in-memory. Since we are able to store the session data in database, session data is not lost if application shuts down or crashes. This helps to manage user session iteratively.

In this post, I will show how I have used Spring session in my application Renters Feedback.

Create a Spring Boot based application

I will not be showing how to create a spring boot based application. The assumption is you know the basics of Spring Boot. Once you create a maven-based or Gradle-based Spring boot application, you can include a dependency for Spring session.

org.springframework.session:spring-session-jdbc:2.1.6.RELEASE

Configure Storage Type

With the Spring session, you have multiple options to configure the storage type. For this post, I will be showing how to use a database with JDBC to store user session data. With setting application.properties you can create required session tables on the fly OR you can create them before starting your application, so you don’t have to create them always.

From a production system perspective, I prefer to create tables while setting up an application once and never worry about it.

So before we can use the spring session, create the required database tables in your choice of database. In this post, I will be using mysql for database.

Create the following two database tables in your application database

create table SPRING_SESSION (
primary_id CHAR(36) NOT NULL,
session_id CHAR(36) NOT NULL,
creation_time BIGINT NOT NULL,
last_access_time BIGINT NOT NULL,
max_inactive_interval INT NOT NULL,
expiry_time BIGINT NOT NULL,
principal_name VARCHAR(100),
CONSTRAINT spring_session_pk PRIMARY KEY (primary_id)
);

create table SPRING_SESSION_ATTRIBUTES (
session_primary_id CHAR(36) NOT NULL,
attribute_name VARCHAR(200) NOT NULL,
attribute_bytes BLOB NOT NULL,
CONSTRAINT spring_session_attributes_pk PRIMARY KEY (session_primary_id, attribute_name),
CONSTRAINT spring_session_attributes_fk FOREIGN KEY (session_primary_id) REFERENCES SPRING_SESSION(primary_id) ON DELETE CASCADE
);

 

Configuring your application.properties  as follows:

spring.datasource.url=jdbc:mysql://127.0.0.1/sampledb?autoReconnect=true&useSSL=true
spring.datasource.username = sa
spring.datasource.password=*********
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.session.store-type=jdbc
spring.session.jdbc.initialize-schema=never
spring.session.jdbc.table-name=spring_session

One reason we specified spring.session.jdbc.initialize-schema=never is because we are manually creating the database tables.

Now to use Spring session in our application, we will configure Spring security and enable @EnableWebSecurity . Basically this will allow us to have a form-based authentication and on authentication, we can have a valid session created and stored in the database for logged in user.

I will not be showing how to enable Spring Security, you can read my old post about Using Spring Security in Spring Boot application.

Configuring JDBC HTTP Session

One key thing to do as part of this implementation is to enable Spring Session in the application by using annotation @EnableJdbcHttpSession as shown below:

@SpringBootApplication
@EnableJdbcHttpSession
public class HomeApplication extends SpringBootServletInitializer
{
	public static void main(String[] args)
	{
		SpringApplication.run(HomeApplication.class, args);
	}

}

As per Spring documentation here Spring Session, the annotation @EnableJdbcHttpSesion adds a bean with the name of springSessionRepositoryFilter . This filter handles replacing HTTP session implementation with Spring Session.

Running the application

Now to see the entire application, we can see the following recording to see how spring boot based application creates the session and stores in the database.

In conclusion, we showed how to implement session management using the Spring Session.

References

  1. Spring Session – Spring Session
  2. Spring Session with JDBC – Spring Session with JDBC

 

Json Web Token (JWT) – Introduction

If you have worked in OAuth or OpenID or authorization part of security, you must have across a term called JSON Web Token – JWT (Pronounced as JOT).

In this post, I will explain its components and a few tips and tricks. In previous securing spring boot rest api post, I showed how to use JWT to secure a REST API.

JSON Web Token (JWT) is a JSON object defined in a way where participating parties agree with a certain norm. This object contains information that can identify a user or a participating party.

JWT is encrypted and signed, so it is used securely. Even if a third party gets access to JWT, that party will ever be able to decrypt it if it has a public key with which it was signed. Also usually JWT is valid for a limited time, so a hacker will not be able to use JWT if it has expired and the hacker was able to decrypt JWT.

There are a few use cases when you can use JWT.

  1. Single Sign-On – In some authorization scenarios, JWT is used to encrypt user information in a token for authentication purposes.
  2. JWT offers a lot of security, so it helps to exchange information between parties secretly.

 

Components

JSON Web Token consists of three parts – header, payload, and signature. Once you create a JWT using these three parts, you compact that JWT. So every JWT is in a compact form.

hhhhhh.pppppppp.ssssss

Header of JSON Web Token

Every Json Web Token contains header, payload and signature part. In header part, you will have two important elements – algorithm type as alg and key id as kid , but instead of these two elements, it can also contain alg and type to indicate what type of the token this is.

{
   "alg":"HS256",
   "kid": "NHAS42KWE49825JADTWWQRWR"
}

Payload

The payload is the part that contains actual data in JWT. Basically this data is in the form of claims. Claims are identifying information about the user or entity. But other than user information (sub), it also contains some important information at what time the token was issued – iat, who is the issuer – iss, what is the expiration time exp , what is the not before used time nbf .

Example of JWT payload will look like below:

{
  "sub": "betterjavacode\\userabc",
  "created": 1571755568798,
  "iss": "betterjavacode.com",
  "client_id": "randomclient",
  "nbf": 1571755569,
  "scope": "[Email]",
  "exp": 1571759169,
  "expires_in": "3600",
  "iat": 1571755569,
  "jti": "qqwrwe-wewewt-34343re-343gtrtr-323222"
}

Signature

Signature to sign JWT is created by Base64 URL encoding of header + Base64 URL encoding of body and a secret key and all this will be signed by using a signature algorithm of server choice, for this example it is HMACSHA256. The server which is creating JWT, will not share a secret key with anyone and will have its own policies to create that secret key. It can make the public key available to requested clients.

When to use JWT?

The usual use case for JWT is for authentication purposes since it can contain user data. Tokens are valid for a short duration, so they can’t be compromised. When the user accesses a protected resource, the user agent sends JWT in authorization header using Bearer schema. As a precaution, a token should not contain any secret information. In that case, even if a JWT is stolen, nobody can use JWT data for any other purposes.

JWT is a more compact version of token which was usually exchanged through Security Assertion Markup Language (SAML).

Conclusion

In this post, we discussed the details of JWT and when to use it.

References

  1. Specification of JSON Web Token – Specifications
  2. JSON Web Token – Open Id Specifications