security risk management

Treat security as a risk

Security is the poster child of a Non-Functional Requirement: most people don’t care until the proverbial fecal matter hits the rotary propeller. Consequences can range from losing reputation to legal liability to putting the business out. In my post on running unsecured code, I concluded that you should treat security as a risk - and left it at that. I think it warrants a dedicated post. Risk management is well documented. You can find it in many engineering disciplines, if not ev

Security Manager Log4Shell Log4J security

You're running untrusted code!

Last December, Log4Shell shortened the nights of many people in the JVM world. Worse, to use the earthquake analogy, it caused many aftershocks after the initial quake. I immediately made the connection between Log4Shell and the Security Manager. At first, I didn’t want to write about it, but I’ve received requests to do so, and I couldn’t walk away. Hey @nicolas_frankel, isn't the #Log4j-Exploit the perfect argument against deprecation of the Java SecurityManager?!— Joha

Resilience microservices failsafe resilience4j microprofile

A tentative comparison of fault tolerance libraries on the JVM

Whether you’re implementing microservices or not, chances are that you’re calling HTTP endpoints. With HTTP calls, a lot of things can go wrong. Experienced developers plan for this and design beyond just the happy path. In general, fault tolerance encompasses the following features: Retry; Timeout; Circuit Breaker; Fallback; Rate Limiter, to avoid server-side 429 responses; Bulkhead: Rate Limiter limits the number of calls in a determined timeframe, while Bulkhead limits the number of concurren

Kotlin API design extension delegation tip

Beautify third-party API with Kotlin

Scala has popularized the 'Pimp my library' pattern: This is just a fancy expression to refer to the ability to supplement a library using implicit conversions. — Pimp My Library Pattern in Scala Kotlin does provide the same capability. However, it achieves it via extension functions. While the generated bytecode is similar to Java’s static methods, the developer experience is the same as adding functions to existing types. This approach has limitations, though. One cannot

graalvm native image quarkus

Native-image with Quarkus

So far, we have looked at how well Spring Boot and Micronaut integrate GraalVM native image extension. In this post, I’ll focus on Quarkus: A Kubernetes Native Java stack tailored for OpenJDK HotSpot and GraalVM, crafted from the best of breed Java libraries and standards. Creating a new project: Just as Spring Boot and Micronaut, Quarkus provides options to create new projects: a dedicated quarkus CLI; a Web UI. Quarkus offers a definite improvement over its competitors. Every

spring boot tip architecture demo

Multiple Spring Boot applications in the same project

I frequently use the Spring Boot framework in my demos. The latest one is no different. It shows how to achieve CQRS using two different code paths: the command part is implemented via Spring Data JPA; the query part via jOOQ. My use case is a banking application that offers a REST layer allowing clients to call either part. Demoing the query part is easy enough with curl as the URL is not complex: curl localhost:8080/balance/123 (1), where (1) queries the balance of the account 123. On the

kubernetes apache web server demo

Port management in your local Kubernetes cluster

Most of my talks contain a demo. A fair share of these demos require multiple 'infrastructure' dependencies: a database (or more), Elasticsearch, you name it. To ease my setup and avoid stuffing my machine, I use either Docker Compose or Kubernetes locally on my Mac. Both rely on Docker Desktop. To expose a cluster Service on my host, I use nodePort. Hence, I set a dedicated node port for each service. I need to remember each of them for each demo. Worse, services might be (are) declared across

graalvm native image micronaut

Native-image with Micronaut

Last week, I wrote a native web app that queried the Marvel API using Spring Boot. This week, I want to do the same with the Micronaut framework. Creating a new project: Micronaut offers two options to create a new project. A web UI: as for Spring Initializr, it provides several features: preview the project before you download it; share the configuration; an API. I do like that you can check the impact that the added features have on the POM. A Command-Line Interface: In parallel to the web

graalvm native image spring boot

Native-image with Spring Boot

The Cloud has enabled a lot of new usages that were not possible before. Among them stands Serverless: Serverless computing is a cloud computing execution model in which the cloud provider allocates machine resources on demand, taking care of the servers on behalf of their customers. Serverless computing does not hold resources in volatile memory; computing is rather done in short bursts with the results persisted to storage. When an app is not in use, there are no computing resources allocat

extension API

Extending third-party APIs in different languages

The need for shorter and shorter Time-To-Market requires integrating more and more third-party libraries. There’s no time for the NIH syndrome anymore, if there ever was. While most of the time the library’s API is ready to use, sometimes one needs to 'adapt' it to the codebase. How easy the adaptation is depends a lot on the language. For example, on the JVM, there are a couple of Reactive-Programming libraries: RxJava, Project Reactor, Mutiny, and coroutines. You migh