DEV Community: Dinuka Karunarathna The latest articles on DEV Community by Dinuka Karunarathna (@dinuka_karunarathna). https://dev.to/dinuka_karunarathna https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3935640%2F982e27b3-8d5b-4f4d-ac79-33142c217615.jpg DEV Community: Dinuka Karunarathna https://dev.to/dinuka_karunarathna en Java Records Deserve a Mapper Built for Them Dinuka Karunarathna Sun, 24 May 2026 01:33:30 +0000 https://dev.to/dinuka_karunarathna/java-records-deserve-a-mapper-built-for-them-302e https://dev.to/dinuka_karunarathna/java-records-deserve-a-mapper-built-for-them-302e <p>Java Records have been stable since Java 16, and with Java 25 now the LTS baseline, they're showing up everywhere - DTOs, value objects, domain models. Immutable by design, concise, and semantically clear.</p> <p>But here's the gap nobody talks about: <strong>every object mapper in the Java ecosystem was built before Records existed</strong>. They were designed around JavaBeans - mutable objects with getters, setters, and no-arg constructors. Records have none of that. So what happens? These libraries bolt on partial Record support as an afterthought, and the seams show.</p> <p>To be clear: MapStruct and Spring Boot both support Records well when field names match exactly between source and target. The limitation appears in asymmetric mappings - for example, when firstName and lastName on an entity need to map to a single fullName component on a Record DTO. In that case, MapStruct cannot resolve the canonical constructor parameter and silently maps it as null at runtime. Immuto was built specifically to handle these cases using the canonical constructor as the primary contract, turning that silent runtime failure into a compile-time error.</p> <p>I built <a href="https://github.com/karunarathnad/immuto" rel="noopener noreferrer">Immuto</a> to fill that gap.</p> <h2> The problem with retrofitted Record support </h2> <p>A Record's identity is its canonical constructor:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kd">public</span> <span class="n">record</span> <span class="nf">PersonDTO</span><span class="o">(</span><span class="nc">Long</span> <span class="n">id</span><span class="o">,</span> <span class="nc">String</span> <span class="n">fullName</span><span class="o">,</span> <span class="nc">String</span> <span class="n">email</span><span class="o">)</span> <span class="o">{}</span> </code></pre> </div> <p>That constructor is the <em>only</em> way to create a <code>PersonDTO</code>. There are no setters. There is no builder unless you write one yourself. The component accessors are read-only.</p> <p>Existing mappers were not designed with this in mind. To work with Records, they either:</p> <ul> <li>Generate setter calls that don't exist (and fail at runtime)</li> <li>Require you to write a mutable builder as a workaround</li> <li>Fall back to reflection on private fields - bypassing the canonical constructor entirely</li> </ul> <p>These are runtime failures. You don't know something is wrong until you run the code.</p> <h2> What Immuto does differently </h2> <p>Immuto is an annotation processor - it runs during <code>mvn compile</code>, the same way Lombok and the APT-based approach work. It generates plain <code>.java</code> source files that call your record's <strong>canonical constructor directly</strong>. No reflection. No setters. No runtime surprises.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@RecordMapper</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">PersonMapper</span> <span class="o">{</span> <span class="nd">@Mapping</span><span class="o">(</span><span class="n">target</span> <span class="o">=</span> <span class="s">"fullName"</span><span class="o">,</span> <span class="n">expression</span> <span class="o">=</span> <span class="s">"java(source.firstName() + \" \" + source.lastName())"</span><span class="o">)</span> <span class="nc">PersonDTO</span> <span class="nf">toDto</span><span class="o">(</span><span class="nc">PersonEntity</span> <span class="n">source</span><span class="o">);</span> <span class="nd">@InheritInverseConfiguration</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"toDto"</span><span class="o">)</span> <span class="nc">PersonEntity</span> <span class="nf">toEntity</span><span class="o">(</span><span class="nc">PersonDTO</span> <span class="n">source</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <p>After <code>mvn compile</code>, Immuto writes <code>PersonMapperImpl.java</code> into <code>target/generated-sources</code>. It looks exactly like code you'd write by hand:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Generated</span><span