DEV Community: Ulrich VACHON

Playing with the embryonic connections in Java with the Foreign Function

Ulrich VACHON — Sun, 02 Jun 2024 22:41:02 +0000

Today we will use the Foreign Function (FFI) in Java 22 to call a native code aims to initiate embryonic connections against any servers.

💡An example is ready to run on my github.com/ulrich space available in the repository : https://github.com/ulrich/java-rawsocket

What is embryonic connections ? 🎓

We use embryonic connections capabilities when we want to initiate an aborted TCP three-way handshake for example. If you remember your Network courses at the Faculty (coucou Paris 8 ❤️) there are a couple of years (for me), you remember the following sequences while the TCP-IP tries to open a network connection :

1️⃣              SYN (seq 1000) -> |
2️⃣                                | <- SYN / ACK (seq 2000, ACK 1001)
3️⃣    ACK (seq 1001, ACK 2001) -> |

When the process is achieved the hosts can talk together. If we don't need to establish a well formed connection between hosts, we can abort the sequence by sending a reset (RST) instruction at the end of the TCP three-way handshake, like this :

1️⃣              SYN (seq 1000) -> |
2️⃣                                | <- SYN / ACK (seq 2000, ACK 1001)
3️⃣                        RST ->  X

There are several reasons to create embryonic connections and from my side I had to implement this feature for a client there is some years...

Anyway, if you want to explore Embryonic Connection go ahead in the dedicated Wikipedia page : https://en.wikipedia.org/wiki/TCP_half-open

The Foreign Function in Java ? 🎓

The best way to resume the FFI in Java is to mention the official definition from Oracle company : The Foreign Function and Memory (FFM) API enables Java programs to interoperate with code and data outside the Java runtime.

In other terms, we want "to bend the game" and forgot the ancestor ways (JNI, JNA, JNR...) to use native code outside the Java Virtal Machine.

The promise behind FFI is to ease the use cases when a Java needs to (down)call and (up)call a native program or library.

This article is not an introduction about FFI and the best to learn about it is to follow the Oracle documentation here : https://docs.oracle.com/en/java/javase/22/core/foreign-function-and-memory-api.html

FFI for embryonic connection ? 🚀

I think you've guessed why we need native program to establish an embryonic connection. Indeed, in Java we unfortunately don't have the ability to create low-level network packets. So the use of the netinet/tcp.h library is reserved for lower-level languages such as C (our example) and so FFI comes to the rescue !

Please deep dive in the SocketTester.java code with me 🔍

public int run() throws Throwable {
    log.info("Running SocketTester for destination address {}:{}", destinationAddress, destinationPort);

1️⃣    try (Arena confinedArena = Arena.ofConfined()) {
        SymbolLookup symbolLookup =
                    SymbolLookup.libraryLookup(Config.getNativeLibraryFile(), confinedArena);

2️⃣        MemorySegment function =
                    symbolLookup.find(Config.getNativeFunctionName())
                            .orElseThrow(() -> new IllegalStateException("Unable to find the native function: " + Config.getNativeFunctionName()));

3️⃣       MethodHandle methodHandle = Linker.nativeLinker()
                .downcallHandle(
                            function,
                            Config.getNativeFunctionDescriptor());

4️⃣       return (int) methodHandle.invoke(
                    confinedArena.allocateFrom(sourceAddress),
                    confinedArena.allocateFrom(destinationAddress),
                    confinedArena.allocateFrom(ValueLayout.OfInt.JAVA_INT, destinationPort),
                    confinedArena.allocateFrom(ValueLayout.OfInt.JAVA_INT, readTimeout),
                    confinedArena.allocateFrom(ValueLayout.OfInt.JAVA_INT, writeTimeout));
    }
}

At the point 1️⃣ we declare that we want to use the restricted Arena only available for the thread which creates the Arena. We can compare Arena with a closed box responsible to control the lifecycle of native memory segments. For the moment FFI allows the following scopes : Global, Automatic, Confined and Shared. Please take a look into Javadoc : https://docs.oracle.com/en/java/javase/22/docs/api/java.base/java/lang/foreign/Arena.html

At the point 2️⃣ we have to load the native library under the .so form.

At the point 3️⃣ we initialize a downcall handler used to communicate from Java to Native code. FFI allows to use upcall handler stub which enable you to pass Java code as a function pointer to a foreign function.

At the point 4️⃣ we invoke the native code by passing the expected parameters previously created by the different allocateFrom methods.

To test the embryonic connection with Foreign Function code, you can use the mentioned project upper.

If all the process is successful, we will obtain the following trace in your terminal :

[INFO (java)] Running SocketTester for destination address 127.0.0.1:8080
[INFO (native)] Selected source port number: 35940
[INFO (native)] TCP header sequence number: 272214228
[INFO (native)] Successfully sent 60 bytes SYN!
[INFO (native)] Received bytes: 40
[INFO (native)] Destination port: 35940
[INFO (native)] Successfully received 40 bytes
[INFO (native)] Received syn: 0, ack: 1, rst: 1
[INFO (native)] TCP header sequence number response: 0
[INFO (native)] TCP header ack sequence number response: 272214229
[INFO (native)] tcph->syn: 0
[INFO (native)] tcph->ack: 16777216
[INFO (native)] SYN ACK received -> Success

Have a good day.

Image par jacqueline macou de Pixabay

Develop your Tomcat App with Docker Compose Watch

Ulrich VACHON — Mon, 15 Apr 2024 23:35:37 +0000

Today we will see how Build, Run, Deploy and Modify in immediate mode a simple Java App deployed on Tomcat via the Docker Compose Watch feature.

