Tag Archives: Spring-boot

Design of REST API for web application

One reason I like to build an application in public is that it keeps me accountable. I can’t run away. If I don’t finish something, it’s ok. At least, I will have something done to show to people. Building in public is not a new idea, a lot of people have used it. In this post, I discuss the design of REST API for Social KPI.

In the previous post here, we discussed the architecture of the application we are building.  This will be an ongoing process as we continue to build our application and evolve.

We will follow the following tips to design REST APIs

  1. We will use Resource to represent object for REST APIs
  2. API endpoint will represent a resource object in the plural. Example – companies, users
  3. We will use HTTP status codes for success or failure of the request
  4. We will use JSON object to represent a response
  5. And we will use versioning to represent a version of APIs

As discussed in the previous post application idea, we will have APIs for companies, users of those companies, customers, clicks, engagements data. While concluding this short post, I want to say that the next post will include database design as well as URL design for REST APIs.

We will be using Spring Boot to build REST API.

In conclusion, I discussed the design of the REST API for the web application Social KPI. If you want to follow the progress, subscribe here.

Architecture of the web application

In my last post design, I discussed the idea that we are going to work on building a web application. I detailed the user flow, but I missed out on some points about security and session management. I will add the details of architecture of social KPI web application.

Name of the application

Before we discuss the application, we still haven’t decided on the name for the application. This web application will indicate the performance of a small business in social media. Basically, this is a free tool for marketing and depending on how small businesses use social media, they will be able to build a campaign for their business. If small businesses are not using social media, they are already at a disadvantage. This is just a pie in the big social world. That brings me to the purpose of the application to provide social key performance indicators (social KPIs) to businesses. So the name of the application will be SocialPie.

Security and Session Management

We will use Spring Boot. We will be using spring security elements to build authentication and authorization aspect of the application. I will definitely include the details of this component when we will start working on building the application. In a previous post spring security, I have discussed how to use spring security for authentication.

For managing a session, we will be using spring provided service based on Redis. We will also be using caching considering we will be connecting to Facebook, Twitter, and Instagram APIs, so we can keep the data in cache for pre-decided time. This will be beneficial from a performance perspective. We will be using Redis caching with our own cache manager to handle caching.

I will try to include all these elements in the architecture diagram that we will be building in this post.

Architecture

Architecture of web application Social KPI

 

Conclusion

In this post, we created an architecture for our web application Social KPI. In the next post, I will detail another user flow with some class diagrams and explain each service in detail. The application will be based on microservice architecture.

 

Design and discussion of an idea for Saas Application

In this post of building an application, we discussed what is a saas application and how it can be designed and built. There are possibly a few ideas that I had in my mind or that I came across on the internet. So, I will discuss an idea for the saas application here.

One of the ideas that I have chosen, is to build a web application for small businesses so they can monitor their social media progress. A report that can give details about how the business is performing. From the outside, the whole idea seems very simple – build a report. But there are a lot of complexities involved here if we will be connecting to multiple social media.

We will be discussing the design of this idea and see if we can make progress to build a final design.

Discussion of the idea for the saas application –

  1. A small business can subscribe to this application on two models. One model will be free and others will be paid.
  2. The free model will offer a basic report about the business’ performance in social media.
  3. The paid model will offer a detailed report along with an action plan to improve marketing ratings.
  4. Part of this architecture and development, first we will build a free model only. Depending on how long it is going to take me to build the entire product, we will plan the paid model.
  5. We will use Twitter, Instagram, and Facebook as the three main social media to connect to. All these three social services offer their APIs for developers.

A User flow

  1. If a small business is looking for a marketing tool as part of its social media strategy, they can subscribe to the application that I will be building herewith.
  2. A sign-up page. A user coming across this web application will have to sign up for an account to use the tool.
  3. Sign up will be unique for a business. At least for an alpha version of this tool, only a single user from a business can sign up/login. Maybe next versions or paid versions will give more flexibility to sign up or log in for multiple users from the same business.
    1. A sign-up page will ask for a business name, person’s name, contact number, email address.
    2. A person who is signing up will receive an email for confirmation with login details.
    3. Alpha version will have basic security to login and logout.
  4. Once the business has signed up, that person will access the web application to login.
  5. Alpha version will not deal with security policies at least.
  6. A user once logged into the application will see a dashboard to access the reports.
  7. There will be three reports available for the free subscription model and all three reports will give details about how a business is performing on social media. These three reports will correspond to Facebook, Twitter, and Instagram.
  8. There will be a logout button available for the user to logout. Logout will clear all the session cookies.
  9. Each report will fetch the live data from the respective social media services. Depending on the restrictions for APIs provided by Facebook, Twitter, and Instagram, fetching of new data will be developed.
  10. The report will also show a graphical representation of performance.

