Byte Journey

PART 4: Integrate the database with Spring Security.

Ginto Philip — Sat, 25 May 2024 15:09:50 GMT

Up to this point, we have used the default user provided by Spring Security to log in to the application. In the previous sections, we added some sample users to the application_users table. Moving forward, we will use this table for logging in to the application. To achieve this, we need to configure Spring Security to recognize that the details of the application users are stored in the application_users table. This will enable Spring Security to retrieve and verify user credentials during authentication and authorization.

For that let's do the following steps:

Add the password encoder bean
Update the plain text password to encrypted password
Configure user details service
Configure the authentication provider

Add the password encoder bean

In the SecurityConfig class add a bean of type PasswordEncoder

package com.gintophilip.springauth.web;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity securityConfig) throws Exception {
        return securityConfig
                .authorizeHttpRequests(auth->
                        auth.requestMatchers("/api/hello")
                                .permitAll()
                                .requestMatchers("/api/admin").hasRole("ADMIN")
                                .anyRequest().authenticated()
                ).formLogin(Customizer.withDefaults())
                .build();
    }
    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
}

The BCryptPasswordEncoder is the preferred method for encoding passwords.

Update the plain text password to encrypted password.

While creating the sample users, the passwords were stored as plain text. In this step, let's update the passwords to an encrypted form.

💡

You may wonder why user creation is handled in this manner and not through an API. The reason is, to minimize the overhead of creating APIs for every function. The primary goal of this article is to demonstrate the fundamentals of integrating authentication and authorization mechanisms.

Drop the user_roles table
Drop the roles table
Drop the application_user table
Add the PasswordEncoder class dependency in DataBaseUtilityRunner
Encode the password

Drop theuser_rolestable

spring_access_db=# drop table user_roles;

Drop therolestable

spring_access_db=# drop table roles;

Drop theapplication_usertable

spring_access_db=# drop table application_user;

💡

The drop tables command were executed via psql CLI

And also, do the following in DataBaseUtilityRunner class.

update the lines

user1.setPassword("123456");
adminUser.setPassword("12345");

as follows.

 user1.setPassword(passwordEncoder.encode("123456"));
 adminUser.setPassword(passwordEncoder.encode("12345"));

The DataBaseUtilityRunner after modification is as follows,

package com.gintophilip.springauth;

import com.gintophilip.springauth.entities.ApplicationUser;
import com.gintophilip.springauth.entities.Roles;
import com.gintophilip.springauth.repository.RoleRepository;
import com.gintophilip.springauth.repository.UserRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

@Component
public class DataBaseUtilityRunner implements CommandLineRunner {
    @Autowired
    PasswordEncoder passwordEncoder;
    @Autowired
    UserRepository usersRepository;
    @Autowired
    RoleRepository rolesRepository;
    @Override
    public void run(String... args) throws Exception {
        try {
            Roles userRole = new Roles();
            userRole.setRoleName("USER");
            Roles adminRole = new Roles();
            adminRole.setRoleName("ADMIN");
            rolesRepository.save(userRole);
            rolesRepository.save(adminRole);
            ApplicationUser user1 = new ApplicationUser();
            user1.setFirstName("John");
            user1.setEmail("john@test.com");
            user1.setPassword(passwordEncoder.encode("123456"));
            user1.setRole(userRole);

            ApplicationUser adminUser = new ApplicationUser();
            adminUser.setFirstName("sam");
            adminUser.setEmail("sam@test.com");
            adminUser.setPassword(passwordEncoder.encode("12345"));

            adminUser.setRole(adminRole);
            usersRepository.save(user1);
            usersRepository.save(adminUser);
        }catch (Exception exception){

        }

    }
}

Run the application and query the application_user table. You will see the passwords are encoded now instead of plain text.

spring_access_db=# select * from application_user;
 id  |     email     | first_name | last_name |            password                           
-----+---------------+------------+-----------+--------------------------------------------------------------
 102 | john@test.com | John       |           | $2a$10$IBP9g8pOvNCvkEc7/EG6TO3j6gh49QMuO6uuw9Dd/P9dPRi5mxbiAsnG
 103 | sam@test.com  | sam        |           | $2a$10$WxM0l4qnjbYn1Vkgmrbte.hgYqPyHLm/y.9IGvEoiRkrL8.h47QKu
(2 rows)

Configure user details service

For making spring security to use the database for authentication and authorization a user details service needs to be implemented. This is nothing but a class which implements the interface UserDetailsService .

