Spring Boot Oauth2 Security

This post is an enhancement for my previous post which talks about how to secure your REST API using Spring security oauth2.
In case if you missed it, here is the place to grab.

Spring boot is one of the new inventions from Spring framework that makes developers' lives easier when building large scale applications. Here is a good place to grab the concepts.

If you check my previous post related to oauth2 security then you know there is a bit of configuration that needs to be done in Spring side. But on the other hand Spring boot will do all the hard work and we just need to tell them what to do by a simple annotation.

So this post is about how to configure Spring boot project with Spring security and Oauth2. Actually we can't really say configure because all most all configurations are done by Spring boot itself.

Source code :

Step 1
For this project I'm using H2 in memory database. Because of that you don't need to create any database and tables as the creation happens at run time. But if you want this project to use MySQL as the data source then first create the database and then create the tables.

 CREATE TABLE user (  
  email VARCHAR(50),  
  password VARCHAR(500),  
  activationkey VARCHAR(50) DEFAULT NULL,  
  resetpasswordkey VARCHAR(50) DEFAULT NULL  
 CREATE TABLE authority (  
 CREATE TABLE user_authority (  
   username VARCHAR(50) NOT NULL,  
   authority VARCHAR(50) NOT NULL,  
   FOREIGN KEY (username) REFERENCES user (username),  
   FOREIGN KEY (authority) REFERENCES authority (name),  
   UNIQUE INDEX user_authority_idx_1 (username, authority)  
 CREATE TABLE oauth_access_token (  
  token_id VARCHAR(256) DEFAULT NULL,  
  token BLOB,  
  authentication_id VARCHAR(256) DEFAULT NULL,  
  user_name VARCHAR(256) DEFAULT NULL,  
  client_id VARCHAR(256) DEFAULT NULL,  
  authentication BLOB,  
  refresh_token VARCHAR(256) DEFAULT NULL  
 CREATE TABLE oauth_refresh_token (  
  token_id VARCHAR(256) DEFAULT NULL,  
  token BLOB,  
  authentication BLOB  

  • user table - system users
  • authority -  roles
  • user_authority - many to many table for user and role
  • oauth_access_token - to hold access_token
  • oauth_refresh_token - to hold refresh_token
Add some seed data.

 INSERT INTO user (username,email, password, activated) VALUES ('admin', '', 'b8f57d6d6ec0a60dfe2e20182d4615b12e321cad9e2979e0b9f81e0d6eda78ad9b6dcfe53e4e22d1', true);  
 INSERT INTO user (username,email, password, activated) VALUES ('user', '', 'd6dfa9ff45e03b161e7f680f35d90d5ef51d243c2a8285aa7e11247bc2c92acde0c2bb626b1fac74', true);  
 INSERT INTO user (username,email, password, activated) VALUES ('rajith', '', 'd6dfa9ff45e03b161e7f680f35d90d5ef51d243c2a8285aa7e11247bc2c92acde0c2bb626b1fac74', true);  
 INSERT INTO authority (name) VALUES ('ROLE_USER');  
 INSERT INTO authority (name) VALUES ('ROLE_ADMIN');  
 INSERT INTO user_authority (username,authority) VALUES ('rajith', 'ROLE_USER');  
 INSERT INTO user_authority (username,authority) VALUES ('user', 'ROLE_USER');  
 INSERT INTO user_authority (username,authority) VALUES ('admin', 'ROLE_USER');  
 INSERT INTO user_authority (username,authority) VALUES ('admin', 'ROLE_ADMIN');  

Step 2
Configure WebSecurityAdapter

 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {  
   private UserDetailsService userDetailsService;  
   public PasswordEncoder passwordEncoder() {  
     return new StandardPasswordEncoder();  
   public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {  
   public void configure(WebSecurity web) throws Exception {  
   public AuthenticationManager authenticationManagerBean() throws Exception {  
     return super.authenticationManagerBean();  
   @EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)  
   private static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration {  
     protected MethodSecurityExpressionHandler createExpressionHandler() {  
       return new OAuth2MethodSecurityExpressionHandler();  