The purpose of this article is not to introduce the development of some Tomcat App via Spring or whatever platform but instead of that to explain how we can use the Docker's tools to make easier it.

💡A Docker Compose stack is ready to run on my github.com/ulrich space available in the repository : https://github.com/ulrich/develop-java-app-with-compose-watch

Docker Compose Watch in few words

This tool has been released in the Docker Compose v2.22.0 by my favorite ❤️ team at Docker. Quickly when you use Compose during your developments, it can useful to synchronize your local changes with your deployed App running in his container. Before the Watch feature you were forced to use a workaround like Bind mount for getting a hot reloaded capability and it was OK. But in many cases in many technologies, it's not a good idea to work like this because for example in Java (in particular Java WAR App based model) technology, we don't want to deploy our App after a simple modification. You understood, a Java WAR App needs many resources which can slow down the inner loop development experience.

Docker Compose Watch offers an another approach for developers by using of new properties allowing to synchronize with a fine-grained level each piece of your App. By the way, a couple of new commands (develop/watch/action) will help you to define what/when/how I have to synchronize one piece of code (file, directory, module...).

You will find more information in the following source here.

Craft a simple Java WAR App

Add a simple Spring Boot app with the convenience dependencies.

The best way, for generating a ready-to-run application in Java you can use the Spring Boot Initializr tool.

We will need to enroll the following dependencies:

spring-boot-starter-tomcat
spring-boot-starter-web
spring-boot-starter-thymeleaf
spring-boot-starter-data-jpa

These followings for this introduction will use Java 21 and Maven.

There is nothing of special to be noted for this application which use the classic architecture from Java App. The data layer is fed by a pre-initialized Postgres Compose service.

After running the Docker Compose services you will access to the students.html page from the following URL : http://localhost:8080/app-for-compose-watch-0.0.1-SNAPSHOT/students/all (figure 1)

Fig. 1

Run the App with --watch flag

In this introduction, we will see two ways to synchronize our application.

For running the App with the Compose Watch enabled, we have to launch like this :

❯ docker compose up --build --watch

This command will build and run the App with the Compose Watch observer enabled (figure 2).

Fig. 2

👋 This way to start the services is interesting because in this case, we ask to build, run and watch the expected service with the logs enabled in the console.

When I want to create or modify the Java code

In Java WAR App based on Tomcat, the easiest way to test the inner-loop development is to instruct Compose Watch for rebuilding and deploying the App when a "witness" file has changed. The following Compose configuration allows this development round-trip :

  app:
    image: app:latest
    build: ./
    develop:
      watch:
        - action: rebuild
          path: deploy.watch
    ports:
      - 8080:8080

The notable point to consider there is the path instruction used to trigger a rebuild action when the developer considers it. As I explained previously, we don't want to trigger a rebuild action for each Java file modifications, so we can consider that when we want to test our modifications, the developer have to update this spy file.

For my part I use a IntelliJ Shell script which update the deploy.watch file located in the root path with this kind of configuration (figure 3).

Fig. 3

When the Deploy App command is triggered, we can see the Docker Compose Watch feature take the hand and making the expected actions (build, deploy and restart Tomcat). PTAL the following sample of logs after executing the command (figure 4).

Fig. 4

Practical and inexpensive!

When I want to modify a HTML file

The solution to synchronize not compiled sources like Thymeleaf files (for example) is to use the sync action. When we use this feature the Docker Compose doesn't restart the App but only copy and past the files denoted by the couple path/targer. Let's take a look of the following configuration used to (hot) update the students.html file located in src/main/resources/templates/ path.

  app:
    image: app:latest
    build: ./
    develop:
      watch:
        - action: rebuild
          path: deploy.watch
        - action: sync
          path: src/main/resources/templates/
          target: /usr/local/tomcat/webapps/app-for-compose-watch-0.0.1-SNAPSHOT/WEB-INF/classes/templates/
    ports:
      - 8080:8080

The main difference with the previous declaration is the necessity to declare a target path.

Please take a look to the following resource : /students/adults (figure 5).

Fig. 5

If I modify the template by adding some information, the modification should instantly happened (figure 6).

Fig. 6

Fig. 7

Conclusion

Finally we can consider the Docker Compose Watch tool while developing a Java WAR App on Tomcat. Given that I think is a good alternative from the classical development stack like IntelliJ Plugin or others. All parts of the inner-loop developments can be make in the image itself and no need to install third party tooling.

Have a good day.

Image par jacqueline macou de Pixabay

Step-up authentication in Keycloak + Spring Boot

Ulrich VACHON — Sat, 15 Apr 2023 15:07:23 +0000

Today I will show you how to set up a stepped-up authentication based on Keycloak and Spring Boot.

Basically in a classical application, the security is often based on the login/password, API key, token, roles, URI pattern, etc... Sometimes one or all of these features are coupled together to implement a security policy worthy of the name.

When you need to enhance the security for a particular action it could be difficult to decide which security feature employing to accomplish that. The OAuth2 specification proposes a simple solution named Step-up Authentication Challenge Protocol, link of the RFC is here.

In this paper I will show you how I implemented this feature in a Spring Boot app coupled at Keycloak.

💡A Docker Compose stack is ready to run on my github.com/ulrich space available in the repository : stepup-authentication-with-keycloak-and-spring-boot.

Wear your seat belt and follow me.

Create the backend

Add a simple Spring boot app with the convenience dependencies.

The best way to generate a Ready-to-run application in Java is to use the Spring boot initializr tool.