This interface has a method named loadUserByUsername which accepts a string parameter and returns a UserDetails object.

package org.springframework.security.core.userdetails;
public interface UserDetailsService {
    UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}

Create a class named DatabaseUserDetailsService.java which implements the UserDetailsService interface.

public class DatabaseUserDetailsService  implements UserDetailsService {
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
       return null;
    }
}

In the overridden method we do the following

Fetch the user from database based on the parameter username.
Retrieve the roles associated with the user
Create an instance of class User with the user details and the associated roles
Return the User object

package com.gintophilip.springauth.service;

import com.gintophilip.springauth.entities.ApplicationUser;
import com.gintophilip.springauth.repository.UserRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import java.util.Collections;

@Service
public class DatabaseUserDetailsService  implements UserDetailsService {
    @Autowired
    UserRepository userRepository;
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        ApplicationUser user = userRepository.findByEmail(username); //fetch user from db
        if(user == null){
            throw  new UsernameNotFoundException("User Not found");
        }
        //Retrieve user roles
        GrantedAuthority authority = new SimpleGrantedAuthority("ROLE_"+user.getRole().getRoleName());
        //create User object
        User applicationUser = new User(user.getEmail(),user.getPassword(), Collections.singleton(authority));
        return applicationUser;
    }
}

💡

The User class implements the UserDetails interface. Spring utilizes the UserDetails to generate an Authentication object. This Authentication object indicates whether the user is authenticated.

Next we need to configure an authentication provider.

Configure the authentication provider

For Spring Security to utilize the DatabaseUserDetailsService for retrieving user details, it must be linked with an authentication provider. For that we will create a bean of type DaoAuthenticationProvider in the SecurityConfig and bind it with DatabaseUserDetailsService within the SecurityConfig.

Bind the DatabaseUserDetailsService

    @Autowired
    DatabaseUserDetailsService databaseUserDetailsService;

Next, create an instance of DaoAuthenticationProvider which is an implementation of AUthenticationProvider given by Spring security. Then,

Link the databaseUserDetailsService
Link the passwordEncoder

 @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        //set the user details object        
        authenticationProvider.setUserDetailsService(databaseUserDetailsService);
        //set the password encoder        
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;
    }

After this the SecurityConfig looks like below.

package com.gintophilip.springauth.web;

import com.gintophilip.springauth.service.DatabaseUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Autowired
    DatabaseUserDetailsService databaseUserDetailsService;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity securityConfig) throws Exception {
        return securityConfig
                .authorizeHttpRequests(auth->
                        auth.requestMatchers("/api/hello")
                                .permitAll()
                                .requestMatchers("/api/admin").hasRole("ADMIN")
                                .anyRequest().authenticated()
                ).formLogin(Customizer.withDefaults())
                .build();
    }
    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
    @Bean
    public DaoAuthenticationProvider daoAuthenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        //set the user details object
        authenticationProvider.setUserDetailsService(databaseUserDetailsService);
        //set the password encoder
        authenticationProvider.setPasswordEncoder(passwordEncoder());
        return authenticationProvider;
    }
}

Next, run the application and access the APIs. When the login page appears, use the user details from the application_user table.

You will be successfully authenticated and able to view the response.

The /api/admin is only accessible to the user sam.

PART 3: Configuring security of the API end points

Ginto Philip — Sat, 25 May 2024 15:08:40 GMT

In this section, to configure the security of the API end points a custom security configuration needs to be created. To achieve this let's go through the following steps.

