{"id":82443,"date":"2018-10-08T10:39:48","date_gmt":"2018-10-08T07:39:48","guid":{"rendered":"http:\/\/www.javacodegeeks.com\/?p=82443"},"modified":"2018-10-15T09:32:30","modified_gmt":"2018-10-15T06:32:30","slug":"build-java-rest-api-java-ee-oidc","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2018\/10\/build-java-rest-api-java-ee-oidc.html","title":{"rendered":"Build a Java REST API with Java EE and OIDC"},"content":{"rendered":"

\u201cI love writing authentication and authorization code.\u201d ~ No Java Developer Ever.<\/b> Tired of building the same login screens over and over? Try the Okta API for hosted authentication, authorization, and multi-factor auth.<\/a><\/span><\/p>\n

Java EE allows you to build Java REST API s quickly and easily with JAX-RS and JPA. Java EE is an umbrella standards specification that describes a number of Java technologies, including EJB, JPA, JAX-RS, and many others. It was originally designed to allow portability between Java application servers, and flourished in the early 2000s. Back then, application servers were all the rage and provided by many well-known companies such as IBM, BEA, and Sun. JBoss was a startup that disrupted the status quo and showed it was possible to develop a Java EE application server as an open source project, and give it away for free. JBoss was bought by RedHat in 2006.<\/p>\n

In the early 2000s, Java developers used servlets and EJBs to develop their server applications. Hibernate and Spring came along in 2002 and 2004, respectively. Both technologies had a huge impact on Java developers everywhere, showing them it was possible to write distributed, robust applications without EJBs. Hibernate\u2019s POJO model was eventually adopted as the JPA standard and heavily influenced EJB as well.<\/p>\n

Fast forward to 2018, and Java EE certainly doesn\u2019t look like it used to! Now, it\u2019s mostly POJOs and annotations and far simpler to use.<\/p>\n

Why Build a Java REST API with Java EE and Not Spring Boot?<\/h2>\n

Spring Boot is one of my favorite technologies in the Java ecosystem. It\u2019s drastically reduced the configuration necessary in a Spring application and made it possible to whip up REST APIs in just a few lines of code. However, I\u2019ve had a lot of API security questions lately from developers that\u00a0aren\u2019t<\/em>\u00a0using Spring Boot. Some of them aren\u2019t even using Spring!<\/p>\n

For this reason, I thought it\u2019d be fun to build a Java REST API (using Java EE) that\u2019s the same as a Spring Boot REST API I developed in the past. Namely, the \u201cgood-beers\u201d API from my\u00a0Bootiful Angular<\/a>\u00a0and\u00a0Bootiful React<\/a>\u00a0posts.<\/p>\n

Use Java EE to Build Your Java REST API<\/h2>\n

To begin, I\u00a0asked my network on Twitter<\/a>\u00a0if any quickstarts existed for Java EE like start.spring.io. I received a few suggestions and started doing some research.\u00a0David Blevins<\/a>\u00a0recommended I look at\u00a0tomee-jaxrs-starter-project<\/a>, so I started there. I also looked into the\u00a0TomEE Maven Archetype<\/a>, as recommended by\u00a0Roberto Cortez<\/a>.<\/p>\n

I liked the jaxrs-starter project because it showed how to create a REST API with JAX-RS. The TomEE Maven archetype was helpful too, especially since it showed how to use JPA, H2, and JSF. I combined the two to create my own minimal starter that you can use to implement secure Java EE APIs on TomEE. You don\u2019t have to use TomEE for these examples, but I haven\u2019t tested them on other implementations.<\/p>\n

If you get these examples working on other app servers, please let me know and I\u2019ll update this blog post.<\/em><\/p>\n

In these examples, I\u2019ll be using Java 8 and Java EE 7.0 with TomEE 7.1.0. TomEE 7.x is the EE 7 compatible version; a TomEE 8.x branch exists for EE8 compatibility work, but there are no releases yet. I expect you to have\u00a0Apache Maven<\/a>\u00a0installed too.<\/p>\n

To begin, clone our Java EE REST API repository to your hard drive, and run it:<\/p>\n