class="o">(</span><span class="s">"io.github.karunarathnad.immuto.processor.RecordMapperProcessor"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">final</span> <span class="kd">class</span> <span class="nc">PersonMapperImpl</span> <span class="kd">implements</span> <span class="nc">PersonMapper</span><span class="o">,</span> <span class="nc">ImmutoMapper</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">PersonDTO</span> <span class="nf">toDto</span><span class="o">(</span><span class="nc">PersonEntity</span> <span class="n">source</span><span class="o">)</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(</span><span class="n">source</span> <span class="o">==</span> <span class="kc">null</span><span class="o">)</span> <span class="k">return</span> <span class="kc">null</span><span class="o">;</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">PersonDTO</span><span class="o">(</span> <span class="n">source</span><span class="o">.</span><span class="na">id</span><span class="o">(),</span> <span class="n">source</span><span class="o">.</span><span class="na">firstName</span><span class="o">()</span> <span class="o">+</span> <span class="s">" "</span> <span class="o">+</span> <span class="n">source</span><span class="o">.</span><span class="na">lastName</span><span class="o">(),</span> <span class="n">source</span><span class="o">.</span><span class="na">email</span><span class="o">()</span> <span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Canonical constructor. Always. That's the contract Immuto enforces.</p> <h2> Compile-time validation </h2> <p>If a record component can't be mapped, the <strong>build fails</strong> - not at runtime, not in a test, but during compilation.</p> <ul> <li>Unmapped component → build error</li> <li>Type mismatch with no registered converter → build error</li> <li> <code>@RecordMapper</code> on a class instead of an interface → build error</li> </ul> <p>This is the behaviour Records deserve. They were designed to be explicit and safe; your mapper should be too.</p> <h2> Key features </h2> <p><strong>Nested records</strong> - mapped recursively by matching component names. Use <code>@Mapping(expression=...)</code> for asymmetric nesting.</p> <p><strong>Bidirectional mapping</strong> via <code>@InheritInverseConfiguration</code> - define <code>toDto</code>, get <code>toEntity</code> for free.</p> <p><strong><code>@NullSafe</code></strong> - wraps the result in <code>Optional.ofNullable(...)</code> at the call site:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@NullSafe</span> <span class="nc">Optional</span><span class="o">&lt;</span><span class="nc">AddressDTO</span><span class="o">&gt;</span> <span class="nf">toAddressDto</span><span class="o">(</span><span class="nc">AddressEntity</span> <span class="n">entity</span><span class="o">);</span> </code></pre> </div> <p><strong>Sealed class support</strong> - Immuto understands sealed hierarchies, something no existing mapper handles.</p> <p><strong>Lifecycle hooks</strong> - <code>@BeforeMapping</code> and <code>@AfterMapping</code> methods are inlined into the generated code. No AOP, no proxy.</p> <p><strong>Custom type converters</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Named</span><span class="o">(</span><span class="s">"isoDate"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">IsoDateConverter</span> <span class="kd">implements</span> <span class="nc">TypeConverter</span><span class="o">&lt;</span><span class="nc">LocalDate</span><span class="o">,</span> <span class="nc">String</span><span class="o">&gt;</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">String</span> <span class="nf">convert</span><span class="o">(</span><span class="nc">LocalDate</span> <span class="n">source</span><span class="o">,</span> <span class="nc">MappingContext</span> <span class="n">ctx</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">source</span> <span class="o">==</span> <span class="kc">null</span> <span class="o">?</span> <span class="kc">null</span> <span class="o">:</span> <span class="n">source</span><span class="o">.</span><span class="na">toString</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p><strong>Fluent runtime API</strong> - for tests or dynamic environments where APT isn't available:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nc">FluentMapper</span><span class="o">&lt;</span><span class="nc">PersonEntity</span><span class="o">,</span> <span class="nc">PersonDTO</span><span class="o">&gt;</span> <span class="n">mapper</span> <span class="o">=</span> <span class="nc">FluentMapper</span> <span class="o">.