Create the security configuration class
Make all APIs to be accessed only by logged in users
Allow /api/hello to be accessed by anyone
Restrict access to /api/admin to user with ADMIN role only

Access to the end points will be configured as follows.

API	Who can access
api/hello	anyone
api/protected	authenticated users
api/admin	admin user

Create the security configuration class

To implement a custom security configuration by overriding the default one we need to create a configuration class. This can be done with the help of @Configuration annotation.

package com.gintophilip.springauth.web;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity securityConfig) throws Exception {
        return securityConfig
                .authorizeHttpRequests(auth->
                        auth.anyRequest().authenticated()
                ).formLogin(Customizer.withDefaults())
                .build();

    }
}

This will serve as our initial configuration. Here, we have mandated that every request must be authenticated. In the coming steps, we will configure the security settings as required.

💡

For logging in use the default user created by the Spring Security.

Make all APIs to be accessed only by logged in users

There is nothing to do. Because the initial configuration we created satisfied the requirement. Hence we don't need to specify any special configuration for the API endpoint /api/protected

Allow `/api/hello` to be accessed by anyone

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity securityConfig) throws Exception {
        return securityConfig
                .authorizeHttpRequests(auth->
                        auth.requestMatchers("/api/hello").permitAll().
                        anyRequest().authenticated()
                ).formLogin(Customizer.withDefaults())
                .build();
    }

Now run the application and attempt to access the APIs. The endpoint /api/hello is now accessible to everyone, while all other endpoints still require users to log in.

Restrict access to `/api/admin` to user with the ADMIN role only.

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity securityConfig) throws Exception {
        return securityConfig
                .authorizeHttpRequests(auth->
                        auth.requestMatchers("/api/hello")
                                .permitAll()
                                .requestMatchers("/api/admin").hasRole("ADMIN")
                                .anyRequest().authenticated()
                ).formLogin(Customizer.withDefaults())
                .build();
    }

At this point, the only API endpoint accessible to users is /api/hello. All other endpoints are restricted by a login screen.

PART 2: Enable Spring Security

Ginto Philip — Sat, 25 May 2024 15:07:42 GMT

In the previous section, we built a foundational application. In this section, we will enable Spring Security in the application. For that let's do the following steps:

Add the Spring Security dependency
Restart the application
Verify Spring Security is enabled

Add the Spring Security dependency

To Enable spring security the library org.springframework.boot:spring-boot-starter-security must be present in the Classpath. This can be achieved by adding the library as a dependency in the build.gradle file. Note the first item in the dependencies list

dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
    implementation 'org.springframework.boot:spring-boot-starter-web'
    runtimeOnly 'com.h2database:h2'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
}

Restart the application

Just restart the application. Then go to the next step.

Verify Spring Security is enabled

Open the browser and attempt to access the API endpoints. If a login page appears for each endpoint you try to access, it confirms that Spring Security is enabled and functioning as expected.

Yeah that's it.

At this point the application is running with the default implementation of Spring Security. You will not able to access the APIs without entering login credentials. In the default implementation, Spring Security provides a default user with username as “user” and a randomly generated password . This generated password can be obtained from the console logs.

Note the line Using generated security password: dd05314d-2856-48b4-9c81-fcc480e0b4bf

The default behavior of Spring Security, unless configured otherwise is as follows:

All end points are protected by default when the library org.springframework.boot:spring-boot-starter-security is present in the Classpath
One cannot access the resources without authentication.
Provides a default user that can be overridden.

In this default setup the APIs can be accessed by entering the username as user and password as the one which is printed in the console. Try accessing the APIs by entering the default credentials.

PART 1: Create the base application

Ginto Philip — Sat, 25 May 2024 15:05:30 GMT

Before proceeding to the implementation of authentication and authorization , let's create a simple application to serve as a foundation. The application will have the following API end points.

GET /api/hello
GET /api/protected
GET /api/admin

Also a database software is required. Here the setup uses PostgreSQL database. You are free to choose yours.

💡

Don't forget to create a database named spring_access_db in your favorite database tool.

