Secure Coding in Spring Boot: Real-World Coding Guide

• Introduction to OAuth and JWT

• How OAuth and JWT works

• How JWT are signed and verified

• What is an Identity Provider

• OAuth VS OAuth 2.0

• What is an OpenID Connect

• OIDC VS OAuth

• Identity Provider & User Management

• Introduction of Auth0

• Configuration plan overview

• Live demo

  • Create an Auth0 account and tenant

  • Register a new application

  • Configure the application settings

  • Grant Types

  • Open ID Connect settings

  • Configure test users

  • Configure API permissions

• Setting up a Spring Boot project

• Adding OAuth2 dependencies

• Spring Boot Starters

  • spring-boot-starter-oauth2-client

  • spring-boot-starter-oauth2-resource-server

• Demo of OpenID connect client flow

• Logout from the app and identity provider

• Demo of machine to machine flow

• Configuration of the OAuth server

• Spring Boot configurations and properties

• Testing of Spring Boot Endpoints, OAuth/OpenID Connect, and Configuration

• spring-boot-starter-test

• How to test a @Controller

• @SpringBootTest

• @AutoConfigureMockMvc

• MockMvc

• Naming conventions, coding style recommendations

• PropertyOverrideInitializer and ApplicationContextInitializer

• @WebMvcTest

• @MockitoBean

• RestTemplateBuilder

• @LocalServerPort

• SpringBootTest.WebEnvironment.RANDOM_PORT

• TestRestTemplate

• Integration test with Spring Boot

• @DynamicPropertySource

• Understanding Brute-Force Attacks

• What Is a Denial of Service (DoS) Attack

• Why Spring Security Doesn’t Protect Against DoS and Brute-Force by Default

• Understanding Rate Limiting and Its Real-World Applications

• Approaches to Rate Limiting: Strategies and Algorithms

• Overview of Popular Java Libraries for Rate Limiting

• Demo: real-life code examples

• Best Practices for Rate Limiting: Protecting Against DDoS and Brute Force Attacks

• What is Resilience and Why It Matters

• Real-Life Failures & Why Resilience Is Needed

• Introduce Common Resilience Patterns

• Circuit Breaker Pattern Explained

• Introducing Resilience4j: Practical Fault Tolerance for Modern Java

• Practical Demo - Code Examples

• Configure Resilience4j Library in Sprig Boot project

• Circuit Breaker Pattern - Implementation & Demo

• What the Retry pattern is and why it’s important in resilient systems

• Common scenarios where retries are useful, especially in distributed applications

• A clear explanation of the Retry mechanism, using real-life analogies

• Smart Retry Strategies: Backoff, Limits, and Exception Filtering

• Live code walkthrough and demo of the retry pattern in action

• RetryEventListener

• How to use Circuit Breaker together with Retry

• What is the Time Limiter Pattern and Why It Matters

• Real-World Scenarios Where Time Limits Prevent Failures

• Introduction to Resilience4j TimeLimiter Module

• Using CompletableFuture with TimeLimiter

• Live Code Demo and Testing the Time Limiter in Action

• Rate Limiting Recap: Why It Matters and What It Solves

• Why Use Resilience4j for Rate Limiting in Modern Applications

• Differences Between Bucket4j and Resilience4j: When and Why to Use Each

• How Token-Based Limiting Works in Resilience4j

• Live Demo: Rate Limiting in Action with Real API Endpoints

• Introduction to the Bulkhead Pattern: What It Is and Why It Matters

• Real-World Scenarios Where Bulkheads Prevent Cascading Failures

• Types of Bulkheads: Thread Pool vs. Semaphore Isolation

• How Resilience4j Implements Bulkhead Control

• Live Code Walkthrough and Demo

• Best Practices for Applying Bulkheads in Microservices

• Introduction to Microservice Architectural Patterns

• Overview of the following patterns: API Gateway, Service Discovery, Strangler Fig, Sidecar, Saga, CQRS, Event Sourcing, Backend for Frontend

• Overview of API Gateway Pattern: What, Why, and When to Use

• API Gateway: Key Advantages

• API Gateway: Common Limitations

• Typical Use Cases and Scenarios for API Gateway

• How API Gateway Enhances Security

• How API Gateway Enhances System Resilience

• Creating a Project with Spring Cloud Gateway

• Configuring Routing and Request Forwarding

• Code Examples: Live Demonstration

• What is Load Balancing: Definition and Purpose

• Why Load Balancers Matter in Distributed Systems

• When to Use a Load Balancer and Typical Scenarios

• Relationship Between Load Balancer and API Gateway

• Core Load Balancing Strategies Explained (Round Robin, Random, Least Connections, Weighted, Sticky Sessions, etc.)