By the way we need to enroll the following dependencies:

Spring Web
Spring Security
OAuth2 Client
OAuth2 Server
Lombok
Testcontainers

These followings for this introduction will use Java 17 and Maven (of course).

The minimum implementation

The reader should accept that this app doesn't fill the best practices expected for the Production environment.

Plug the backend to Keycloak

Obviously, we will use Docker and Compose to lead this tutorial.

Create the Docker Compose stack

Add the Dockerfile for the backend app.

Nothing to new for this Dockerfile, we just need to separate the build stage from the runtime stage.



# Build Container
FROM maven:3.8.5-openjdk-17-slim as build

WORKDIR /app/

RUN apt-get update && \
      apt-get install -y --no-install-recommends

COPY pom.xml .
COPY /src src

RUN mvn clean package -DskipTests

# Run Container
FROM amazoncorretto:17

COPY --from=build /app/target/**.jar app.jar

Add the Docker Compose services

Like the previous Docker configuration the Compose file is a-by-the-book example used to run the services:



services:
  keycloak:
    image: quay.io/keycloak/keycloak:21.0
    container_name: stepup-keycloak
    hostname: stepup-keycloak
    ports:
      - 9080:8080
    networks:
      - keycloak-net
    volumes:
      - ./keycloak/config:/opt/keycloak/data/import
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      KC_HOSTNAME: localhost
    entrypoint: [ "/opt/keycloak/bin/kc.sh", "start-dev", "--import-realm" ]
  backend:
    depends_on:
      - keycloak
    build: ./backend
    container_name: stepup-backend
    hostname: stepup-backend
    ports:
      - 8080:8080
    networks:
      - keycloak-net
    entrypoint: [ "java", "-Xms512m", "-Xmx1g", "-jar", "app.jar", "--debug" ]

networks:
  keycloak-net: { }

Resolve the Keycloak hostname in your local hosts file for Keycloak



❯ docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' stepup-keycloak
172.22.0.2
❯ cat /etc/hosts
172.22.0.2  stepup-keycloak

Resolve the Keycloak hostname in your local hosts file for the backend



❯ docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' stepup-backend
172.22.0.3
❯ cat /etc/hosts
172.22.0.3  stepup-backend

Create the Keycloak the stepped-up configuration realm

The detailed configuration can be found in this the stepup-realm.json
file, but we can highlight some points:

The client user-client is mandated for delivering an access token to the user,
The frontend-url property has necessary to be set to http://172.30.0.2:8080 for the issuer claim value.

Create the OAuth2 security layer

Backend side we can use a simple but an effective configuration where the settings are spread both in
the application.yml and SecurityConfiguration.java files. No more needed for the time.

The following shows the main content of the files:

In the application.yml file we need to declare to Spring Security where the OIDC configuration can be found.



spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          client-id: user-client
          issuer-uri: http://stepup-keycloak:8080/realms/stepup
          jwk-set-uri: http://stepup-keycloak:8080/realms/stepup/protocol/openid-connect/certs

In the SecurityConfiguration.java file we need to describe a basic configuration indicates how to handle the request.




@Configuration
@EnableWebSecurity
@EnableMethodSecurity
class SecurityConfiguration {

    // ...

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.cors();
        http.csrf().disable();
        http.authorizeHttpRequests()
                .anyRequest().authenticated()
                .and()
                .oauth2ResourceServer().jwt();

        return http.build();
    }
}

Test the security configuration

At this point we can run the Compose stack:



❯ docker compose up --build

You can note that the client secret was generated during this documentation and located in the stepup-realm.json file.

Open a terminal and test the configuration with curl.

Get a valid access token from Keycloak



❯ TOKEN=`curl -XPOST 'http://stepup-keycloak:8080/realms/stepup/protocol/openid-connect/token' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'client_secret=6AurffbSrQ4yaGOl2TE7nvdveKwM2CB0' \
        --data-urlencode 'client_id=user-client' \
        --data-urlencode 'grant_type=password' \
        --data-urlencode 'username=ulrich' \
        --data-urlencode 'password=ulrich' | jq -r .access_token`

Test an authenticated access



❯ curl -i "http://stepup-backend:8080/user?email=foo@gmail.com" \
        --header "Authorization: Bearer $TOKEN"

The expected result from the previous request should be:



HTTP/1.1 200 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 10 Apr 2023 16:35:48 GMT

{"email":"foo@gmail.com"}

If we omit the Authorization header we should have this kind of response:



HTTP/1.1 401 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Set-Cookie: JSESSIONID=21C630C8B2B38333DC81029DEBC2818E; Path=/; HttpOnly
WWW-Authenticate: Bearer
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 0
Date: Mon, 10 Apr 2023 19:54:26 GMT

The step-up implementation from app side

It's time to add more securities in our app by using a step-up mechanism involves the add of a request interceptor. The
request interceptor will should be triggered if any resource is marked by @StepupAuthentication annotation.

The step-up components

No caveat in the current implementation based on Spring, we just need to develop three components:

StepupAuthentication.java is the class that we will put on a stepped-up resource,
StepupAuthenticationInterceptor.java is the implementation of the step-up mechanism. It is responsible for the ACR validation by opening the jwt-token and check if the signed token contains the expected LOA value,
StepupAuthenticationInterceptorConfig.java is the underlying code responsible to declare own interceptor.

The resource security enhancement

All is ready to enhance the security and for the test we will put the @StepupAuthentication on
the UserResource.delete resource.

