In the final installment of his account of the new Udacity Nanodegree program that will enhance your career prospects as a Java web developer, Nikos Vagglis runs the final lap - Security and DevOps.

Having reached the final stage of the Nanodegree, a mix of coding and devops activities are in order. By way of coding we have to secure an Ecommerce app with JWT, test it by writing Unit tests, and by way of devops the tasks are collecting logs, getting them into Splunk, and integrating Jenkins, hosted on AWS, with Github.

In more detail, the outline of this class was: 

• Explain the concepts related to authentication and authorization in an enterprise web application
• Implement authentication and authorization on a Spring Boot application using JSON Web Token (JWT)
• Demonstrate the fundamentals of unit testing using ”JUnit” and ”Mockito” frameworks
• Use SLF4J logging API and Log4J logging framework for code insight and debugging the application
• Use the Splunk tool for analyzing machine-generated raw data
• Use CI/CD as one of the best practices of DevOps 

Let's get on with it.

Lesson1, Authentication and Authorization goes through the basic concepts of the common mechanisms of Authentication, highlighting the differences between the two frequently conflicting terms of Authentication vs Authorization.It also outlines hashing and salting of passwords, Role-Based Access Control (RBAC) and when to go for JSON Web Tokens (JWTs).

Lesson 2, Unit Testing, is a flashback to the testing concepts we've been utilizing thus far, although this lesson looks into the more advanced functionality that JUnit offers: Assert,@Before, @BeforeClass, @After, @AfterClass, @Ignore,@RunWith and @SelectClasses are detailed. Of course Mockito couldn't be left out, we're utilizing mocks with it in our testing.

There were some concerns expressed by my peers that the material on testing was outdated and hasn't been updated to cover the latest Junit version. However, I think that the purpose of the lesson was to demonstrate the concepts; chasing the latest version is a futile cat-and-mouse game.

In Lesson 3, Logging, we learn how to integrate SLF4J and Log4j into our Spring boot applications. This was the shortest and lightest lesson of them all.

The natural progression after recording useful information into our logs, is to aggregate it and analyze it to gain insight which can be used for Business Intelligence or troubleshooting. And there's Lesson 4 and Splunk for that, a "search engine that was created to analyze machine-generated data". So with Splunk we can: 

• Analyze high volumes of machine-generated data
• Pre-processes and clean up data
• Monitor data sources for changes and building auto-alert systems
• Generate statistics
• Create beautiful visual dashboards

The rest of the chapter revolves around setting up Splunk locally (using a 60-days trial version), uploading data to it and doing searches with its Search Processing Language.

That's the basics, but  Splunk offers a lot more advanced functionality as I've discovered when integrating it into my final project. In it I devised an event which, every 2 minutes, checks the log files that are updated in real time by my application's API end points, such as /add/order, being called. When more than 7 User actions were detected in that timeframe, an alert fires. Of course, there's much more than that, like installing Forwarders or getting in depth with the SPL and the aggregate functions for statistics generation.

In the final Lesson 5 CI/CD we immediately learn the difference between DevOps and CI/CD:

DevOps is a set of tools that enable a company to showcase industry best practices in software development whereas CI/CD, for Continuous Integration/Continuous Delivery, is a consistent and automated way for a DevOps team to build, package, and test applications.

Further contrasting the two, Continuous Integration means newly developed code changes to a project are regularly built, tested, and merged to a shared repository like Git, while Continuous Delivery is the process of automating the release of the merged and validated code of a repository and releasing the outcome of a production-ready build to the production environment.

To demonstrate, this lesson expects students to setup a CI/CD pipeline which: 

• automates the steps in the software delivery process, such as initiating automatic builds, tests and then deploying to the server (Amazon EC2 instances).
• rebuilds, and re-deploys every time there is a change in source code resident in a version control system. 

This involves setting up a Github repository, creating an AWS free tier account and connecting to it through SSH. Then installing Docker on it and running Jenkins as a Docker image which accesses our code in a GitHub repository. Of course, this requires us to link our GitHub repository with Jenkins through tokens and instructions are given.

All in all, this chapter was about the basic concepts and then it was a case of following instructions to set everything up. This setting up required some fiddling and troubleshooting here and there, but eventually came right in the end.

But enough talk, let's get our hands dirty by working on the final project, a simple eCommerce Application.The aim of the project is for the students to: 

• Demonstrate correct handling of authorization with proper security using JWT.
• Write tests and meet an acceptable code coverage level.
• Identify the correct metrics for logging, in order to monitor a system.
• Index metrics to Splunk.
• Demonstrate configuration and automation of the CI/CD pipeline. 

It's a lot to do, but most importantly and coding wise is securing the application with JWT. The source code template with the basic infrastructure has already taken care most of the work. We build on that by cloning it to a repository of ours locally. What remains is to integrate the JWT support by following some clearly presented instructions found in an 0Auth (non-Udacity) article. In order to pass that test the following should be only accessible after the user has authenticated: 

• Logged in, user profile
• Cart details
• Purchase History 

After that we test with Junit and Mockito, anticipating a code coverage of a minimum of 60%.

The next step is to generate some data by recording a few user actions, such as placing an order or logging in, successfully or not, exceptions and the like to some custom log files. We then have to index those logs to Splunk and set up an alert of our liking, i.e when a user has placed an order of more than two items. On top of that sprinkle with part Jenkins and part Github so that starting the building process from within Jenkins gets the fresh code from Github and outputs a jar file ready for deployment.

Have we reached the end?  No, just before touching the finishing line we must improve our Linkedin profiles. This is then reviewed by an Udacity career advisor who offers valuable tips on making it more recognizable.

And now,this is the end.

Final impressions?

If you ask me it certainly was a quick, demanding, challenging, but also compelling Nanodegree. Certainly there were quirks that could benefit from some improvement, but overall the quality was high - well above average. As I said at the outset, I took the course not looking for a job but to delve into this cutting edge technology called Spring Boot and to use the newly acquired skills on the job or on personal endeavors.

And I've really learned a lot, not just about Spring, but about a lot about other concepts too, which many of which I'd had already mastered, but not under Spring's spotlight.

Add Devops to the picture - in that respect and in graduating, I feel a much more well-rounded developer.

Before checking out, I have to admit that I haven't used any of the student facilities Udacity offers. Apart from a few questions and minimal interaction on the Mentor forum, I wasn't actively engaged with the Udacity student community. On offer there was the opportunity to chat to peers or work in teams, and access to career services after graduation, and other features that emulate a bricks and mortar college. While I haven't used any of those services, others could find them very useful.

So, what's my next challenge going to be?

More Information

Java Web Developer Nanodegree

Related Articles

The Insider's Guide to the Java Web Developer Nanodegree - 1

The Insider's Guide to the Java Web Developer Nanodegree - 2

The Insider's Guide to the Java Web Developer Nanodegree - 3

The Insider's Guide to the Java Web Developer Nanodegree - 4

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info