</span><span class="na">from</span><span class="o">(</span><span class="nc">PersonEntity</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">to</span><span class="o">(</span><span class="nc">PersonDTO</span><span class="o">.</span><span class="na">class</span><span class="o">)</span> <span class="o">.</span><span class="na">override</span><span class="o">(</span><span class="s">"fullName"</span><span class="o">,</span> <span class="n">p</span> <span class="o">-&gt;</span> <span class="n">p</span><span class="o">.</span><span class="na">firstName</span><span class="o">()</span> <span class="o">+</span> <span class="s">" "</span> <span class="o">+</span> <span class="n">p</span><span class="o">.</span><span class="na">lastName</span><span class="o">())</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> </code></pre> </div> <p>Note: <code>FluentMapper</code> does use reflection - it's the explicit opt-in escape hatch, not the default path.</p> <h2> Getting started </h2> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.github.karunarathnad<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>immuto-annotations<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.1.0<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.github.karunarathnad<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>immuto-core<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.1.0<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.github.karunarathnad<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>immuto-processor<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.1.0<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;scope&gt;</span>provided<span class="nt">&lt;/scope&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>Add the processor path to the compiler plugin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;plugin&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.apache.maven.plugins<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>maven-compiler-plugin<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;configuration&gt;</span> <span class="nt">&lt;annotationProcessorPaths&gt;</span> <span class="nt">&lt;path&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.github.karunarathnad<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>immuto-processor<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>1.1.0<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/path&gt;</span> <span class="nt">&lt;/annotationProcessorPaths&gt;</span> <span class="nt">&lt;/configuration&gt;</span> <span class="nt">&lt;/plugin&gt;</span> </code></pre> </div> <p>Then annotate an interface, run <code>mvn compile</code>, and use it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nc">PersonMapper</span> <span class="n">mapper</span> <span class="o">=</span> <span class="nc">Immuto</span><span class="o">.</span><span class="na">getMapper</span><span class="o">(</span><span class="nc">PersonMapper</span><span class="o">.</span><span class="na">class</span><span class="o">);</span> <span class="nc">PersonDTO</span> <span class="n">dto</span> <span class="o">=</span> <span class="n">mapper</span><span class="o">.</span><span class="na">toDto</span><span class="o">(</span><span class="n">entity</span><span class="o">);</span> </code></pre> </div> <h2> Why now </h2> <p>Records have been production-ready since Java 16, fully available through both the Java 17 and Java 21 LTS cycles. Java 25 is now the current LTS (released September 2025), with Java 21 as the previous LTS. As more codebases have adopted Records across these LTS versions, the need for tooling that treats them as first-class citizens - not an edge case - has grown with it.</p> <p>Immuto is on Maven Central, Apache 2.0 licensed, and under active development.</p> <h3> Links </h3> <ul> <li><p>GitHub: <a href="https://github.com/karunarathnad/immuto" rel="noopener noreferrer">github.com/karunarathnad/immuto</a></p></li> <li><p>Maven Central: <a href="https://central.sonatype.com/artifact/io.github.karunarathnad/immuto-core" rel="noopener noreferrer">https://central.sonatype.com/artifact/io.github.karunarathnad/immuto-core</a></p></li> </ul> <p>Feedback, issues, and contributions are very welcome.</p> java mapstruct records annotationprocessor Stop Writing Webhook Boilerplate in Spring Boot Dinuka Karunarathna Sun, 17 May 2026 00:52:13 +0000 https://dev.to/dinuka_karunarathna/stop-writing-webhook-boilerplate-in-spring-boot-1og https://dev.to/dinuka_karunarathna/stop-writing-webhook-boilerplate-in-spring-boot-1og <p>If you've ever needed to send outgoing webhooks from a Spring Boot application, you know the drill. You wire up an HTTP client, implement HMAC signing, add retry logic, bolt on a circuit breaker, set up an async thread pool, and somehow fit audit logging in too, before you've even written a single line of business logic.