Just like that:




@RestController
@RequestMapping(
        value = "user",
        produces = {"application/json"})
public class UserResource {

    private final UserRepository userRepository;

    @Autowired
    public UserResource(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    // ...

    @DeleteMapping
    @StepupAuthentication
    public ResponseEntity<Void> delete(@RequestParam String email) {
        userRepository.deleteUserByEmail(email);

        return new ResponseEntity<>(HttpStatus.NO_CONTENT);
    }
}

The step-up implementation from Keycloak side

The Keycloak instance is ready to test in this tutorial, but we will brief take a look in the authentication flow where all work.

The overridden Browser flow

The basic Browser flow doesn't allow to build a stepped-up flow, so I created the browser-stepup-flow cloned from the browser-flow. More details are available in the Keycloak configuration but just note the two flows, the first one for the default flow and the second for the step-up flow.

The key here is that the user pass through with success the Stepup authentication flow the ACR field will contain the
expected LOA value (2 for my example).

Remember, if the stepup authentication interceptor validates the ACR code, it will let the execution continue.

Test the step-up configuration

Open a terminal and test the configuration.

Get a valid access token from Keycloak



❯ TOKEN=`curl -XPOST 'http://stepup-keycloak:8080/realms/stepup/protocol/openid-connect/token' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'client_secret=6AurffbSrQ4yaGOl2TE7nvdveKwM2CB0' \
        --data-urlencode 'client_id=user-client' \
        --data-urlencode 'grant_type=password' \
        --data-urlencode 'username=ulrich' \
        --data-urlencode 'password=ulrich' | jq -r .access_token`

Step 1

Call the delete user resource



❯ curl -i -XDELETE "http://stepup-backend:8080/user?email=foo@gmail.com" \
        --header "Referer: http://localhost:8080" \
        --header "Authorization: Bearer $TOKEN"

The expected result from the previous request should be:



HTTP/1.1 412 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json
Content-Length: 253
Date: Fri, 14 Apr 2023 12:02:51 GMT

{"status":"PRECONDITION_FAILED","authenticationUrl":"http://stepup-keycloak:8080/realms/stepup/protocol/openid-connect/auth?client_id=user-client&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&response_type=code&response_mode=query&scope=openid&acr_values=2"}

Explanations:

This response status available in the status field means that the LOA (Level Of Access) value stored in ACR claim field was not in the good level,
The step-up mechanism built a validation URL for the end user available in the authenticationUrl field.

Step 2

To continue the authentication flow, the user needs to follow the given URL and provides to good password.

If the password form is successfully passed, the Keycloak forwards the flow by using the given URI located in the redirect_uri URL parameter.

Step 3

At this moment, the app needs to exchange the authorization-code (located in the response header Location) for the access-token. This is the final step where the app will receive the access-token filled with the expected ACR claim value (2).

Proceed to get the new access-token.



TOKEN=`curl -XPOST 'http://stepup-keycloak:8080/realms/stepup/protocol/openid-connect/token' \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --data-urlencode 'grant_type=authorization_code' \
        --data-urlencode 'client_id=user-client' \
        --data-urlencode 'client_secret=6AurffbSrQ4yaGOl2TE7nvdveKwM2CB0' \
        --data-urlencode 'code=3125c7c3-b2a9-4c20-a2dd-e5bb14b16b6b.e4702561-58b5-44b2-b493-b30242eb1c71.d4b4ea5c-b02b-46d6-8859-5a0f0ed32287' \
        --data-urlencode 'redirect_uri=http://localhost:8080/' | jq -r .access_token`

The expected result from the previous request should be a new access-token with the ACR claim field updated:

Step 4

It's now possible to call the protected resources with the good level of accreditation.



❯ curl -i -XDELETE "http://stepup-backend:8080/user?email=foo@gmail.com" \
        --header "Referer: http://localhost:8080" \
        --header "Authorization: Bearer $TOKEN"

The expected result from the previous request should be:



HTTP/1.1 204 
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Date: Fri, 14 Apr 2023 12:34:41 GMT

The status code of the delete user action is 204.

Conclusion

Finally the set up of a stepped-up authentication solution is relatively easy with some knowledge of how to deal with ACR/LOA notions and obviously if you use a powerful tool like Spring. But you can without troubles employ another mechanism like Servlet Filter or whatever technologies even outside of Java. Moreover you can use a more powerful checker like OTP or else.

Have a good day.

Image par jacqueline macou de Pixabay

Simple health check for Keycloak

Ulrich VACHON — Thu, 23 Jun 2022 14:26:58 +0000

Today we will see how to add a simple and not intrusive health check based on shell script for your Keycloak

Sometime ago I did the (bad) experience to note the user sessions increase very faster without known reason on the main cluster.

The result of this was a rise of the user sessions which keep busy the CPU because we reached the maximum of heap memory occupation. More of 50k user sessions have been created on a dedicated Keycloak client by a health check probe a bit chatty 😇

Lesson of the day, if you fine-tuned your token settings don't forget to login AND logout test users.

A simple probe

The only prerequisite is to have jq command available on the environment where the script runs.

