Java 3 - 2026

Week 6

Week 1 - Setup Pet Clinic App. Deployment using Docker.
Week 2 - Domains, AWS, ER Diagrams and Databases, Understand the Pet Clinic Setup.

Week 3 - MVC, Repository interfaces, Thymeleaf, Internationalization, Controller Unit Tests, 

Week 4 - Use Case Narrative, Sequence Diagram, State Chart Diagram, Create new objects.
Lesson 5 - Users, roles, and permissions setup from Java 2. Unit Tests. Show object details.

Lesson 6 - User Registration. Update and delete existing objects.

Lesson 7 - Homepage with content from the database. Custom not found and error pages.

Lesson 8 - Login and logout. Cookies. User permission access.

Lesson 9 - Edit and delete user profile. Password reset.
Lesson 10 - Filtering and limiting records by category.
Lesson 11 - Web Sockets. Date and currency formatting.
Lesson 12 - Email and SMS messaging. Failed login attempts.
Lesson 13 - Shopping Cart. Payment processing.

Course Plan

• Sort and filter the list of schools

• update and delete a school

• language toggle

• Use local storage to remember language toggle.

• Access schools by visiting "/schools/kirkwood" instead of "/schools/1"

• CSRF? Security
• Email confirmation
• Other inputs - select, radio, checkbox
• Update messages.properties files to include needed translations for the registration form headings, labels, and flash messages
• Register as Student or Register as School Admin. Manually define the default STUDENT role.

• Cannot snapshot C:\Users\mlhau\OneDrive\Kirkwood\Grading\spring-athleagues-lp\build\resources\main\db\h2\data.sql: not a regular file

  
  Cannot snapshot C:\Users\mlhau\OneDrive\Kirkwood\Grading\spring-athleagues-lp\build\classes\java\main\org\springframework\samples\petclinic\model\BaseEntity.class: not a regular file

Next

• Change /register to /register-student

• Flash Message with Closeable X
  <div th:if="${messageSuccess}" class="alert alert-success alert-dismissible fade show" role="alert">
    <span th:text="${messageSuccess}">Profile updated successfully.</span>
    <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
  </div>

2027

• The current set up is suitable for building a REST API that communicates with a JavaScript frontend like React, Angular, or Vue.

• The Pet Clinic project uses an MVC structure with Thymeleaf to handle the frontend workload.

• For this project, we need to refactor the AuthController to be a Spring MVC Controller that serves HTML forms and handles the domain redirection logic.

AuthController

• Key Changes:

  • @Controller instead of @RestController (returns Views, not JSON).

  • initRegisterForm: Prepares the blank User object.

  • processRegisterForm: Handles validation, saves the user via UserService, parses the email domain, and redirects to the specific School page.

AuthController

• Your SecurityConfig.java is still pointing to the old API endpoints. We need to open the new /register URL so users can access it without logging in.

• Replace the two existing .requestMatchers with this:
  .requestMatchers("/register","/login").permitAll()

SecurityConfig

• In SchoolRepository, add a method to look up a school by its domain.

• Using Optional allows us to handle the "School Not Found" scenario (like when a user registers with @gmail.com) explicitly in the Controller using .isPresent() or .orElse(), preventing NullPointerExceptions.

SchoolRepository

• Create registerForm.html in a "src/main/resources/templates/auth/" folder.

• This uses the same inputField fragment you previously updated to ensure consistent styling and validation messages.

• th:replace="~{fragments/layout ...}": This means "I USE the layout." as defined in layout.html.

Registration Form Template

• Add English translations.

• You can also add these to your Spanish/Korean files if you wish, but it's not strictly required to pass unit tests.

messages.properties

• Our inputField.html fragment currently has logic for 'text' and 'date', but it has no instruction for what to do if the type is 'password', so it will render nothing.

