How To Build Web Service Using Spring Boot 2.x

Architecture Contains

  • MVC Architecture
  • JWT Based Authentication
  • Spring Data (JPA)
  • Application User Password Encryption (BCrypt)
  • DB Password Encryption (Jasypt)
  • SQL Server
  • Slf4j
  • Swagger For API Doc

Repository Contains

  • Application source code
  • SQL script of the database along with the key data
  • DB.txt file containing the DB config details
  • Postman JSON scripts to test all web services

Steps to Run Applications

  • Install JDK 11 or a later version.
  • Clone the project repository to your local machine.
  • Git Url:
  • Install SQL Server 2012.
  • Create the application DB and the DB user.
  • Insert the DB key data.
  • Add the decryption key for the database password to the system environment variables. The key is present in the DB.txt file. That key is only meant for running the sample locally; for any real deployment generate your own key and keep it out of the repository, because anyone who has both the repository and the key can recover the database password.
  • Windows may need a restart to pick up the updated system variables.
  • Run the project source code.
  • To call the web services, import the provided Postman JSON scripts into the Postman client application.

About Project Configurations

Web-Service Declaration

Each web service of the application is declared in the controller layer.


import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api/v1/user")
public class UserController {

    private static final Logger logger = LoggerFactory.getLogger(UserController.class);

    @Autowired
    private GeneralServices generalServices;

    @Autowired
    private UserService userService;

    /**
     * Web service to create a new user.
     * @param httpServletRequest the incoming request, used to identify the calling user
     * @param user the request body; @Valid runs Bean Validation before this method is entered
     * @return 201 Created with the service response
     */
    @PostMapping(consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity<Object> createUser(HttpServletRequest httpServletRequest,
                                             @Valid @RequestBody UserCreateModel user) {
        logger.debug("<--- Service to save new user request : received --->");
        ApiSuccessResponse apiResponse = userService.createUser(user, generalServices.getApiRequestedUserId(httpServletRequest));
        logger.debug("<--- Service to save new user response : given --->");
        return ResponseEntity.status(HttpStatus.CREATED).body(apiResponse);
    }
}



  • The @RequestMapping("/api/v1/user") annotation sets the base path (the category) of the web services declared in the class.
  • The @RestController annotation configures the class to receive RESTful web service calls; return values are written straight into the response body.
  • The @PostMapping annotation decides which HTTP method the handler accepts.
  • The consumes and produces attributes decide the content type of the HTTP request and response; a request with any other Content-Type is rejected with 415 before the handler runs.
  • @Valid on the request body runs Bean Validation first; a failing body never reaches the service layer and is answered with 400 by the common exception handler described below.

From the controller layer, API requests are passed to the service layer. All business logic is handled there, and the service layer talks to the database through JPA.

Common Error Handling

Whenever an exception is thrown from any class, it is handled centrally in CommonExceptionHandlingController. Each type of exception needs its own handler method. This is done with the @ControllerAdvice annotation, together with the ResponseEntityExceptionHandler base class whose handler methods we override.


import java.util.Calendar;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.HttpRequestMethodNotSupportedException;
import org.springframework.web.bind.MethodArgumentNotValidException;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.context.request.WebRequest;
import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;

@ControllerAdvice
public class CommonExceptionHandlingController extends ResponseEntityExceptionHandler {

    private static final Logger logger = LoggerFactory.getLogger(CommonExceptionHandlingController.class);

    // Wrong HTTP method for an existing path. This code answers 404; the conventional status is 405 Method Not Allowed.
    @Override
    protected ResponseEntity<Object> handleHttpRequestMethodNotSupported(HttpRequestMethodNotSupportedException httpRequestMethodNotSupportedException,
                                                                         HttpHeaders headers, HttpStatus status, WebRequest request) {
        return ResponseEntity.status(HttpStatus.NOT_FOUND).body(new ApiErrorResponse(Constants.WRONG_HTTP_METHOD,
                Constants.WRONG_HTTP_METHOD_ERROR_MESSAGE, Calendar.getInstance().getTimeInMillis()));
    }

    // Bean Validation (@Valid) failed on a request body: a fixed message is returned, so validation internals are not echoed to the caller.
    @Override
    protected ResponseEntity<Object> handleMethodArgumentNotValid(MethodArgumentNotValidException methodArgumentNotValidException,
                                                                  HttpHeaders headers, HttpStatus status, WebRequest request) {
        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(new ApiErrorResponse(Constants.MANDATORY_FIELDS_ARE_NOT_PRESENT_CODE,
                Constants.MANDATORY_FIELDS_ARE_NOT_PRESENT_ERROR_MESSAGE, Calendar.getInstance().getTimeInMillis()));
    }
}


Spring Data (JPA) Configuration

  • All interaction between the application and the database is handled by Spring Data JPA.
  • Every logical object in the application has an Entity class and a corresponding Repository interface.

Entity Class

Repository Interface

  • Other JPA configurations are done in the named properties file.
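
The following is an added example of such an entity/repository pair, not the project's own Users/UserAccounts classes (which are not reproduced on the page). The class, table and column names are assumptions; the shape is simplified to one table holding the username, the BCrypt hash and the status.

```java
// AppUser.java (added example; names are assumptions, not the project's entity)
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import com.fasterxml.jackson.annotation.JsonIgnore;

@Entity
@Table(name = "app_users")
public class AppUser {

    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long id;

    @Column(nullable = false, unique = true, length = 64)
    private String username;

    // The BCrypt hash, never the plaintext. @JsonIgnore keeps it out of any API
    // response that happens to serialize the entity directly.
    @JsonIgnore
    @Column(name = "password_hash", nullable = false, length = 60)
    private String passwordHash;

    // 1 = active; compared against the ACTIVE_STATUS constant at login time
    @Column(nullable = false)
    private int status;

    protected AppUser() { } // no-arg constructor required by JPA

    public AppUser(String username, String passwordHash, int status) {
        this.username = username;
        this.passwordHash = passwordHash;
        this.status = status;
    }

    public Long getId() { return id; }
    public String getUsername() { return username; }
    public String getPasswordHash() { return passwordHash; }
    public int getStatus() { return status; }
}

// AppUserRepository.java (added example)
import java.util.Optional;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;

@Repository
public interface AppUserRepository extends JpaRepository<AppUser, Long> {

    // Derived query: Spring Data generates "where username = ?" and binds the argument
    // as a parameter, so a user-supplied name cannot change the SQL.
    Optional<AppUser> findByUsername(String username);

    boolean existsByUsername(String username);
}
```

Returning Optional from the repository makes the "user not found" case explicit in the service layer instead of relying on a null check.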

JPA Database Configuration in Application Properties

Database Configuration

  • The database name is present in the main properties file.
  • Other information such as the connection URL and the user credentials is kept in two separate property files:
      • one with the configuration used for development, and
      • one with the configuration used for production.
  • The profile selection for these files is made in the main properties file.
  • It decides which sub-property file is loaded into the system (dev or prod).

#DB config

Database Password Encryption

  • The application database password is encrypted with the Jasypt library using an encryption key.
  • This encryption key must be added to the system environment variables under the name JASYPT_ENCRYPTOR_PASSWORD. Keeping it in an environment variable rather than in the repository means that a copy of the source or of the property files alone is not enough to recover the database password.
  • The encrypted database password is written into the property file wrapped as ENC(...). That wrapper is how the system knows the value has to be decrypted with the secret key from the system variables.

  • For Jasypt decryption we also need to declare the encryption configuration (algorithm, key iterations, salt and IV generators) in the property file as follows. It must be the same configuration that was used to produce the ENC(...) value:

  • We also add the @EnableEncryptableProperties annotation to the application main class so that the application knows about this database password encryption configuration.
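
The following property files are an added example covering both the profile selection described under Database Configuration and the Jasypt settings above; they are not the project's own files. The database name, user name, profile names and the JDBC parameters are assumptions; the jasypt.encryptor.* keys are the ones the jasypt-spring-boot starter reads.

```properties
# application.properties (main file, assumed name): chooses which sub-file is loaded.
spring.profiles.active=dev
spring.datasource.driver-class-name=com.microsoft.sqlserver.jdbc.SQLServerDriver
spring.jpa.hibernate.ddl-auto=validate

# Jasypt decryption settings. They must match the settings used when the ENC(...)
# value was produced. The key itself is NOT here: jasypt.encryptor.password is taken
# from the JASYPT_ENCRYPTOR_PASSWORD environment variable (Spring's relaxed binding).
jasypt.encryptor.algorithm=PBEWITHHMACSHA512ANDAES_256
jasypt.encryptor.key-obtention-iterations=1000
jasypt.encryptor.pool-size=1
jasypt.encryptor.provider-name=SunJCE
jasypt.encryptor.salt-generator-classname=org.jasypt.salt.RandomSaltGenerator
jasypt.encryptor.iv-generator-classname=org.jasypt.iv.RandomIvGenerator
jasypt.encryptor.string-output-type=base64

# application-dev.properties (assumed name, loaded because spring.profiles.active=dev)
# trustServerCertificate=true is acceptable only against a local dev instance.
spring.datasource.url=jdbc:sqlserver://localhost:1433;databaseName=sampleWebService;encrypt=true;trustServerCertificate=true
spring.datasource.username=sample_app
spring.datasource.password=ENC(<base64 output of the Jasypt encryptor>)

# application-prod.properties (assumed name): same keys, production host, a separate
# DB user with only the rights the application needs, and its own ENC(...) value
# produced with the production key.
```

The ENC(...) value can be produced with the jasypt-maven-plugin, for example `mvn jasypt:encrypt-value -Djasypt.encryptor.password=<key> -Djasypt.plugin.value=<db password>`, run with the same algorithm settings as above; because the salt and IV are random, encrypting the same password twice gives two different, equally valid values.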

JWT Authentication Configuration

  • We implemented JSON Web Token based authentication with the help of Spring Security.
  • On a successful login we create two tokens (accessToken and refreshToken) and send them back to the client.
  • The accessToken is signed with the server's JWT secret key (JWT_SECRET_KEY, read from the app config settings) and carries an expiry time (1 hr), the user id and the role name.
  • The refreshToken is signed with the same secret key and carries an expiry time (24 hr), the user id and the role name.
  • After login, every API request must carry the accessToken in the Authorization header, prefixed with the bearer scheme:
  • Authorization: bearer accessToken
  • (RFC 6750 spells the scheme "Bearer"; HTTP treats scheme names case-insensitively, but check that the filter accepts the spelling your clients send.)
  • The access token is checked on every web-service request.
  • If the access token has expired, the request is rejected with HTTP status 401.
  • The client then calls the access token renewal web service with the refresh token.
  • We check the validity of the refresh token. If it has not expired, we issue a new access token and a new refresh token.
  • The client continues with the new tokens.
  • If the refresh token has also expired, the client has to log in again with username and password.

Process of Creating Tokens

    // Note: the second argument of each ApiResponseWithCode(...) call and of
    // findByConfigKeyAndStatus(...) is cut off on the page; the *_ERROR_MESSAGE and
    // ACTIVE_STATUS names used below follow the constant naming seen elsewhere in this document.
    public ApiSuccessResponse userLoginService(String username, String password) {
        Tokens tokens = null;
        Users user = userService.findByUsername(username);
        if (user != null) {
            if (passwordEncryptingService.matches(password,
                    user.getUserAccount().getPassword())) {
                if (user.getUserAccount().getStatus() == Constants.ACTIVE_STATUS) {
                    String roleName = user.getUserAccount().getUserRole().getRoleName();
                    // Creating new tokens
                    try {
                        tokens = createTokens(user.getUserAccount().getId().toString(), roleName);
                    } catch (Exception exception) {
                        logger.error("Token creation failed : ", exception);
                        throw new UnknownException();
                    }
                    // Validating tokens
                    if (validationService.validateTokens(tokens)) {
                        return new ApiSuccessResponse(tokens);
                    } else {
                        throw new UnknownException();
                    }
                } else {
                    return new ApiSuccessResponse(new ApiResponseWithCode(Constants.USER_ACCOUNT_IS_INACTIVE_ERROR_CODE,
                            Constants.USER_ACCOUNT_IS_INACTIVE_ERROR_MESSAGE));
                }
            } else {
                // Wrong password: same error code as an unknown user, so the body does not reveal which usernames exist
                return new ApiSuccessResponse(new ApiResponseWithCode(Constants.USERNAME_OR_PASSWORD_IS_INCORRECT_ERROR_CODE,
                        Constants.USERNAME_OR_PASSWORD_IS_INCORRECT_ERROR_MESSAGE));
            }
        } else {
            return new ApiSuccessResponse(new ApiResponseWithCode(Constants.USERNAME_OR_PASSWORD_IS_INCORRECT_ERROR_CODE,
                    Constants.USERNAME_OR_PASSWORD_IS_INCORRECT_ERROR_MESSAGE));
        }
    }

    public ApiSuccessResponse createNewAccessTokenUsingRefreshToken(String refreshToken) {
        Tokens tokens = null;
        UserAccounts userAccount = null;
        AppConfigSettings configSettings = appConfigSettingsService.findByConfigKeyAndStatus(Constants.JWT_SECRET_KEY,
                Constants.ACTIVE_STATUS);
        // Validate Refresh token (signature and expiry) with the JWT secret from the app config
        userAccount = jwtTokenHandler.validate(configSettings.getConfigValue(), refreshToken);
        if (userAccount != null) {
            // Creating new tokens if provided refresh token is valid
            try {
                tokens = createTokens(userAccount.getId().toString(), userAccount.getRole());
            } catch (Exception exception) {
                logger.error("Token creation failed : ", exception);
                throw new UnknownException();
            }
            if (validationService.validateTokens(tokens)) {
                return new ApiSuccessResponse(tokens);
            } else {
                throw new UnknownException();
            }
        } else {
            return new ApiSuccessResponse(new ApiResponseWithCode(Constants.REFRESH_TOKEN_EXPIRED_ERROR_CODE,
                    Constants.REFRESH_TOKEN_EXPIRED_ERROR_MESSAGE));
        }
    }

  • In the code above, the userLoginService method checks the user's credentials and returns tokens if they are valid. The unknown-user and wrong-password cases return the same error code, so the response body does not reveal which usernames exist; note, though, that the BCrypt comparison only runs when the user exists, so the two cases still differ in response time.
  • The createNewAccessTokenUsingRefreshToken method creates a new access token and refresh token when the refresh token validates. Unlike the login path, nothing in this method re-checks the account status (unless jwtTokenHandler.validate does so), so a deactivated account's refresh token keeps working until it expires, up to 24 hr. Add the status check there, or store issued refresh tokens so they can be revoked, if that matters for your deployment.
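
The createTokens and jwtTokenHandler.validate methods are not shown on the page. The class below is an added example of how that pair can be implemented with the jjwt library (io.jsonwebtoken:jjwt-api, jjwt-impl and jjwt-jackson 0.11.x are assumed), not the project's own JwtTokenHandler. Class, field and claim names are assumptions. It goes one step beyond the description above: each token carries a type claim, so a still-valid access token cannot be presented to the renewal endpoint as if it were a refresh token, which otherwise nothing would prevent when both tokens are signed with the same key and carry the same claims.

```java
// Added example (not the project's code): JWT access/refresh token pair with jjwt 0.11.x.
import java.nio.charset.StandardCharsets;
import java.util.Date;
import javax.crypto.SecretKey;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

public class JwtTokenService {

    public static final class TokenPair {
        public final String accessToken;
        public final String refreshToken;
        TokenPair(String accessToken, String refreshToken) {
            this.accessToken = accessToken;
            this.refreshToken = refreshToken;
        }
    }

    public static final String TYPE_ACCESS = "access";
    public static final String TYPE_REFRESH = "refresh";
    private static final String TYPE_CLAIM = "typ";
    private static final long ACCESS_TTL_MS = 60L * 60 * 1000;        // 1 hr, as described above
    private static final long REFRESH_TTL_MS = 24L * 60 * 60 * 1000;  // 24 hr, as described above

    private final SecretKey key;

    // The secret is the JWT_SECRET_KEY value from the app config settings. HS256 needs at
    // least 256 bits; hmacShaKeyFor throws WeakKeyException for anything shorter instead
    // of silently signing with a weak key.
    public JwtTokenService(String secret) {
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    public TokenPair createTokens(String userId, String roleName) {
        long now = System.currentTimeMillis();
        return new TokenPair(build(userId, roleName, TYPE_ACCESS, now, ACCESS_TTL_MS),
                             build(userId, roleName, TYPE_REFRESH, now, REFRESH_TTL_MS));
    }

    private String build(String userId, String roleName, String type, long now, long ttlMs) {
        return Jwts.builder()
                .setSubject(userId)
                .claim("role", roleName)
                .claim(TYPE_CLAIM, type)
                .setIssuedAt(new Date(now))
                .setExpiration(new Date(now + ttlMs))
                .signWith(key, SignatureAlgorithm.HS256)
                .compact();
    }

    /**
     * Verifies the signature and the expiry, and that the token is of the expected kind.
     * Returns the claims (subject = user id, "role" = role name), or null when the token
     * must be rejected; the caller then answers 401 or REFRESH_TOKEN_EXPIRED.
     */
    public Claims validate(String token, String expectedType) {
        try {
            Claims claims = Jwts.parserBuilder()
                    .setSigningKey(key)
                    .build()
                    .parseClaimsJws(token)   // throws on bad signature, unsigned token, or expiry
                    .getBody();
            return expectedType.equals(claims.get(TYPE_CLAIM, String.class)) ? claims : null;
        } catch (JwtException | IllegalArgumentException e) {
            return null;
        }
    }
}
```

parseClaimsJws (as opposed to parse) only accepts signed tokens, so a token with alg "none" is rejected by the library rather than by application code. The renewal service would call validate(refreshToken, JwtTokenService.TYPE_REFRESH) and the request filter validate(accessToken, JwtTokenService.TYPE_ACCESS).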

Process of Filtering and Validating Tokens

  • The security configuration enables the Spring Security module with the @EnableWebSecurity and @EnableGlobalMethodSecurity(prePostEnabled = true) annotations; the second one turns on @PreAuthorize checks on service and controller methods.
  • Here we inject the JWT filter into the HTTP request chain of the system.

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class JwtAuthenticationTokenFilter extends AbstractAuthenticationProcessingFilter {

    private final Logger logger = LoggerFactory.getLogger(this.getClass());

    @Autowired
    private GeneralServices generalServices;

    // The constructor argument is the URL pattern the filter applies to. "/api/**" is
    // assumed from the description below (requests with "api" in the URL).
    public JwtAuthenticationTokenFilter() {
        super("/api/**");
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest httpServletRequest,
                                                HttpServletResponse httpServletResponse) throws AuthenticationException, IOException, ServletException {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "bearer ", 0, 7)) {
            throw new BadCredentialsException("Missing bearer token"); // becomes the 401 response
        }
        // The token validation itself is not shown on the page; here it is delegated to the
        // AuthenticationManager, which needs an AuthenticationProvider for pre-authenticated tokens.
        return getAuthenticationManager().authenticate(
                new PreAuthenticatedAuthenticationToken(header.substring(7).trim(), ""));
    }
}

  • In the class above, the JwtAuthenticationTokenFilter() constructor registers the URL pattern, so the filter runs for every incoming web-service request whose URL contains the "api" keyword.
  • Every filtered web-service request reaches the attemptAuthentication method.
  • All of our token business logic goes into this method: it reads the Authorization header, verifies the access token and returns the resulting Authentication, or throws an AuthenticationException, which Spring Security turns into the 401 response.
  • One caveat of this base class: after a successful attemptAuthentication its default success handler redirects to a saved request URL instead of continuing to the controller. For a stateless API the filter must override successfulAuthentication to put the Authentication into the SecurityContextHolder and call chain.doFilter.
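
The following is an added example of the complete wiring, not the project's own security configuration or filter: a stateless configuration for Spring Boot 2.x (WebSecurityConfigurerAdapter) and a filter on the same base class as above that validates the token inline and then continues the chain. The TokenValidator interface, the login and refresh paths and the class names are assumptions; the validator would be backed by whatever verifies the access token, such as the project's jwtTokenHandler.

```java
// Added example (not the project's code): stateless Spring Security config plus JWT filter.
import java.io.IOException;
import java.util.Collections;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;

/** Assumed contract: verifies an access token, returns {userId, roleName} or null. */
interface TokenValidator {
    String[] validateAccessToken(String token);
}

class JwtFilter extends AbstractAuthenticationProcessingFilter {
    private static final String SCHEME = "bearer ";
    private final TokenValidator validator;

    JwtFilter(TokenValidator validator) {
        // Every "/api/**" request except the login/refresh endpoints (assumed paths), which
        // have no token yet and are permitted in SecurityConfig below.
        super(new AndRequestMatcher(new AntPathRequestMatcher("/api/**"),
                new NegatedRequestMatcher(new AntPathRequestMatcher("/api/v1/auth/**"))));
        this.validator = validator;
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        // Scheme name compared case-insensitively, so "bearer" and "Bearer" both work.
        if (header == null || !header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            throw new BadCredentialsException("Missing bearer token");
        }
        String[] claims = validator.validateAccessToken(header.substring(SCHEME.length()).trim());
        if (claims == null) {
            throw new BadCredentialsException("Invalid or expired access token");
        }
        // Three-arg constructor marks the Authentication as authenticated.
        return new UsernamePasswordAuthenticationToken(claims[0], null,
                Collections.singletonList(new SimpleGrantedAuthority("ROLE_" + claims[1])));
    }

    // The base class's default success handler redirects; for an API we publish the
    // Authentication and let the request continue to the controller instead.
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                                            FilterChain chain, Authentication auth) throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(request, response);
    }

    @Override
    protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
                                              AuthenticationException failed) throws IOException {
        SecurityContextHolder.clearContext();
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Unauthorized"); // the 401 described above
    }
}

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
class SecurityConfig extends WebSecurityConfigurerAdapter {
    private final TokenValidator validator;

    SecurityConfig(TokenValidator validator) { this.validator = validator; }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        JwtFilter jwtFilter = new JwtFilter(validator);
        jwtFilter.setAuthenticationManager(authenticationManager()); // the base class insists on one
        http.csrf().disable()                                     // no cookies or sessions: CSRF does not apply
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
                .antMatchers("/api/v1/auth/**").permitAll()       // assumed login/refresh paths
                .antMatchers("/api/**").authenticated()
            .and()
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
```

Requests outside "/api/**" (for example the Swagger UI) match no rule here and pass through; add explicit rules for them if they should be restricted. With prePostEnabled, a service method can now be guarded with @PreAuthorize("hasRole('ADMIN')") against the ROLE_ authority the filter sets.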

Application User Password Encryption

  • All user passwords in this application are hashed with BCrypt before they are stored. BCrypt is a one-way, salted, deliberately slow hash, so the stored value cannot be turned back into the password, and the same password hashed twice gives two different values.

  • The encode method produces the BCrypt hash that is stored for the user.
  • The matches method checks a provided password against the stored hash of the user.
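
The following is an added example of the encode/matches pair built on Spring Security's BCryptPasswordEncoder; it is not the project's PasswordEncryptingService and the class names are assumptions. It adds two things a practitioner usually wants here: a fixed-cost comparison when the user does not exist, so unknown and known usernames take the same time to reject, and a check for hashes made with an older, lower cost factor.

```java
// Added example (not the project's code): BCrypt hashing with Spring Security's encoder.
import java.nio.charset.StandardCharsets;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Configuration
class PasswordEncoderConfig {
    // Cost factor 12 (2^12 rounds): a few hundred milliseconds per hash on current
    // hardware. Raise it over time; old hashes keep their own cost encoded in the string.
    @Bean
    PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12);
    }
}

@Service
class PasswordHashingService {
    private static final int BCRYPT_MAX_BYTES = 72; // BCrypt ignores everything past this

    private final PasswordEncoder encoder;
    // A real hash of a throwaway value, computed once at startup, used when there is
    // no stored hash to compare against.
    private final String dummyHash;

    PasswordHashingService(PasswordEncoder encoder) {
        this.encoder = encoder;
        this.dummyHash = encoder.encode("not-a-real-password-" + System.nanoTime());
    }

    /** Hash a new or changed password for storage. */
    public String encode(String rawPassword) {
        if (rawPassword == null || rawPassword.isEmpty()) {
            throw new IllegalArgumentException("password must not be empty");
        }
        if (rawPassword.getBytes(StandardCharsets.UTF_8).length > BCRYPT_MAX_BYTES) {
            // Reject rather than let BCrypt silently truncate the password.
            throw new IllegalArgumentException("password longer than " + BCRYPT_MAX_BYTES + " bytes");
        }
        return encoder.encode(rawPassword);
    }

    /**
     * Compare a login attempt with the stored hash. storedHash may be null when the
     * username is unknown; a dummy comparison is still run so the response time does
     * not reveal whether the user exists.
     */
    public boolean matches(String rawPassword, String storedHash) {
        if (rawPassword == null) {
            return false;
        }
        if (storedHash == null) {
            encoder.matches(rawPassword, dummyHash); // burn the same time, then reject
            return false;
        }
        return encoder.matches(rawPassword, storedHash);
    }

    /** True when the stored hash uses a lower cost than the encoder; re-encode after a successful login. */
    public boolean needsRehash(String storedHash) {
        return encoder.upgradeEncoding(storedHash);
    }
}
```

After a successful matches(), call needsRehash() and, if it returns true, store encode(rawPassword) so that raising the cost factor gradually upgrades existing accounts.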

Log Configuration Using Slf4j

  • Logging is configured in one XML file, logback-spring.xml.
  • To log information from a class, we obtain a logger for that class from Slf4j.


public class UserServiceImpl implements UserService {
    private static final Logger logger = LoggerFactory.getLogger(UserServiceImpl.class);

  • The code snippet above shows how a class obtains its logger.
  • The basic methods for logging information are:
    • logger.error("Error");
    • logger.warn("Warn");
  • Log only what is needed to trace a request. Tokens, passwords and full request bodies never belong in the log; the controller above logs only that a request was received and answered, which is the right level of detail.

Swagger For API Doc

  • API documentation has an important role in a web-service application.
  • Previously we used to create the API doc as static Excel documents.
  • The Swagger library lets us generate the API doc from annotations inside the application.




  • These are the libraries we used in the pom file to integrate Swagger.
  • We need to do some configuration in the application to enable the API doc.

  • As we can see in the class above, we add some basic information about our project.
  • We need to tell Swagger which classes it should create API docs from, and that is configured on the .apis(RequestHandlerSelectors.withClassAnnotation(RestController.class)) line.
  • The Swagger API doc is accessible from http://localhost:8080/sampleWebService/apidoc.
  • The generated doc lists every endpoint and its parameters, which is useful during development but is also a map of the API for anyone who finds it; restrict it to the dev profile or put it behind authentication before deploying to production.
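
The following is an added example of such a Swagger configuration class, not the project's own: a springfox 2.9.x Docket (the library version is an assumption) limited to @RestController classes under /api, with the bearer token declared as a security scheme so the "Authorize" button in the UI adds the Authorization header to the requests it sends. The project title, the login path and the class name are assumptions.

```java
// Added example (not the project's code): springfox 2.9.x Docket with a bearer scheme.
import java.util.Collections;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.web.bind.annotation.RestController;
import springfox.documentation.builders.ApiInfoBuilder;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.service.ApiInfo;
import springfox.documentation.service.ApiKey;
import springfox.documentation.service.AuthorizationScope;
import springfox.documentation.service.SecurityReference;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spi.service.contexts.SecurityContext;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

@Configuration
@EnableSwagger2
@Profile("dev")   // the doc is generated only when the dev profile is active
public class SwaggerConfig {

    private static final String SCHEME_NAME = "JWT";

    @Bean
    public Docket apiDocket() {
        return new Docket(DocumentationType.SWAGGER_2)
                .select()
                // Only classes annotated with @RestController are documented
                .apis(RequestHandlerSelectors.withClassAnnotation(RestController.class))
                .paths(PathSelectors.ant("/api/**"))
                .build()
                .apiInfo(apiInfo())
                // Declares an "Authorization" header scheme; the UI sends its value verbatim,
                // so the user enters "bearer <accessToken>" in the Authorize dialog.
                .securitySchemes(Collections.singletonList(new ApiKey(SCHEME_NAME, "Authorization", "header")))
                .securityContexts(Collections.singletonList(securityContext()));
    }

    private ApiInfo apiInfo() {
        return new ApiInfoBuilder()
                .title("Sample Web Service")
                .description("REST API of the sample Spring Boot 2.x application")
                .version("v1")
                .build();
    }

    // Apply the scheme to every /api path except the login endpoint (assumed path),
    // which is the one request that is made without a token.
    private SecurityContext securityContext() {
        AuthorizationScope[] scopes = { new AuthorizationScope("global", "accessEverything") };
        List<SecurityReference> references = Collections.singletonList(new SecurityReference(SCHEME_NAME, scopes));
        return SecurityContext.builder()
                .securityReferences(references)
                .forPaths(PathSelectors.regex("^/api/(?!v1/auth/login).*"))
                .build();
    }
}
```

Because the class is gated with @Profile("dev"), the /v2/api-docs JSON and the UI simply do not exist when the production profile is active; if the doc is wanted in production, drop the profile gate and protect those paths in the security configuration instead.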

Postman Script

  • We can find two Postman JSON scripts in the repository. Import both of them into the Postman client application.
  • Execute the login web-service request first, so that an access token is available, then execute the rest of the web services.

Thank you!

