Posts Tagged ‘SpringIO2023’
[SpringIO2023] Beyond Routing: Spring Cloud Gateway with Style by Abel Salgado & Marta Medio
At Spring I/O 2023, Abel Salgado and Marta Medio, seasoned engineers from VMware, delivered an engaging session on elevating Spring Cloud Gateway beyond basic routing. Through practical, real-world examples and live demos, they showcased how to customize Spring Cloud Gateway with filters to address complex enterprise needs, such as security integrations and response modifications. Their talk demystified the gateway’s reactive stack, offering tips to avoid pitfalls and encouraging developers to harness its flexibility for performant, modular solutions.
Understanding Spring Cloud Gateway’s Power
Abel and Marta began by positioning Spring Cloud Gateway as a reactive, high-performance component that sits between clients and upstream services, enabling request and response manipulation. Unlike a one-to-one gateway tutorial, their session assumed basic familiarity, focusing on advanced customizations. They highlighted the gateway’s filter-based architecture, where filters operate in a chain, processing requests and responses in a defined order. This modularity allows developers to inject cross-cutting concerns like security or logging without altering upstream services. The duo emphasized the gateway’s potential to modernize legacy systems or split monoliths, making it a strategic tool for enterprise architectures.
Custom Filters for Security Integration
A key demo showcased how to implement OAuth security using Spring Cloud Gateway filters, integrating with Okta for token validation. Abel demonstrated two filters: one validating OAuth tokens using Spring Security’s resource server configuration, and another extracting claims (e.g., username) from the token to forward as HTTP headers to an upstream service unaware of OAuth. This approach isolates security logic in the gateway, sparing upstream services from modification. The demo, scripted with HTTPbin as the upstream service, illustrated a real-world scenario where a client authenticates with Okta, sends a token to the gateway, and receives a response with enriched headers. Abel stressed avoiding manual token validation, leveraging Spring Security’s reactive components to ensure performance and maintainability.
Dynamic Configuration and Response Modification
Marta explored the gateway’s configuration flexibility, demonstrating how to parametrize filters dynamically via YAML. A simple filter adding request headers was enhanced to accept multiple header configurations, reducing the need for multiple filter instances and improving performance. In a more complex example, Marta tackled modifying JSON responses from an upstream service, a common requirement when legacy APIs cannot be altered. Using a custom converter and the ModifyResponseBodyFilter, she transformed JSON fields based on YAML-defined key-value pairs, processing the response once to optimize performance. Marta cautioned about the performance risks of response modification, urging developers to carefully design configurations for scalability.
Best Practices and Community Insights
Abel and Marta concluded with practical advice for Spring Cloud Gateway adoption. They advocated for modular filter design to encapsulate features, enabling easy composition via YAML or actuator endpoints for runtime updates. They warned against reinventing solutions, citing cases where developers manually parsed JWTs instead of using Spring Security. The duo recommended reactive Spring libraries to avoid blocking issues and highlighted the gateway’s testing challenges, pointing to their GitHub repository for code examples. A nod to Spencer Gibb’s announcement about exploring MVC support for Spring Cloud Gateway underscored the project’s evolving potential. Their session inspired attendees to experiment with the gateway’s capabilities, leveraging its documentation and community resources.
Links:
[SpringIO2023] Spring Framework 6.1: Infrastructure Revisited by Juergen Hoeller
At Spring I/O 2023 in Barcelona, Juergen Hoeller, a pivotal figure in the Spring Framework, delivered an insightful session on the upcoming Spring Framework 6.1, focusing on its alignment with cutting-edge JVM innovations. Building on themes introduced in the conference keynote, Juergen explored how Spring Framework 6.1 integrates with OpenJDK’s Project Loom (virtual threads) and CRaC (Checkpoint/Restore), empowering developers to leverage these advancements for scalable, efficient applications. With Spring Framework 6.1 and Spring Boot 3.2 set for release in November 2023, this talk offered a forward-looking perspective on infrastructure enhancements already available in snapshots and slated for the first milestone in June 2023.