• Open inputField.html and add a new th:case="'password'" to the switch statement.
  <input th:case="'password'"
    th:class="${#fields.hasErrors(name)} ? 'form-control is-invalid' : 'form-control'"
    type="password" th:field="*{__${name}__}" />

inputField Template

• We want to include a "Register" and "Login" button that changes to "Edit Profile" and "Logout" when the user is signed in?

• To implement this, we need to use Spring Security Dialect for Thymeleaf (sec:authorize) to conditionally show buttons based on the user's login status.

• First, ensure your layout.html (at the very top of the file) includes the security namespace, or the sec: tags will be ignored.
  <html th:fragment="layout (template, menu)" xmlns:th="https://www.thymeleaf.org" xmlns:sec="http://www.thymeleaf.org/extras/spring-security">

Register/Login Buttons

• Thymeleaf does not understand sec:authorize out of the box. Without the specific plugin library, it ignores the attribute and renders the buttons by default.

• Open build.gradle.

• Add this line to your dependencies block:
  implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity6'

• Reload Gradle (Click the Elephant icon).

Spring Security Dialect

• On desktop view, the Home and Find Schools links should be next to the branding logo, and the new buttons should be on the right.

• On mobile view, the "Home" and "Find Schools" buttons should be stacked vertically with the new buttons underneath.

• Place this code after the last ul tag in the nav section. It must go inside the div#main-navbar.

Register/Login Buttons

• sec:authorize="!isAuthenticated()": Shows the content only if the user is Anonymous (Guest).

• sec:authorize="isAuthenticated()": Shows the content only if the user is Logged In.

• The Left <ul> has me-auto (Margin End Auto). This consumes all available empty space to its right, effectively pushing the next element (the Right <ul>) to the edge.

• Logout Form: I wrapped the logout button in a <form method="post">.

  • Spring Security disables GET requests for logout by default to prevent Cross-Site Request Forgery (CSRF) attacks. 
• We add a conditional class check (th:classappend) to check if the variable menu (passed from the page) matches the specific name for that button. This styles the "active" link.

Implementation Details

• Temporarily change the Logout button from  "isAuthenticated()" to "!isAuthenticated()" 

• The Logout item is a <button> inside a <form>. Browsers apply a default "User Agent Stylesheet" to buttons (gray background, borders, padding) that overrides the Bootstrap .nav-link class.

• Add this code at the bottom of the layout.html <head> section to force the button to behave like an <a> tag and inherit the parent's hover effects.

Logout Button Styling

• From Java 2, our User.java has Database rules (nullable = false), which means the database schema requires them. We changed the structure to not require them.

• User.java is also missing Java Bean Validation rules (@NotEmpty). The Controller checks the Java rules, not the Database rules.

• You need to import jakarta.validation.constraints.* and add the annotations to the fields.

• The @Valid annotation in the AuthController looks for these tags.

User Validation

• Run the app, click Register, and sign up as yourname.student@kirkwood.edu. It should redirect you to the Kirkwood school page.

• Sign up as yourname.student@uiowa.edu. It should redirect you to the Iowa school page.

• Sign up as yourname.student@example.edu. It should redirect you to the Iowa school page.

Run the app

• Some schools have different types of emails for students or alumni, like "@student.kirkwood.edu" or "@alumni.uni.edu".

• Update AuthController.java to add a helper method called findSchoolByRecursiveDomain that will loop through the domain parts until it finds a match or runs out of parts.

• Update part 2 of the processRegisterForm method to call that method.

Allow Subdomains

• You should verify this works by creating  AuthControllerTest.java with a unit test that processes a user register with subdomain redirect.

Allow Subdomains Unit Tests

• To implement a "Flash Message" (a temporary notification that survives a redirect), we use Spring's RedirectAttributes.

• Step 1: Update AuthController.java

  • Update the processRegisterForm method to accept RedirectAttributes. This allows us to pass data (the message) that survives the browser redirect.

Flash Message

• Step 2: Update layout.html HTML

  • We need to add a "Slot" for this message to appear. The best place is inside the main container, right above where the page content (th:replace="${template}") is injected.

