https://github.com/apenlor/spring-boot-security-observability-lab
A hands-on lab demonstrating the architectural evolution of a Spring Boot application from a secure monolith to a fully observable, distributed system using modern DevSecOps practices.
- Host: GitHub
- URL: https://github.com/apenlor/spring-boot-security-observability-lab
- Owner: apenlor
- License: mit
- Created: 2025-07-31T09:54:07.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2025-08-01T11:55:10.000Z (11 months ago)
- Last Synced: 2025-08-01T13:45:44.810Z (11 months ago)
- Topics: devsecops, docker, docker-compose, grafana, java, jwt, keycloak, lab, oauth2, observability, opentelemetry, prometheus, proof-of-concept, spring-boot, spring-security
- Language: Java
- Homepage:
- Size: 29.3 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Spring Boot Security & Observability Lab
[Codacy dashboard](https://app.codacy.com/gh/apenlor/spring-boot-security-observability-lab/dashboard?utm_source=gh&utm_medium=referral&utm_content=&utm_campaign=Badge_grade) · [CI workflow](https://github.com/apenlor/spring-boot-security-observability-lab/actions/workflows/ci.yml) · [Latest release](https://github.com/apenlor/spring-boot-security-observability-lab/releases/latest) · [MIT license](https://opensource.org/licenses/MIT)
This is an advanced, hands-on lab demonstrating the architectural evolution of a modern Java application. We will build
a system from the ground up, starting with a secure monolith and progressively refactoring it into a fully observable,
distributed system using cloud-native best practices.
---
## Workshop Guide: The Evolutionary Phases
This lab is structured in distinct, self-contained phases. The `main` branch always represents the latest completed
phase. To explore a previous phase's code and detailed documentation, use the links below.
| Phase | Description & Key Concepts | Code & Docs (at tag) | Key Pull Requests |
|:------|:---------------------------|:---------------------|:------------------|
| **1. The Secure Monolith** | A standalone service that issues and validates its own JWTs. Concepts: `AuthenticationManager`, custom `JwtAuthenticationFilter`, `jjwt` library, and a foundational CI pipeline. | [`v1.0-secure-monolith`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v1.0-secure-monolith) | [#2](https://github.com/apenlor/spring-boot-security-observability-lab/pull/2), [#3](https://github.com/apenlor/spring-boot-security-observability-lab/pull/3), [#4](https://github.com/apenlor/spring-boot-security-observability-lab/pull/4) |
| **2. Observing the Monolith** | The service is containerized and orchestrated via `docker-compose`. Concepts: Micrometer, Prometheus, Grafana, custom metrics, and automated dashboard provisioning. | [`v2.0-observable-monolith`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v2.0-observable-monolith) | [#6](https://github.com/apenlor/spring-boot-security-observability-lab/pull/6) |
| **3. Evolving to Federated Identity** | The system is refactored into a multi-service architecture with an external IdP. Concepts: Keycloak, OIDC, OAuth2 Client (`web-client`) vs. Resource Server, Traefik reverse proxy, service-to-service security. | [`v3.0-federated-identity`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v3.0-federated-identity) | [#8](https://github.com/apenlor/spring-boot-security-observability-lab/pull/8) |
| **4. Tracing a Distributed System** | Services are instrumented with the OpenTelemetry agent to generate traces. Concepts: Tempo, agent-based instrumentation, W3C Trace Context, Service Graphs, and a hybrid PUSH/PULL metrics architecture. | [`v4.0-distributed-tracing`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v4.0-distributed-tracing) | [#10](https://github.com/apenlor/spring-boot-security-observability-lab/pull/10) |
| **5. Correlated Logs & Access Auditing** | The three pillars of observability are complete (metrics, traces, logs). Alloy is the unified collection agent. Concepts: Loki, Grafana Alloy, Docker service discovery, structured JSON logs, AOP-based auditing, trace-to-log correlation, and detailed audit metrics. | [`v5.0-correlated-logs-auditing`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v5.0-correlated-logs-auditing) | [#12](https://github.com/apenlor/spring-boot-security-observability-lab/pull/12) |
| **6. Proactive Alerting** | The system transitions from passive to proactive monitoring. Concepts: Alertmanager, declarative PromQL alert rules, alerting on technical vs. security metrics, and a UI-driven test harness. | [`v6.0-proactive-alerting`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v6.0-proactive-alerting) | [#14](https://github.com/apenlor/spring-boot-security-observability-lab/pull/14) |
| **7. Continuous Security Integration** | "Shift left" security by embedding automated scanning into the CI/CD pipeline. Concepts: SCA (OWASP Dependency-Check), Container Scanning (Trivy), DAST (OWASP ZAP), and automated vulnerability remediation. | [`v7.0-continuous-security`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v7.0-continuous-security) | [#17](https://github.com/apenlor/spring-boot-security-observability-lab/pull/17) |
| **8. Advanced Secret Management** | Enhances security by moving application secrets to HashiCorp Vault. Concepts: Vault as a secrets service, automated init container for population, Spring Cloud Vault (modern config), and robust test isolation. | [`v8.0-advanced-secret-management`](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v8.0-advanced-secret-management) | [#19](https://github.com/apenlor/spring-boot-security-observability-lab/pull/19) |
---
## How to Follow This Lab
1. **Start with the `main` branch** to see the final, completed state of the entire lab.
2. To explore any specific phase of the lab, use the **"Code & Docs (at tag)" links** in the table above. Each link will take you to the exact repository state at the end of that phase, where you will find its dedicated `README.md` with instructions for running the project in that particular phase.
3. To understand the *"why"* behind the architectural decisions and evolutionary steps, review the **Key Pull Requests** for each phase.
---
## Running the Project
To run the application and see usage examples for **any phase**, simply navigate to that phase's Git tag using the links in the "Workshop Guide" table above. Each tagged `README.md` file contains detailed, phase-specific instructions for setting up and running the project in that state.
**[>> Instructions for the current main branch state: `v8.0-advanced-secret-management` <<](https://github.com/apenlor/spring-boot-security-observability-lab/tree/v8.0-advanced-secret-management?tab=readme-ov-file#spring-boot-security--observability-lab)**
---