#!/bin/bash

login_access=$(curl -k -X POST \
   -H "Content-Type:application/x-www-form-urlencoded" \
   -d "grant_type=password" \
   -d "client_id=admin-cli" \
   -d "username=alive" \
   -d "password=[REDACTED]" \
 'https://keyclaok.company.com/auth/realms/[REALM]/protocol/openid-connect/token')

error=$(jq -r .error <<< $login_access)

if [ $error == "null" ]; then
    echo "Login successful for test user."
else
    echo "Unable to login test user ($error)."
    exit 1
fi

access_token=$(jq -r  '.access_token' <<< "${login_access}")
refresh_token=$(jq -r  '.refresh_token' <<< "${login_access}")

logout_response=$(curl -s -o /dev/null -w '%{http_code}' -k -X POST \
   -H "Content-Type:application/x-www-form-urlencoded" \
   -H "Authorization: Bearer $access_token" \
   -d "client_id=[CLIENT_ID]" \
   -d "refresh_token=$refresh_token" \
 'https://keycloak.company.com/auth/realms/[REALM]/protocol/openid-connect/logout')

if [ $logout_response -eq 204 ]; then
    echo "Logout successful for test user."
else
    echo "Unable to logout test user ($logout_response)."
    exit 1
fi

Le me try it

https://gist.github.com/ulrich/aa04a793d54703998ecb015a0e2ff803

Crédit photo : https://pixabay.com/fr/users/jackmac34-483877/

Configure Keycloak by a CLI extension

Ulrich VACHON — Mon, 30 May 2022 21:49:47 +0000

Today I will show you how to configure a Keycloak property by command-line interface.

The main advantage in the Keycloak world is the possibility to extend it. 🔧 Indeed, it exists several way to extend or manage this software and one of these is to use a CLI script.

In this article we will change the value at the startup time of the global property named staticMaxAge responsible of the caching for all assets of all themes. To be noted that we cannot configure this value by the UI but only by the standalone(-ha).xml file.

Search the node path of the property

Whatever the selected Keycloak profile (standalone or cluster mode), we will find the expected node here :

server > profile > subsystem:keycloak-server > theme > staticMaxAge

Create the CLI script

As soon as we have the node we have to translate it to JBoss script.

embed-server --server-config=standalone.xml

/subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge,value=3600)

quit

The first one line indicates to the engine the target profile,
The second one line writes the expected value in the property (staticMaxAge).

📝 One little tip, you can use a environment variable to fill the property :

embed-server --server-config=standalone.xml

/subsystem=keycloak-server/theme=defaults/:write-attribute(name=staticMaxAge,value="${env.KEYCLOAK_ADMIN_STATIC_MAX_AGE:3600})

quit

Push the CLI script in the right folder

If you want to configure your instance at the startup time (the common case for the production environment) you have to push the script in the following path : /opt/jboss/startup-scripts

This is an example of my Docker 🐋 configuration :

RUN mkdir /opt/jboss/startup-scripts

ADD --chown=jboss:root cli/update_assets_cache.cli /opt/jboss/startup-scripts/

Let me try it

If you want a complete example with a Docker configuration, you can clone the repository https://github.com/ulrich/keycloak-configuration-with-cli

Crédit photo : Vanille

Add Keycloak in legacy Spring app

Ulrich VACHON — Mon, 23 May 2022 14:25:02 +0000

Today I will show you how I added Keycloak in existing Spring app.

Often when we want to study some technology, it's easy to ignit the stack by running the corresponding hello-world 🌎 sample from sources, documentation, blog post, hands-on...

But as you say in the real life (project), the things are never straightforward. OK it said.

Thereby this article we'll discover an application which already being protected by an existing security layer but which needs to use Keycloak for the next generation of its controllers. So the challenge for us there is to do work together the existing security layer with the newer based on Keycloak.

The existing code

For the demonstration we use a very simple security pattern based on the Authorization header presence. You can imagine that this security being based on a custom JWT layer or anything else...

@RestController
@RequestMapping(value = "/api/v1/user")
public class UserControllerImpl {

    @GetMapping
    public ResponseEntity<User> getUser(@RequestHeader("Authorization") String authorization, String id) {
        var tokenOpt = Optional.ofNullable(authorization);

        if (tokenOpt.isEmpty()) {
            return ResponseEntity
                    .status(BAD_REQUEST)
                    .build();
        }
        var token = tokenOpt.get();

        if (!"authorization".equals(token)) {
            return ResponseEntity
                    .status(UNAUTHORIZED)
                    .build();
        }
        return ResponseEntity
                .ok(new User("1", "Ulrich"));
    }
}

As expected I will call my controller with CURL command and the result shall be very simple to understand.

❯ curl -H "Authorization: foo" --verbose http://localhost:9999/api/v1/user          
*   Trying 127.0.0.1:9999...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9999 (#0)
> GET /api/v1/user HTTP/1.1
> Host: localhost:9999
> User-Agent: curl/7.68.0
> Accept: */*
> Authorization: foo
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 
< Content-Length: 0
< Date: Sun, 22 May 2022 14:03:49 GMT
< 
* Connection #0 to host localhost left intact

Add Keycloak security layer

This part won't be detailed because it's only some configurations to add in your Maven project and Spring Security layer, but broadly we have to follow the steps :

Add Spring Security feature

This is the start of migration and for that we have to add some dependencies in our project as Spring Security configuration to bu use by the existing resources (/api/v1).

Keep in mind that we don't want to substitute the existing security layer by Spring Security and Keycloak but we want to dedicate a Spring Security configuration to the existing resources. Nothing else.

@Configuration
@EnableWebSecurity
@ConditionalOnProperty(value = "app.keycloak.enabled", havingValue = "false", matchIfMissing = true)
public class LegacySecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(LegacySecurityConfig.class);

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        logger.info("Configuring the legacy security layer");

        httpSecurity.csrf().disable();
        httpSecurity.authorizeRequests().anyRequest().permitAll();
    }
}

We will test this configuration by a CURL command to check if the existing resource can be reached again and also search the entry log related to the initialization of this configuration.