Step 3
Configuration for Oauth2

 public class OAuth2Configuration {  
   protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {  
     private CustomAuthenticationEntryPoint customAuthenticationEntryPoint;  
     private CustomLogoutSuccessHandler customLogoutSuccessHandler;  
     public void configure(HttpSecurity http) throws Exception {  
           .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))  
   protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter implements EnvironmentAware {  
     private static final String ENV_OAUTH = "authentication.oauth.";  
     private static final String PROP_CLIENTID = "clientid";  
     private static final String PROP_SECRET = "secret";  
     private static final String PROP_TOKEN_VALIDITY_SECONDS = "tokenValidityInSeconds";  
     private RelaxedPropertyResolver propertyResolver;  
     private DataSource dataSource;  
     public TokenStore tokenStore() {  
       return new JdbcTokenStore(dataSource);  
     private AuthenticationManager authenticationManager;  
     public void configure(AuthorizationServerEndpointsConfigurer endpoints)  
         throws Exception {  
     public void configure(ClientDetailsServiceConfigurer clients) throws Exception {  
           .scopes("read", "write")  
           .authorizedGrantTypes("password", "refresh_token")  
           .accessTokenValiditySeconds(propertyResolver.getProperty(PROP_TOKEN_VALIDITY_SECONDS, Integer.class, 1800));  
     public void setEnvironment(Environment environment) {  
       this.propertyResolver = new RelaxedPropertyResolver(environment, ENV_OAUTH);  

This is it. Try running Spring boot application by
mvn spring-boot:run

Then check your oauth2 security by executing following curls. 

Debugging Application Performance With Perf4j

Performance is one of the main aspect that we all need to consider when implementing systems. Today's world of Service Oriented Architectures and distributed applications, detecting performance bottleneck is really a difficult task.

If someone asked "Why is my web app slow ?"  this requires investigation multiple components and execution paths, and it requires detailed performance data from all of the application components.

In order to get the performance data one of the most common practice is to get the execution time for given path. System.currentTime() is one approach to do this. But we need to have some custom mechanism to aggregate these results to analyze further.

Perf4j is an open source performance logging framework that specially design to solve the above scenario. Its a,

  • Simple stop watch mechanism to time statements.
  • Command line tool to generate aggregate statistics 
  • Can integrate with log4j
  • Provides @Profile annotation to use it with Aspects.
You can find more details explanation in here and here.

But here I will drive through with some detailed example to understand,
  • How to integrate perf4j with log4j
  • How to configure log4j.xml to use separate log file for performance results
  • Commands to aggregate performance log data
As usual you can find the sample code here.

First we will create a sample maven project and then create a class called PerformanceMonitor to hold the stop watch.
Add per4j and log4j dependencies to pom.xml
     <!-- Logging -->  
 public class PerformanceMonitor {  
   private static final ThreadLocal<StopWatch> WATCH = new ThreadLocal<StopWatch>() {  
     protected StopWatch initialValue() {  
       return new Log4JStopWatch(Logger.getLogger(""));  
   public static void start(String tag) {  
   public static void stop(String tag) {  

As you can clearly see I used this as a ThreadLocal instance because I'm expecting to run this application in multi-threaded environment.

Then configure log4j.xml
 <?xml version="1.0" encoding="UTF-8" ?>  
 <!DOCTYPE log4j:configuration SYSTEM  
 <log4j:configuration xmlns:log4j="">  
   <appender name="console" class="org.apache.log4j.ConsoleAppender">  
     <layout class="org.apache.log4j.PatternLayout">  
       <param name="ConversionPattern" value="%d{yyyy-MM-dd HH:mm:ss} %-5p %t %c{1}:%L - %m%n"/>  
   <appender name="trace" class="org.apache.log4j.DailyRollingFileAppender">  
     <param name="File" value="trace.log"/>  
     <param name="Threshold" value="debug"/>  
     <param name="DatePattern" value="'.'yyyy-MM-dd"/>  
     <layout class="org.apache.log4j.PatternLayout">  
       <param name="ConversionPattern" value="%d{yyyy-MM-dd HH:mm:ss} %-5p %t %c{1}:%L - %m%n"/>  
   <appender name="error" class="org.apache.log4j.DailyRollingFileAppender">  
     <param name="File" value="logs/vetstoria-oltp-error.log"/>  
     <param name="Threshold" value="error"/>  
     <param name="DatePattern" value="'.'yyyy-MM-dd"/>  
     <layout class="org.apache.log4j.PatternLayout">  
       <param name="ConversionPattern" value="%d{yyyy-MM-dd HH:mm:ss} %-5p %t %c{1}:%L - %m%n"/>  
   <appender name="statistics" class="org.apache.log4j.FileAppender">  
     <param name="File" value="perf.log"/>  
     <param name="Append" value="false"/>  
     <layout class="org.apache.log4j.PatternLayout">  
       <param name="ConversionPattern" value="%m%n"/>  
   <logger name="org.perf4j.TimingLogger">  
     <level value="info"/>  
     <appender-ref ref="statistics"/>  
   <logger name="com.rd">  
     <level value="debug"/>  
     <appender-ref ref="console"/>  
     <appender-ref ref="trace"/>  
     <appender-ref ref="error"/>  
   <logger name="instrument">  
     <level value="info"/>  
     <appender-ref ref="console"/>  
     <appender-ref ref="statistics"/>  

