The latest articles on DEV Community by The Light Piece (@apeh1706). https://dev.to/apeh1706 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3983252%2Fd3da371e-381c-441c-8664-8f237fb3b6e2.png https://dev.to/apeh1706 en The Light Piece Sat, 13 Jun 2026 23:06:21 +0000 https://dev.to/apeh1706/securing-financial-apis-in-2026-implementing-global-request-interceptors-and-automated-audit-4g26 https://dev.to/apeh1706/securing-financial-apis-in-2026-implementing-global-request-interceptors-and-automated-audit-4g26 <p>With the recent surge in security vulnerabilities across the Spring ecosystem in the first half of 2026, relying on scattered security validation inside individual REST controllers is no longer an option—especially for banking and financial applications. Security must be tight, centralized, and fully auditable.</p> <p>​In this article, we will look at how to build an enterprise-grade API architecture that secures endpoints globally using a HandlerInterceptor and automatically logs every user transaction into a PostgreSQL database for a bulletproof audit trail.</p> <p><strong>1. Centralizing Request Validation with a HandlerInterceptor</strong><br> Instead of repeating token extraction logic in every controller method, we can intercept incoming HTTP requests globally. This approach keeps our controllers thin and focused purely on routing.<br> First, let's create a centralized security interceptor that validates the token and extracts the necessary audit data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityAuditInterceptor</span> <span class="kd">implements</span> <span class="nc">HandlerInterceptor</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">AuditLogService</span> <span class="n">auditLogService</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">boolean</span> <span class="nf">preHandle</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">handler</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">authToken</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getHeader</span><span class="o">(</span><span class="s">"Authorization"</span><span class="o">);</span> <span class="c1">// Simple token extraction logic</span> <span class="k">if</span> <span class="o">(</span><span class="n">authToken</span> <span class="o">==</span> <span class="kc">null</span> <span class="o">||</span> <span class="o">!</span><span class="n">authToken</span><span class="o">.</span><span class="na">startsWith</span><span class="o">(</span><span class="s">"Bearer "</span><span class="o">))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">UnauthorizedException</span><span class="o">(</span><span class="s">"Missing or invalid Authorization header"</span><span class="o">);</span> <span class="o">}</span> <span class="nc">String</span> <span class="n">jwtToken</span> <span class="o">=</span> <span class="n">authToken</span><span class="o">.</span><span class="na">substring</span><span class="o">(</span><span class="mi">7</span><span class="o">);</span> <span class="nc">String</span> <span class="n">userId</span> <span class="o">=</span> <span class="nc">CommonUtil</span><span class="o">.</span><span class="na">extractUserIdFromToken</span><span class="o">(</span><span class="n">jwtToken</span><span class="o">);</span> <span class="c1">// Store extracted information in the request attribute for later audit logging</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"currentUserId"</span><span class="o">,</span> <span class="n">userId</span><span class="o">);</span> <span class="n">request</span><span class="o">.</span><span class="na">setAttribute</span><span class="o">(</span><span class="s">"actionTime"</span><span class="o">,</span> <span class="nc">LocalDateTime</span><span class="o">.</span><span class="na">now</span><span class="o">());</span> <span class="k">return</span> <span class="kc">true</span><span class="o">;</span> <span class="c1">// Proceed to the controller</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">afterCompletion</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">Object</span> <span class="n">handler</span><span class="o">,</span> <span class="nc">Exception</span> <span class="n">ex</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">userId</span> <span class="o">=</span> <span class="o">(</span><span class="nc">String</span><span class="o">)</span> <span class="n">request</span><span class="o">.</span><span class="na">getAttribute</span><span class="o">(</span><span class="s">"currentUserId"</span><span class="o">);</span> <span class="nc">String</span> <span class="n">action</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getMethod</span><span class="o">()</span> <span class="o">+</span> <span class="s">" "</span> <span class="o">+</span> <span class="n">request</span><span class="o">.</span><span class="na">getRequestURI</span><span class="o">();</span> <span class="nc">String</span> <span class="n">status</span> <span class="o">=</span> <span class="o">(</span><span class="n">ex</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="o">?</span> <span class="s">"SUCCESS"</span> <span class="o">:</span> <span class="s">"FAILED: "</span> <span class="o">+</span> <span class="n">ex</span><span class="o">.</span><span class="na">getMessage</span><span class="o">();</span> <span class="k">if</span> <span class="o">(</span><span class="n">userId</span> <span class="o">!=</span> <span class="kc">null</span><span class="o">)</span> <span class="o">{</span> <span class="c1">// Log the action asynchronously into PostgreSQL to ensure compliance</span> <span class="n">auditLogService</span><span class="o">.</span><span class="na">saveLog</span><span class="o">(</span><span class="n">userId</span><span class="o">,</span> <span class="n">action</span><span class="o">,</span> <span class="n">status</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Next, register this interceptor inside your WebMvc configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">WebConfig</span> <span class="kd">implements</span> <span class="nc">WebMvcConfigurer</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">SecurityAuditInterceptor</span> <span class="n">securityAuditInterceptor</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">addInterceptors</span><span class="o">(</span><span class="nc">InterceptorRegistry</span> <span class="n">registry</span><span class="o">)</span> <span class="o">{</span> <span class="n">registry</span><span class="o">.