  • It defines three distinct blocks. Since they all use the class flash-message, a jQuery script can be written to automatically handle the slide-up animation for any of them.

Flash Message

• Step 3: Update layout.html JavaScript

  • To make it disappear automatically after 10 seconds, add this script.

Flash Message

• Spring Security creates session cookies automatically to track when a user is "logged in".

• The missing piece is that right now, you are saving the user to the database, but you aren't logging them in. The user remains "Anonymous," so isAuthenticated() returns false, and your buttons don't change.

• Your UserService.registerNewUser(user) method takes the password (e.g., "password123") and overwrites it with a Bcrypt hash (e.g., $2a$10$EixZa...).

• To log the user in, we need the raw password. If we try to login with the hash, it will fail.

Session Cookies

• Open AuthController.java

• We will modify processRegisterForm to:

  • Capture the raw password before the Service hashes it.

  • Inject HttpServletRequest to access the login functionality.

  • Log in the user using AuthenticationManager.

Update AuthController.java

• How it works

  • request.login(email, password): This is a standard Jakarta EE method. It asks Spring Security to verify the credentials.

  • Success: If valid, Spring Security creates a session, generates a JSESSIONID cookie, sends it to the browser, and flips the user status to isAuthenticated().

  • Redirect: When the browser loads the next page (the School page), it sends the cookie back.

  • Layout: Your layout.html sees isAuthenticated() is true and renders the Edit Profile / Logout buttons.

• Restart the application. Register a new user.

• Upon redirect, look at the top right. You should immediately see EDIT PROFILE and LOGOUT.

Update AuthController.java

• If you restart the server and visit "/schools/new" and submit the form with no input, you'll get a 403 forbidden error.

• This error is happening because in your SecurityConfig.java, you likely have this line which protects POST requests, but allows GET requests.

  .requestMatchers(HttpMethod.GET).permitAll()

• This allows an anonymous user to view the form (GET /schools/new).

• However, you do not have a matching rule for the POST request. Therefore, it falls through to your catch-all rule:

  .anyRequest().authenticated()

• Because we disabled the default login form redirect (.formLogin(AbstractHttpConfigurer::disable)), Spring Security simply blocks the request with a 403 Forbidden instead of redirecting you to a login page.

New School or Owner

• If you want to test the form validation without logging in, you must explicitly allow POST requests to that URL.

• Open SecurityConfig.java and add the specific matcher:

Temporarily Unblock

• However, since we have built the Login/Register feature, the intended flow is that only logged-in users should be able to create schools or owners. 

• If you want to test the form validation without logging in, you must explicitly allow POST requests to that URL.

• Open SecurityConfig.java and add the specific matcher:

• If you want to test the form validation without logging in, you must explicitly allow POST requests to that URL.

• Open SecurityConfig.java and add the specific matcher:

• When a user registers, they are redirected to their school's page, but the Register/Login buttons don't change to Edit Profile/Logout.

• The issue we are experiencing happens because of a change in recent versions of Spring Security (specifically Spring Security 6 / Spring Boot 3).

  • The initial project we setup in Java 2 uses Spring Boot 3.5.7

  • Spring Boot 4.0.1 came out in late 2025, which is what our petclinic project uses.

• Currently, our code successfully authenticates the user in the AuthController, but it forgets the user as soon as the redirect happens.

• In the newest version of Spring Security, manually setting the authentication in the SecurityContextHolder no longer automatically saves that context into the user's HTTP Session. You have to explicitly tell Spring to save it so it survives the redirect.

User Registration Bug Fix

• When a user registers, they are redirected to their school's page, but the Register/Login buttons don't change to Edit Profile/Logout.

• The issue we are experiencing happens because of a change in recent versions of Spring Security (specifically Spring Security 6 / Spring Boot 3).

  • The initial project we setup in Java 2 uses Spring Boot 3.5.7

  • Spring Boot 4.0.1 came out in late 2025, which is what our petclinic project uses.

• Currently, our code successfully authenticates the user in the AuthController, but it forgets the user as soon as the redirect happens.