Check the "org.per4j.TimingLogger" and "instrument" loggers carefully.  You can see the relevant appender called "statistics"  that will redirect output to a file called perf.log is pretty straightforward.

 public class App {  
   private static final Logger LOGGER = Logger.getLogger(App.class);  
   public static void main(String[] args) throws InterruptedException {"Starting .....");  
     PerformanceMonitor.stop("METHOD2");"Completed. Please check the perf.log file for time logging");  
   private static void method1() throws InterruptedException {  
   private static void method2() throws InterruptedException {  

Then run the main method and this will create two log files in same hierarchy. All the performance related logs populate into a file called perf.log.

When you inspect the perf.log file you can see the following output.
 start[1444722158471] time[5000] tag[METHOD1]  
 start[1444722163472] time[2000] tag[METHOD2]  

To get aggregate results,

  1. Download per4j jar. (
  2. Run following command
 java -jar <perf4j.location>/perf4j-0.9.16.jar --timeslice 3000000000 --format csv perf.log -o output.csv  

Open up the output.csv and you can see the aggregated performance results.

Running Selenium Cucumber Tests in Jenkins

This article shows how to configure and run Selenium (+ Cucumber) Tests in Jenkins. Before we dive into more details we have to have Jenkins installed in a server. Here is a quick way to setup Jenkins in a linux server.

OK all done, lets go though with the steps,

Step 1
First you need to install google chrome. This is called as chrome in headless mode. Because you really can't see the chrome window when you are running tests in Jenkins.

 wget -qO - | sudo apt-key add -  
 sudo sh -c 'echo "deb stable main" >> /etc/apt/sources.list.d/google.list'  
 sudo apt-get update  
 sudo apt-get install google-chrome-stable  

Step 2
Then install xvfb. OK what is this xvfb ?
Based on Wikipedia,

Xvfb or X virtual framebuffer is a display server implementing the X11 display server protocol. In contrast to other display servers, Xvfb performs all graphical operations in memory without showing any screen output. From the point of view of the client, it acts exactly like any other X display server, serving requests and sending events and errors as appropriate. However, no output is shown. This virtual server does not require the computer it is running on to have a screen or any input device. Only a network layer is necessary.

 sudo apt-get install xvfb  

Then start xvfb
 Xvfb :1 -screen 5 1024x768x8 &  

Step 3
OK , server changes are done. Now its time to move into Jenkins configurations.

First Install this plugin, (Jenkins -> Manage Jenkins --> Manage Plugins)

Why do you we need this ?
This plugin allows Jenkins to show Selenium + cucumber results as a graph with screenshots.

So in order to generate graphs this plugin need the report.json file that generated from Selenium + cucumber.

 @Cucumber.Options(glue = {"classpath:com/rd/uat"}, strict = true, format = {  
     "pretty", "html:target/cukes", "json:target/cukes/report.json", "junit:target/cukes/junit.xml"})  
 public class RunCukes {  

Here is the plugin configuration in Jenkins.
Create Jenkins Job --> Then add this as "Post build Step"

Step 4
Add following environment variable to Jenkins. (Jenkins --> Manage Jenkins --> Configure System)


OK We just configure Jenkins to run selenium and Cucumber Tests.
Now run the Jenkins job and check the cucumber reports. :)
Here are some sample reports,

Secure your REST API using Spring Security Oauth2

This tutorial shows how to secure your REST API using spring security oauth2. If you don't know anything about oauth2 please followup the below tutorials,

Hold on, if you really don't know the basic concepts of spring please look at it first.

OK, we are fine now. No more prerequisites.

Not like other tutorials this implementation is using custom JDBCTokenStore to store client id/secrets and user authentication details in MySQL DB.
Source code :

Here I'm going to implement 3-legged oauth flow and please check the below diagram in order to understand this.