Modern Java and Jakarta EE Context
Juergen set the stage by outlining the Java and Jakarta EE landscape that Spring Framework 6.1 inhabits. Spring Framework 6.0 established a JDK 17 baseline, introducing language innovations like record types, sealed classes, and pattern matching, which provide a robust foundation for modern Java development. JDK 21, a long-term support release arriving in September 2023, builds on this with further enhancements, including sequence collections and virtual threads exiting preview. Spring Framework 6.1 aligns with JDK 21, enabling developers to adopt these features seamlessly. On the Jakarta EE front, Spring Framework 6.1 supports Jakarta EE 10, with plans to align with Jakarta EE 11’s anticipated JDK 21 requirement in 2024. This ensures compatibility with evolving servlet, JPA, and bean validation APIs, positioning Spring as a bridge to future Java ecosystems.
Virtual Threads: Scalability with Simplicity
A cornerstone of Juergen’s talk was Spring Framework 6.1’s integration with virtual threads, a transformative JVM feature in JDK 21. Virtual threads, lightweight and JVM-managed, allow blocking operations without tying up platform threads, enabling massive scalability with minimal resource overhead. Juergen explained that Spring’s task executor facilities, like SimpleAsyncTaskExecutor and a dedicated VirtualThreadTaskExecutor, are now virtual thread-ready. These allow developers to replace traditional thread pool configurations with virtual thread setups, requiring minimal code changes. In Spring MVC, virtual threads are configured at the servlet container level (e.g., Tomcat or Jetty), with upcoming Tomcat releases offering first-class support. For reactive stacks like Spring WebFlux, virtual threads serve as an escape hatch for integrating blocking operations, complementing the reactive model’s efficiency. Juergen emphasized that existing Spring MVC applications can achieve higher scalability or reduced memory footprints by adopting virtual threads, with no application code changes in ideal scenarios.
Checkpoint/Restore: Revolutionizing Startup Time
Juergen also delved into Spring Framework 6.1’s support for Project CRaC, which dramatically accelerates application startup through JVM snapshotting. By capturing a fully bootstrapped application state—potentially after warmup—and restoring it on demand, CRaC reduces startup times by a factor of at least 20 compared to traditional JVM bootstrapping. Spring Framework 6.1 integrates CRaC via its lifecycle model, using the 14-year-old Lifecycle interface to manage component stop and restart signals during checkpoint and restore phases. This ensures that embedded servers, message listeners, and other components pause cleanly and resume seamlessly. Juergen noted that most Spring applications are CRaC-compatible out of the box, though some components, like Tomcat adapters, require updates. Spring Boot 3.2 may introduce standard checkpoint options post-bootstrap, simplifying adoption. Currently supported by Azul’s OpenJDK and AWS Lambda SnapStart, CRaC promises significant benefits for dynamic scaling in Linux container deployments.
Practical Adoption and Future Outlook
Juergen underscored the practical readiness of these features, with Spring Framework 6.1 M1 slated for mid-June 2023 and Spring Boot 3.2 M1 for mid-July. Release candidates are planned for October, aligning with JDK 21’s September release, ensuring developers can adopt virtual threads and CRaC promptly. He encouraged experimentation, noting that benchmarking virtual threads or CRaC with existing applications is the best way to quantify benefits like scalability or reduced startup times. Looking ahead, Juergen highlighted a Spring.Next Buff session at Spring I/O for deeper discussions on these innovations. By aligning with JDK 21 and Jakarta EE 11, Spring Framework 6.1 positions developers to embrace the Java ecosystem’s future, delivering performance and efficiency without sacrificing Spring’s hallmark simplicity.
Links:
[SpringIO2023] Managing Spring Boot Application Secrets: Badr Nass Lahsen
In a compelling session at Spring I/O 2023, Badr Nass Lahsen, a DevSecOps expert at CyberArk, tackled the critical challenge of securing secrets in Spring Boot applications. With the rise of cloud-native architectures and Kubernetes, secrets like database credentials or API keys have become prime targets for attackers. Badr’s talk, enriched with demos and real-world insights, introduced CyberArk’s Conjur solution and various patterns to eliminate hard-coded credentials, enhance authentication, and streamline secrets management, fostering collaboration between developers and security teams.