git clone https:\/\/github.com\/oktadeveloper\/okta-java-ee-rest-api-example.git javaee-rest-api\r\ncd javaee-rest-api\r\nmvn package tomee:run<\/pre>\n
Navigate to http:\/\/localhost:8080 and add a new beer.<\/p>\n
\"Java<\/a><\/p>\n
Click\u00a0Add<\/strong>\u00a0and you should see a success message.<\/p>\n
\"Java<\/a><\/p>\n
Click\u00a0View beers present<\/strong>\u00a0to see the full list of beers.<\/p>\n
\"Java<\/a>
\nYou can also view the list of good beers in the system at\u00a0http:\/\/localhost:8080\/good-beers<\/code>. Below is the output when using\u00a0HTTPie<\/a>.<\/p>\n
$ http :8080\/good-beers\r\nHTTP\/1.1 200\r\nContent-Type: application\/json\r\nDate: Wed, 29 Aug 2018 21:58:23 GMT\r\nServer: Apache TomEE\r\nTransfer-Encoding: chunked<\/pre>\n
[\r\n    {\r\n        \"id\": 101,\r\n        \"name\": \"Kentucky Brunch Brand Stout\"\r\n    },\r\n    {\r\n        \"id\": 102,\r\n        \"name\": \"Marshmallow Handjee\"\r\n    },\r\n    {\r\n        \"id\": 103,\r\n        \"name\": \"Barrel-Aged Abraxas\"\r\n    },\r\n    {\r\n        \"id\": 104,\r\n        \"name\": \"Heady Topper\"\r\n    },\r\n    {\r\n        \"id\": 108,\r\n        \"name\": \"White Rascal\"\r\n    }\r\n]<\/pre>\n
Build a REST API with Java EE<\/h2>\n
I showed you what this application can do, but I haven\u2019t talked about how it\u2019s built. It has a few XML configuration files, but I\u2019m going to skip over most of those. Here\u2019s what the directory structure looks like:<\/p>\n
$ tree .\r\n.\r\n\u251c\u2500\u2500 LICENSE\r\n\u251c\u2500\u2500 README.md\r\n\u251c\u2500\u2500 pom.xml\r\n\u2514\u2500\u2500 src\r\n    \u251c\u2500\u2500 main\r\n    \u2502   \u251c\u2500\u2500 java\r\n    \u2502   \u2502   \u2514\u2500\u2500 com\r\n    \u2502   \u2502       \u2514\u2500\u2500 okta\r\n    \u2502   \u2502           \u2514\u2500\u2500 developer\r\n    \u2502   \u2502               \u251c\u2500\u2500 Beer.java\r\n    \u2502   \u2502               \u251c\u2500\u2500 BeerBean.java\r\n    \u2502   \u2502               \u251c\u2500\u2500 BeerResource.java\r\n    \u2502   \u2502               \u251c\u2500\u2500 BeerService.java\r\n    \u2502   \u2502               \u2514\u2500\u2500 StartupBean.java\r\n    \u2502   \u251c\u2500\u2500 resources\r\n    \u2502   \u2502   \u2514\u2500\u2500 META-INF\r\n    \u2502   \u2502       \u2514\u2500\u2500 persistence.xml\r\n    \u2502   \u2514\u2500\u2500 webapp\r\n    \u2502       \u251c\u2500\u2500 WEB-INF\r\n    \u2502       \u2502   \u251c\u2500\u2500 beans.xml\r\n    \u2502       \u2502   \u2514\u2500\u2500 faces-config.xml\r\n    \u2502       \u251c\u2500\u2500 beer.xhtml\r\n    \u2502       \u251c\u2500\u2500 index.jsp\r\n    \u2502       \u2514\u2500\u2500 result.xhtml\r\n    \u2514\u2500\u2500 test\r\n        \u2514\u2500\u2500 resources\r\n            \u2514\u2500\u2500 arquillian.xml\r\n\r\n12 directories, 16 files<\/pre>\n
The most important XML files is the\u00a0pom.xml<\/code>\u00a0that defines dependencies and allows you to run the TomEE Maven Plugin. It\u2019s pretty short and sweet, with only one dependency and one plugin.<\/p>\n
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<project xmlns=\"http:\/\/maven.apache.org\/POM\/4.0.0\" xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n         xsi:schemaLocation=\"http:\/\/maven.apache.org\/POM\/4.0.0 http:\/\/maven.apache.org\/maven-v4_0_0.xsd\">\r\n    <modelVersion>4.0.0<\/modelVersion>\r\n\r\n    <groupId>com.okta.developer<\/groupId>\r\n    <artifactId>java-ee-rest-api<\/artifactId>\r\n    <version>1.0-SNAPSHOT<\/version>\r\n    <packaging>war<\/packaging>\r\n    <name>Java EE Webapp with JAX-RS API<\/name>\r\n    <url>http:\/\/developer.okta.com<\/url>\r\n\r\n    <properties>\r\n        <project.build.sourceEncoding>UTF-8<\/project.build.sourceEncoding>\r\n        <project.reporting.outputEncoding>UTF-8<\/project.reporting.outputEncoding>\r\n        <maven.compiler.target>1.8<\/maven.compiler.target>\r\n        <maven.compiler.source>1.8<\/maven.compiler.source>\r\n        <failOnMissingWebXml>false<\/failOnMissingWebXml>\r\n        <javaee-api.version>7.0<\/javaee-api.version>\r\n        <tomee.version>7.1.0<\/tomee.version>\r\n    <\/properties>\r\n\r\n    <dependencies>\r\n        <dependency>\r\n            <groupId>javax<\/groupId>\r\n            <artifactId>javaee-api<\/artifactId>\r\n            <version>${javaee-api.version}<\/version>\r\n            <scope>provided<\/scope>\r\n        <\/dependency>\r\n    <\/dependencies>\r\n\r\n    <build>\r\n        <plugins>\r\n            <plugin>\r\n                <groupId>org.apache.tomee.maven<\/groupId>\r\n                <artifactId>tomee-maven-plugin<\/artifactId>\r\n                <version>${tomee.version}<\/version>\r\n                <configuration>\r\n                    <context>ROOT<\/context>\r\n                <\/configuration>\r\n            <\/plugin>\r\n        <\/plugins>\r\n    <\/build>\r\n<\/project><\/pre>\n
The main entity is\u00a0Beer.java<\/code>.<\/p>\n
package com.okta.developer;\r\n\r\nimport javax.persistence.Entity;\r\nimport javax.persistence.GeneratedValue;\r\nimport javax.persistence.GenerationType;\r\nimport javax.persistence.Id;\r\n\r\n@Entity\r\npublic class Beer {\r\n    @Id\r\n    @GeneratedValue(strategy = GenerationType.AUTO)\r\n    private int id;\r\n    private String name;\r\n\r\n    public Beer() {}\r\n\r\n    public Beer(String name) {\r\n        this.name = name;\r\n    }\r\n\r\n    public int getId() {\r\n        return id;\r\n    }\r\n\r\n    public void setId(int id) {\r\n        this.id = id;\r\n    }\r\n\r\n    public String getName() {\r\n        return name;\r\n    }\r\n\r\n    public void setName(String beerName) {\r\n        this.name = beerName;\r\n    }\r\n\r\n    @Override\r\n    public String toString() {\r\n        return \"Beer{\" +\r\n                \"id=\" + id +\r\n                \", name='\" + name + '\\'' +\r\n                '}';\r\n    }\r\n}<\/pre>\n
The database (a.k.a., datasource) is configured in\u00a0src\/main\/resources\/META-INF\/persistence.xml<\/code>.<\/p>\n
<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<persistence version=\"2.0\" xmlns=\"http:\/\/java.sun.com\/xml\/ns\/persistence\"\r\n             xmlns:xsi=\"http:\/\/www.w3.org\/2001\/XMLSchema-instance\"\r\n             xsi:schemaLocation=\"http:\/\/java.sun.com\/xml\/ns\/persistence http:\/\/java.sun.com\/xml\/ns\/persistence\/persistence_2_0.xsd\">\r\n    <persistence-unit name=\"beer-pu\" transaction-type=\"JTA\">\r\n        <jta-data-source>beerDatabase<\/jta-data-source>\r\n        <class>com.okta.developer.Beer<\/class>\r\n        <properties>\r\n            <property name=\"openjpa.jdbc.SynchronizeMappings\" value=\"buildSchema(ForeignKeys=true)\"\/>\r\n        <\/properties>\r\n    <\/persistence-unit>\r\n<\/persistence><\/pre>\n
The\u00a0BeerService.java<\/code>\u00a0class handles reading and saving this entity to the database using JPA\u2019s\u00a0EntityManager<\/code>.<\/p>\n
package com.okta.developer;\r\n\r\nimport javax.ejb.Stateless;\r\nimport javax.persistence.EntityManager;\r\nimport javax.persistence.PersistenceContext;\r\nimport javax.persistence.Query;\r\nimport javax.persistence.criteria.CriteriaQuery;\r\nimport java.util.List;\r\n\r\n@Stateless\r\npublic class BeerService {\r\n\r\n    @PersistenceContext(unitName = \"beer-pu\")\r\n    private EntityManager entityManager;\r\n\r\n    public void addBeer(Beer beer) {\r\n        entityManager.persist(beer);\r\n    }\r\n\r\n    public List<Beer> getAllBeers() {\r\n        CriteriaQuery<Beer> cq = entityManager.getCriteriaBuilder().createQuery(Beer.class);\r\n        cq.select(cq.from(Beer.class));\r\n        return entityManager.createQuery(cq).getResultList();\r\n    }\r\n\r\n    public void clear() {\r\n        Query removeAll = entityManager.createQuery(\"delete from Beer\");\r\n        removeAll.executeUpdate();\r\n    }\r\n}<\/pre>\n
There\u2019s a\u00a0StartupBean.java<\/code>\u00a0that handles populating the database on startup, and clearing it on shutdown.<\/p>\n
