In this article, we’ll have a look at customizing the Security Configuration and when to use HttpSecurity vs WebSecurity configurations.

Spring Boot has become the de facto standard for developing production-ready Java microservices. At some point we need to add security to our microservices, and with Spring Boot you do that with the help of the Spring Security library.

At a high level, Spring Boot Security is a set of servlet filters that help you customize authentication and authorization for your microservices.

Spring Boot Security Auto-Configuration

In order to add security to our Spring Boot application, add the security starter dependency; with Gradle we can…


In this article, we’ll have a look at how to disable Security in a Spring Boot application and how to customize the Security Configuration. For a better understanding, we first need to learn how Security is auto-configured in a Spring Boot application.

Spring Boot Security Auto-Configuration

In order to add security to our Spring Boot application, we need to add the security starter dependency; with Gradle we can do that by adding

implementation("org.springframework.boot:spring-boot-starter-security")

You can find more on this in the Spring documentation.

Once starter-security is on the classpath, it will include the SecurityAutoConfiguration class containing the default security configuration. …


API Testing is recognised as being more suitable for test automation and continuous testing than GUI testing [wiki], and OAuth2/OpenID Connect are fundamental for securing APIs. So there is always a need to write test automation for APIs which are secured.

Testing of OAuth2/OpenID protected RESTful APIs involves getting an access token, then using the token to call API resources, and finally determining whether the APIs return the correct response.

Testing secured APIs using Postman is pretty easy: it can be done by selecting the Authorization type OAuth 2.0 and getting the Access token after providing the required information (including the proper Grant Type) as shown below…


Robot Framework is a language-agnostic open-source test automation framework for test automation and robotic process automation (RPA).
It is operating system and application independent. Several standard libraries are bundled with the framework, and there are separately developed external libraries galore that can be installed based on your needs. Libraries provide the actual automation and testing capabilities to the framework by providing keywords. Test cases are written using a keyword-driven testing methodology in a tabular format. You can get more information about it here.

Why Robot Framework?

You might be thinking there are already quite a number of REST API testing frameworks like Postman, SoapUI, JMeter, Rest-Assured and…


There’s always been discussion about whether we should expose JPA entities in RESTful APIs, or define Data Transfer Objects (DTOs) and map entity classes to the DTOs. We will discuss the pros and cons of exposing JPA entities as REST API resources.

We will see how to generate REST API DTOs from an OpenAPI Specification using the openapi-generator tools, and also how to greatly simplify mapping between JPA entities and DTOs using the MapStruct code generator.

Why it is tempting to expose entities as REST API resources

  1. Most of the time entities look the same as the RESTful DTOs; exposing JPA entities directly reduces code, since controllers, services, and repositories all deal with the same classes.
  2. Reduce code and…


Strategy Design Pattern

The Strategy design pattern is a behavioral design pattern that enables selecting an algorithm at run-time.

The intent of the Strategy design pattern is to:
“Define a family of algorithms, encapsulate each one, and make them interchangeable. Strategy lets the algorithm vary independently from clients that use it.” [GoF]

UML class and sequence diagram from wiki

From wiki page https://en.wikipedia.org/wiki/Strategy_pattern

There are quite a number of articles explaining the Strategy design pattern and
how to implement it in various languages. The intent of this article is to
learn how to implement the Strategy pattern in a Spring Boot application.

Spring Boot

Spring Boot has become the de facto standard for Java microservice development. …


Spring Boot Actuator provides a number of features to monitor and manage your applications. Actuator includes a number of built-in endpoints to monitor, gather metrics from, and control your application. You can use HTTP endpoints to interact with it. For example, the health endpoint provides basic application health information.

In this article, we’ll look into how to extend the httptrace endpoint for capturing request content, the authenticated user, their roles, and tracing of the REST calls. In this article, our application is protected by Keycloak.

Keycloak and Spring Boot

Keycloak is an open-source Identity and Access Management (IAM) solution aimed at modern applications and services. Keycloak provides out-of-the-box…


Keycloak is an open-source Identity and Access Management (IAM) solution aimed at modern applications and services. Keycloak provides out-of-the-box authentication and authorization services as well as advanced features like User Federation, Identity Brokering, and Social Login.

We are going to see how Keycloak gives us control over transferring custom attributes to the applications that receive ID Tokens and Access Tokens. Keycloak gives us a lot of control over what exactly goes back to the client. To demonstrate this, we will configure a custom attribute for a user and map that attribute to the Access Token using Mappers.

Spring Boot and Keycloak

Keycloak Client Adapters make it really…


Keycloak is an open-source Identity and Access Management (IAM) solution aimed at modern applications and services. Keycloak provides out-of-the-box authentication and authorization services as well as advanced features like User Federation, Identity Brokering, and Social Login.

Keycloak provides fine-grained authorization services as well. This allows you to manage permissions for all your services from the Keycloak admin console and gives you the power to define exactly the policies you need.

We are going to see how to use Keycloak Authorization services to protect REST APIs by using a set of permissions and policies defined in Keycloak. …

Ravinder Thirumala

Java enthusiast and open source contributor
