 Hello developers, my name is Matt Raebel and today I'd like to show you how to build a Java REST API using three different very popular frameworks, Micronaut, Quarkus, and Spring Boot. Let's get started. Everything I'm going to show you today is contained in this blog post, Java REST API Showdown, and I'll admit the title is a little clickbaity, but nevertheless, Daniel wrote it. It's a great post on just how to create a simple API with each of these frameworks and then add protection using JWT token-based authentication. So I have a repo that's part of the blog post and in here there's a demo.adoc. This is the instructions that I'm going to use and it's basically just a condensed set of instructions so I don't have to, you know, read through the blog post and do all this and it's written in ASCII Docs, so I'll go ahead and use my handy-dandy ASCII Doc plugin to render it nicely. You'll see we'll start with creating a Micronaut app. We'll create an OIDC app on Okta and just so you know, we don't actually need to create an app for any of these apps because all they're going to be doing is validating the JWT and then we'll create one with Quarkus and Spring Boot and they'll all be very simple. So everything here is not too complicated, but I think it gives a good overview of how you can do it with each one. So I'll put this on the left here and open up a terminal. If you don't have Micronaut or Java installed, you can use SDKman and SDKman is great. So let me just open that up here and you'll see install it very easily using Curl and it's just a great tool for installing different versions of Java and managing those and even Spring CLI, Micronaut, it's pretty awesome. So I'm going to do SDK install Micronaut and you'll see I already have the latest version installed. So if you ran the same thing and there's a newer version, you would get that newer version and then I'll use I'm going to create a directory called showdown and then I'll use MN for Micronaut, create app, com.octa, rest, Micronaut, and I'm going to use Maven for all of these projects just because that's the default for some of them. It's not for Micronaut, but the build command will make it the default. So it took about 20 seconds to run. I can open that up in IntelliJ. Then I'll modify the pom.xml to have the security libraries. So I have live templates for a lot of these shortcuts. I just have to type MNSecurity and boom. I get Micronaut Security and Micronaut Security JWT. If you want similar shortcuts, these are all IntelliJ live templates, and you can get them from my GitHub repo at mrableidealive-templates. You can install them in your own IntelliJ instance and then have similar commands. So then we'll create a hello controller in here and so new class and we'll give it the controller package. Hello controller. You'll see it's pretty simple. It imports Java security principle. It has a path of slash hello and these security annotations aren't discovered. So what I've noticed is you have to re-import the Maven project and we'll need to rename this application YAML to properties and we'll tighten this up a bit. And then we need a couple of properties in here. Security Token Enabled True or Security Enabled True, Security Token JWT Enabled True and then we'll need to give it a path to where the JWT signature keys exist. And so for me that's dev13320.octa.com and so if you've created your own Octa account then you'll have an issuer like that. And so if you were to log into it, if I log into mine here, I'll just show you where you get that information under API Authorization Servers. That's where you can get that issuer value and if we look back at IntelliJ that is this part, right? So the slash v1 keys is everything else and you can also get your Octa org information from the main dashboard right up here and people often get confused because this is different from what's up here, right? So you want to make sure and not have dash admin in there. All right back to our instructions. So we do need to create an OIDC app on Octa and this is just for OIDC debugger so we can get that access token. So if we do add application and we can do a web app, it doesn't really matter. We can say, you know, call it Java, REST API and none of that really matters but we do have to add open IDC debugger slash debug as a redirect and we have to do implicit flow because that's what this browser based one does here. So once we do that, we'll get a client ID that we can use. Put that right here and the state you'll have to populate. It already has my values in there from before so obviously you might need to populate that and uncheck code and just do token and then we can send a request and then we'll get an access token right that we can use. So copy that and then if you don't have an Octa account, another thing you can do is use the Octa Maven plugin. So if I were to run mvn.com.octa maven set plugin setup, it'll actually go and create an account for me and create an app. So I already had an account so I didn't do this, but if I ran this, I'll show you the app it creates. So if I go back here and go to applications, there's the app it created. All right, and it's already got some basic stuff in there. So it's got the default redirect URI for spring boot and redirect URI for a lot of our Java samples. So we don't need to use that because we already got our access token, but we can start our micronaut app now. So mvn compile exec exec. And then in a new window, we'll define our token token equals that access token. And you can use curl to hit the end point. So curl dash x get dash. Hi, HTTP local host, 8080. Hello, right? That's a lot of typing. But it shows access tonight. An easier way is to use HTTP IE HTT PI. It's hard to say, but you can default to local host. And it also defaults to application JSON. So you can see it's a little less typing. But we need to access it with a token, right? So with HTTP PI, you can do 8080. Hello, and then authorization header with a bearer token, and specify that token value. And now we'll be led in, it'll validate that jot and say hello to our username. So that's all working. Now let's do it with corkis. Oh, we got to create it. So that's what you do with this maven command here. You'll see it uses corkis 142, sets the group ID to com octa rest, and specifies a path for that hello resource, and uses the JWT extension. So then we can open that one up and then tell J. If we go to the hello resource class that's been created for us, you'll see it's pretty simple. We're just going to make it a little more robust and add some security. So we're using the authenticated annotation. And we're using a security