Search - "spring security"
-
!(short rant)
Look, I understand online privacy is a concern and we should really be very much aware of what data we are giving to whom. But when does it turn from being aware to just being paranoid and a maniac about it? I mean okay, I know Facebook has access to your data including your WhatsApp chats (presumably), Google listens to your conversations and snoops on your mail and shit, Amazon advertises that you must have their spy system (read: Alexa) installed in your home, and numerous other cases. But in the end it really boils down to "everyone wants your data, but who do you trust your data with?"
For me, Facebook and the so-called social media sites are a strict no-no, but I use WhatsApp as my primary chatting application. I like to use Google for my searches because, yeah, it gives me more accurate search results compared to DDG because it has my search history. I use Gmail as my primary as well as work email because it is convenient and an ad here and there doesn't bother me. Their spam filters, the easy accessibility options, the storage they offer, everything is much more convenient for me. I use Linux for my work-related stuff (obviously) but I play my games on Windows. Alexa and such types of products are again a big no-no for me, but I regularly shop from Amazon and unless I am searching for some weird-ass shit (which, if you want to, do it in some incognito mode) I am fine with coming across some ads about things I searched for. Sometimes it reminds me of things I need to buy which I might have put off and later on forgot. I have an Amazon Prime account because Prime Video has some good shows in there. My primary web browser is Chrome because I simply love its developer tools and I have now gotten used to it. So unless Chrome is very much hogging my RAM, in which case I switch over to Firefox for some of my tabs, I am okay with using Chrome. I have a Motorola phone with stock Android, which means all Google apps pre-installed. I use Hangouts, Google Keep, Google Maps (cannot live without it now), heck even Google Photos, but I also deny certain accesses to apps which I find fishy, like if you are a game, you should not have access to my GPS. I live in India where we have Aadhaar cards (like the social security number in the USA) where the government has our fingerprints and all our data, because every damn thing now needs to be linked with your Aadhaar, otherwise your service will be terminated. Like your mobile number, your investment policies, your income tax, heck even your marriage certificates need to be linked with your Aadhaar card.
Here, I don't have any option but to give in because somehow "it's in the interest of the nation". Not surprisingly, this thing recently came to light where you can get your hands on anyone's Aadhaar details including their fingerprints for just ₹50 ($1). Fuck that shit.
tl;dr
There are, and should always be, exceptions when it comes to privacy, because when you give the other person your data, it sometimes makes your life much easier. On the other hand, people/services asking for your data with the sole purpose of infiltrating your private life and not providing any usefulness should just be boycotted. It all boils down to what extent you wish to share your data (ranging from literally installing a spying device in your house to them knowing that I want to understand how Spring Security works) and how much you trust the service with your data. Example being, I just shared most of my private data in this rant with a group of unknown people and I am okay with it, because I know I can trust devRant with my posts (unlike Facebook).
-
My biggest challenge has been moving away from an unmaintainable Java/Tomcat/Spring Security application server to a Node.js/Express application server that handles single sign-on and two-factor authentication. In 2 weeks.
I'm a front end dev. I'm sure it's fine 😓
-
For all the hate that Java gets, this *not rant* is to appreciate the Spring Boot/Cloud & Netty for without them I would not be half as productive as I am at my job.
Just to highlight a few of these life savers:
- Spring Security: many features, but I will just mention robust authorization out of the box
- Netflix Feign & Hystrix: easy circuit breaking & fallback pattern.
- Spring Data: consistent data access patterns & out-of-the-box functionality regardless of the data source, e.g. relational & document DBs, Redis etc., with managed-offering integrations as well. The abstraction here is something to marvel at.
- Spring Boot Actuator: out-of-the-box health checks that check all integrations: DB, Redis, Mail, Disk, RabbitMQ etc., which are crucial for Kubernetes readiness/liveness health checks.
- Spring Cloud Stream: another abstraction for the messaging layer that decouples application logic from the binder, i.e. could be Kafka, RabbitMQ etc.
- SpringFox Swagger: fantastic Swagger documentation integration that allows always-up-to-date API docs via annotations that can be converted to a swagger.yml if need be.
- Last but not least, Netty: implementing secure non-blocking network applications is not trivial. This framework has made it easier for us to implement a protocol server on top of UDP using Java & all the support that comes with Spring.
For these & many more I am grateful for Java & the big big community of devs that love & support it.
-
I inherited a Next.js project from an unknown guy and am fangirling the codebase.
But the deeper I familiarise myself with it, the more the cracks begin to appear:
1) The dude is incapable of grasping the basics of the DRY concept. He actually set up a ton of stuff I may have done poorly if I'd started working straight out of the docs, so I feel like I owe him a shower of praise. I guess being new to Next.js makes it look more impressive than it actually is. He was paid off, yet getting the credit seems unearned to me. I'm just afraid reaching out to him might turn around to bite me in the ass.
***
I had the above in my drafts, contemplating sending him a token to show some appreciation for unknowingly showing me the ropes. I was going to find him on LinkedIn using his commit names. But after doing everything I've done, undergoing the anxiety and severe pressure I faced at the hands of the project owners, I'm not sharing a farthing with anybody.
Yes, I may not have known about zustand and the persist middleware. Yes, he did all the UI. Yes, he created the base components and fancy wrappers around form and button HTML elements. For those, I'm grateful.
But for the amount of refactoring I had to do for an opportunity to implement my own target features, I'd say I can lay as much claim to the project as he does.
Side note #1: I have some newfound respect for front end devs. We used to discriminate against them for doing just CSS, but that was only relevant in the jQuery days. Now, they have to use cryptic CSS frameworks (Sass, Less, Tailwind), they have to learn the esoteric syntax of some JS framework and write controllers/components as the case may be. They have to (the worst part) bind this data to an API, which would never make sense to me coming from a PHP SSR-natural world.
Back to rewarding the guy, some of the challenges I came back from were:
1) Next server outages: I still don't know the workaround for this. The app terminates, the browser giving an error about using up memory. I have to wait for about 10 minutes before I can access the app again.
2) Spring WebFlux authentication not hydrating: I was unexpectedly asked to work on the back end too, where I got tortured with this horrifying condition. The most poorly documented framework for the web has no up-to-date guide on how to implement JWT security measures. I opened a question on Stack Overflow. A day later, both my question and the helpful answer got downvoted.
3) Zustand not retrieving any data from localStorage once the page reloads, until I miraculously stumbled on a hack: there's a config callback for reading state after rehydration or thereabouts. So I interact with the state there. That's the only way content clearly in localStorage can get transmuted into a dynamic format accessible by the code.
4) Mongo database suddenly disconnecting: for no apparent reason, this bailed. Accessible on Compass. This was even when I realised it was responsible for front end requests not going through. Eventually created a new database and requests surprisingly began connecting again. Thankfully, my Laravel background taught me about seeders, so I had them on standby from the onset. Wasn't difficult to just port to a fresh database after confirming the first one was inaccessible to the app.
After this painful odyssey and the time constraints, threats of moving forward with someone else, I deserve every dime they deem me worthy of and more.
-
My workplace is still using XML-based configuration, and non-Spring Boot projects.
So every Spring Boot tutorial I find feels like "Look how easily you can get this running" and then it's actually just a toy you can't get into production.
Also it kind of bugs me that you need to be online to actually be able to initialize/create a Spring Boot project, and every single tutorial says so.
You can make a local network m2 repository, but can one make a Spring Initializr service?
Either way, migrating every single project to Spring Boot is a no-no.
And I'm stuck with like 5 prototypes of SSO integration, of which only 2 work, and the other 3 have their own problems.
One does redirect to the login and all, but the SAML endpoint gets a 404 on the response when you log in.
One is on OpenID Connect, but I would need to update the project from Spring 3 to Spring 5 to get it working, which upon attempting to do seems to break everything else.
One has an external library handling the security context just the way we are accustomed to, but it only does a 401 forbidden when you go without logging in, and I'm starting to think it is actually one of those that require you to extract the token or something manual like that, which wouldn't work for us.
The other two are Spring Boot tutorials that worked out of the box, both SAML and OpenID; still can't use those for the main projects.
I'm tired of dealing with this configuration hell, been two months at this. I want to get features done as usual, not be stuck configuring stuff that might or might not work.
Rant aside, I think I figured out I need to use a different security adapter, but I needed to vent.
-
I am working on a Spring Boot JWT project. I've encountered a UserDetails class name.
Why is it named UserDetails?? Where the fuck are those details??!! COZ I CAN'T SEE THEM
Those kinds of methods can also be found in other various Services, for example LocationService or UserService, but none of them is called by developers, for example, LocationDetailsService. WHAT THE FUCK. Wouldn't it be better to name it UserSecurity????
-
Joined a startup, pretty happy with the company overall so far, truthfully. Secured a large project yesterday with higher billables, so job-security-wise things are good. However... The project I've been working on is a mix of a Spring Boot webapp and a game. Two separate applications that interact with each other.
Two teams. A home team, and an away team, plus.... 2 "AIs" to play against... Well.... whoever designed this "AI" designed it so they can only ever play as the away team. Why... every function, every method, every bit of logic is coded around what "half" of the inning it is.... Now I had the bright idea of picking up the hardest task on the ticket list, of making these AIs able to play as the home team.
WHAT A TASK, and to make things worse, instead of using some kind of proper inheritance with actual structure, we have TWO COPY-AND-PASTED AIs where the other has more hard-coded team-sided logic that needs to ALSO be adapted.
17 points my ass.
I do love my job though.
-
!rant
Can anyone recommend me a good book or course to start learning Spring Framework 4??
I'm tired of struggling with it. I have to work with the thing and I barely know what I'm doing most of the time.
I managed to resolve a couple of Spring Security issues we had at work, but that was through sheer dogged googling around. I want to spend some time learning it from the bottom up...
I know it's quite vast, but what I'm going for is trying to learn the basics and a few of the most commonly used bits of the advanced portions, then expanding my knowledge.
So any suggestions?
I hear Spring in Action 4 by Craig Walls is nice, but some reviews criticise it for not being appropriate for newbies like me.
So damn tired of silently screaming "what the F*** is all this shit?!?" when I'm given Spring-related stuff to work on 😔
-
When Spring Security protects exactly the opposite of what you think you asked ... But you don't know why...
-
I don't get Keycloak. Anyone who has experience with it, please help.
We have what I would think is a common setup: a Kubernetes cluster with a Spring Boot API gateway and Keycloak as the OAuth2 provider.
The API gateway needs an issuer URI to Keycloak for endpoint discovery, i.e. to configure a bunch of endpoints to Keycloak for different purposes.
The two main purposes are: 1. to redirect the user to Keycloak (must be a URL reachable from outside the cluster, i.e. the ingress); 2. to authenticate tokens directly with Keycloak from within the cluster.
Keycloak can be configured to set some of these discovery endpoints to different values. Specifically, it makes a separation between back-facing (system calls in the cluster) and front-facing (user calls from the browser) URLs. All seems good.
However, when using this setup, each time Spring Security authenticates a token against Keycloak it says the "issuer" is invalid. This is because the issuer is the host on which the token was generated. This host was the one in the URL which the user was redirected to, i.e. the ingress.
It feels like there is no way around this except running Keycloak outside the Kubernetes cluster, but surely there must be a way to run Keycloak in the same cluster. What else is the purpose of Keycloak having the concept of back- and front-facing URLs?
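The split the post above is asking for, as an added example (this is not code from the post, from Keycloak or from Spring's own samples): a Spring Security resource-server JwtDecoder that fetches the realm's signing keys over the in-cluster service address, while validating the token's iss claim against the external (ingress) issuer URL that Keycloak actually writes into tokens. The hostnames, namespace, realm name and the /realms/<realm> path are assumptions and must match the deployment.

```java
// Added example, not from the original post or from Keycloak/Spring.
// Assumptions (hypothetical values): Keycloak advertises
// https://auth.example.com/realms/myrealm as its issuer (the ingress URL the
// browser is redirected to), and is reachable inside the cluster as the
// service keycloak.keycloak.svc.cluster.local:8080 with the /realms/<realm>
// path layout of recent Keycloak versions (older ones use /auth/realms/...).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class KeycloakJwtDecoderConfig {

    // Public realm URL. This is the value Keycloak puts into the "iss" claim of
    // tokens minted through the ingress, so it is what we must validate against.
    private static final String EXTERNAL_ISSUER =
            "https://auth.example.com/realms/myrealm";

    // In-cluster JWK Set endpoint. Used only to download signing keys; it never
    // appears in a token and is never handed to a browser.
    private static final String INTERNAL_JWK_SET_URI =
            "http://keycloak.keycloak.svc.cluster.local:8080"
                    + "/realms/myrealm/protocol/openid-connect/certs";

    @Bean
    JwtDecoder jwtDecoder() {
        // Building from an explicit JWK Set URI means Spring never fetches the
        // OpenID discovery document via the internal address, which is where
        // the issuer mismatch described in the post comes from.
        NimbusJwtDecoder decoder =
                NimbusJwtDecoder.withJwkSetUri(INTERNAL_JWK_SET_URI).build();

        // Default validators (exp/nbf with clock skew) plus an "iss" check
        // against the external URL. Keep the issuer check; dropping it to make
        // the error go away would accept tokens from any realm whose keys
        // happen to be served at the configured JWK Set URI.
        OAuth2TokenValidator<Jwt> validator =
                JwtValidators.createDefaultWithIssuer(EXTERNAL_ISSUER);
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

Spring Boot's auto-configuration gives the same split without a bean: set spring.security.oauth2.resourceserver.jwt.issuer-uri to the external URL and spring.security.oauth2.resourceserver.jwt.jwk-set-uri to the internal certs endpoint; when jwk-set-uri is present, Boot builds the decoder from it and uses issuer-uri only for the iss check. For a WebFlux-based gateway (Spring Cloud Gateway, for instance) the same code applies with NimbusReactiveJwtDecoder and a ReactiveJwtDecoder bean. The iss value itself is whatever hostname Keycloak is configured to advertise, so the two URLs must agree on realm name and path, and the key download over plain HTTP inside the cluster is only acceptable if that network path is trusted (a service mesh or HTTPS on the service is the usual answer otherwise).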