The Growing Threat to Application Secrets
Badr opened with alarming statistics: in 2021, software supply chain attacks surged by 650%, with 71% of organizations experiencing such breaches. He cited the 2022 Uber attack, where a PowerShell script with hard-coded credentials enabled attackers to escalate privileges across AWS, Google Suite, and other systems. Using the SALSA threat model, Badr highlighted vulnerabilities like compromised source code (e.g., Okta’s leaked access token) and build processes (e.g., SolarWinds). These examples underscored the need to eliminate hard-coded secrets, which are difficult to rotate, track, or audit, and often exposed inadvertently. Badr advocated for “shifting security left,” integrating security from the design phase to mitigate risks early.
Introducing Application Identity Security
Badr introduced the concept of non-human identities, noting that machine identities (e.g., SSH keys, database credentials) outnumber human identities 45 to 1 in enterprises. These secrets, if compromised, grant attackers access to critical resources. To address this, Badr presented CyberArk’s Conjur, an open-source secrets management solution that authenticates workloads, enforces policies, and rotates credentials. He emphasized the “secret zero problem”—the initial secret needed at application startup—and proposed authenticators like JWT or certificate-based authentication to solve it. Conjur’s attribute-based access control (ABAC) ensures least privilege, enabling scalable, auditable workflows that balance developer autonomy and security requirements.
Patterns for Securing Spring Boot Applications
Through a series of demos using the Spring Pet Clinic application, Badr showcased five patterns for secrets management in Kubernetes. The API pattern integrates Conjur’s SDK, using Spring’s @Value annotations to inject secrets without changing developer workflows. The Secrets Provider pattern updates Kubernetes secrets from Conjur, minimizing code changes but offering less security. The Push-to-File pattern stores secrets in shared memory, updating application YAML files securely. The Summon pattern uses a process wrapper to inject secrets as environment variables, ideal for apps relying on such variables. Finally, the Secretless Broker pattern proxies connections to resources like MySQL, hiding secrets entirely from applications and developers. Badr demonstrated credential rotation with zero downtime using Spring Cloud Kubernetes, ensuring resilience for critical applications.
Enhancing Kubernetes Security and Auditing
Badr cautioned that Kubernetes secrets, being base64-encoded and unencrypted by default, are insecure without etcd encryption. He introduced KubeScan, an open-source tool to identify risky roles and permissions in clusters. His demos highlighted Conjur’s auditing capabilities, logging access to secrets and enabling security teams to track usage. By centralizing secrets management, Conjur eliminates “security islands” created by disparate tools like AWS Secrets Manager or Azure Key Vault, ensuring compliance and visibility. Badr stressed the need for a federated governance model to manage secrets across diverse technologies, empowering developers while maintaining robust security controls.
Links:
[SpringIO2023] Going Native: Fast and Lightweight Spring Boot Applications with GraalVM
At Spring I/O 2023 in Barcelona, Alina Yurenko, a developer advocate at Oracle Labs, captivated the audience with her deep dive into GraalVM Native Image support for Spring Boot 3.0. Her session, a blend of technical insights, live demos, and community engagement, showcased how GraalVM transforms Spring Boot applications into fast-starting, lightweight native executables that eliminate the need for a JVM. By leveraging GraalVM’s ahead-of-time (AOT) compilation, developers can achieve significant performance gains, reduced memory usage, and enhanced security, making it a game-changer for cloud-native deployments.
GraalVM: Beyond a Traditional JDK
Alina began by demystifying GraalVM, a versatile platform that extends beyond a standard JDK. While it can run Java applications using the OpenJDK HotSpot VM with an optimized Graal compiler, the spotlight was on its Native Image feature. This AOT compilation process converts a Spring Boot application into a standalone native executable, stripping away runtime code loading and compilation. The result? Applications that start in fractions of a second and consume minimal memory. Alina emphasized that GraalVM’s ability to include only reachable code—application logic, dependencies, and necessary JDK classes—reduces binary size and enhances efficiency, a critical advantage for cloud environments where resources are costly.