How will this help?

What’s the value of this application for small businesses? Of course, this is the basic question. I had to think about the answer if I had to design this application. That is going to be a unique selling point (USP) of this app.

  1. The tool will provide fact-based data about how the business is doing.
  2. It will provide strategies to improve social media presence.
  3. In turn, this will give an idea to small businesses to market themselves and improve customer satisfaction.

Technology Stack

we will be using Java, Spring Boot, MySQL, Github, and AngularJS.

References

The idea for this saas application was borrowed from here.

 

How to use Spring Security in web application – Part VIII

In this post, we will show how to use Spring Boot Security to login, authorization based on user role, log out, and error handling.

We will be discussing the following use case

  1. A user accesses a home page for an application.
  2. A user enters credentials
  3. If correct credentials, we create a session and verifies the user role. User with USER role sees the user profile page. User with ADMIN role sees the list of users page.
  4. Incorrect credentials, the user will see the login screen once again to enter credentials.
  5. A user clicks on logout, the session is deleted and the user is redirected to the login page.
  6. If a user (of any role) tries to login after logout, the user should be redirected to the appropriate page
  7. In a scenario where a user is neither USER nor ADMIN, he is redirected to the error page
  8. Handling of CSRF token

To completely understand this post, make sure you have gone through my other posts on the Spring Boot series.

  1. Spring Boot REST CRUD API
  2. Swagger Documentation
  3. User Interface using AngularJS

 

Database changes

Since this post involves authorization for users, we have to do some database changes. We will add a couple of tables and respective model classes in our REST API modification.

  • Table role
  • Table user_role

create table role (id int(11) auto_increment primary key not null, role varchar(255) )

create table user_role (user_id int(11) primary key not null, role_id int(11) primary key not null))

user_role the table helps to maintain a many-to-many relationship between the user and role table. We will have only two roles for demo purposes, USER and ADMIN.

Another change we have done in table user is that we have added a field called password_hash to store password set by user/administrator for a user to login. We will be storing a hash password value of the original password that the user will set.

Dependencies

Since we will be using Spring-security for authentication and authorization purposes, we will add the dependency for spring security as follows:

<dependency>   

<groupId>org.springframework.boot</groupId>   

<artifactId>spring-boot-starter-security</artifactId>

</dependency>

Controllers and Web Layer

Other than those changes mentioned, we will demonstrate this post in top-down fashion rather than bottom-up fashion.

So for the web layer, we will define a new controller LoginController and modify our existing MainController.

package com.betterjavacode.benefits.controller;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

import com.betterjavacode.benefits.entities.User;
import com.betterjavacode.benefits.interfaces.UserManager;

/**
*
* @author Yogesh Mali
*
*/
@Controller
public class LoginController {

public static final Logger LOGGER = LogManager.getLogger(LoginController.class);

@Autowired
UserManager userManager;

/**
*
* @param model
* @return
*/
@RequestMapping(value = "/user", method = RequestMethod.GET)
public String userpage(Model model) 
{
  LOGGER.info(" Enter >> userpage() ");
  Authentication auth = SecurityContextHolder.getContext().getAuthentication();
  String name = auth.getName();
  User user = userManager.findUserByEmail(name);
  model.addAttribute("name", user.getFirstname());
  model.addAttribute("userid", user.getId());
  LOGGER.info(" Exit << userpage() ");
  return "user";
}

/**
*
* @return
*/
@RequestMapping(value = { "/login" })
public String login() {
  return "login";
}

/**
*
* @return
*/
@RequestMapping(value = "/403", method = RequestMethod.GET)
public String Error403() {
  return "403";
}
}

As shown in this controller, we have defined a user page, a login page, and an error page (403). A user with the role of either USER or ADMIN or both can access a user page which shows that logged in user’s profile.

Every user irrespective of roles will see the login page for authentication. If there are any errors during authentication or authorization, the user will see an error page displaying access denied page (403).

Source code for login page is as below:

<!DOCTYPE html><!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="http://www.thymeleaf.org">
<head> <title>Benefits Application</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" /> <link rel="stylesheet" type="text/css" th:href="@{/css/login.css}" />  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script></head>
<body>
<div class="container"> <form th:action="@{/login}" method="POST" class="form-signin">
<h3 class="form-signin-heading" th:text="Welcome"></h3>
<input type="text" id="email" name="username"  th:placeholder="Email" class="form-control" style="width:350px"/>
<input type="password"  th:placeholder="Password" id="password" name="password" class="form-control" style="width:350px"/>
<div align="center" th:if="${param.error}">
<p style="font-size: 20; color: #FF1C19;">Email or Password invalid, please verify</p>

</div>
<button class="btn btn-lg btn-primary btn-block" name="Submit" value="Login" type="Submit" th:text="Login" style="width:350px"></button> </form></div>
</body></html>

This login page shows a simple form to input username (email) and password and process that authentication using spring-security database authentication method.

