RESTful web service facilitating CRUD operations on a Customer datastore. Spring Data REST repositories are not used for this service (even though that would speed things up tremendously). Endpoints require a valid JWT issued by an API gateway that shares the same signing secret.
- list customers
- create customer
- fetch customer by id
- update a customer's attributes
- delete specific customer
- fetch customers by name keyword
- authentication
- containerize
Phasing depends on how much time can be freed up.
- Phase 1: basic URL mapping docs
- Phase 2: Swagger docs / REST Docs
The API prefix and version should be handled by the API gateway.
- [x] GET: {domain}/customers - returns all customers
- [x] GET: {domain}/customers/{id} - returns specific customer
- [x] POST: {domain}/customers - create new customer
- [x] DELETE: {domain}/customers/{id} - delete specific customer
- [x] PUT: {domain}/customers/{id} - update specific customer
Sample POST/PUT body:

```json
{
  "firstName": "fname",
  "lastName": "lname",
  "lastNamePrefix": null,
  "phoneNumber": "0101234567",
  "email": "[email protected]",
  "street": "teststraat",
  "postalCode": "1234AB",
  "houseNumber": 123,
  "addition": null,
  "city": "teststad"
}
```
- Phase 1: JWT with symmetric keys
- Phase 2: JWT with a refresh token
- Phase 3: JWT with asymmetric keys
- Phase 4: JWT issued by Keycloak

```shell
docker run -p 9090:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:13.0.1
```
This service shall not support login or the issuing of JWTs; that is delegated to another service. This service only needs to validate the token, even though a first validation is already performed at the system entry point. All endpoints need authentication, so a global filter is placed in front of the controllers to check for a valid JWT. User details are not required by this service and can be made available in claims. Spring Security will therefore not be used by this service. The signing secret is shared between services. From a security viewpoint this is not the most secure option, since a compromised secret affects every service that shares it.
- Add filter (OncePerRequestFilter)
- Unit test: validation of the JWT
- Integration test: application of the filter
- Modify existing tests to use a mock filter
The JWT is evaluated in a OncePerRequestFilter on signature integrity and on expiration using the Nimbus JOSE library.
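As an added example (not the project's own code), the filter described above: it verifies the HS256 signature against the shared secret and checks the "exp" claim with Nimbus JOSE, and additionally pins the algorithm so the token header cannot choose how it is verified. It assumes Spring Boot 2.x (javax.servlet) and the `secret` property from the dev profile; the class name and the 30-second skew allowance are choices made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.SignedJWT;

// Added example, not the project's code: validates the gateway-issued HS256 JWT with Nimbus JOSE.
// Assumes Spring Boot 2.x (javax.servlet) and the "secret" property from the dev profile.
@Component
public class JwtValidationFilter extends OncePerRequestFilter {
    private static final long CLOCK_SKEW_MS = 30_000; // tolerate small clock drift between services
    private final MACVerifier verifier;
    public JwtValidationFilter(@Value("${secret}") String secret) throws JOSEException {
        // MACVerifier rejects secrets shorter than 256 bits, so a weak secret fails at startup
        this.verifier = new MACVerifier(secret.getBytes(StandardCharsets.UTF_8));
    }
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ") || !isValid(header.substring(7))) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED); // no detail: do not say why
            return;
        }
        chain.doFilter(request, response);
    }
    // Package-private so the unit test can exercise it without a servlet container.
    boolean isValid(String token) {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // Pin the algorithm: the token header must never choose how it is verified.
            if (!JWSAlgorithm.HS256.equals(jwt.getHeader().getAlgorithm())) return false;
            if (!jwt.verify(verifier)) return false; // signature integrity against the shared secret
            Date exp = jwt.getJWTClaimsSet().getExpirationTime();
            // A missing "exp" is rejected; expired tokens get only the skew allowance.
            return exp != null && exp.getTime() + CLOCK_SKEW_MS > System.currentTimeMillis();
        } catch (ParseException | JOSEException e) {
            return false;
        }
    }
}
```

A unit test can call `isValid` directly with a token signed by the dev secret and with the same token after its "exp" has passed, which covers both checks without starting the application.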
This service runs on port 9092.

In development use the dev profile:

```shell
mvn spring-boot:run -Dspring-boot.run.profiles=dev
```

When not using an authentication service to create a valid token, go to jwt.io, set the expiration ("exp") claim to a time later than the current UTC time, and sign with the secret from the dev profile.

JWT payload example:

```json
{
  "sub": "1234567890",
  "name": "Jaap Test",
  "exp": 1624003711
}
```

Current development secret (dev profile property):

```properties
secret=imasecretimasecretimasecretimasecret
```