https://github.com/apenlor/spring-boot-security-observability-lab

A hands-on lab demonstrating the architectural evolution of a Spring Boot application from a secure monolith to a fully observable, distributed system using modern DevSecOps practices.
devsecops docker docker-compose grafana java jwt keycloak lab oauth2 observability opentelemetry prometheus proof-of-concept spring-boot spring-security

# Spring Boot Security & Observability Lab

[![Codacy Badge](https://app.codacy.com/project/badge/Grade/8132e73dce8a4e74934e4e4a7baffc9a)](https://app.codacy.com/gh/apenlor/spring-boot-security-observability-lab/dashboard?utm_source=gh&utm_medium=referral&utm_content=&utm_campaign=Badge_grade)
[![CI Build Status](https://github.com/apenlor/spring-boot-security-observability-lab/actions/workflows/ci.yml/badge.svg)](https://github.com/apenlor/spring-boot-security-observability-lab/actions/workflows/ci.yml)
[![Latest Release](https://img.shields.io/github/v/release/apenlor/spring-boot-security-observability-lab)](https://github.com/apenlor/spring-boot-security-observability-lab/releases/latest)
[![License](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)

This is an advanced, hands-on lab demonstrating the architectural evolution of a modern Java application. We will build
a system from the ground up, starting with a secure monolith and progressively refactoring it into a fully observable,
distributed system using cloud-native best practices.

---

## Workshop Guide: The Evolutionary Phases

This lab is structured in distinct, self-contained phases. The `main` branch always represents the latest completed
phase. To explore a previous phase's code and detailed documentation, use the links below.

| Phase | Description & Key Concepts | Code & Docs (at tag) | Key Pull Requests |
|:-----------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **1. The Secure Monolith** | A standalone service that issues and validates its own JWTs. Concepts: `AuthenticationManager`, custom `JwtAuthenticationFilter`, `jjwt` library, and a foundational CI pipeline. | [`v1.0-secure-monolith`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v1.0-secure-monolith) | [#2](https://github.com/apenlor/spring-boot-security-observability-lab/pull/2), [#3](https://github.com/apenlor/spring-boot-security-observability-lab/pull/3), [#4](https://github.com/apenlor/spring-boot-security-observability-lab/pull/4) |
| **2. Observing the Monolith** | The service is containerized and orchestrated via `docker-compose`. Concepts: Micrometer, Prometheus, Grafana, custom metrics, and automated dashboard provisioning. | [`v2.0-observable-monolith`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v2.0-observable-monolith) | [#6](https://github.com/apenlor/spring-boot-security-observability-lab/pull/6) |
| **3. Evolving to Federated Identity** | The system is refactored into a multi-service architecture with an external IdP. Concepts: Keycloak, OIDC, OAuth2 Client (`web-client`) vs. Resource Server, Traefik reverse proxy, service-to-service security. | [`v3.0-federated-identity`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v3.0-federated-identity) | [#8](https://github.com/apenlor/spring-boot-security-observability-lab/pull/8) |
| **4. Tracing a Distributed System** | Services are instrumented with the OpenTelemetry agent to generate traces. Concepts: Tempo, agent-based instrumentation, W3C Trace Context, Service Graphs, and a hybrid PUSH/PULL metrics architecture. | [`v4.0-distributed-tracing`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v4.0-distributed-tracing) | [#10](https://github.com/apenlor/spring-boot-security-observability-lab/pull/10) |
| **5. Correlated Logs & Access Auditing** | The three pillars of observability are complete (metrics, traces, logs). Alloy is the unified collection agent. Concepts: Loki, Grafana Alloy, Docker service discovery, structured JSON logs, AOP-based auditing, trace-to-log correlation, and detailed audit metrics. | [`v5.0-correlated-logs-auditing`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v5.0-correlated-logs-auditing) | [#12](https://github.com/apenlor/spring-boot-security-observability-lab/pull/12) |
| **6. Proactive Alerting** | The system transitions from passive to proactive monitoring. Concepts: Alertmanager, declarative PromQL alert rules, alerting on technical vs. security metrics, and a UI-driven test harness. | [`v6.0-proactive-alerting`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v6.0-proactive-alerting) | [#14](https://github.com/apenlor/spring-boot-security-observability-lab/pull/14) |
| **7. Continuous Security Integration** | "Shift left" security by embedding automated scanning into the CI/CD pipeline. Concepts: SCA (OWASP Dependency-Check), Container Scanning (Trivy), DAST (OWASP ZAP), and automated vulnerability remediation. | [`v7.0-continuous-security`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v7.0-continuous-security) | [#17](https://github.com/apenlor/spring-boot-security-observability-lab/pull/17) |
| **8. Advanced Secret Management** | Enhances security by moving application secrets to HashiCorp Vault. Concepts: Vault as a secrets service, automated init container for population, Spring Cloud Vault (modern config), and robust test isolation. | [`v8.0-advanced-secret-management`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v8.0-advanced-secret-management) | [#19](https://github.com/apenlor/spring-boot-security-observability-lab/pull/19) |

---

## How to Follow This Lab

1. **Start with the `main` branch** to see the final, completed state of the entire lab.
2. To explore any specific phase of the lab, use the **"Code & Docs (at tag)" links** in the table above. Each link will take you to the exact repository state at the end of that phase, where you will find its dedicated `README.md` with instructions for running the project in that particular phase.
3. To understand the *"why"* behind the architectural decisions and evolutionary steps, review the **Key Pull Requests** for each phase.

---

## Running the Project

To run the application and see usage examples for **any phase**, simply navigate to that phase's Git tag using the links in the "Workshop Guide" table above. Each tagged `README.md` file contains detailed, phase-specific instructions for setting up and running the project in that state.

**[>> Instructions for the current main branch state: `v8.0-advanced-secret-management` <<](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v8.0-advanced-secret-management?tab=readme-ov-file#spring-boot-security--observability-lab)**

---