@RequestMapping(value = "/home", method = RequestMethod.GET)
public String homepage(Model model) 
{
  LOGGER.info(" Enter >> homepage() ");
  Authentication auth = SecurityContextHolder.getContext().getAuthentication();
  String name = auth.getName();
  User user = userManager.findUserByEmail(name);
  model.addAttribute("name", user.getFirstname());
  LOGGER.info(" Exit << homepage() ");
  return "index";
}

Changes in MainController are about an authenticated user and passing that user’s first name to model to display in HTML page. UserManager in the service layer has been enhanced to return a user based on username (which is email). We have also added an email to be unique as a constraint in the database.

User page for a user with role USER is nothing but a user profile information that he can edit and update any time.

<html ng-app="benefitApp"><html ng-app="benefitApp"><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Benefit Application</title><script>document.write('<base href="' + document.location + '" />');</script> <link rel="stylesheet" href="/css/bootstrap.css" /><script src="https://code.angularjs.org/1.6.1/angular.js"></script><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular-route.js"></script><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.6.1/angular-resource.js"></script><script type="text/javascript" src="./js/app.js"></script></head><body ng-controller="UserCtrl">Hello
<p th:text="${name}"></p>

<div>
<ul class="menu">
<li><a th:href="@{'userProfile/' + ${userid}}">Profile</a></li>
</ul>
<div ng-view="ng-view"></div>
</div>
<div class="input-group">
<div class="controls">    <a ng-click="logout()" class="btn btn-small">Logout</a></div>
</div>
</body></html>

Authentication

Now we have the application ready with all the required backend details for adding the authentication part. Remember we are using spring-security for authentication and authorization of an application.

package com.betterjavacode.benefits;

import javax.sql.DataSource;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@ComponentScan("com.betterjavacode.benefits.services")
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

public static final Logger LOGGER = LogManager.getLogger(SecurityConfig.class);

@Autowired
private SimpleAuthenticationSuccessHandler loginSuccess;

@Autowired
private LogoutSuccess logoutSuccess;

@Autowired
private BCryptPasswordEncoder bCryptPasswordEncoder;

@Autowired
private DataSource dataSource;

@Value("${spring.queries.users-query}")
private String usersQuery;

@Value("${spring.queries.roles-query}")
private String rolesQuery;

@Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
LOGGER.info(" Enter >> configureGlobal() ");
auth.jdbcAuthentication()
.usersByUsernameQuery("select email,password_hash,enabled from user where email=?")
.authoritiesByUsernameQuery("select u.email,r.role from user u inner join user_role ur on(u.id=ur.user_id) inner join role r on(r.id=ur.role_id) where u.email=?")
.dataSource(dataSource)
.passwordEncoder(bCryptPasswordEncoder);
LOGGER.info(" Exit << configureGlobal() ");
}

/**
* Handle Login - Authentication and Redirection
*/
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.disable()
.authorizeRequests()
.antMatchers("/home")
.hasAuthority("ADMIN")
.antMatchers("/user")
.hasAnyAuthority("USER", "ADMIN")
.and()
.formLogin()
.loginPage("/login")
.successHandler(loginSuccess)
.permitAll()
.and()
.logout()
.logoutSuccessHandler(logoutSuccess)
.deleteCookies("JSESSIONID")
.invalidateHttpSession(false)
.permitAll()
.and()
.exceptionHandling()
.accessDeniedPage("/403");

}

/**
* Exclude resources from user-access
*/
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/resources/**", "/static/**", "/css/**", "/js/**", "/images/**");
}
}

What’s happening in this code?

  • When a user with role ADMIN or USER calls either /home or /user pages respectively, the user will need to log in.
  • Once the user inputs credentials, validation of credentials happens against the JDBC database authentication mechanism provided by spring-security.
  • If a user of the role USER tries to access the ADMIN home page, the user sees an error 403 page. Authentication Success Handler handles the redirection strategy.
  • If the user clicks the LOGOUT button on the page he is on, the session gets deleted and the user logs out of the application. The user will see the login page. All the cookies will be deleted. Logout Success Handler handles the redirection.

 

Changes in AngularJS User Interface Controller

As shown in user.html page, once the user with role USER is logged in, he sees URL for his profile information. If a user clicks this URL, the user sees his or her profile information. This page has a controller called UserCtrl which basically handles the logout on this initial page. User Profile is shown on userprofile.html page which has singleusercontroller. This angular js controller handles updating user profile information or logout. The github repository contains the rest of the code.