Let's go through the following steps to build the foundation.

Create the project
Implement the API end points
Create user and role entities
Create user and role repositories
Configure database connectivity
Populate database with sample users
Run the application
Verify users and roles are created by querying the database
Try accessing the API end points

Create the project

To create the project go to https://start.spring.io/ and create the sample project with the following dependencies.

Spring Web
Spring Data JPA
PostgreSQL Driver

💡

If you are using IntelliJ IDEA Ultimate or Visual Studio Code you can create the project within the IDE.

💡

Create project with IntelliJ IDEA Ultimate : Click here for doc

💡

Create project with Visual Studio Code: Click here for doc

Here I used the Spring initializer and opened the project in IntelliJ IDEA (Community Edition)

Add the dependencies
Fill up the project metadata
Generate the Zip file and extract it.
Then open it in your IDE.

Implement the API end points

Create a class named ApiController and implement the APIs there.

ApiController.java

  package com.gintophilip.springauth.controller;

  import org.springframework.http.ResponseEntity;
  import org.springframework.web.bind.annotation.GetMapping;
  import org.springframework.web.bind.annotation.RequestMapping;
  import org.springframework.web.bind.annotation.RestController;

  @RestController
  @RequestMapping("/api")
  public class ApiController {
      @GetMapping("/hello")
      public ResponseEntity hello() {
          return ResponseEntity.ok("Hello");
      }

      @GetMapping("/protected")
      public ResponseEntity protectedResource() {
          String message = """
                  This is a protected resource 

                  You are seeing this because you are an authenticated user
                  """;
          return ResponseEntity.ok(message);
      }

      @GetMapping("/admin")
      public ResponseEntity admin() {
          String message = "Hello Admin";
          return ResponseEntity.ok(message);
      }
  }

Create user and role entities

Create two classes for modeling the user and role entities.

ApplicationUser.java

package com.gintophilip.springauth.entities;

import jakarta.persistence.*;

@Entity
public class ApplicationUser {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;
    private String firstName;
    private String lastName;
    @Column(unique = true)
    private String email;
    private String password;
    @ManyToOne
    @JoinTable(name = "user_roles")
    private Roles role;

    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    public String getFirstName() {
        return firstName;
    }

    public void setFirstName(String firstName) {
        this.firstName = firstName;
    }

    public String getLastName() {
        return lastName;
    }

    public void setLastName(String lastName) {
        this.lastName = lastName;
    }

    public String getEmail() {
        return email;
    }

    public void setEmail(String email) {
        this.email = email;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public Roles getRole() {
        return role;
    }

    public void setRole(Roles role) {
        this.role = role;
    }
}

Roles.java

package com.gintophilip.springauth.entities;

import jakarta.persistence.*;

@Entity
public class Roles {
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long id;
    @Column(unique = true)
    private String roleName;

    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    public String getRoleName() {
        return roleName;
    }

    public void setRoleName(String roleName) {
        this.roleName = roleName;
    }
}

Create user and role repositories

UserRepository.java

package com.gintophilip.springauth.repository;

import com.gintophilip.springauth.entities.ApplicationUser;
import org.springframework.data.jpa.repository.JpaRepository;

public interface UserRepository  extends JpaRepository<ApplicationUser,Long> {

    ApplicationUser findByEmail(String email);
}

RoleRepository.java

package com.gintophilip.springauth.repository;

import com.gintophilip.springauth.entities.Roles;
import org.springframework.data.jpa.repository.JpaRepository;

public interface RoleRepository extends JpaRepository<Roles,Long> {

}

Configure database connectivity

Let's configure the connection to the database named spring_access_db with the following settings:

username: postgres

password: 12345

For configuring the database connectivity update the application.properties file as follows.

spring.datasource.url=jdbc:postgresql://localhost:5432/spring_access_db
spring.datasource.username=postgres
spring.datasource.password=12345
spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.PostgreSQLDialect
spring.jpa.hibernate.ddl-auto = update

💡

If you are using a different database, please ensure that the connection URL is updated to correspond with your specific database. also the hibernate dialect

Populate database with sample users

Let's Create a class which implements the CommandLineRunner interface. The method run will be executed once the application is ready.

