Saturday, September 9, 2017

Designing a Stateless State Machine: Simplicity Over Frameworks

Context

I recently came across Spring State Machine while working on a project that uses Spring Boot. At first glance, it seemed like a perfect fit.

However, I quickly ran into a few challenges:

  • Managing custom exceptions felt awkward and required hacks.

  • I needed to instantiate multiple state machines through a pool (since maintaining them per session or thread is discouraged).

  • A Spring State Machine only processes one event at a time, which I found limiting—even though state transitions are fast.

  • Overall, the framework feels unnecessarily stateful, and I don’t see why it has to be that way.

That said, the documentation is very clear and helped me learn a lot about state machine concepts.


Discussion

While digging into the source code, I noticed a fundamental issue: Spring State Machine tightly couples transitions with the current state. From my perspective, transitions should be static and immutable, while the current state can change independently.

If transitions are immutable, they can safely be shared across threads without synchronization concerns.

Based on this idea, I implemented a simpler solution—what I now call a state manager. Transitions are stored in a Map-like structure, where the key is [sourceState, event] and the value is the targetState.

This means you only need to perform a simple lookup with the current state and the incoming event. Guards and actions can then be layered on top of this lookup logic.

The result is:

  • No synchronization needed.

  • A single state manager instance can be reused across threads or created on the fly.

  • Works very well for simple state machines.

Of course, it doesn’t yet cover more complex scenarios like regions or nested states—higher abstractions may be needed for that. But as a starting point, this approach has been effective.


Conclusion

State machines are a powerful tool and appear often in business requirements. But I believe they should be isolated from business code rather than embedded directly. Unfortunately, I haven’t yet found a simple, production-friendly implementation in Java.

In my next post, I’ll share a more advanced version of this state manager, which I’ve used successfully to extend an existing approval system. The code is on GitHub (still a work in progress).

My takeaway: a lightweight state manager as an internal service class often provides more flexibility than a fully-fledged state machine framework. It leverages existing application infrastructure for persistence, business rules, and object scope—without unnecessary complexity.

Thanks for reading, and I look forward to your comments.


🔗 Related post: Why developers never use state machines


Sunday, September 3, 2017

My usefull posts

 Java posts

Blockchain/Smart contacts


REST service Mutual SSL aauthentication

Migrating applications to micro-services means having a couple of applications that need to talk to each other. We need an architecture to allow to add security at method level and to keep our data safe from inside attacks. Much of what will be said here can be applied to non spring based micro-services.

Oauth2, our best friend

This is an authorization problem that can be solved with oauth2. Oauth2 is widely used as a mechanism to give web applications developers access to users data at Google/Facebook/GitHub directly from the foreign services in a secure way.

What is Aouth2 
Oauth2 provides also a very elegant solution. The core components of oauth2 cooperates but they are loosely coupled to each other. In fact, they have no knowledge of each other. Once the system is in place, resource server modules that needs security can have almost  security for free.

  • Resource Owner - our users
  • Resource Server - This is any of module based spring boot that contains data of our users
  • Authorization Server - This is essentially the token endpoint. It could also any existing compliant oauth2 server or simply a spring based oauth2. It allows user to manage tokens that give access to resource servers. This is the central point for authorization where users give access to their resources and resource server validate theses tokens to build their security context
  • Client - This is any of module based spring boot that manage  data on the behalf of our users. Mobile apps, web apps, any program etc
How it works ? 

The user authenticates on a authorization service, which maps the user session to a token. The authentication is outside the scope of oauth2. Any further API call to the resource services must provide this token. The services are able to recognize the provided token and ask the authorization service, which authorities this token grants, and who is the owner of this resource.  

It is important to highlight that Oauth2 is not an authentication server and acts only as an authorization server by enforcing who can access to what. For that, it reuses the user identity obtained via authentication process as well as the application (client_id) who are consuming the resources on behalf the of user. 

With OAuth2 you can define, which application (web, mobile, desktop, additional website) can access which resources on the top of the user identity which tell us which user can access which data. 


JWT

Oauth2 doesn't solve all of our problems. OAuth2 as a protocol does not tell us how the token is looking like and where it is stored. Also, for each request against a resource micro service containing a token in the header, the service will perform another request to authorization server to check the token. That's not good enough.

To solve these two problems, we can use JWT or  JSON Web Token.  This token contains info about the OAuth client, optionally the user with its authorities and the granted scope that is serialized into JSON first, encoded with base64 and finally signed using cryptographic key. The result is called JSON Webtoken, which we use as an access token directly. This json token may be sign with public key, symmetric key or a shared key.

When this token is passed via HTTP header, the resource servers just have to take this JWT, verify it was really properly signed (meaning this token is coming from the authorization server), and instead of asking user info, deserializing the JSON content into a OAuth2Authentication, establishing a SecurityContext based on this.

Using JWT provides a simple way of transmitting tokens, containing the permissions and user data in the access token string. Since all the data is already inside, there neither is a need to maintain a token store, nor the resource servers must ask authorization for token checks. The security of the token is based on the underlying cryptographic primitive used to secured the tokens. So, using JWT makes OAuth2 available to micro services, without affecting the architectures scalability.


Work on progress.....