• Pros and Cons of Each Strategy

• Overview of Spring Cloud LoadBalancer

• Health Checks and Resilience: Avoiding faulty instances, retries, circuit breakers

• Common Pitfalls and Anti-patterns: What to avoid when implementing load balancing

• Adding Spring Cloud LoadBalancer dependency in pom.xml

• Configuring LoadBalancer via application.properties

• Implementing different load balancing strategies

• Random load balancing strategy in action

• Creating and applying a custom load balancing strategy

• Enabling and demonstrating load balancing with health checks

• Introduction and overview

• Authentication

• Authorization

• Authentication VS Authorization

• Technologies that support Spring Security Integration

• Advantages

• Spring Security Features

• Spring Security Modules

• High level Spring Security Authentication & Authorization architecture

• First Spring Security Project

• Spring Security Dependencies

• Spring Security Configuration

• InMemoryUserDetailsManager bean

• PasswordEncoder bean

• SecurityFilterChain bean

• CSRF

• anonymous() VS permitAll()

• AuthenticationFailureHandler

• LogoutSuccessHandler

• Login with the custom login form in Spring Security

• Login with the default login form

• First Spring Security Project

• Spring Security Dependencies

• Spring Security Configuration

• InMemoryUserDetailsManager bean

• PasswordEncoder bean

• SecurityFilterChain bean

• CSRF

• anonymous() VS permitAll()

• AuthenticationFailureHandler

• LogoutSuccessHandler

• Login with the custom login form in Spring Security

• Login with the default login form

• Remember Me feature in Spring Security

• RememberMeConfigurer Overview

• Coding exercise with Remember Me

• Security at method level

• Spring Expression Language

• @PreAuthorize

• @PostAuthorize

• @Secured

• @EnableMethodSecurity

• Spring Security Architecture

• Authentication Filter

• Spring Security Context

• Authentication Manager

• Authentication Provider

• User Details Service

• Password Encoder

• Business need in implementing custom Authentication Provider

• Code examples of custom Authentication Provider

• Where start learning

• Spring Framework VS Spring Boot

• What is Spring Boot

• Features of Spring Boot

• Opinionated development approach

• When to use Spring Boot

• When not to use Spring Boot

• Advantages & Disadvantages

• Spring Initializr Web Tool

• Spring Boot project generation

• Spring Tools for Eclipse IDE

• Simple MVC controller in Spring Boot

• Practical exercise

• What are starters

• Why do we need starters

• Advantages of using starters

• List of spring boot starters

• Practical exercises

• How to add spring boot starter

• Web starter

• REST API Development in Spring Boot

• Test starter

• Data JPA Starter

• Configuration of H2 Database in Spring Boot

• Configuration of MySQL Database in Spring Boot

• Security starter

• Application properties: Overview

• Precedence order of properties

• Overriding properties

• Default Spring Boot properties

• List of Spring Boot properties

• Practical examples

• Changing the port number

• SSL/TLS configuration in Spring Boot

• Generation of self-signed certificate for TLS

• Changing of context path of the application

• Configuration of logging level

• @ConfigurationProperties annotation

• What is Spring Boot Actuator

• JMX Beans

• Features and benefits of Spring Boot Actuator

• Predefined endpoints

• Adding dependency for Spring Boot Starter Actuator

• How to expose all available endpoints

• How to exclude specific endpoints

• Change base path

• Fetch application metrics

• Best practices of working with Actuator

• Implement InMemoryTodoService: Create a simple in-memory storage using Map<Long, Todo>. Implement methods: create, findAll, findById, update, delete.

• Implement GET /todos: Add a controller method that returns the full list of todos as JSON.

• Implement GET /todos/{id}: Add a controller method that returns a todo by id, or 404 if not found.

• Implement PUT /todos/{id}: Add a controller method that updates an existing todo. Return 404 if not found.

• Implement POST /todos: Add a controller method that accepts JSON payload {title} and creates a new todo.

• Implement DELETE /todos/{id}: Add a controller method that deletes a todo by id. Return 204 on success, 404 if not found.

• Implement UserValidator: Add isValid(User) to enforce age >= 18 and a basic email regex; return true only when both checks pass.

• Implement readUsers: In UserJsonProcessor.readUsers(Path input), parse a JSON array into List<User> using Jackson; throw an IOException if the file is missing.

• Implement splitValidInvalid: In UserJsonProcessor.splitValidInvalid(List<User>), partition users into valid and invalid lists using UserValidator; return a ValidationSplit(valid, invalid).

• Implement writeUsers: In UserJsonProcessor.writeUsers(List<User>, Path output), ensure the parent directory exists and write the list as a JSON array (pretty-printed).