DatabaseUtilityRunner.java

package com.gintophilip.springauth;

import com.gintophilip.springauth.entities.ApplicationUser;
import com.gintophilip.springauth.entities.Roles;
import com.gintophilip.springauth.repository.RoleRepository;
import com.gintophilip.springauth.repository.UserRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.CommandLineRunner;
import org.springframework.stereotype.Component;

@Component
public class DataBaseUtilityRunner implements CommandLineRunner {
    @Autowired
    UserRepository usersRepository;
    @Autowired
    RoleRepository rolesRepository;
    @Override
    public void run(String... args) throws Exception {
        try {
            Roles userRole = new Roles();
            userRole.setRoleName("USER");
            Roles adminRole = new Roles();
            adminRole.setRoleName("ADMIN");
            rolesRepository.save(userRole);
            rolesRepository.save(adminRole);
            ApplicationUser user1 = new ApplicationUser();
            user1.setFirstName("John");
            user1.setEmail("john@test.com");
            user1.setPassword("123456");
            user1.setRole(userRole);

            ApplicationUser adminUser = new ApplicationUser();
            adminUser.setFirstName("sam");
            adminUser.setEmail("sam@test.com");
            adminUser.setPassword("12345");

            adminUser.setRole(adminRole);
            usersRepository.save(user1);
            usersRepository.save(adminUser);
        }catch (Exception exception){

        }

    }
}

Verify users and roles are created by querying the database

As a result of the previous step three tables will be created with the provided data in the database spring_access_db;

Here I use the psql CLI client to view and query the database.

List of tables

spring_access_db-# \dt
              List of relations
 Schema |       Name       | Type  |  Owner   
--------+------------------+-------+----------
 public | application_user | table | postgres
 public | roles            | table | postgres
 public | user_roles       | table | postgres
(3 rows)

Table: application_user

Query: select * from application_user;

spring_access_db=# select * from application_user;
 id |     email     | first_name | last_name | password 
----+---------------+------------+-----------+----------
  1 | john@test.com | John       |           | 123456
  2 | sam@test.com  | sam        |           | 12345
(2 rows)

In this example, the password is stored in clear text. In a real-world scenario, it is essential to store passwords in an encrypted form rather than as plain text. We'll do this later.

Table: roles

Query:select * from roles;

spring_access_db=# select * from roles;
 id  | role_name 
-----+-----------
 802 | USER
 803 | ADMIN
(2 rows)

Table: user_roles

Query:select * from user_roles;

spring_access_db=# select * from user_roles;
 role_id | id 
---------+----
     802 |  1
     803 |  2
(2 rows)

Run the application

Now run the application. Once it is up and running, open the browser and try to access the API endpoints.

You will be able to access all the APIs without any restrictions. This completes the setup of base application.

In the comings steps we'll see how to protect these end points by integrating authentication and authorization mechanisms using Spring Security.

Introduction

Ginto Philip — Sat, 25 May 2024 15:04:05 GMT

Hello everyone, this document will guide you through the process of integrating authentication and authorization mechanisms into a Spring Boot web application using Spring Security. The following topics will be covered:.

PART 1: Create the base application.
1. Create the project.
2. Implement the API end points.
3. Create user and role entities.
4. Create user and role repositories.
5. Configure database connectivity.
6. Populate database with sample users.
7. Verify users and roles are created by querying the database.
8. Run the application.
PART 2: Enable Spring Security
1. Add the Spring Security dependency
2. Restart the application
3. Verify Spring Security is enabled
PART 3: Configuring security of the API end points
1. Create the security configuration class
2. Make all APIs to be accessed only by logged in users
3. Allow /api/hello to be accessed by anyone
4. Restrict access to /api/admin to user with ADMIN role only
PART 4: Integrate the database with Spring Security.
1. Add the password encoder bean.
2. Update the plain text password to encrypted password.
3. Configure user details service.
4. Configure the authentication provider.