package com.okta.developer;\r\n\r\nimport javax.annotation.PostConstruct;\r\nimport javax.annotation.PreDestroy;\r\nimport javax.ejb.Singleton;\r\nimport javax.ejb.Startup;\r\nimport javax.inject.Inject;\r\nimport java.util.stream.Stream;\r\n\r\n@Singleton\r\n@Startup\r\npublic class StartupBean {\r\n    private final BeerService beerService;\r\n\r\n    @Inject\r\n    public StartupBean(BeerService beerService) {\r\n        this.beerService = beerService;\r\n    }\r\n\r\n    @PostConstruct\r\n    private void startup() {\r\n        \/\/ Top beers from https:\/\/www.beeradvocate.com\/lists\/top\/\r\n        Stream.of(\"Kentucky Brunch Brand Stout\", \"Marshmallow Handjee\", \r\n                \"Barrel-Aged Abraxas\", \"Heady Topper\",\r\n                \"Budweiser\", \"Coors Light\", \"PBR\").forEach(name ->\r\n                beerService.addBeer(new Beer(name))\r\n        );\r\n        beerService.getAllBeers().forEach(System.out::println);\r\n    }\r\n\r\n    @PreDestroy\r\n    private void shutdown() {\r\n        beerService.clear();\r\n    }\r\n}<\/pre>\n
These three classes make up the foundation of the app, plus there\u2019s a\u00a0BeerResource.java<\/code>\u00a0class that uses JAX-RS to expose the\u00a0\/good-beers<\/code>\u00a0endpoint.<\/p>\n
package com.okta.developer;\r\n\r\nimport javax.ejb.Lock;\r\nimport javax.ejb.Singleton;\r\nimport javax.inject.Inject;\r\nimport javax.ws.rs.GET;\r\nimport javax.ws.rs.Path;\r\nimport javax.ws.rs.Produces;\r\nimport java.util.List;\r\nimport java.util.stream.Collectors;\r\n\r\nimport static javax.ejb.LockType.READ;\r\nimport static javax.ws.rs.core.MediaType.APPLICATION_JSON;\r\n\r\n@Lock(READ)\r\n@Singleton\r\n@Path(\"\/good-beers\")\r\npublic class BeerResource {\r\n    private final BeerService beerService;\r\n\r\n    @Inject\r\n    public BeerResource(BeerService beerService) {\r\n        this.beerService = beerService;\r\n    }\r\n\r\n    @GET\r\n    @Produces({APPLICATION_JSON})\r\n    public List<Beer> getGoodBeers() {\r\n        return beerService.getAllBeers().stream()\r\n                .filter(this::isGreat)\r\n                .collect(Collectors.toList());\r\n    }\r\n\r\n    private boolean isGreat(Beer beer) {\r\n        return !beer.getName().equals(\"Budweiser\") &&\r\n                !beer.getName().equals(\"Coors Light\") &&\r\n                !beer.getName().equals(\"PBR\");\r\n    }\r\n}<\/pre>\n
Lastly, there\u2019s a\u00a0BeerBean.java<\/code>\u00a0class is used as a managed bean for JSF.<\/p>\n
package com.okta.developer;\r\n\r\nimport javax.enterprise.context.RequestScoped;\r\nimport javax.inject.Inject;\r\nimport javax.inject.Named;\r\nimport java.util.List;\r\n\r\n@Named\r\n@RequestScoped\r\npublic class BeerBean {\r\n\r\n    @Inject\r\n    private BeerService beerService;\r\n    private List<Beer> beersAvailable;\r\n    private String name;\r\n\r\n    public String getName() {\r\n        return name;\r\n    }\r\n\r\n    public void setName(String name) {\r\n        this.name = name;\r\n    }\r\n\r\n    public List<Beer> getBeersAvailable() {\r\n        return beersAvailable;\r\n    }\r\n\r\n    public void setBeersAvailable(List<Beer> beersAvailable) {\r\n        this.beersAvailable = beersAvailable;\r\n    }\r\n\r\n    public String fetchBeers() {\r\n        beersAvailable = beerService.getAllBeers();\r\n        return \"success\";\r\n    }\r\n\r\n    public String add() {\r\n        Beer beer = new Beer();\r\n        beer.setName(name);\r\n        beerService.addBeer(beer);\r\n        return \"success\";\r\n    }\r\n}<\/pre>\n
You now have a REST API built with Java EE! However, it\u2019s not secure. In the following sections, I\u2019ll show you how to secure it using Okta\u2019s JWT Verifier for Java, Spring Security, and Pac4j.<\/p>\n
Add OIDC Security with Okta to Your Java REST API<\/h2>\n
You will need to create an OIDC Application in Okta to verify the security configurations you\u2019re about to implement work. To make this effortless, you can use Okta\u2019s API for OIDC. At Okta, our goal is to make\u00a0identity management<\/a>\u00a0a lot easier, more secure, and more scalable than what you\u2019re used to. Okta is a cloud service that allows developers to create, edit, and securely store user accounts and user account data, and connect them with one or multiple applications. Our API enables you to:<\/p>\n