Lets start,

Step 1
Create database as oauth and then use import.sql file to create tables and add some seed data.
Before running make sure to change the db properties located in resources folder. (

 create database oauth;  
 use oauth;  
 source <path/to/resorce/folder>/import.sql;  

Step 2
Build the project using maven

 mvn clean install -DskipTests  

Step 3
copy the war file into tomcat/webapps then start the tomcat

Fetch request_token


  access_token: "f833a754-0d6c-4595-92c8-99b202ea6dd4"  
  token_type: "bearer"  
  refresh_token: "967068eb-13d1-4d18-8dd8-b89b2124d5d6"  
  expires_in: 4  
  scope: "read trust write"  

Fetch access_token by submitting request_token



 access_token: "d78dd4c7-41c3-443d-a85e-3716ceefc66f"  
 token_type: "bearer"  
 refresh_token: "967068eb-13d1-4d18-8dd8-b89b2124d5d6"  
 expires_in: 4  
 scope: "read trust write"  

Accessing protected resource


You can use Authorization header to send the access token for protected resources.

 Authorization Bearer d78dd4c7-41c3-443d-a85e-3716ceefc66f  

Main configuration file is located in under webapps (spring-security.xml)

 <?xml version="1.0" encoding="UTF-8" ?>  
 <beans xmlns=""  
   <http pattern="/oauth/token" create-session="stateless" authentication-manager-ref="clientAuthenticationManager"  
     <intercept-url pattern="/oauth/token" access="IS_AUTHENTICATED_FULLY"/>  
     <anonymous enabled="false"/>  
     <http-basic entry-point-ref="clientAuthenticationEntryPoint"/>  
     <!-- include this only if you need to authenticate clients via request parameters -->  
     <custom-filter ref="clientCredentialsTokenEndpointFilter" after="BASIC_AUTH_FILTER"/>  
     <access-denied-handler ref="oauthAccessDeniedHandler"/>  
   <!-- The OAuth2 protected resources are separated out into their own block so we can deal with authorization and error handling  
     separately. This isn't mandatory, but it makes it easier to control the behaviour. -->  
   <http pattern="/test/*" create-session="never" entry-point-ref="oauthAuthenticationEntryPoint"  
      access-decision-manager-ref="accessDecisionManager" xmlns="">  
     <anonymous enabled="false"/>  
     <intercept-url pattern="/test/*" access="ROLE_USER"/>  
     <custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER"/>  
     <access-denied-handler ref="oauthAccessDeniedHandler"/>  
   <bean id="oauthAuthenticationEntryPoint"  
     <property name="realmName" value="test"/>  
   <bean id="clientAuthenticationEntryPoint"  
     <property name="realmName" value="test/client"/>  
     <property name="typeName" value="Basic"/>  
   <bean id="oauthAccessDeniedHandler"  
   <bean id="clientCredentialsTokenEndpointFilter"  
     <property name="authenticationManager" ref="clientAuthenticationManager"/>  
   <bean id="accessDecisionManager" class=""  
         <bean class=""/>  
         <bean class=""/>  
         <bean class=""/>  
   <authentication-manager id="clientAuthenticationManager" xmlns="">  
     <authentication-provider user-service-ref="clientDetailsUserService"/>  
   <bean id="passwordEncoder"  
     <constructor-arg name="strength" value="11"/>  
   <authentication-manager alias="authenticationManager" xmlns="">  
     <authentication-provider user-service-ref="userService">  
       <password-encoder ref="passwordEncoder"/>  
   <bean id="clientDetailsUserService"  
     <constructor-arg ref="clientDetails"/>  
   <!-- Used for the persistenceof tokens (currently an in memory implementation) -->  
   <bean id="tokenStore" class="">  
     <constructor-arg ref="dataSource"/>  
   <bean id="tokenServices" class="">  
     <property name="tokenStore" ref="tokenStore"/>  
     <property name="supportRefreshToken" value="true"/>  
     <property name="clientDetailsService" ref="clientDetails"/>  
   <bean id="oAuth2RequestFactory"  
     <constructor-arg ref="clientDetails"/>  
   <bean id="userApprovalHandler"  
     <property name="tokenStore" ref="tokenStore"/>  
     <property name="requestFactory" ref="oAuth2RequestFactory"/>  
   <!-- authorization-server aka AuthorizationServerTokenServices is an interface that defines everything necessary for token management -->  
   <oauth:authorization-server client-details-service-ref="clientDetails" token-services-ref="tokenServices"  
   <oauth:resource-server id="resourceServerFilter" resource-id="test" token-services-ref="tokenServices"/>  
   <bean id="clientDetails"  
   <sec:global-method-security pre-post-annotations="enabled" proxy-target-class="true">  
     <!--you could also wire in the expression handler up at the layer of the http filters. See -->  
     <sec:expression-handler ref="oauthExpressionHandler"/>  
   <oauth:expression-handler id="oauthExpressionHandler"/>  
   <oauth:web-expression-handler id="oauthWebExpressionHandler"/>  

Clone the repo and change it accordingly for your needs. Happy coding!

