{"id":29973491,"url":"https://github.com/apenlor/spring-boot-security-observability-lab","last_synced_at":"2026-04-09T18:58:31.330Z","repository":{"id":307661988,"uuid":"1029610740","full_name":"apenlor/spring-boot-security-observability-lab","owner":"apenlor","description":"A hands-on lab demonstrating the architectural evolution of a Spring Boot application from a secure monolith to a fully observable, distributed system using modern DevSecOps practices.","archived":false,"fork":false,"pushed_at":"2025-08-01T11:55:10.000Z","size":30,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-01T13:45:44.810Z","etag":null,"topics":["devsecops","docker","docker-compose","grafana","java","jwt","keycloak","lab","oauth2","observability","opentelemetry","prometheus","proof-of-concept","spring-boot","spring-security"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/apenlor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-31T09:54:07.000Z","updated_at":"2025-08-01T11:55:10.000Z","dependencies_parsed_at":"2025-08-01T13:45:47.215Z","dependency_job_id":"f22087df-35ee-491a-b296-c84e33791678","html_url":"https://github.com/apenlor/spring-boot-security-observability-lab","commit_stats":null,"previous_names":["apenlor/spring-boot-security-observability-lab"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/apenlor/spring-boot-security-observability-lab","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apenlor%2Fspring-boot-security-observability-lab","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apenlor%2Fspring-boot-security-observability-lab/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apenlor%2Fspring-boot-security-observability-lab/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apenlor%2Fspring-boot-security-observability-lab/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/apenlor","download_url":"https://codeload.github.com/apenlor/spring-boot-security-observability-lab/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apenlor%2Fspring-boot-security-observability-lab/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268660057,"owners_count":24286008,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-04T02:00:09.867Z","response_time":79,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","docker","docker-compose","grafana","java","jwt","keycloak","lab","oauth2","observability","opentelemetry","prometheus","proof-of-concept","spring-boot","spring-security"],"created_at":"2025-08-04T07:00:53.871Z","updated_at":"2026-04-09T18:58:31.324Z","avatar_url":"https://github.com/apenlor.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Spring Boot Security \u0026 Observability Lab\n\n[![Codacy Badge](https://app.codacy.com/project/badge/Grade/8132e73dce8a4e74934e4e4a7baffc9a)](https://app.codacy.com/gh/apenlor/spring-boot-security-observability-lab/dashboard?utm_source=gh\u0026utm_medium=referral\u0026utm_content=\u0026utm_campaign=Badge_grade)\n[![CI Build Status](https://github.com/apenlor/spring-boot-security-observability-lab/actions/workflows/ci.yml/badge.svg)](https://github.com/apenlor/spring-boot-security-observability-lab/actions/workflows/ci.yml)\n[![Latest Release](https://img.shields.io/github/v/release/apenlor/spring-boot-security-observability-lab)](https://github.com/apenlor/spring-boot-security-observability-lab/releases/latest)\n[![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)\n\nThis is an advanced, hands-on lab demonstrating the architectural evolution of a modern Java application. We will build\na system from the ground up, starting with a secure monolith and progressively refactoring it into a fully observable,\ndistributed system using cloud-native best practices.\n\n---\n\n## Workshop Guide: The Evolutionary Phases\n\nThis lab is structured in distinct, self-contained phases. The `main` branch always represents the latest completed\nphase. To explore a previous phase's code and detailed documentation, use the links below.\n\n| Phase                                    | Description \u0026 Key Concepts                                                                                                                                                                                                                                               | Code \u0026 Docs (at tag)                                                                                                                        | Key Pull Requests                                                                                                                                                                                                                              |\n|:-----------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| **1. The Secure Monolith**               | A standalone service that issues and validates its own JWTs. Concepts: `AuthenticationManager`, custom `JwtAuthenticationFilter`, `jjwt` library, and a foundational CI pipeline.                                                                                        | [`v1.0-secure-monolith`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v1.0-secure-monolith)                       | [#2](https://github.com/apenlor/spring-boot-security-observability-lab/pull/2), [#3](https://github.com/apenlor/spring-boot-security-observability-lab/pull/3), [#4](https://github.com/apenlor/spring-boot-security-observability-lab/pull/4) |\n| **2. Observing the Monolith**            | The service is containerized and orchestrated via `docker-compose`. Concepts: Micrometer, Prometheus, Grafana, custom metrics, and automated dashboard provisioning.                                                                                                     | [`v2.0-observable-monolith`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v2.0-observable-monolith)               | [#6](https://github.com/apenlor/spring-boot-security-observability-lab/pull/6)                                                                                                                                                                 |\n| **3. Evolving to Federated Identity**    | The system is refactored into a multi-service architecture with an external IdP. Concepts: Keycloak, OIDC, OAuth2 Client (`web-client`) vs. Resource Server, Traefik reverse proxy, service-to-service security.                                                         | [`v3.0-federated-identity`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v3.0-federated-identity)                 | [#8](https://github.com/apenlor/spring-boot-security-observability-lab/pull/8)                                                                                                                                                                 |\n| **4. Tracing a Distributed System**      | Services are instrumented with the OpenTelemetry agent to generate traces. Concepts: Tempo, agent-based instrumentation, W3C Trace Context, Service Graphs, and a hybrid PUSH/PULL metrics architecture.                                                                 | [`v4.0-distributed-tracing`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v4.0-distributed-tracing)               | [#10](https://github.com/apenlor/spring-boot-security-observability-lab/pull/10)                                                                                                                                                               |\n| **5. Correlated Logs \u0026 Access Auditing** | The three pillars of observability are complete (metrics, traces, logs). Alloy is the unified collection agent. Concepts: Loki, Grafana Alloy, Docker service discovery, structured JSON logs, AOP-based auditing, trace-to-log correlation, and detailed audit metrics. | [`v5.0-correlated-logs-auditing`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v5.0-correlated-logs-auditing)     | [#12](https://github.com/apenlor/spring-boot-security-observability-lab/pull/12)                                                                                                                                                               |\n| **6. Proactive Alerting**                | The system transitions from passive to proactive monitoring. Concepts: Alertmanager, declarative PromQL alert rules, alerting on technical vs. security metrics, and a UI-driven test harness.                                                                           | [`v6.0-proactive-alerting`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v6.0-proactive-alerting)                 | [#14](https://github.com/apenlor/spring-boot-security-observability-lab/pull/14)                                                                                                                                                               |\n| **7. Continuous Security Integration**   | \"Shift left\" security by embedding automated scanning into the CI/CD pipeline. Concepts: SCA (OWASP Dependency-Check), Container Scanning (Trivy), DAST (OWASP ZAP), and automated vulnerability remediation.                                                            | [`v7.0-continuous-security`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v7.0-continuous-security)               | [#17](https://github.com/apenlor/spring-boot-security-observability-lab/pull/17)                                                                                                                                                               |\n| **8. Advanced Secret Management**        | Enhances security by moving application secrets to HashiCorp Vault. Concepts: Vault as a secrets service, automated init container for population, Spring Cloud Vault (modern config), and robust test isolation.                                                        | [`v8.0-advanced-secret-management`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v8.0-advanced-secret-management) | [#19](https://github.com/apenlor/spring-boot-security-observability-lab/pull/19)                                                                                                                                                               |\n\n---\n\n\n## How to Follow This Lab\n\n1.  **Start with the `main` branch** to see the final, completed state of the entire lab.\n2.  To explore any specific phase of the lab, use the **\"Code \u0026 Docs (at tag)\" links** in the table above. Each link will take you to the exact repository state at the end of that phase, where you will find its dedicated `README.md` with instructions for running the project in that particular phase.\n3.  To understand the *\"why\"* behind the architectural decisions and evolutionary steps, review the **Key Pull Requests** for each phase.\n\n---\n\n## Running the Project\n\nTo run the application and see usage examples for **any phase**, simply navigate to that phase's Git tag using the links in the \"Workshop Guide\" table above. Each tagged `README.md` file contains detailed, phase-specific instructions for setting up and running the project in that state.\n\n**[\u003e\u003e Instructions for the current main branch state:\n`v8.0-advanced-secret-management` \u003c\u003c](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v8.0-advanced-secret-management?tab=readme-ov-file#spring-boot-security--observability-lab)**\n---","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapenlor%2Fspring-boot-security-observability-lab","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapenlor%2Fspring-boot-security-observability-lab","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapenlor%2Fspring-boot-security-observability-lab/lists"}