Before going in let's see what is,

Authentication
Authorization
User details service
Authentication provider

Authentication

Authentication is the process of proving that someone is who they claim to be. The authentication can be done via certain ways such as Username and password, fingerprint. token etc...

To authenticate against an application, a user must have valid credentials. When these credentials are provided to the application for access, the application verifies them against the database where the credentials are stored. If the credentials match, the authentication is successful and the user can proceed to use the application.

Authorization.

While authentication verifies the identity of a user in an application, authorization determines what actions the user is permitted to perform. This means it addresses the permissions assigned to a user.

In an application, there may be multiple users, each with different levels of operational rights. For example, an ADMIN user may have the right to delete a user, whereas a regular user will not have this capability.

A basic flow of user authentication and authorization

Authentication

User submits the credentials to the application.
The application verifies the credentials by checking in the database.
If the credentials are valid allow access to the application.

Authorization

User requests a resource.
The authorization module checks if the user has rights to access the resource.
If user has rights the resource is given to the user.
Else the access to resource is denied.

User details service

This service provides the necessary data, such as username, password, or other details required for authentication. In Spring Security, we configure a UserDetailsService object, which instructs Spring Security on where to load the required data for authentication. For example, when a username is provided as "test@test.com," Spring Security needs to look up the user data where the username is "test@test.com." This lookup is typically performed on a database. The database required for this lookup is configured using the user details service.

In essence, the user details service is a service that retrieves user data from the database based on a given key.

Authentication provider

The authentication provider is responsible for authenticating users based on the provided credentials.

The authentication provider requests the user's details from the user details service using the received username. The user details service fetches and returns the user information if a user with the requested name is found. Then, it proceeds to compare the password.

The authentication provider and the user details service collaborate to authenticate a user effectively.

Executing background tasks using @Async annotation in Spring Boot

Ginto Philip — Fri, 08 Sep 2023 20:46:47 GMT

When developing an application we will encounter scenarios where some operations require more time to finish.

For example, consider the scenario where an application provides an option for its users to download all their data. When a download request is received, the application will start to collect all the data of the user. Then make a compressed file of this data and send it to the user. This will take a minimum of 5 minutes to complete.

If this operation is executing in the main thread of the request, then we will be blocked until the task is finished. So, How can we solve this? This long-running task needs to be moved to another thread.

The Spring boot framework provides a feature to execute tasks in a background thread using the @Async annotation. Let's see how to execute background tasks in Spring Boot using the @Async annotation.

I've created a sample project named asyncDemo using the spring initializer with the following structure

GitHub Link: spring-boot-async-demo

The REST Endpoints

/execute:- This will simulate a time-consuming task by introducing a 3-minute delay and writing a random number to a test database. Returns a taskId
/fetch/{taskId}:- retrieves the generated random number

Steps to make a method asynchronous

Create a thread pool executor configuration
Enable asynchronous method execution capability using @EnableAsync annotation
Annotate the required method with @Async

Add the following items to the project

Rest controller class
Entity class
Service class
Repository class

AsyncController.java (Rest API Controller)

package com.gintophilip.asyncDemo.controller;

import com.gintophilip.asyncDemo.entities.RandomUUID;
import com.gintophilip.asyncDemo.service.RandomUUIDService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;

import java.util.Optional;
import java.util.Random;

@RestController
@RequestMapping("/api/")
public class AsyncController {
    @Autowired
    RandomUUIDService userService;
    @PostMapping("/execute")
    ResponseEntity timeConsumingTask(){
        Long taskId = new Random().nextLong(900) + 100;
        userService.timeConsumingTask(taskId);
        return ResponseEntity.ok(taskId);
    }
    @GetMapping("/fetch/{taskId}")
    ResponseEntity> fetchResult(@PathVariable Long taskId){
        return ResponseEntity.ok(userService.fetchResult(taskId));
    }
}

