Encryption as a Service using Vault with Spring Boot

Database columns can be encrypted in multiple ways. Most databases have built-in support for encrypting values. For example, in Postgres we can use the functions pgp_sym_encrypt and pgp_sym_decrypt. This approach has some disadvantages: every read/write operation carries some overhead and slows down the DB servers. Most of the database providers give an option to encrypt the values. Moreover, the keys used for the encryption must be properly managed, which is complicated to do within the realm of the database servers. In a distributed system, computing costs should be kept minimal, and databases have very high I/O. It is a well-known fact that cryptographic functions use a big chunk of resources. Most industries have regulatory requirements and must protect sensitive data in an effective way. Finally, a common concern for engineers and security teams alike is to protect the data in transit and avoid eavesdropping. Encryption as a Service (EaaS) solves this problem, and HashiCorp’s Vault has a transit engine which takes away the burden of encrypting the data in transit. Vault is already a default key management and secret management solution in most organizations and has been integration with popular


Changing HttpClient in Spring RestTemplate

If you’re a Spring Boot user, you have almost certainly used RestTemplate. If you read the official documentation carefully, you will see that RestTemplate will be deprecated in the future and that we must use WebClient, which supports synchronous, asynchronous and streaming scenarios such as Server-Sent Events, WebSockets, etc. The majority of applications in production use RestTemplate, and it will be a long time before it is completely replaced with Reactive WebFlux. It is therefore important to know how we can customize the RestTemplate by changing the underlying HTTP client. The default HttpClient used in the RestTemplate is provided by the JDK. It is developed on top of the HttpURLConnection. There is a new module, added in Java 9 in incubation status and standardized in Java 11, called java.net.http.HttpClient. We can use this to make a client connection as well without needing third-party libraries. It is still unclear whether this will be used in Spring clients. Let’s get back to business. In Spring, the default HTTP client can be changed to Apache’s HttpClient or Square’s OkHttpClient. We can configure the RestTemplate to use the HttpClient of our choice. We can do this either directly or by using Spring Cloud Commons org.springframework.cloud.commons.httpclient which provides


Introduction to Micrometer with Springboot

Springboot and Springcloud have made it easier to develop Microservices in the past couple of years, and their usage has increased tremendously. Springboot without Micrometer is like riding a Tesla X without the instrument cluster. There are plenty of other tools available to instrument your code to collect metrics: some are supplied by the metrics aggregators, some are provided by APM vendors, and then there is a big gamut of open source projects. When we think about it at enterprise scale, questions like the following may arise before choosing the right tool. Where should I place my instrumentation code? How to instrument uniformly across systems with the least possible overhead? What is the impact if we need to change the metrics aggregator? How to collect multi-dimensional metrics? Micrometer is one such amazing library which provides out-of-the-box instrumentation for JVM applications, and it addresses some of the common problems that we face while instrumenting and collecting metrics. It has first-class support for most of the metrics collectors, and new ones are being added at a rapid pace. Let’s see how it works with an example. We will be using spring-boot in our example application and use


Distributed Tracing using Zipkin and Spring Cloud Sleuth

There is a growing trend in organizations to solve everything with Microservices. For a lot of modern-day applications, a single-node monolith is still enough and a better choice. Microservices are not a silver bullet which will solve all our technical problems. They come with their own baggage, which has to be taken into consideration and is neatly explained by Martin Fowler here. Increased operational complexity in using Microservices is certainly an area of concern, but it is a solvable problem. To handle the operational complexity, one of the major concerns when doing microservices, we need to get more insight into the services, the time taken to complete a request, how they communicate with each other and so on. The importance of tracing in distributed systems has produced a lot of thought among development teams, and Google’s Dapper paper has influenced one such amazing tracing library called Zipkin. The Zipkin library has support for most of the widely used programming languages and is one of the most actively contributed open source projects. I happened to meet Adrian Cole, one of Zipkin’s core contributors, who has shed more light on the importance of tracing even though I have


Reactive Springboot with Spring Cloud Vault

In the previous post, we saw how we can create reactive Microservices using Spring-boot and Kotlin. I want to write this as a series of articles to address various cross-cutting concerns that we encounter during the implementation of a Microservices architecture. In this post, we will look at securing our Microservices using Spring Cloud Security, storing the credentials of the service and MongoDB in HashiCorp Vault, and then retrieving them using Spring Cloud Vault. In addition to providing a secure means of storing credentials and tokens in the vault, it gives us the advantage of dynamically serving them to your Microservices. We will be using HashiCorp Vault for our demo and use the Azure Vault in the next series. To begin with, download the vaultproject from here according to your operating system. Create a vault config like the one below; the additional properties of the vault can be checked here. We are using the in-memory vault, so the tokens will not be persisted anywhere, and disable_mlock prevents the memory from being swapped to the disk. It is OK to use it for development/testing. Since I am using macOS for development, mlock is not supported by the system.

backend "inmem"


Developing reactive microservice using Springboot 2

Reactive Spring is based on Project Reactor for building non-blocking applications using the Spring platform and Spring Cloud frameworks. Three important interfaces available in Reactor are Publisher, Subscriber, and Processor.

Publisher – the source of the data
Subscriber – one which receives data asynchronously
Processor – nothing but a publisher which is also a subscriber (most of the time we won’t need this)

Reactor introduces reactive types which implement the Publisher interface, namely Flux and Mono.

Flux – represents multiple sequences of a result 0…N (many items), which suggests Flux is a standard publisher
Mono – as the name suggests, represents a single sequence of a result, either an empty result or one result 0…1, which suggests Mono will emit at most one item

Starting from Spring 5 and Spring Boot 2, the reactive core is completely supported and provides an excellent, long-awaited alternative to Akka Streams. If you are coming from a Spring background and use it extensively, there is no reason why you shouldn’t try this. However, it is great for people who are beginning with the Spring platform as well. This post is hugely inspired by Josh Long’s webinar on Reactive streams which you can find here. We are going to