</p> <p>I got tired of doing this repeatedly across projects, so I built <br> <a href="https://github.com/karunarathnad/spring-webhook-sender" rel="noopener noreferrer">spring-webhook-sender</a> - a Spring Boot 3.x starter that handles all of it for you.</p> <h2> What it does </h2> <p>Drop in one dependency and inject <code>WebhookClient</code>. That's it. Under the hood it handles:</p> <ul> <li> <strong>HMAC-SHA256 signing</strong> - every request gets an <code>X-Webhook-Signature: sha256=&lt;hmac&gt;</code> header automatically</li> <li> <strong>Retry with exponential backoff</strong> - 5xx and network errors are retried; 4xx are not</li> <li> <strong>HTTP 429 Retry-After support</strong> - respects the server's retry window</li> <li> <strong>Per-endpoint circuit breaker</strong> - powered by Resilience4j; a broken endpoint only trips its own circuit</li> <li> <strong>Non-blocking async dispatch</strong> - <code>sendAsync()</code> returns a <code>CompletableFuture</code>, your thread is never blocked</li> <li> <strong>Audit logging</strong> - SLF4J by default, pluggable to a database via a single bean</li> </ul> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>io.github.karunarathnad<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-webhook-sender<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.0.1<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>Requires Java 17+ and Spring Boot 3.2+. No extra configuration needed — Spring Boot auto-configuration wires everything up.</p> <h2> Usage </h2> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Service</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">OrderService</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">WebhookClient</span> <span class="n">webhookClient</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="nc">WebhookEndpoint</span> <span class="no">PAYMENT_ENDPOINT</span> <span class="o">=</span> <span class="nc">WebhookEndpoint</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">id</span><span class="o">(</span><span class="s">"payment-service"</span><span class="o">)</span> <span class="o">.</span><span class="na">targetUrl</span><span class="o">(</span><span class="s">"https://payments.example.com/webhooks"</span><span class="o">)</span> <span class="o">.</span><span class="na">secret</span><span class="o">(</span><span class="nc">System</span><span class="o">.</span><span class="na">getenv</span><span class="o">(</span><span class="s">"PAYMENT_WEBHOOK_SECRET"</span><span class="o">))</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">onOrderCreated</span><span class="o">(</span><span class="nc">Order</span> <span class="n">order</span><span class="o">)</span> <span class="o">{</span> <span class="nc">WebhookEvent</span> <span class="n">event</span> <span class="o">=</span> <span class="nc">WebhookEvent</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">eventType</span><span class="o">(</span><span class="s">"order.created"</span><span class="o">)</span> <span class="o">.</span><span class="na">payload</span><span class="o">(</span><span class="n">order</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="n">webhookClient</span><span class="o">.</span><span class="na">sendAsync</span><span class="o">(</span><span class="n">event</span><span class="o">,</span> <span class="no">PAYMENT_ENDPOINT</span><span class="o">)</span> <span class="o">.</span><span class="na">thenAccept</span><span class="o">(</span><span class="n">result</span> <span class="o">-&gt;</span> <span class="n">log</span><span class="o">.</span><span class="na">info</span><span class="o">(</span><span class="s">"delivered={} attempts={}"</span><span class="o">,</span> <span class="n">result</span><span class="o">.</span><span class="na">success</span><span class="o">(),</span> <span class="n">result</span><span class="o">.</span><span class="na">totalAttempts</span><span class="o">()));</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>The JSON payload sent to the endpoint looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"eventId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"a3f1c2d4-..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"order.created"</span><span class="p">,</span><span class="w"> </span><span class="nl">"occurredAt"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-05-10T08:30:00Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"payload"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"orderId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ORD-001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"amount"</span><span class="p">:</span><span class="w"> </span><span class="mf">99.99</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Configuration </h2> <p>All settings have sensible defaults. Override only what you need in <code>application.