2022-05-22 16:31:18.102  INFO 34438 --- [main] c.r.s.config.LegacySecurityConfig : Configuring the legacy security layer

It's works👌

Add Keycloak feature

In this part of the migration I supposed that you have an Keycloak instance already set with a realm named test. If this is not the case you can start an instance based on my project located in the GitHub project.

Declare the KeycloakConfigResolver component

The goal of this component is to create a deployment in the Keycloak terminology. The deployment bean stores the configuration claimed by the combo Spring Security and Keycloak library.

@Configuration
@Component("keycloakConfigResolver")
public class SimpleKeycloakConfigResolver implements KeycloakConfigResolver {

    private final static Logger logger = LoggerFactory.getLogger(SimpleKeycloakConfigResolver.class);

    @Value("${app.keycloak.server_url}")
    private String keycloakServerUrl;

    @Value("${app.keycloak.config_ssl}")
    private String keycloakConfigSSL;

    @Value("${app.keycloak.config_realm}")
    private String keycloakConfigRealm;

    @Value("${app.keycloak.config_resource}")
    private String keycloakConfigResource;

    @Override
    public KeycloakDeployment resolve(OIDCHttpFacade.Request request) {
        logger.info("Configuring the Keycloak deployment");

        var adapterConfig = new AdapterConfig();

        adapterConfig.setBearerOnly(true);
        adapterConfig.setRealm(keycloakConfigRealm);
        adapterConfig.setSslRequired(keycloakConfigSSL);
        adapterConfig.setResource(keycloakConfigResource);
        adapterConfig.setAuthServerUrl(keycloakServerUrl);

        return KeycloakDeploymentBuilder
                .build(adapterConfig);
    }
}

💡As you can image we can have as much deployments as we want and by definition having a multitenant app capability.

Declare the KeycloakSecurityConfig component

This component is the entry point of the Keycloak configuration and allows developer to customize the behavior of sub components able to manage several things as the requests, the CORS or CSRF configurations etc...

The configure method is the place where we declare the Http security configuration and specially which one URL have to be handled by Keycloak.

@Configuration
@EnableWebSecurity
@KeycloakConfiguration
@DependsOn("keycloakConfigResolver")
@ConditionalOnProperty(value = "app.keycloak.enabled", havingValue = "true")
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(LegacySecurityConfig.class);

    public static final String VALIDATING_BY_KEYCLOAK = "/api/v2/**";

    @Autowired
    public void authenticationProvider(AuthenticationManagerBuilder authenticationManagerBuilder) {
        authenticationManagerBuilder.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        logger.info("Configuring the Keycloak security layer");

        super.configure(httpSecurity);

        httpSecurity.cors();
        httpSecurity.csrf().disable();
        httpSecurity.authorizeRequests().antMatchers(VALIDATING_BY_KEYCLOAK).authenticated();
        httpSecurity.authorizeRequests().anyRequest().permitAll();
    }
}

If we take the time to test the global mechanism we see that configuration runs well and that the /api/v2/user endpoit as well protected, awesome!

🟢Here we use a valid access token for test :

❯ curl -H 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItNFZiQmhtN1pZaXlhckdSMjk0el8xRDIwYzA5Y2Vrc0V4ZHJmUW9ESnhNIn0.eyJleHAiOjE2NTMyNDAzMjcsImlhdCI6MTY1MzI0MDAyNywianRpIjoiMjJlN2E4NTgtMDJhYS00NzE4LTlkZGItMDUwMDkwMmEyN2NiIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QiLCJzdWIiOiI5OTZmMDU2My04OGExLTQwYjEtYTc2NS0xNmI1NDYyMjBjZWYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJzZXNzaW9uX3N0YXRlIjoiNGExZDcyODEtZjk5OC00NGQ0LTliYmQtZDRkNmM4ZjhhNDJlIiwiYWNyIjoiMSIsInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6IjRhMWQ3MjgxLWY5OTgtNDRkNC05YmJkLWQ0ZDZjOGY4YTQyZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoidWxyaWNoIn0.h26O4nyVIpYPIzN5ocgvtBCRHcjEGT9kCxkv5T0yniLeTYU2XE0GZp_dmmb383sPz1KNJPOZRCYqMOgRFBl-7l9yWbiW85CsJ9EBsKDsp6z1lgtg_hkH0VDi_yVgDcdtQQ5fr7RppeoOhvmlM39qYf4_H2dr4WvhnJnjqLRBDsxcEaFWB97W8CUG66Ng2qEaHpmsqwFP7tPOdkwjktY9iBHJzG85SqKYO6YHbMM6YvukT14EwH2lFI4l-LpSfq1kXCMjZ9M__YEBbYswHs9RXfubI_Myr1kwCxFkXiqG6JOlwrxP8-UIRqTu2BCmbyq5YeliDhzO0NZP0eMTsaAedw' --verbose http://localhost:9999/api/v2/user
*   Trying 127.0.0.1:9999...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9999 (#0)
> GET /api/v2/user HTTP/1.1
> Host: localhost:9999
> User-Agent: curl/7.68.0
> Accept: */*
> Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItNFZiQmhtN1pZaXlhckdSMjk0el8xRDIwYzA5Y2Vrc0V4ZHJmUW9ESnhNIn0.eyJleHAiOjE2NTMyNDAzMjcsImlhdCI6MTY1MzI0MDAyNywianRpIjoiMjJlN2E4NTgtMDJhYS00NzE4LTlkZGItMDUwMDkwMmEyN2NiIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL3Rlc3QiLCJzdWIiOiI5OTZmMDU2My04OGExLTQwYjEtYTc2NS0xNmI1NDYyMjBjZWYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1jbGkiLCJzZXNzaW9uX3N0YXRlIjoiNGExZDcyODEtZjk5OC00NGQ0LTliYmQtZDRkNmM4ZjhhNDJlIiwiYWNyIjoiMSIsInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6IjRhMWQ3MjgxLWY5OTgtNDRkNC05YmJkLWQ0ZDZjOGY4YTQyZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoidWxyaWNoIn0.h26O4nyVIpYPIzN5ocgvtBCRHcjEGT9kCxkv5T0yniLeTYU2XE0GZp_dmmb383sPz1KNJPOZRCYqMOgRFBl-7l9yWbiW85CsJ9EBsKDsp6z1lgtg_hkH0VDi_yVgDcdtQQ5fr7RppeoOhvmlM39qYf4_H2dr4WvhnJnjqLRBDsxcEaFWB97W8CUG66Ng2qEaHpmsqwFP7tPOdkwjktY9iBHJzG85SqKYO6YHbMM6YvukT14EwH2lFI4l-LpSfq1kXCMjZ9M__YEBbYswHs9RXfubI_Myr1kwCxFkXiqG6JOlwrxP8-UIRqTu2BCmbyq5YeliDhzO0NZP0eMTsaAedw
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Set-Cookie: JSESSIONID=89CE06C8B841F99D3F161C4E3D1FE8A5; Path=/; HttpOnly
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Sun, 22 May 2022 17:21:07 GMT
< 
* Connection #0 to host localhost left intact
{"id":"1","name":"Ulrich"}