Install JDK1.8 in AWS Linux

Steps to install oracle JDK 1.8 in Amazon Linux

 #Download JDK1.8.0_45  
 wget --no-cookies --no-check-certificate --header "Cookie:; oraclelicense=accept-securebackup-cookie" ""  
 # Install Java  
 sudo rpm -i jdk-8u45-linux-x64.rpm  
 # Check if the default java version is set to oracle jdk  
 java -version  
 # If not then lets create one more alternative for Java for Sun JDK  
 sudo /usr/sbin/alternatives --install /usr/bin/java java /usr/java/jdk1.8.0_45/bin/java 20000  
 # Set the SUN JDK as the default java  
 sudo /usr/sbin/alternatives --config java  
 #Then check java version  
 java -version  

Enable Tomcat Debug with Intellij Idea

Nutshell guide to enable tomcat debug.

1. Java & Tomcat

Step 1
Navigate to Tomcat Home directory bin folder

Step 2
Check is exists , if not create a file called and add following line.

 CATALINA_OPTS="-Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n"  

Step 3
Start tomcat. Your tomcat debug port is not 8000.

Step 4
Open up Intellij Idea.
Run --> Edit Configuration --> select + --> Select Remote
Change port to 8000 and save.

Setup Jenkins with Nginx reverse proxy

Setting up jenkins is something pretty straight forward. But configuring with Nginx is not that easy. So in this post I'm trying to ease this up for you.

Before setting up jenkins I would recommend oracle java installation. So here how it begins.

Step 1
1.Download and install java.

 sudo wget --no-cookies --no-check-certificate --header "Cookie:; oraclelicense=accept-securebackup-cookie" ""  

2.untar jdk and create JAVA_HOME in ~/.bashrc

Step 2
Jenkins setup
 wget -q -O - | sudo apt-key add -  
 sudo sh -c 'echo deb binary/ > /etc/apt/sources.list.d/jenkins.list'  
 sudo apt-get update  
 sudo apt-get install jenkins  

To start jenkins fire up following command.

 sudo /etc/init.d/jenkins start  

To check logs

 tail -f /var/log/jenkins/jenkins.log  

To check your jenkins is up and running.

Step 3
In order to config nginx with jenkins we have do some customization.
1. Stop jenkins

 sudo /etc/init.d/jenkins stop  

2. Open jenkins script and add --prefix=/jenkins into JENKINS_ARGS

 JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT --prefix=/jenkins"  

3. Install nginx

 sudo aptitude -y install nginx  

4. Remove default config and add following configuration

 cd /etc/nginx/sites-available  
 sudo rm default ../sites-enabled/default  

 server {  
  listen     80;    # Listen on port 80 for IPv4 requests  
  location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {  
   #rewrite all static files into requests to the root  
   #E.g /static/12345678/css/something.css will become /css/something.css  
   rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;  
  location /userContent {  
     #have nginx handle all the static requests to the userContent folder files  
     #note : This is the $JENKINS_HOME dir  
     root /var/lib/jenkins/;  
     if (!-f $request_filename){  
       #this file does not exist, might be a directory or a /**view** url  
       rewrite (.*) /$1 last;  
     sendfile on;  
  location /jenkins {  
    sendfile off;  
    proxy_redirect   default;  
    proxy_set_header  Host       $host;  
    proxy_set_header  X-Real-IP    $remote_addr;  
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;  
    proxy_max_temp_file_size 0;  
    #this is the maximum upload size  
    client_max_body_size    10m;  
    client_body_buffer_size  128k;  
    proxy_connect_timeout   90;  
    proxy_send_timeout     90;  
    proxy_read_timeout     90;  
    proxy_buffer_size     4k;  
    proxy_buffers       4 32k;  
    proxy_busy_buffers_size  64k;  
    proxy_temp_file_write_size 64k;  

5. http://<host>/jenkins