Identifying, Reporting, and Fixing CVE-2021-22119: DoS Vulnerability in Spring Security OAuth 2.0

In March 2021, I observed troubling behavior in multiple applications I supported that are built using Spring Boot: they would occasionally stop responding. Eventually, I tracked down the root cause to a DoS (Denial of Service) vulnerability in Spring Security OAuth 2.0: a simple shell script could take down any affected web application. Respecting the … Continue reading Identifying, Reporting, and Fixing CVE-2021-22119: DoS Vulnerability in Spring Security OAuth 2.0

Cypress Testing Integrated with Gradle and Spring Boot

Cypress is a great testing framework for “anything that runs in a browser” allowing for clean, maintainable end to end tests. However, these tests can difficult and annoying to for developers to run, especially those who aren’t front end specialists. The following covers getting existing Cypress tests integrated and easily running within the Gradle-based build … Continue reading Cypress Testing Integrated with Gradle and Spring Boot

Lighthouse Performance Testing

Lighthouse is a great way to establish a build-measure-learn feedback loop resulting in continuous value creation by testing ideas in the areas of SEO, performance, accessibility, and more. In this article, I’ll cover what Lighthouse is and how to add it a project with examples covering pure Javascript (node) projects and Gradle projects (with any … Continue reading Lighthouse Performance Testing

Reproducible Builds in Java

Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code. https://reproducible-builds.org/ Reproducible builds are important and provide benefits in many areas, including: Security. Because the same input source code always provides the same output binary artifact, you know that no attacker modified the toolchain to inject vulnerabilities … Continue reading Reproducible Builds in Java

Version Controlling Database Schemas and Data with Liquibase

Version controlling database schemas facilitates repeatable deployments and consistent environments. The alternative is have a human manually perform database modifications; since humans are human, we tend to make mistakes especially when performing repetitive tasks, and our time is also very expensive compared to that of machines, so automating database schema changes is superior approach. More … Continue reading Version Controlling Database Schemas and Data with Liquibase

Change the Spring Session JDBC Serialization Method to Improve Performance

Spring Session JDBC is a great way to allow an application to be stateless. By storing the session in the database, a request can be routed to any application server. This approach provides significant advantages such as automatic horizontal scaling, seamless failover, and no need for session affinity. By using JDBC, the database the application … Continue reading Change the Spring Session JDBC Serialization Method to Improve Performance

Spring Boot, HTTPS required, and Elastic Beanstalk health checks

Spring Boot can be very easily configured to require HTTPS for all requests. In application.properties, simply set security.require-ssl=true And that works great – until you’re running the Spring Boot application on AWS Elastic Beanstalk with both HTTP and HTTPS listeners: In that case, Elastic Beanstalk’s health check is always done over HTTP. The configuration page … Continue reading Spring Boot, HTTPS required, and Elastic Beanstalk health checks