Secure Software, Happy Developers and Cost-effective Applications, All with Spring

September 26, 2018 Diógenes Rettori

It is such an exciting time for Spring and this year's SpringOne Platform is better than ever. While there have been many Spring project releases over the past couple of weeks, you could clearly see some common themes amongst them: increased security, cost-effectiveness, and developer productivity.

If you've seen the announcements and presentations over first two days of S1P, I'm positive you're interested in being more involved in the world of Knative and Function as a Service. And while all that is important, there are plenty of other things you should be excited about.


Improving Security Workflow

Note: you'll see the word hash a few times, here's a quick primer on hash:

Hash is both a noun and a verb. Hashing is the act of converting passwords into unreadable strings of characters that are designed to be impossible to convert back, known as hashes. Some hashing schemes are more easily cracked than others.

From Wired - Hacker Lexicon - What is Password Hashing?

While the discussion on the best hashing is certainly controversial, algorithms such as argon or bcrypt (and their variants) have become increasingly popular. More important though than the algorithm, which evolves over time, should be your ability to upgrade the passwords. To this extent, I share Michal Špaček's view on his blog about the importance of keeping passwords securely stored and upgradable. If IKEA had created an instruction for that, it would probably look like this:

Coming in Spring Security 5.1, you'll have the ability to seamlessly upgrade your passwords to more secure stores, with little to no effort. Spring will automatically identify if the password needs to be upgraded, and upon login will use the user-provided credentials to make the upgrade.

This is a great improvement, and here's why: given that passwords are (or should) be stored in a hashed form, the only way you could have access to the real, unhashed password is when a user types it. Spring Security has implemented a feature that takes the password the user has typed, uses it against the current hash to verify identity, and then performs the upgrade with the new hash. Before, you would actually have to proactively identify and decide to implement this capability yourself. Now you don’t have to do that anymore.


A New Era for Spring Developers

In this digital economy, developers are an even more valuable asset. They are capable of creating the technology that will differentiate how you engage with your customers and business partners.

Many tools fill a developer's life today but it's hard to argue that the code editor, or the IDE, isn't one of the most important of them.

With impressive numbers—tens of millions of downloads of Spring components every month—Spring is the de-facto standard Java technology for cloud-native applications. With that in mind, on Tuesday Pivotal and the extended community announced a new model and capabilities for developers that invest a great part of their day in a development environment.

While most of the previous updates to Spring Tools were iterations on components that were started almost a decade ago, Spring Tools Suite 4 was redesigned and developed from scratch for the applications that will power the future of many enterprises.

One of the great points of change is that developers have different choices for development tools, and Spring Tools 4 is an acknowledgement of that. The toolset was released including support for Eclipse, Visual Studio Code, and Atom.

As part of the integration, the Spring Initializr was included and users can have the same experience on their favorite IDE as they have on the popular page.


Spring Runtime Aware

During the development, or coding phase, developers often want to see the results that their actions are going to have in the working software. Spring Tools Suite 4 can inspect running Spring Boot applications enriching the editor window with information that developers once had to find using others tools. This repetitive context switching could lead to decreased productivity.

The list of features is long. If you want to get your hands on the tool, and check in more detail what's included, check out to this great post by Martin Lippert.


Yes, Data

We do have to appreciate the moment we're in today: stateless applications, function-as-a-service, micro-frameworks, and all other great sets of technologies that can make our applications more scalable.

Now comes the shocker: data still exists, it is still stored, and it still needs be retrieved—now more than ever. A common standard for accessing data stored in databases in Java applications is through the Java Persistence API. Spring users rely on Spring Data JPA to access data on their favorite databases.

While the JPA framework can facilitate the development, it might also bring unnecessary overhead. You might not necessarily want to use all the great features included in JPA, yet you still need to have its components in your project.

To help address this scenario, the Spring team created a new model for accessing data through a low-level mechanism that is based on JDBC. It gives developers access to the popular 'Repository' model while not requiring the complete JPA implementation. This new model is called Spring Data JDBC.

The goal of Spring Data repository abstraction is to significantly reduce the amount of boilerplate code required to implement data access layers for various persistence stores.

Developers can now have application more specifically built for purpose, that can be smaller in size and that could potentially perform better. Spring Data Lovelace was released just a few days ago with many new features and improvements such as the one detailed above.

Another feature worth mentioning is the lazy bootstrapping mode for JPA. The team discovered that there were situations where the JPA initialization was responsible for around 90% of the startup-time. If you need to access data through JPA—which is likely—this process still needs to occur, but now it can happen when needed. An immediate result? Testing processes that don't involve data access can perform their duties on other parts of the application without the unnecessary and unused overhead. Time is money, and now this money is in your pocket and not wasted in heat.


The Future is Bright

At the time of writing this blog, a thread became popular on Reddit sub r/webdev and r/programming, and its title is is in the lines of: are we really creating performatic software today? One of the points raised was that Windows 95 was 30mb, and we have web-pages today that are bigger than that. Full post here.

If you're a Spring developer, that mindset might resonate with you. For a long time, users have relied on Spring due to its smaller footprint, installation size, and other characteristics when compared to the more traditional JavaEE servers.



But there's more we can do. The Spring community is investing in preparing the Spring Boot technology to work with GraalVM. My favorite feature of GraalVM is its ability to create 'native images' of applications. This means that the technology is able to compute at build/compile time all the dependencies necessary to run an application, generating an artifact that does not contain unneeded libraries.

I've been guilty myself of using many Apache Commons libraries because I wanted an often small feature. While doing the R&D work, among the benefits that the team found was the reduced footprint and heavily increased startup performance. Startup performance becomes especially important in serverless workloads.

If you want to check-out other R&D activities, check out Spring Fu. There you will find more literature on improving startup-time and resource utilization in connection with GraalVM support.


Reactive Everything

If you haven't noticed yet, the Spring team is investing in making 'everything' reactive. Spring components heavily rely on Project Reactor. We understand that the reactive model optimizes the utilization of resources and allows for unprecedented levels of scale.

With data, there is also an effort from the Spring team to research a reactive component capable of interfacing with relational databases. The effort is currently named R2DBC ( The project was presented during the Wednesday keynote at the SpringOne Platform event. It is just the beginning for R2DBC but the findings presented on stage have led us to understand the potential it has to keep pushing the bar on scalability.

On the Reactive front, Pivotal engineers also collaborated with Facebook and Netify on a technology called RSocket. And while Facebook has not published precise numbers of it's usage, it was made known that the new protocol is already being used in production supporting millions of requests.

The technologies created by the Spring community continue to be adopted at an unprecedented pace. So it doesn't matter if you're new to Spring or you've been a fan for long, there's always something to keep you excited, more productive and relevant in your organization.

About the Author

Diógenes Rettori

Diogenes Rettori is a Marketing Director at Pivotal, where he's responsible for Spring technologies. His background is in software engineering and he's been involved in the containers and Kubernetes space for quite some time. He runs a few meetups, such as the Boston Kubernetes Meetup and Boston Istio Meetup, and has been a CNCF Ambassador from the beginning.

Follow on Twitter Follow on Linkedin
Vincent Oostindie, Rabobank—SpringOne Platform, 2018
Vincent Oostindie, Rabobank—SpringOne Platform, 2018

Watch Rabobank's Business Architect, Vincent Oostindie, present at SpringOne Platform 2018 in Washington, D.C.

Multi-Cloud and Data Replication Over a Wide Area Network: A High Interest Topic At SpringOne Platform
Multi-Cloud and Data Replication Over a Wide Area Network: A High Interest Topic At SpringOne Platform