Handling CSRF Token

There are two ways we can handle Cross-Site Request Forgery token in the Spring application. The first way is by disabling this token generation. This is not a recommended approach as this put your application to possible CSRF security attacks for hackers. If you are just doing this for demo purposes, you can disable this in SecurityConfig.java by calling http.csrf().disable().

As Spring points out, a request coming through browsers should contain CSRF Protection.

We will be using spring security to handle CSRF token on the server-side rather than on the client-side.  So every request that comes to the server, we will add a CSRF token and then verified. Angular JS verifies the cookie for the CSRF token before a user can post any request.

Add a CSRF Filter Class

We will add a filter that will handle setting of CSRF token in a cookie. Angular JS expects a cookie name to be as XSRF-TOKEN. This class will look like below:

public class CSRFHeaderFilter extends OncePerRequestFilter {

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException 
{
  CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
  if (csrf != null) 
  {
    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
    String token = csrf.getToken();
    if (cookie == null || token != null && !token.equals(cookie.getValue())) 
    {
      cookie = new Cookie("XSRF-TOKEN", token);
      cookie.setPath("/");
      response.addCookie(cookie);
    }
  }
  filterChain.doFilter(request, response);
}

}

Now we will enable csrf token in SecurityConfig as shown below

.and()
.csrf()
.csrfTokenRepository(csrfTokenRepository())
.and()
.addFilterAfter(new CSRFHeaderFilter(), CsrfFilter.class);

What is csrfTokenRepository?

We tell spring-security to expect CSRF token in the format that Angular wants to send it back , a header called X-XSRF-TOKEN instead of default X-CSRF-TOKEN. With these changes, we don’t have to do anything on client side.

private CsrfTokenRepository csrfTokenRepository() 
{
  HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
  repository.setHeaderName("X-XSRF-TOKEN");
  return repository;
}

Demo

In this post, we showed how to use spring security for authentication and authorization. Now we will show how to run the application. Once the application is built and run from eclipse, access the page https://localhost:8443/home , we will see below screen:

Using Spring Security in web application - login screenIt will be the same screen if you access https://localhost:8443/user. Now if we enter credentials of an admin user, we will see below screen:

Using Spring Security in web application - admin screen

User screen will be as below:

Using Spring Security - User Screen

If you click logout, it will log the user out and show login screen again. In this way, we showed how we can use spring security for authentication and authorization. Code for this is available at Github repository.

References

  1. Spring Boot Security
  2. Login Page Angular JS and Spring Security

 

Swagger Documentation for Spring Boot REST API – Part II

In this post, we will show how to add swagger documentation to Spring Boot rest API. We learned how to create a Spring Boot REST API. In Microservices’ world, these days documenting your API is a standard norm. Swagger provides a handy interface and a simple way to build these documentations that any client can test at any moment. They don’t need to have all the services in their environment.

What is Swagger?

Swagger was intended to provide a standard, language-agnostic interface to REST APIs which allow anyone to understand the capabilities of a service without any source code, documentation of source code. You can find more details about Swagger here.

How to add swagger documentation?

In our previous post, we added Spring boot REST API. We will add swagger to the same REST API.

  1. Add Maven dependencies

To start with, let’s add maven dependencies for swagger jars.

<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>2.6.1</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-ui</artifactId>
<version>2.6.1</version>
<scope>compile</scope>
</dependency>

2. Add Swagger bean in configuration

In our main starting Application class, we will add a few configurations for setting up a bean that will handle swagger. In the below code, I show what I have added in Application.java the file. Basically, we have created a new bean of the type Docket which takes care of the swagger configuration.

@EnableSwagger2
@SpringBootApplication(scanBasePackages = { "com.betterjavacode.benefits" })
public class Application {

public static void main(String[] args) {
 SpringApplication.run(Application.class, args);

}

@Bean
 public Docket benefitsApi() {
 return new Docket(DocumentationType.SWAGGER_2).groupName("Benefits")
 .apiInfo(apiInfo())
 .select()
 .apis(RequestHandlerSelectors.any())
 .paths(PathSelectors.any())
 .build()
 .pathMapping("/");

}

private ApiInfo apiInfo() {
 return new ApiInfoBuilder().title("Benefits REST Service")
 .description(" A simple REST service for Benefits software ")
 .contact(new Contact("Yogesh Mali", "https://betterjavacode.com/", ""))
 .version("1.0")
 .build();
 }
}

3. Show Swagger documentation

Now once we have added the configuration, we can build our project with maven clean install. After a successful build, run the project from eclipse as a Java application. We will access swagger documentation from URL http://localhost:8080/swagger-ui.html. This will look like below :

Swagger Spring Boot Microservice

Source code for this post is available at Spring-boot-rest-api-with-swagger.

Conclusion

In this post, I showed how you can add Swagger Documentation for your Spring Boot based REST API .