Performance and Resource Efficiency in Action
Through live demos, Alina illustrated GraalVM’s impact using the Spring Pet Clinic application. On her laptop, the JVM version took 1.5 seconds to start, while the native executable launched in just 0.3 seconds—a fivefold improvement. The native version was also significantly smaller, at roughly 50 MB without compression, compared to the JVM’s bulkier footprint. To stress-test performance, Alina ran a million requests against a simple Spring Boot app, comparing JVM and native modes. The JVM achieved 80k requests per second, while the native image hit 67k. However, with profile-guided optimizations (PGO), which mimic JVM’s runtime profiling at build time, the optimized native version reached 81k requests per second, rivaling JVM peak throughput. These demos underscored GraalVM’s ability to balance startup speed, low memory usage, and competitive throughput.
Security and Compact Packaging
Alina highlighted GraalVM’s security benefits, noting that native images eliminate runtime code loading, reducing attack vectors like those targeting just-in-time compilation. Only reachable code is included, minimizing the risk of unused dependencies introducing vulnerabilities. Dynamic features like reflection require explicit configuration, ensuring deliberate control over runtime behavior. On packaging, Alina showcased how native images can be compressed using tools like UPX, achieving sizes as low as a few megabytes, though she cautioned about potential runtime decompression trade-offs. These features make GraalVM ideal for deploying compact, secure applications in constrained environments like Kubernetes or serverless platforms.
Practical Integration with Spring Boot
The session also covered GraalVM’s seamless integration with Spring Boot 3.0, which graduated Native Image support from the experimental Spring Native project to general availability in November 2022. Spring Boot’s AOT processing step optimizes applications for native compilation, reducing reflective calls and generating configuration files for GraalVM. Alina demonstrated how Maven and Gradle plugins, along with the GraalVM Reachability Metadata Repository, simplify builds by automatically handling library configurations. For developers, this means minimal changes to existing workflows, with tools like the tracing agent and Spring’s runtime hints easing the handling of dynamic features. Alina’s practical advice—develop on the JVM for fast feedback, then compile to native in CI/CD pipelines—resonated with attendees aiming to adopt GraalVM.
Links:
[SpringIO2023] Anatomy of a Spring Boot App with Clean Architecture: Steve Pember
In a thought-provoking session at Spring I/O 2023, Steve Pember, a seasoned developer from Boston-based startup Stavi, explored the principles of Clean Architecture and their application within Spring Boot applications. Drawing from Robert Martin’s influential book, Steve demonstrated how Clean Architecture, inspired by patterns like Ports and Adapters and Hexagonal Architecture, fosters readable, flexible, and maintainable codebases. Through a reference application and practical insights, he provided a roadmap for developers to structure Spring Boot apps that remain resilient to change and scalable for large teams.
The Case for Software Architecture
Steve began by addressing the often-misunderstood role of software architecture, challenging the stereotype of architects as mere whiteboard enthusiasts. He likened software architects to their building counterparts, who design every detail from high-level structures to minute specifics. Without proper architecture, Steve warned, systems devolve into unmaintainable “big balls of mud,” slowing development and hindering competitiveness. He highlighted the benefits of well-architected systems—separation of concerns, modularity, testability, and maintainability—arguing that these guardrails enable teams to maintain velocity over time, even if they initially slow development.
Principles of Clean Architecture
Delving into Clean Architecture, Steve outlined its core concepts: SOLID principles, component design, boundaries, and dependency rules. He clarified SOLID principles, such as single responsibility (supporting one user type per class) and dependency inversion (using interfaces), as foundational to clean code. Components, he explained, should be independently developable and loosely coupled, aligning with domain-driven design or microservices. The defining feature of Clean Architecture is its layered structure, where dependencies point inward to a core of business logic, encapsulated by interfaces that shield it from external details like databases or third-party services. This ensures the core remains agnostic, enhancing flexibility and testability.