🔴Here we use an invalid access token for test :

❯ curl -H 'Authorization: MY_BEARER_TOKEN_IS_WRONG' --verbose http://localhost:9999/api/v2/user
*   Trying 127.0.0.1:9999...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9999 (#0)
> GET /api/v2/user HTTP/1.1
> Host: localhost:9999
> User-Agent: curl/7.68.0
> Accept: */*
> Authorization: MY_BEARER_TOKEN_IS_WRONG
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< WWW-Authenticate: Bearer realm="test"
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< WWW-Authenticate: Bearer realm="test"
< Content-Length: 0
< Date: Sun, 22 May 2022 17:24:50 GMT
< 
* Connection #0 to host localhost left intact

We have to confirm that the previous /api/v1/user resource works as before but unfortunately it's broken.

🔴Here we can confirm something was broken :

❯ curl -H "Authorization: authorization" --verbose http://localhost:9999/api/v1/user
*   Trying 127.0.0.1:9999...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9999 (#0)
> GET /api/v1/user HTTP/1.1
> Host: localhost:9999
> User-Agent: curl/7.68.0
> Accept: */*
> Authorization: authorization
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< WWW-Authenticate: Bearer realm="test"
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< WWW-Authenticate: Bearer realm="test"
< Content-Length: 0
< Date: Sun, 22 May 2022 17:28:55 GMT
< 
* Connection #0 to host localhost left intact

Declare the KeycloakAuthenticationProcessingFilter component

The reason behind the previous issue is related to the way of Spring Security interacts with the Keycloak library. Keycloak takes the hand for all incoming requests and we have to declare we don't want handle all requests but only the /api/v2/user based requests.

For that, we have only to override the KeycloakAuthenticationProcessingFilter bean by adding a specific matcher which match only for the /api/v2/* requests. Please take a look :

public class CustomKeycloakAuthenticationProcessingFilter extends KeycloakAuthenticationProcessingFilter {

    public CustomKeycloakAuthenticationProcessingFilter(AuthenticationManager authenticationManager) {
        super(authenticationManager, new AntPathRequestMatcher(VALIDATING_BY_KEYCLOAK));
    }
}

To achieve this overloading we have to improve the existing KeycloakSecurityConfig bean.

@Configuration
@EnableWebSecurity
@KeycloakConfiguration
@DependsOn("keycloakConfigResolver")
@ConditionalOnProperty(value = "app.keycloak.enabled", havingValue = "true")
public class KeycloakSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    private static final Logger logger = LoggerFactory.getLogger(LegacySecurityConfig.class);

    public static final String VALIDATING_BY_KEYCLOAK = "/api/v2/**";

    @Autowired
    public void authenticationProvider(AuthenticationManagerBuilder authenticationManagerBuilder) {
        authenticationManagerBuilder.authenticationProvider(keycloakAuthenticationProvider());
    }

    @Bean
    @Override
    protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception {
        return new CustomKeycloakAuthenticationProcessingFilter(authenticationManagerBean());
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new NullAuthenticatedSessionStrategy();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        logger.info("Configuring the Keycloak security layer");

        super.configure(httpSecurity);

        httpSecurity.cors();
        httpSecurity.csrf().disable();
        httpSecurity.authorizeRequests().antMatchers(VALIDATING_BY_KEYCLOAK).authenticated();
        httpSecurity.authorizeRequests().anyRequest().permitAll();
    }
}

🎉Here we are testing the /api/v1/user call with Keycloak enabled :

❯ curl -H "Authorization: authorization" --verbose http://localhost:9999/api/v1/user
*   Trying 127.0.0.1:9999...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9999 (#0)
> GET /api/v1/user HTTP/1.1
> Host: localhost:9999
> User-Agent: curl/7.68.0
> Accept: */*
> Authorization: authorization
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Sun, 22 May 2022 17:57:56 GMT
< 
* Connection #0 to host localhost left intact
{"id":"1","name":"Ulrich"}

Let me try it

If you want a complete Spring boot example with the Keycloak integration as expected in this article, you can clone the repository https://github.com/ulrich/spring-legacy-and-keycloak

Crédit photo : https://pixabay.com/fr/users/jackmac34-483877/

Automatically add CORS configuration to Spring controllers

Ulrich VACHON — Fri, 20 May 2022 16:31:58 +0000

It could be useful to add with a less of code the expected CORS headers in your Spring boot configuration. Let's do this!

