I've been going through Spring Security in Action - 2nd Edition for some time now. It's been a solid read for getting into the fundamentals of how the framework works under the hood. Application security has become a critical area especially today, where systems are heavily exposed through APIs and AI-driven applications are becoming more common. The book covers key concepts that play a major role in building secure applications. #Java #SpringBoot #SpringSecurity #ApplicationSecurity
Spring Security Fundamentals for Secure Applications
-
Spring Boot Filters vs Interceptors — Most developers confuse this 🤯
Let’s simplify 👇
✅ Filter (Servlet level)
- Works BEFORE DispatcherServlet
- Used for logging, authentication, request modification
✅ Interceptor (Spring level)
- Works AFTER DispatcherServlet
- Used for business-level checks
💡 Flow: Request → Filter → DispatcherServlet → Interceptor → Controller
⚡ Real use case:
- Filter → JWT validation
- Interceptor → role-based access
👉 Choosing wrong = messy architecture
Know the difference = cleaner backend 🔥
#SpringBoot #Java #BackendDeveloper
-
Devlog #12 - PulseNotify
Started the user-service today.
Two entities: UserAccount and UserPreference (channel-specific settings per user).
Flyway migration with user_svc schema and index on user_id.
Named the entity UserAccount instead of User to avoid future classpath if in the future I implement Spring Security.
Repo: https://lnkd.in/d4rtYMAa
#Java #SpringBoot #Microservices #TechJobs #BuildingInPublic
-
Looking under the hood of Spring Security 🛡️
I just spent some time getting a "bird’s eye view" of the architecture behind Spring Security, and things are starting to click. It’s one thing to use the defaults, but another entirely to understand how the components actually talk to each other.
I’ve been deep-diving into the core authentication flow, specifically:
- Authentication Filter: The entry point that intercepts the request.
- Authentication Manager: The coordinator that manages the process.
- Authentication Provider: Where the actual logic for validating credentials lives.
I also spent time exploring the internal classes that tie these together. Seeing how the framework handles the heavy lifting behind the scenes makes you realize just how much thought goes into securing a modern application.
#SpringSecurity #SpringBoot #BackendEngineering #Java #LearningInPublic #WebSecurity
-
Spring Boot Circular Proxy Issue — Advanced trap 🤯
Even if you FIX circular dependency… Spring may still create proxies internally.
👉 This can lead to:
❌ Unexpected behavior
❌ Method not executing correctly
💡 Why? Spring uses AOP proxies (JDK / CGLIB)
⚠️ Problem: Internal method calls bypass proxy
Example: Method A → calls Method B internally
👉 AOP (like @Transactional) won’t apply
🔥 Solution:
✔ Move logic to another bean
✔ Avoid internal method calls
👉 This is why some transactions “don’t work”
Understanding proxies = senior-level Spring knowledge 💯
#SpringBoot #Java #AOP
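The internal-call behaviour described in the post above, as an added example that is not part of the original post: it uses a plain JDK dynamic proxy in place of Spring's AOP proxy, and `OrderService`, `OrderServiceImpl` and `Checkout` are hypothetical names. The list `advised` records which calls pass through the proxy, which is where advice such as a transaction would be applied.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.ArrayList;
import java.util.List;

public class SelfInvocationDemo {
    // Names of the calls that went through the proxy, i.e. where advice would run.
    static final List<String> advised = new ArrayList<>();

    interface OrderService {      // hypothetical service
        void placeOrder();        // calls saveOrder() internally
        void saveOrder();         // stands in for the @Transactional method
    }

    static class OrderServiceImpl implements OrderService {
        public void placeOrder() {
            saveOrder();          // this.saveOrder(): runs on the target, never reaches the proxy
        }
        public void saveOrder() { }
    }

    // Hypothetical second bean: it holds the proxy, so its call is intercepted.
    static class Checkout {
        private final OrderService orders;
        Checkout(OrderService orders) { this.orders = orders; }
        void run() { orders.saveOrder(); }
    }

    // Wraps the target the way an interface-based AOP proxy does.
    static OrderService proxy(OrderService target) {
        InvocationHandler advice = (self, method, args) -> {
            advised.add(method.getName());
            return method.invoke(target, args);
        };
        return (OrderService) Proxy.newProxyInstance(
                OrderService.class.getClassLoader(),
                new Class<?>[] { OrderService.class }, advice);
    }

    public static void main(String[] args) {
        OrderService orders = proxy(new OrderServiceImpl());
        orders.placeOrder();
        System.out.println("internal call, advised methods: " + advised);
        advised.clear();
        new Checkout(orders).run();
        System.out.println("call from another bean, advised methods: " + advised);
    }
}
```

Run it with `javac SelfInvocationDemo.java && java SelfInvocationDemo` and compare the two printed lists.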
-
#Post7
In the previous post, we saw how to handle exceptions globally using @ControllerAdvice.
Now let’s take it one step further 👇
How do we handle specific errors properly? That’s where Custom Exceptions come in 🔥
Instead of using generic exceptions, we can create our own exception based on the use case.
Example:

    public class UserNotFoundException extends RuntimeException {
        public UserNotFoundException(String message) {
            super(message);
        }
    }

👉 Now we can throw this exception when user is not found
Example usage:

    if (user == null) {
        throw new UserNotFoundException("User not found");
    }

💡 Why use Custom Exceptions?
• Better error clarity
• Easy debugging
• More control over API responses
Key takeaway: Use custom exceptions to make your API errors more meaningful and structured 👍
In the next post, we will understand validation using @Valid 🔥
#Java #SpringBoot #BackendDevelopment #RESTAPI #LearnInPublic
-
One thing that becomes increasingly important as systems grow is structured logging. In smaller applications, simple logs often work fine. But once multiple services start interacting, finding the root cause of an issue can quickly become difficult. In one system I worked on, introducing consistent log formats and correlation IDs across services made a huge difference. It became much easier to trace requests flowing through different components and identify where failures were happening. Logging sometimes feels like a minor detail during development, but in production it often becomes one of the most valuable tools for debugging distributed systems. Spending a little extra effort on logging early can save a lot of time later when something goes wrong. #SoftwareEngineering #Microservices #BackendDevelopment #Java
-
Dependency Hell: How We Got There and How We Escaped 😨
Version conflicts, transitive dependencies, and hard lessons.
We added one small logging library. Nothing special. Just wanted prettier logs. 🚀
Then everything broke. Builds failed randomly. Runtime errors appeared out of nowhere. Two different versions of Guava were fighting each other. A security vulnerability crawled in through a dependency we didn't even know we had. Our simple app turned into a house of cards. We spent a couple of days just trying to make it compile again.
How We Escaped
First, we ran dependency:tree (Maven) and faced the horror. Pages of transitive dependencies. Chaos. Then we:
1) Explicitly declared versions for common dependencies
2) Used dependencyManagement to enforce consistency across modules
3) Ran dependency scanning weekly
4) Removed unused dependencies aggressively - if we weren't sure, it went away
The Lesson
Every dependency is a contract. Every transitive dependency is a stranger you just invited into your home. Know what you're pulling in. Audit regularly. And when in doubt, leave it out. 🗑️
#Java #DependencyManagement #Maven #Gradle #SoftwareEngineering #TechDebt #Security
-
🛑 STOP WRITING BOILERPLATE
Quick Spring Starter v1.2.0 now includes a dedicated JwtService. Instead of manually configuring MACSigners and ClaimsSets every time you build a login or registration flow, you can now inject the service and go.
What's new ❓
1️⃣ Generate a JWT token with one line 🟡 jwtService.generateToken(username, roles)
2️⃣ Default 1h expiration
3️⃣ Automatically uses the secret key already defined in a properties file.
Maven Central - https://lnkd.in/gkWJcUmU
GitHub - https://lnkd.in/gjijxQfG
Maven Repository - https://lnkd.in/gMiiJnep
#Java #SpringBoot #SpringSecurity #OpenSource #WebDevelopment #Backend
-
🚨 Why I stopped using field injection in Spring Boot
I used to write this:

    @Autowired
    private UserService userService;

Looks clean… but caused real issues.
❌ Problems:
* Hard to test
* Hidden dependencies
* NullPointer risks in edge cases
✅ Now I always use constructor injection:

    public UserController(UserService userService) {
        this.userService = userService;
    }

💥 Real benefit: While writing unit tests, I realized I could mock dependencies easily without Spring context.
💡 Takeaway: Field injection is convenient. Constructor injection is production-safe.
Small change. Big impact.
#Java #SpringBoot #BackendDevelopment #SoftwareEngineering #Microservices #RESTAPI #SystemDesign #DeveloperLife #100DaysOfCode
-
🔍 Filters vs Interceptors in Spring Boot — and why most devs mix them up
Both intercept HTTP requests. Both let you run logic before and after your controller. But they live at completely different layers — and choosing the wrong one leads to subtle bugs.
Here's the mental model that clears it up:
Filter = Servlet Container layer. Runs before DispatcherServlet even knows a request came in. It sees everything — including static resources.
Interceptor = Spring MVC layer. Runs after DispatcherServlet, before your controller method. It knows which handler is being called.
The one-line rule I use: If it needs to apply to every request, use a Filter. If it needs to know which endpoint is being called, use an Interceptor.
This distinction matters for:
→ Security — JWT pre-checks live in Filters, role validation in Interceptors
→ Logging — request metadata at filter level, execution time at interceptor level
→ Clean architecture — putting logic at the right layer keeps things testable
Swipe through the full breakdown with code examples and comparison table 👇
💬 Drop a comment: Which one do you use more in production, and for what?
#SpringBoot #Java #BackendDevelopment #Microservices #SpringMVC #JavaDeveloper #SoftwareArchitecture #TechInterview #SpringFramework #Programming
-
Thanks for sharing Sir. ❤️