RandomUUIDService.java (Service)

package com.gintophilip.asyncDemo.service;

import com.gintophilip.asyncDemo.entities.RandomUUID;
import com.gintophilip.asyncDemo.repositories.RandomUUIDRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.scheduling.annotation.Async;
import org.springframework.stereotype.Service;

import java.util.Optional;
import java.util.UUID;

@Service
public class RandomUUIDService {
    @Autowired
    RandomUUIDRepository randomUUIDRepository;
    Logger logger = LoggerFactory.getLogger(RandomUUIDService.class);
    public void timeConsumingTask(Long taskId) {
        try {
            String id = String.valueOf(UUID.randomUUID());
            Thread.sleep(1000);
            RandomUUID uuid = new RandomUUID();
            uuid.setId(taskId);
            uuid.setUUID(id);
            randomUUIDRepository.save(uuid);
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        }
    }

    public Optional fetchResult(Long taskId) {
        return randomUUIDRepository.findById(taskId);
    }
}

RandomUUID.java (Entity)

package com.gintophilip.asyncDemo.entities;

import jakarta.persistence.Entity;
import jakarta.persistence.Id;

@Entity
public class RandomUUID {
    @Id
    private Long id;
    private String UUID;

    public RandomUUID() {
    }

    public Long getId() {
        return id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    public String getUUID() {
        return UUID;
    }

    public void setUUID(String UUID) {
        this.UUID = UUID;
    }
}

RandomUUIDRepository.java (Repository)

package com.gintophilip.asyncDemo.repositories;

import com.gintophilip.asyncDemo.entities.RandomUUID;
import org.springframework.data.jpa.repository.JpaRepository;

public interface RandomUUIDRepository extends JpaRepository<RandomUUID,Long> {
}

Now run the application and call the /execute endpoint. You will see that to receive the response it took 3 minutes.

Let's solve this problem by using the @Async annotation

Adding asynchronous method execution capability

Add @EnableAsync at AsyncDemoApplication class

@SpringBootApplication
@EnableAsync
public class AsyncDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(AsyncDemoApplication.class, args);
    }

}

Create the thread pool executor configuration

ThreadPoolConfig.java

Let's give an initial thread pool size of 5 and the name for the thread as async_thread

package com.gintophilip.asyncDemo.configurations;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.scheduling.concurrent.ThreadPoolTaskExecutor;

@Configuration
public class ThreadPoolConfig {
    @Bean("asyncExecutor")
    public ThreadPoolTaskExecutor executor() {
        ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
        executor.setCorePoolSize(5);
        executor.setMaxPoolSize(5);
        executor.setThreadNamePrefix("async_thread");
        executor.initialize();
        return executor;
    }
}

Configure the method to run as an asynchronous task

Annotate the method timeConsumingTask inside the RandomUUIDService.java class with @Async("asyncExecutor")

We can specify which task executor to use by including the bean name if we have multiple task executor configurations. Here we use the "asyncExecutor" bean.

    @Async("asyncExecutor")
    public void timeConsumingTask(Long taskId) {
        logger.info("Thread name :{}",Thread.currentThread().getName());
        try {
            String id = String.valueOf(UUID.randomUUID());
            //simulate task by sleeping for 3 minute
            Thread.sleep(180000);
            RandomUUID uuid = new RandomUUID();
            uuid.setId(taskId);
            uuid.setUUID(id);
            randomUUIDRepository.save(uuid);
            logger.info("task completed");
        } catch (InterruptedException e) {
            throw new RuntimeException(e);
        }
    }

We also added a log message to show the thread name of the running async task

The async method only supports Future and void as return type

Now run the application and call the /execute endpoint. You will notice that it returned a task ID as a response.

After returning the response the timeConsumingTask method will execute on the thread named async_thread

Check the log. You will see the thread name we logged from the timeConsumingTask method

[  async_thread1] c.g.asyncDemo.service.RandomUUIDService  : Thread name :async_thread1
[  async_thread1] c.g.asyncDemo.service.RandomUUIDService  : task completed

After the completion of the task, we can get the result by calling /fetch/{taskId}