• In the newest version of Spring Security, manually setting the authentication in the SecurityContextHolder no longer automatically saves that context into the user's HTTP Session. You have to explicitly tell Spring to save it so it survives the redirect.

User Registration Bug Fix

• Step 1: Update your processRegisterForm method signature to include HttpServletRequest request.
  @PostMapping("/register-student")
public String processRegisterForm(@Valid User user,
              BindingResult result,
              RedirectAttributes redirectAttributes,
              HttpServletRequest request) {

• Step 2: Add the session-saving logic immediately after setting the authentication. This ensures the authentication survives the redirect
  HttpSession session = request.getSession(true);
session.setAttribute(
 HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
 SecurityContextHolder.getContext()
);

User Registration Bug Fix

• On the /register-student page, if I enter an email that already exists in the database, the error "is already in use" displays, but I want the message in this line of code to display.
  result.rejectValue("email", "duplicate", "This email is already registered");

• In the standard PetClinic template, the word duplicate is already defined in the messages.properties file, and its value is set to "is already in use".

• When you call rejectValue("email", "duplicate", "..."), Spring sees the "duplicate" error code, looks it up in the properties file, and uses it.

• If you change the error code (the second argument) to something that doesn't exist in the properties file (like "duplicateEmail"), Spring will be forced to use your hardcoded default message.

Registration Duplicate Email

• If you plan to keep doing translations, a better practice would be to update messages.properties

• Spring builds a hierarchy of error codes when validation fails. You can target this exact field by adding a highly specific key to the bottom of your messages.properties file:

  • duplicate.user.email=This email is already registered

• If you do this, you do not need to change your Java code at all. Spring will look up duplicate.user.email, find your new custom sentence, and display it on the form.

• If you created a custom @Unique annotation for the User class—similar to what we did for the School domain earlier—that validation might be triggering during the @Valid check before it even reaches this line of code. If so, you would update the message attribute inside that annotation instead

Registration Duplicate Email

• GitHub Actions works as your "robot butler." Instead of you manually running gradle build, docker build, and docker push on your laptop, GitHub does it automatically every time you push code.

• Here is the workflow:

  • You push code to your GitHub repository.

  • GitHub Actions wakes up, spins up a temporary server (runner).

  • It builds your jar using Gradle.

  • It logs in to Docker Hub (using secrets you provide).

  • It builds and pushes your Docker image.

GitHub Actions

• You should never put your Docker Hub password directly in the file. You use GitHub Secrets.

• Go to your GitHub repository.

• Click Settings -> Secrets and variables -> Actions.

• Click New repository secret.

• Add these two:

  • Name: DOCKERHUB_USERNAME

    • Secret Value: your_actual_username

  • Name: DOCKERHUB_TOKEN

    • Secret Value: (Go to Docker Hub -> Account Settings -> Personal access tokens​ -> Generate New Token)

    • For access permissions, select "Read & Write".

    • Use this token instead of your real password.

Set up Secrets

• In your project, create this directory structure and file: .github/workflows/deploy.yml

• Paste this content in, customized for Gradle and Java 17.

• Change petclinic to your image name.

• To keep your v1, v2, v3 pattern going without having to manually type it every time, you can use a built-in GitHub variable called github.run_number.

Create the Workflow File

• The petclinic app comes with three workflows `deploy-and-test-cluster.yml`, `gradle-build.yml`, and `maven-build.yml`.

• Here is exactly why it is safe to remove them:

• maven-build.yml: You already committed to Gradle for this project, making the Maven pipeline completely redundant.

• gradle-build.yml: By default, this workflow runs ./gradlew build, which automatically executes all of the Spring Boot integration tests. Because you updated the application properties to require environment variables for your external MySQL database, the GitHub Actions server cannot start the application context to run the tests, which will cause the entire run to crash. Furthermore, your custom deploy.yml file already handles the necessary Gradle building for you (while intentionally skipping those tests using the -x test flag).