context and grabbing the context using that context annotation, and just getting the user's name from there and printing it out like we did before. So an application that properties, you need to specify the keys, right? So dev 133320.com. And that's our public key location, as well as our issuer. So this uses micro profile. That's why you have to see that MP prefix. I'm not sure why they couldn't just look up the public key because the issuer has that information. It's pretty cool. And open ID connect if you were to go to default dot well known, probably have it in here. Nope. So if you were to go there and well known, open ID configuration, it has all the endpoints, including that JWKS URI. So maybe micro profile needs some improvements there. But whatever, this works. Right. So now we can run our corpus app. And then if we test it with HTTP pi, 8080. Hello. That's not up yet. Come on corpus. The dev command isn't optimized for speed. So it's optimized for letting you actually change files. And it reloads and compiles them on the fly. So of all these three frameworks, that's one thing I noticed about corpus. Once you start it up, you really never have to compile or restart anything. The other is you have to compile your files either in IntelliJ or using, you know, a CLI. So now we'll hit 8080. Hello. You'll see it's 401. And if we did it with a token in there, now it should succeed. And it does. All right. So that's corpus. That's all running. And now our last one is spring boot. So using HTTP, we can create a new spring boot app here. And so it's going to hit start that spring.io. It's going to use Java dependencies or web and octa. And it's using this baster and then just extracting it right into it. So if we go into spring boot, we can open that up. And then in the main application directory, we can create a hello controller. So we'll do it in a controller package. Hello controller. And you'll see this is probably the least amount of code that's required. But a lot of this is because of spring security. And it's been around for so long. And it's really been polished over the years. So we're using an authentication principle here to get the principle. And we're printing out their name just as before. And then in our application of properties, we can put that octa to issuer. And then we can run our spring boot app. So you could do it from the IDE there just by hitting play. But since I did all the other ones from the command line, I might as well do this one as well. Oh, this is new in spring boot 2.3. Yeah, I forgot to make this right. So we're executable. So once that starts up, we can prove that we get a 401 when we hit 8080 hello with no access token. And you'll notice spring security returns a whole lot more headers than the other frameworks. So there's a lot of default headers that are pretty good in there, especially for security. And then if we want to do with the token, and again, that works. So that's pretty awesome. They're all working. We can compare the startup times of the various ones. So if we do MVNW package for each one. So what I've noticed is when I'm running Camtasia, which I'm using to record this, the timings aren't that great. So I'm on a 2018 MacBook Pro. And it's got 16 or 32 gigs of RAM. It's got a six core processor, i9. Everything's, you know, pretty fast normally. But when I'm recording, things slow down a bit. So the numbers that I give you today probably aren't going to be that accurate. So I'll just, I'll run it a couple of times and we can see what the differences are between them. And I've also noticed that a lot of times they recommend you use grawl to really speed things up. And so I'm not going to do that because grawl compilation takes a little time, but I'll give you some grawl numbers too. And it looks like corkis doesn't compile out of the box. So we've got to skip some tests. I shouldn't say it doesn't compile. I should say the tests fail. So now just to start up microknot, we can do Java dash jar target, and there will be a microknot 0.1.jar that we can run. So we'll wait till corkis finishes. There we go. Let's see how fast this one is. That was 4.5 seconds. I've seen it at like a second or even below a second. So like I said, I think Camtasia does influence this by recording my screen and making these times a little slower, but at least we can compare them to each other, right? Because they all have the same hindrance in this particular example. So around 4 seconds, 4.5, 3.7, 3.9. And then for corkis, Java dash jar target, and you'll want to do the runnable one. You can see that 3.2 seconds for the first one, 3.1 seconds, and 3.0. And then spring boot, Java dash jar target, demo jar. So that one looks like it took a little over 10 seconds. All right, let's try again. Come on, spring boot, you can do better. So about 10 seconds, that seems to be the average. So almost double micronaut and triple corkis. So people ask about grauLVM. With grauLVM, you can really make things faster, but you pay in the compilation time to make that native image. So according to the documentation that I found, micronaut is about 12 milliseconds to start up with grauLVM. So that's wicked fast, right? A tenth of a second. Corkis is 14. So really splitting hairs here. The corkis documentation doesn't list a startup time, but the micronaut one does, and then spring boot has this blog post where they say they're 44 milliseconds. So still half a second to start up. Like, wow, that's fast. But in serverless architectures, I can see why you would want, you know, start up just as fast as you can. So like I said, the source code is on GitHub. And so in that octa, java, rest API comparison example, and the blog post is back here. And I did add some numbers when I wasn't running Camtasia this morning. So let's go look at those. You'll see here, just running compile exec exec, and all these which aren't optimized, you'll see that micronaut is the fastest. But once you do java-jar, micronaut said about a second. Corkis is about 0.67 of a second. And then spring boot is a couple of seconds. So wicked fast for all of them. Well done, folks. And they keep getting faster every release. So it's pretty cool. So if you enjoyed this video, follow my team on Twitter at octadev. I'm on Twitter at mrable. And if you like Volkswagen's, we'll get along just great. My direct messages are wide open. So you can send me any questions you might have. And my whole team as well posts a lot of videos on YouTube. So subscribe. And you'll notice we have an OAuth happy hour every Thursday at 2 p.m. If you'd like to ask questions about OAuth. Thanks for watching. And I hope you have a great day.