The final OAuth secured Java API code sample:
- The API has a fictional business area of investments, but simply returns hard coded data
- The API takes finer control over OAuth and claims to enable the best security with good manageability
- The API uses structured logging and log aggregation, for the best supportability
The API can run as part of an OAuth end-to-end setup, to serve my blog's UI code samples.
Running the API in this manner forces it to be consumer focused for its clients:
The API's clients are UIs, which get user level access tokens by running an OpenID Connect code flow.
For productive test driven development, the API instead mocks the Authorization Server:
A basic load test uses CompletableFutures to fire 5 parallel requests at a time at the API.
This checks for concurrency problems, and error rehearsal is used to ensure useful error responses:
API logs can be analysed in a use case based manner by running Elasticsearch SQL and Lucene queries.
Follow the Technical Support Queries for some people friendly examples:
- Ensure that a Java 21+ SDK is installed
- Integration tests run Wiremock in Docker, so ensure that Docker is installed
Then run the API in isolation with this command:

```bash
./start.sh
```
Configure DNS by adding these domains to your hosts file:

```text
127.0.0.1 localhost api.authsamples-dev.com login.authsamples-dev.com
```
Then call an endpoint over port 446:

```bash
curl -k https://api.authsamples-dev.com:446/investments/companies
```
Then configure SSL trust by running this command:

```bash
sudo "$JAVA_HOME/bin/keytool" -import -alias authsamples.ca -cacerts -file ./certs/authsamples-dev.ca.pem -storepass changeit -noprompt
```
Clean up after testing with this command:

```bash
sudo "$JAVA_HOME/bin/keytool" -delete -alias authsamples.ca -cacerts -storepass changeit -noprompt
```
Stop the API, then re-run it with a test configuration:

```bash
./testsetup.sh
```
Then run integration tests and a load test:

```bash
./gradlew test
./gradlew loadtest
```
- See the API Journey - Server Side for further information on the API behaviour
- See the Overview Page for further details on running the API
- See the OAuth Integration Page for the security implementation
- Java 21 and Spring Boot 3 are used to implement the REST API
- The Tomcat web server hosts the API over SSL
- AWS Cognito is used as the default Authorization Server
- The jose4j library is used to manage in memory validation of JWTs
- The project includes API deployment resources for Docker and Kubernetes
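As an added example (not the sample project's own code) of the in-memory JWT validation and claims handling described above, the class below uses jose4j to verify an access token against the authorization server's JWKS and then enforces the scope an endpoint requires. The issuer, JWKS URL and audience values are placeholders for a Cognito user pool, and `AccessTokenValidator` is a name chosen here.

```java
import java.util.List;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

// Added example, not the sample project's own code: in-memory access token validation with jose4j
public class AccessTokenValidator {
    // Placeholder values (assumptions): the user pool's issuer and JWKS endpoint, and the API's audience
    private static final String ISSUER = "https://cognito-idp.<region>.amazonaws.com/<pool-id>";
    private static final String JWKS_URL = ISSUER + "/.well-known/jwks.json";
    private static final String AUDIENCE = "<expected-audience>";
    private final JwtConsumer consumer;

    public AccessTokenValidator() {
        // HttpsJwks caches downloaded keys and re-fetches on an unknown key id, so checks run in memory
        var keyResolver = new HttpsJwksVerificationKeyResolver(new HttpsJwks(JWKS_URL));
        this.consumer = new JwtConsumerBuilder()
            .setVerificationKeyResolver(keyResolver)
            // Permit only RS256, so a token cannot switch to a symmetric or "none" algorithm
            .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256))
            .setExpectedIssuer(ISSUER)
            // If access tokens carry no aud claim, use setSkipDefaultAudienceValidation() and check another claim
            .setExpectedAudience(AUDIENCE)
            .setRequireExpirationTime()
            .setRequireSubject()
            .setAllowedClockSkewInSeconds(30)
            .build();
    }

    // Returns the verified claims, or throws when the token or its scope is not acceptable
    public JwtClaims validate(String accessToken, String requiredScope)
            throws InvalidJwtException, MalformedClaimException {
        JwtClaims claims = consumer.processToClaims(accessToken);
        // The scope claim is a space separated string; require the scope for this endpoint
        String scope = claims.getStringClaimValue("scope");
        List<String> scopes = (scope == null) ? List.of() : List.of(scope.split(" "));
        if (!scopes.contains(requiredScope)) {
            throw new SecurityException("Access token lacks required scope: " + requiredScope);
        }
        return claims;
    }
}
```

The signature, issuer, expiry and algorithm checks are all done by the `JwtConsumer` before any claim is read, so an endpoint only ever sees claims from a token that has already been verified.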