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">webhook</span><span class="pi">:</span> <span class="na">retry</span><span class="pi">:</span> <span class="na">max-attempts</span><span class="pi">:</span> <span class="m">3</span> <span class="na">initial-interval</span><span class="pi">:</span> <span class="s">1s</span> <span class="na">multiplier</span><span class="pi">:</span> <span class="m">2.0</span> <span class="na">max-interval</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">circuit-breaker</span><span class="pi">:</span> <span class="na">failure-rate-threshold</span><span class="pi">:</span> <span class="m">50</span> <span class="na">minimum-number-of-calls</span><span class="pi">:</span> <span class="m">10</span> <span class="na">async</span><span class="pi">:</span> <span class="na">core-pool-size</span><span class="pi">:</span> <span class="m">4</span> <span class="na">max-pool-size</span><span class="pi">:</span> <span class="m">16</span> </code></pre> </div> <h2> Extending </h2> <p>Need to persist delivery records to a database? Register one bean:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">AuditLogger</span> <span class="nf">webhookAuditLogger</span><span class="o">(</span><span class="nc">WebhookAuditRepository</span> <span class="n">repo</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="n">record</span> <span class="o">-&gt;</span> <span class="n">repo</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">toEntity</span><span class="o">(</span><span class="n">record</span><span class="o">));</span> <span class="o">}</span> </code></pre> </div> <p>Need a custom signing strategy? Override <code>SignatureStrategy</code>. Need snake_case JSON? Override <code>webhookObjectMapper</code>. The library gets out of your way when you need it to.</p> <h2> Verifying on the receiving side </h2> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nc">Mac</span> <span class="n">mac</span> <span class="o">=</span> <span class="nc">Mac</span><span class="o">.</span><span class="na">getInstance</span><span class="o">(</span><span class="s">"HmacSHA256"</span><span class="o">);</span> <span class="n">mac</span><span class="o">.</span><span class="na">init</span><span class="o">(</span><span class="k">new</span> <span class="nc">SecretKeySpec</span><span class="o">(</span><span class="n">secret</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="no">UTF_8</span><span class="o">),</span> <span class="s">"HmacSHA256"</span><span class="o">));</span> <span class="nc">String</span> <span class="n">expected</span> <span class="o">=</span> <span class="s">"sha256="</span> <span class="o">+</span> <span class="nc">HexFormat</span><span class="o">.</span><span class="na">of</span><span class="o">().</span><span class="na">formatHex</span><span class="o">(</span><span class="n">mac</span><span class="o">.</span><span class="na">doFinal</span><span class="o">(</span><span class="n">rawBody</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="no">UTF_8</span><span class="o">)));</span> <span class="nc">String</span> <span class="n">received</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="na">getHeader</span><span class="o">(</span><span class="s">"X-Webhook-Signature"</span><span class="o">);</span> <span class="c1">// constant-time comparison to prevent timing attacks</span> <span class="kt">boolean</span> <span class="n">valid</span> <span class="o">=</span> <span class="nc">MessageDigest</span><span class="o">.</span><span class="na">isEqual</span><span class="o">(</span><span class="n">expected</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="no">UTF_8</span><span class="o">),</span> <span class="n">received</span><span class="o">.</span><span class="na">getBytes</span><span class="o">(</span><span class="no">UTF_8</span><span class="o">));</span> </code></pre> </div> <h2> Links </h2> <ul> <li>GitHub: <a href="https://github.com/karunarathnad/spring-webhook-sender" rel="noopener noreferrer">https://github.com/karunarathnad/spring-webhook-sender</a> </li> <li>Maven Central: <a href="https://central.sonatype.com/artifact/io.github.karunarathnad/spring-webhook-sender" rel="noopener noreferrer">https://central.sonatype.com/artifact/io.github.karunarathnad/spring-webhook-sender</a> </li> </ul> java springboot webhook opensource