Implementing Clean Architecture in Spring Boot
Steve demonstrated how to apply Clean Architecture in Spring Boot using a reference shoe store application. He proposed a multi-module structure with three components: core (housing business logic, entities, and services), details (containing database and third-party integrations), and app (where Spring configuration and integration occur). By using interfaces for repositories and gateways, the core remains independent of external systems, allowing seamless swaps, such as replacing a PostgreSQL repository with DynamoDB. Steve emphasized minimal controllers and service classes, advocating for specific, single-responsibility services like CustomerOrderQueryService. He also highlighted the importance of integration tests, using tools like Testcontainers to validate interactions with external systems.
Treating Details as Deferrable
A key takeaway was Steve’s mantra that “everything not in core is a detail.” Databases, environments, input mechanisms, and even Spring itself should be treated as implementation details, deferrable until necessary. He cautioned against premature database schema design, urging developers to prioritize business logic over storage concerns. By encapsulating details behind interfaces, applications become adaptable to changes, such as switching databases or input methods (e.g., HTTP to Kafka). Steve’s demo showcased this flexibility, swapping a PostgreSQL order repository for DynamoDB with minimal code changes, proving the power of Clean Architecture’s plug-in approach.
Links:
[SpringIO2023] Spring is Bootiful but So is Your Domain: Michael Plöd’s Call to Action
At Spring I/O 2023 in Barcelona, Michael Plöd delivered an engaging and unconventional talk that urged developers to step beyond their technical comfort zones and dive into the business domains they serve. Departing from the typical code-heavy sessions of the conference, Michael, a fellow at InnoQ and a long-time Spring user, emphasized the transformative power of understanding business contexts. Through interactive polls, real-world anecdotes, and practical strategies, he inspired attendees to become more valuable developers by aligning their technical expertise with business needs, ultimately enhancing code quality, team collaboration, and product impact.
The Value of Domain Knowledge
Michael opened by challenging the audience to reflect on their motivations for becoming software engineers, humorously acknowledging the allure of financial rewards but quickly pivoting to a deeper point: developers who grasp their business domain become significantly more valuable. He argued that domain knowledge enables better design choices, from writing maintainable code to making informed modularization decisions. By understanding the business, developers can create software that aligns with organizational goals, reducing friction and enhancing agility. Michael’s interactive poll revealed that many attendees had only a partial understanding of their business models, underscoring the need for greater curiosity about customer segments, value propositions, and revenue streams.
Writing Maintainable Code Through Domain Alignment
A standout moment was Michael’s recounting of a formative experience as a young developer at a bank, tasked with building a mortgage loan scoring engine. Initially, he relied on a detailed 50-page specification, structuring the code around assumed rules for points and no-go criteria. However, during acceptance testing, discrepancies emerged, revealing a mismatch between his mental model and the risk managers’ perspective. By directly engaging with the risk managers and refactoring the code to reflect their clustered rule structure, Michael transformed a complex change into a straightforward task. This story highlighted the importance of understanding the business’s mental model, reducing implicit assumptions, and structuring code to mirror domain logic, resulting in more maintainable and adaptable software.
Improving Modularization and Communication
Michael emphasized that domain knowledge informs better modularization decisions, particularly in architectures like microservices or serverless systems. He cited the Accelerate book, which links loosely coupled architectures to high-performing IT organizations, suggesting that aligning modules with business domains enhances team autonomy and delivery speed. Another poll showed strong audience agreement that modularization impacts value propositions, reinforcing the need to consider business goals when defining module boundaries. On communication, Michael cautioned against using technical jargon that alienates business stakeholders, advocating for empathy and clear language. He shared an amusing example of a fashion retailer where database table names leaked into sales floor terminology, illustrating the pitfalls of disconnected communication.
Influencing Product Design
The talk culminated in a call to influence product design through domain expertise. Michael argued that developers who understand business problems can propose solutions that enhance user experiences or create new business models. He referenced Marty Cagan’s research, which identifies direct customer feedback as a top source for product ideas, suggesting developers contribute more than just code. A final poll on digitalization revealed varied interpretations, from paperless processes to business model innovation, prompting Michael to stress that both improving existing models and creating new ones require close collaboration between technology and business teams. By fostering curiosity and asking questions, developers can bridge this gap, driving meaningful digital transformation.