Delete other Workflow Files

• deploy-and-test-cluster.yml: This is a highly specialized workflow built for deploying the application to a Kubernetes cluster (specifically using a tool called standard kind). Since you are using Azure Container Apps, this file serves no purpose for your infrastructure.

Delete other Workflow Files

• Commit this file and push it to GitHub.
  git add .
git commit -m "Add GitHub Action workflow"
git push

• Go to the "Actions" tab in your GitHub repository. You will see the workflow running. When it turns green, check Docker Hub—your image will have been freshly updated!

• By doing this, every single push to your main branch will create a brand-new, uniquely numbered tag (starting with v1). 

Trigger it

• Right now, GitHub pushes the image, but Azure doesn't know about it yet. You have two choices:

• Continuous Deployment (CD) in Azure:

  • Go to your Azure Container App in the portal.

  • Under Application -> Revision management (or Continuous deployment), you can enable a setting that says "Create a new revision when a new image is pushed."

  • Note: This often requires a webhook setup.

• Add an Azure Step to the YAML:

  • You can add a final step to the GitHub Action that runs az containerapp update to tell Azure to pull the new image immediately.

  • We will set this up on the next slide.

How does Azure know to update?

• To make this work, GitHub Actions needs an "ID badge" (a Service Principal) so Azure trusts it enough to accept the remote update command.

• Run this command in your PowerShell terminal to create a dedicated service account that only has access to your specific resource group, keeping your wider Azure account secure.
  az ad sp create-for-rbac `
  --name "github-actions-petclinic" `
  --role contributor `
  --scopes /subscriptions/your-subscription-id/resourceGroups/your-resource-group-rg `
  --json-auth

• Replace with your subscription id and resource group

• Go to Azure, open your resource group, click Access control (IAM), then Role Assignments.

Azure Step in YAML

• Go back to your GitHub repository.

• Navigate to Settings -> Secrets and variables -> Actions.

• Click New repository secret.

• Name: AZURE_CREDENTIALS

• Value: (Paste the entire JSON block here)

• Click Add secret.

GitHub Secrets

• Add these final two steps to the very bottom of your .github/workflows/deploy.yml file.

• Since your GitHub Actions workflow runs on a Linux machine (ubuntu-latest), we use the bash line-continuation character \ here instead of the PowerShell backtick.

• Change petclinic to your image name.

Append to your YAML File

• To securely run your automated tests against your external MySQL database, we need to inject those credentials into the GitHub Actions runner right before Gradle executes.

• Go to your GitHub repository.

• Navigate to Settings -> Secrets and variables -> Actions.

• Click New repository secret and add these three secrets one by one:

  • Name: MYSQL_URL, Value: jdbc:mysql://YOUR_WEB_DB_HOST:3306/YOUR_DB_NAME?useSSL=true

  • Name: MYSQL_USER, Value: YOUR_DB_USERNAME

  • Name: MYSQL_PASS, Value: YOUR_DB_PASSWORD

MySQL database credentials

• Now, we need to update Step 3 in your .github/workflows/deploy.yml file.

• Provide the secrets to the step using the env: block.

• Change the run command to ./gradlew clean build -x jar. (Using build instead of bootJar tells Gradle to explicitly run the test phase before packaging the application).

• If someone submits a pull request or pushes broken code to your repository, the test phase will fail. When a step fails in GitHub Actions, the entire workflow immediately stops. This guarantees that a broken image is never built, pushed to Docker Hub, or deployed to Azure.

MySQL database credentials

• The project uses the Spring Java Format plugin. This is a strict code-styling enforcer that the Spring team uses to guarantee all code looks exactly the same (spacing, indentation, bracket placement, etc.).

• When your GitHub Action runs./gradlew clean build, it triggers the checkFormatMain task. The plugin scans new Java files you add and fails if they don't perfectly match the official Spring style guide. 

• You do not need to format these files by hand. The Gradle plugin can fix them for you automatically.