• Wire the pipeline (optional run): In Application.main, read src/test/resources/users.json, split valid/invalid, and write outputs to data/valid.json and data/errors.json; print a short summary.

• Make the tests pass: Run UserJsonProcessorTest; ensure counts match (valid=2, invalid=2 for the sample), files are created and non-empty, and edge cases (blank/null email, age < 18) are handled.

• Implement PasswordHasher: Add SHA-256 hashing that returns a hex string; never store raw passwords.

• Implement InMemoryUserStore: Use Map<Long,User> and Map<String,User> to store users; implement findByEmail and saveNew with auto-incremented IDs.

• Implement InMemoryTokenStore: Issue random UUID tokens, map token → userId, implement resolveUserId and revoke.

• Implement POST /register: Accept {email, password, displayName}; create user with hashed password; on success return 201 Created with Location: /users/{id} and safe user JSON; if email exists return 409 Conflict.

• Implement POST /login: Accept {email, password}; on valid credentials return 200 OK with {"token":"..."}; on failure return 401 Unauthorized.

• Implement GET /profile: Require header Authorization: Bearer <token>; return 200 OK with safe user JSON; if token missing/invalid return 401 Unauthorized.

• Implement POST /logout: Accept bearer token; revoke it and return 204 No Content (idempotent).

In this lab, you will design and implement a simple relational database for managing users and their orders.

You’ll start by creating the core tables, establish one-to-many relationships, and then write SQL queries to explore and analyze the data.

By the end of this lab, you’ll have practiced key relational database concepts: primary keys, foreign keys, joins, filtering, and aggregate functions.

This lab simulates a real-world business scenario where each user can have multiple orders, and we need to analyze their purchase activity efficiently.

• Create Database and Tables

  • Create a new database named user_orders_lab.

  • Create users and orders tables with proper primary and foreign keys.

• Insert Initial Data

  • Populate both tables with at least 3–4 users and 5–6 orders.

  • Ensure that at least one user has multiple orders.

• Display and Inspect Data

  • Run SELECT * queries to verify that data has been inserted correctly.

• Join Data Across Tables

  • Write a JOIN query to display each order along with the corresponding user name.

• Aggregation Analysis

  • Calculate total spending per user using SUM and GROUP BY.

  • Order the results by total amount descending.

• Advanced Querying

  • Find users with more than one order (HAVING COUNT > 1).

  • Identify the most expensive order using a subquery.

In this lab, you will analyze a dataset of users and their orders to uncover meaningful business insights using SQL aggregate functions and subqueries.

You’ll calculate totals, averages, and counts, identify top customers, and use nested SELECT statements to compare individual data points to group-wide metrics.

By the end of this lab, you’ll be confident in using COUNT, SUM, AVG, MIN, MAX, GROUP BY, HAVING, and subqueries — all essential tools for data-driven decision-making in real-world projects.

• Explore the Dataset: Display all records from both tables using SELECT *.

• Basic Aggregations: Use COUNT, AVG, MIN, MAX to get overall order statistics.

• User-Level Analysis: Calculate total and average spending per user using GROUP BY.

• Country-Level Report: Group by country to see total orders and revenue per region.

• Filtering with HAVING: Show only users whose total spending is above 500.

• Subqueries for Comparison: Find users whose average order value is greater than the overall average order value.

• Nested Subqueries: Find the largest order per country using a correlated subquery.

In this lab, you’ll work with a company database that includes employees, departments, and salaries.

You will learn how to filter and sort records using various SQL clauses (WHERE, LIKE, BETWEEN, IN, ORDER BY, LIMIT) and explore different types of joins (INNER, LEFT, RIGHT, CROSS) to connect related tables.

By the end of this lab, you’ll know how to query complex datasets effectively, extract relevant information, and analyze relationships between employees and their departments.

These are real-world skills used daily by data analysts, engineers, and backend developers working with relational databases.

• Filter by Salary and Hire Date: Display employees earning more than 80,000 who were hired before 2021.

• Pattern Matching with LIKE: Find employees whose last name starts with “W” or whose position contains the word “Engineer”.

• Filtering with IN and BETWEEN: Show employees from Engineering or Finance earning between 75,000 and 125,000.

• Sorting and Limiting Results: List the top 3 highest-paid employees.

• INNER JOIN Practice: Display all employees with their department names using INNER JOIN.

• LEFT and RIGHT JOIN Comparison: Compare LEFT JOIN and RIGHT JOIN results — notice the difference in unmatched records.

• CROSS JOIN Exploration: Generate all combinations of employees and departments, limited to 10 rows for readability.