
carlease-customer-service's Introduction

Customer Service for Carlease assignment

Functionality

RESTful web service facilitating CRUD operations on a Customer datastore. Not using Spring REST repositories for this service (even though that would speed things up tremendously). Endpoints require a valid JWT issued by an API gateway sharing the same secret.

  • list customers
  • create customer
  • fetch customer by id
  • update customer's attribute
  • delete specific customer
  • fetch customers by name keyword
  • authentication
  • containerize

Phasing depends on how much time can be made free

URL mapping

  • Phase 1: Basic URL mapping docs
  • Phase 2: Swagger docs / REST Docs

API prefix and version should be handled by an API gateway.

- [x] GET:    {domain}/customers          - returns all customers
- [x] GET:    {domain}/customers/{id}     - returns specific customer
- [x] POST:   {domain}/customers          - create new customer
- [x] DELETE: {domain}/customers/{id}     - delete specific customer
- [x] PUT:    {domain}/customers/{id}     - update specific customer

Sample POST/PUT Body

{
  "firstName": "fname",
  "lastName": "lname",
  "lastNamePrefix": null,
  "phoneNumber": "0101234567",
  "email": "[email protected]",
  "street": "teststraat",
  "postalCode": "1234AB",
  "houseNumber": 123,
  "addition": null,
  "city": "teststad"
}

Authentication

  • Phase 1: using JWT with symmetric keys
  • Phase 2: using JWT adding refresh token
  • Phase 3: using JWT using asymmetric keys
  • Phase 4: JWT facilitated by Keycloak
docker run -p 9090:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:13.0.1

Phase 1: JWT using symmetric keys

This service shall not support login or generating JWTs; that is delegated to another service. This service only needs to be able to validate the token, even though a first validation is performed at the system entry point. All endpoints need authentication, so a global filter is used in front of the controllers to check for a valid JWT. User details are not required by this service and can be made available in claims. Spring Security will therefore not be used by this service. The signing secret is shared between services. From a security viewpoint this is not the most secure option if a secret is compromised.

  • Adding filter (OncePerRequest)
  • Unit Test validation of JWT
  • Integration Test application of filter
  • Modify already present tests with a mock filter

Implementation

JWT is evaluated in a OncePerRequest filter on signature integrity and on expiration using the Nimbus JOSE library.
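
The check described above (HS256 signature integrity plus expiration, with the shared secret) could look like the following added example. It is not the project's own code: the class `JwtCheck` and its methods are hypothetical names, the tokens are constructed in `main`, and it assumes the Nimbus JOSE + JWT library on the classpath.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.*;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;

// Added example; JwtCheck and its methods are hypothetical names, not the project's.
public class JwtCheck {
    private final MACVerifier verifier;
    public JwtCheck(String sharedSecret) throws JOSEException {
        this.verifier = new MACVerifier(sharedSecret.getBytes(StandardCharsets.UTF_8));
    }

    /** True only for an HS256 token with a valid signature and an "exp" after now. */
    public boolean isValid(String token, Date now) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // Pin the algorithm rather than accepting whatever the header claims.
            if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) return false;
            if (!jwt.verify(verifier)) return false;           // signature integrity
            Date exp = jwt.getJWTClaimsSet().getExpirationTime();
            return exp != null && now.before(exp);             // missing "exp" is rejected
        } catch (ParseException | JOSEException e) {
            return false;                                      // malformed or unverifiable
        }
    }

    static String sign(String secret, Date exp) throws JOSEException { // builds a constructed token
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256),
                new JWTClaimsSet.Builder().subject("1234567890").expirationTime(exp).build());
        jwt.sign(new MACSigner(secret.getBytes(StandardCharsets.UTF_8)));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        String secret = "imasecretimasecretimasecretimasecret";   // dev secret from this README
        Date now = new Date();
        JwtCheck check = new JwtCheck(secret);
        String good = sign(secret, new Date(now.getTime() + 60_000));
        String expired = sign(secret, new Date(now.getTime() - 60_000));
        String otherKey = sign("a-different-constructed-secret-0123", new Date(now.getTime() + 60_000));
        System.out.println("valid token accepted:     " + check.isValid(good, now));
        System.out.println("expired token accepted:   " + check.isValid(expired, now));
        System.out.println("wrong-key token accepted: " + check.isValid(otherKey, now));
    }
}
```

A filter in front of the controllers would call `isValid` on the bearer token and reject the request when it returns false.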

Run application

This service runs on port 9092

In development use dev profile:

mvn spring-boot:run -Dspring-boot.run.profiles=dev

When not using an authentication service to create a valid token, go to jwt.io, set the expiration "exp" claim to later than the current UTC time, and use the secret in the dev profile:

JWT payload example

{
  "sub": "1234567890",
  "name": "Jaap Test",
  "exp": 1624003711
}
// current development secret
secret=imasecretimasecretimasecretimasecret


Contributors

remideboerhva