• Open the terminal in IntelliJ and run the automatic formatter command:

• Windows (PowerShell): .\gradlew format

• Mac/Linux: ./gradlew format

Spring Java Format plugin

• The Spring PetClinic project includes a plugin called NoHttp. Its sole purpose is to scan every single file in your project (Java, HTML, XML, Markdown, etc.) and fail the build if it finds a URL that starts with http:// instead of the secure https://.

• This guarantees that the application never accidentally loads resources over an unencrypted, insecure connection.

• Open the file mentioned in the error: src\main\resources\templates\fragments\layout.html

• Go to line 3.

• Change the http to https so it looks exactly like this: https://www.thymeleaf.org/extras/spring-security

Task :checkstyleNohttp FAILED

• Commit and push this updated YAML file to your main branch. This will immediately trigger the workflow.

• If successful, GitHub will build your app, push the dynamically tagged image to Docker Hub, and seamlessly tell Azure to swap to that exact numbered version!

• If it failed, GitHub provides detailed logs for every single command it runs.

• Click on the workflow run that has a red X next to it.

• On the left side under "Jobs", click build-and-push.

• You will see a list of steps. Click on the step that has the red X (likely Build and Test with Gradle) to expand its terminal output.

• Scroll to the bottom of that expanded log. You are looking for a specific Java or Gradle error.

Trigger it

• Our SiteGround databases currently allow access from any IP address, which is not secure.

• If I limited the IP addresses, while your laptop might be allowed to connect, the GitHub Actions server is a random machine in the cloud. SiteGround will look at GitHub's IP address and block the connection, causing your Gradle tests to hang and fail.

• If it is a firewall issue, you generally have two paths forward:

• Option A (Skip Tests in CI): The easiest fix. You can change the YAML run command back to ./gradlew clean bootJar -x test -x jar. You simply rely on running your tests locally on your computer before you push.

• Option B (Testcontainers): The professional standard. Instead of connecting to your external SiteGround database during the GitHub test phase, you configure Spring Boot to spin up a temporary, throwaway Docker container with MySQL inside the GitHub runner itself just for the tests.

SiteGround Database

• X

More Create Table Statements

• X

More Create Table Statements

• X

More Create Table Statements

• It is possible to replace Thymeleaf with a frontend JavaScript framework like React, Angular, or Vue.

• This involves shifting your application from a Server-Side Rendered (SSR) architecture to a Client-Side Rendered (CSR) or Single Page Application (SPA) architecture.

• Here is how that transition works:

  • Thymeleaf: The Spring Boot server generates the full HTML page. It merges the data (e.g., a list of Vets) with the template (vetList.html) and sends the finished HTML to the browser.

  • React/Angular/Vue: The Spring Boot server becomes a REST API. It sends only the raw data (usually in JSON format). The JavaScript framework running in the browser receives that JSON and builds the HTML dynamically.

Frontend JavaScript Frameworks

• A benefit of the layered architecture (Controller > Service > Repository) is that you do not need to change your Database or Repository layers—you only need to modify the Controller layer.

• If you look at VetController.java, the application already has an endpoint ready for a JavaScript framework to use:

Frontend JavaScript Frameworks

• The @ResponseBody annotation tells Spring: "Do not look for a Thymeleaf template. Just take this Java object, convert it to JSON, and send it back."

• A React or Angular app would make a fetch('/vets') call to this URL, receive the list of doctors, and render the table itself.

• To fully replace Thymeleaf, you would:

• Update Controllers: Change your @Controller classes to @RestController (which automatically applies @ResponseBody to every method).

• Return Data, Not Strings: Instead of returning strings like "owners/createOrUpdateOwnerForm", your methods would return Owner objects or ResponseEntity objects.

• Delete Templates: You would eventually delete the src/main/resources/templates folder since the Java app no longer generates HTML.

• Frontend Build: You would build your React/Angular app separately. You can then either run it on a separate server (like Node.js) that talks to your Spring Boot API, or package the built JavaScript files into the Spring Boot static folder to serve them together.

Frontend JavaScript Frameworks