</span><span class="na">addInterceptor</span><span class="o">(</span><span class="n">securityAuditInterceptor</span><span class="o">)</span> <span class="o">.</span><span class="na">addPathPatterns</span><span class="o">(</span><span class="s">"/api/v1/finance/**"</span><span class="o">);</span> <span class="c1">// Protect all finance endpoints</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>2. Designing the Asynchronous Audit Trail Service</strong><br> An audit log must never slow down your main API response times. To achieve this, the service handling the PostgreSQL persistence layer should execute asynchronously.<br> Here is how to design the service pattern using Spring's <a class="mentioned-user" href="https://dev.to/async">@async</a>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Service</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AuditLogService</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">AuditLogRepository</span> <span class="n">auditLogRepository</span><span class="o">;</span> <span class="nd">@Async</span> <span class="nd">@Transactional</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">saveLog</span><span class="o">(</span><span class="nc">String</span> <span class="n">userId</span><span class="o">,</span> <span class="nc">String</span> <span class="n">action</span><span class="o">,</span> <span class="nc">String</span> <span class="n">status</span><span class="o">)</span> <span class="o">{</span> <span class="nc">AuditLogEntity</span> <span class="n">log</span> <span class="o">=</span> <span class="nc">AuditLogEntity</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">userId</span><span class="o">(</span><span class="n">userId</span><span class="o">)</span> <span class="o">.</span><span class="na">action</span><span class="o">(</span><span class="n">action</span><span class="o">)</span> <span class="o">.</span><span class="na">status</span><span class="o">(</span><span class="n">status</span><span class="o">)</span> <span class="o">.</span><span class="na">timestamp</span><span class="o">(</span><span class="nc">LocalDateTime</span><span class="o">.</span><span class="na">now</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">auditLogRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">log</span><span class="o">);</span> <span class="c1">// Output to secure internal log management system</span> <span class="nc">System</span><span class="o">.</span><span class="na">out</span><span class="o">.</span><span class="na">println</span><span class="o">(</span><span class="s">"AUDIT TRAIL LOGGED | User: "</span> <span class="o">+</span> <span class="n">userId</span> <span class="o">+</span> <span class="s">" | Action: "</span> <span class="o">+</span> <span class="n">action</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>3. Masking Sensitive Enterprise Data via DTOs</strong><br> When processing multi-layered, nested financial structures (like transaction histories or asset calculations), never expose your underlying database entities to the client. This prevents accidental data leaks and decouples your database schema from the API contract.<br> Always map your database entities to tight, unmodifiable Data Transfer Objects (DTOs):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Data</span> <span class="nd">@Builder</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">TransactionSummaryDto</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">referenceNumber</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">BigDecimal</span> <span class="n">totalAmount</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">List</span><span class="o">&lt;</span><span class="nc">ItemDetailDto</span><span class="o">&gt;</span> <span class="n">items</span><span class="o">;</span> <span class="o">}</span> <span class="nd">@Data</span> <span class="nd">@Builder</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">ItemDetailDto</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">itemId</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">itemName</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">BigDecimal</span> <span class="n">price</span><span class="o">;</span> <span class="o">}</span> </code></pre> </div> <p><strong>4. Enforcing Predictable API Responses</strong><br> A truly resilient API handles errors gracefully and keeps the response schema uniform. Whether a transaction succeeds or a security exception is thrown, the frontend client should receive a clean JSON wrapper.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Data</span> <span class="nd">@AllArgsConstructor</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">BaseResponse</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="o">{</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">status</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">message</span><span class="o">;</span> <span class="kd">private</span> <span class="no">T</span> <span class="n">data</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">static</span> <span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="nc">BaseResponse</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="nf">success</span><span class="o">(</span><span class="no">T</span> <span class="n">data</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">BaseResponse</span><span class="o">&lt;&gt;(</span><span class="s">"SUCCESS"</span><span class="o">,</span> <span class="s">"Transaction completed successfully"</span><span class="o">,</span> <span class="n">data</span><span class="o">);</span> <span class="o">}</span> <span class="kd">public</span> <span class="kd">static</span> <span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="nc">BaseResponse</span><span class="o">&lt;</span><span class="no">T</span><span class="o">&gt;</span> <span class="nf">error</span><span class="o">(</span><span class="nc">String</span> <span class="n">message</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">BaseResponse</span><span class="o">&lt;&gt;(</span><span class="s">"ERROR"</span><span class="o">,</span> <span class="n">message</span><span class="o">,</span> <span class="kc">null</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Conclusion</strong><br> As cybersecurity requirements tighten globally for financial services, building robust, audit-ready applications is no longer optional. By coupling global request interceptors with asynchronous PostgreSQL logging and strict data boundaries via DTOs, you protect your system against vulnerabilities while making life significantly easier for your frontend developers.</p> java springboot security backend