CORS (Cross-Origin Resource Sharing) is a mechanism that allows "to protect" your resources APIs from undesirated calls. By saying protect I mean restrict the resources to be requested by any domain outside the origin domain where the resources was served.

Flag all resources with @CrossOrigin

This is the only step required by the configurer to claim the cross origin resource sharing. For example :

@CrossOrigin
@RestController
@RequestMapping(value = "/api/user")
public interface UserController { ...

Declare the CORS Spring configurer

This Spring bean is responsible of several things 🔎 The first one action is to scan your resources looking for the paths will should be protected. In this example we use the autowired bean ApplicationContext as entry point in the Spring application context :

@Autowired
public CorsConfig(ApplicationContext applicationContext) {
    corsControllers = Stream.of(applicationContext.getBeanNamesForAnnotation(CrossOrigin.class))
            .filter(Objects::nonNull)
            .map(bean -> applicationContext.findAnnotationOnBean(bean, RequestMapping.class))
            .filter(mapping -> Objects.nonNull(mapping) && mapping.path().length > 0)
            .map(mapping -> mapping.path()[0])
            .peek(path -> log.info("Register CORS configuration for \"{}\".", path))
            .collect(toSet());
}

Please keep this code safe !

The second one action is to declare WebMvcConfigurer bean will add the protected path in the CORS Registry.

@Bean
public WebMvcConfigurer corsConfigurer() {
    return new WebMvcConfigurer() {
        @Override
        public void addCorsMappings(CorsRegistry registry) {
            for (String corsController : corsControllers) {
                registry.addMapping(corsController)
                        .allowedOriginPatterns(allowedCorsOrigin)
                        .allowedHeaders("Authorization", ...)
                        .allowedMethods("OPTIONS", "PUT", "POST", ...);
            }
        }
    };
}

Something interresting to note there is that we can externalize the declaration of allowed domains by Ant patterns in an array of String. The property allowedCorsOrigin is a variable annoted by @Value (see the sample code).

Test the Spring configuration with CURL

Now we are able to test the configuration in a real Spring app.

🟢Here we use a valid domain for test :

❯ curl -H "Origin: https://fr.reservoircode.net" --verbose http://localhost:9999/api/user
*   Trying 127.0.0.1:9999...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9999 (#0)
> GET /api/user HTTP/1.1
> Host: localhost:9999
> User-Agent: curl/7.68.0
> Accept: */*
> Origin: https://fr.reservoircode.net
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Access-Control-Allow-Origin: https://fr.reservoircode.net
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Fri, 20 May 2022 16:20:17 GMT
< 
* Connection #0 to host localhost left intact
{"id":"1","name":"Ulrich"}

🔴Here we use a invalid domain for test :

❯ curl -H "Origin: https://foo.com" --verbose http://localhost:9999/api/user       
*   Trying 127.0.0.1:9999...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 9999 (#0)
> GET /api/user HTTP/1.1
> Host: localhost:9999
> User-Agent: curl/7.68.0
> Accept: */*
> Origin: https://foo.com
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Transfer-Encoding: chunked
< Date: Fri, 20 May 2022 16:23:02 GMT
< 
* Connection #0 to host localhost left intact
Invalid CORS request

Let me try it

If you want a Spring boot example you can clone the repository https://github.com/ulrich/spring-cors-autoconfig

Crédit photo : https://pixabay.com/fr/users/jackmac34-483877/

Create and use a result captor in Mockito

Ulrich VACHON — Fri, 13 May 2022 15:02:11 +0000

Today I will show you how to create a Mockito captor

In Mockito it exists the possibilty to use ArgumentCaptor to allow developers to verify the arguments used during the call of mocked method, but not the result itself.
Indeed, in the current release of Mockito it's not possible to capture it and my solution to do that is to build a ResultCaptor class which implements the Answer interface and generify it for more conveniance.

Let's take a look.

Create the ResultCaptor class

public static class ResultCaptor<T> implements Answer<T> {
    private T result = null;

    public T getResult() {
        return result;
    }

    @Override
    public T answer(InvocationOnMock invocationOnMock) throws Throwable {
        //noinspection unchecked
        result = (T) invocationOnMock.callRealMethod();
        return result;
    }
}

In this quite simple implementation we see that the ResultCaptor class implements the Answer interface which force to override the answer method. We use this "interceptor" to call the real method of spied bean and capture the result to store it in the current context.

Use the ResultCaptor class

ResultCaptor<ServiceResult> serviceResultCaptor = new ResultCaptor<>();
var message = new Message("id", "hello all!");
doAnswer(serviceResultCaptor).when(serviceSpy).sendMessage(message);
// do the call
var serviceResult = serviceResultCaptor.getResult();
assertThat(serviceResult).isNotNull();
assertThat(serviceResult.getWhatever()).isEqualTo("Whatever");

And that's it !

Let me try it

If you want a Spring boot example you can clone the repository github.com/ulrich/mockito-result-captor-demo

Crédit photo : https://pixabay.com/fr/users/jackmac34-483877/