Brian Demers

Testing on Thin Ice: Chipping Away at Test Unpredictability

Thu, 25 Sep 2025 00:00:00 +0000

Ever tried to catch melting snowflakes? That’s the challenge of dealing with flaky tests - those annoying, unpredictable tests that fail randomly and pass when rerun. In this talk, we’ll slide down the slippery slope of why flaky tests are more than just a nuisance. They’re time-sinks, morale crushers, and silent code quality killers.

We’ll skate across real-life scenarios to understand how flaky tests can freeze your development in its tracks, and why sweeping them under the rug is like ignoring a crack in the ice. From delayed releases to lurking bugs, the stakes are high, and the costs are real.

Testing on Thin Ice: Chipping Away at Test Unpredictability

Tue, 23 Sep 2025 00:00:00 +0000

SBOMs Are Not Enough

Tue, 13 May 2025 00:00:00 +0000

Software Bill of Materials (SBOMs) have emerged as a critical component of software supply chain security, promising transparency about the dependencies in our applications. But are they delivering on that promise? While SBOMs provide a snapshot of the components included in software, they often fail to address a vital piece of the puzzle: the tools, libraries, and configurations actually used to build it.

In this talk, we’ll explore the varying degrees of SBOM quality and expose the gaps that can undermine their utility. By understanding what SBOMs are—and what they aren’t—we’ll uncover the risks of relying on incomplete or inaccurate data and discuss complementary strategies for achieving a truly transparent and secure build process. Attendees will leave with a deeper appreciation of how SBOMs fit into the broader supply chain security landscape and actionable insights for bridging the gaps.

Testing on Thin Ice: Chipping Away at Test Unpredictability

Thu, 06 Mar 2025 00:00:00 +0000

Use the Maven Wrapper to optimize your build workflow

Mon, 07 Oct 2024 00:00:00 +0000

If you’re a Java developer, the Maven Wrapper is a simple tool that transparently manages your Maven installation.

Five ways to speed up your Maven builds

Tue, 01 Oct 2024 00:00:00 +0000

Get five low-effort strategies for accelerating your Maven builds so you can spend more time doing what you love most—writing code!

Maven Dependency Hell: Five Tips to Get Out

Tue, 16 Jul 2024 00:00:00 +0000

Learn how to better manage your Apache Maven dependencies and avoid the dreaded dependency hell.

How to speed up Apache Maven Builds with a Build Cache

Mon, 03 Jun 2024 00:00:00 +0000

Unlock faster Maven builds! Discover how a build cache can slash your build times and streamline your development workflow. Step-by-step guide included.

Developer Productivity Engineering: What's in it for Java Developers?

Thu, 16 May 2024 00:00:00 +0000

Developer Productivity Engineering (DPE) is the Next Big Thing in Software Development. But what is it? How will it foster Developer Joy? And how can you introduce it to your organization?

It may surprise you to learn that we developers are a patient, tolerant species. People pay us to do what we enjoy - write code and create working applications. In return, we will put up with all sorts of blockages and toil that get in the way of this - long build times, flaky tests, hard-to-debug toolchain failures, etc.

Apache Maven 102: Best Practices

Wed, 15 May 2024 00:00:00 +0000

Know enough about Maven to get by, but not enough to thrive? Then this talk is for you. We will review the basics and then dive into the best practices for both Maven single and multi-module projects. You will also walk away with enough knowledge to troubleshoot your builds. Apache Maven is still the defacto build tool in the Java world.

Testing on Thin Ice: Chipping Away at Test Unpredictability

Wed, 15 May 2024 00:00:00 +0000

Apache Maven 102: Best Practices

Wed, 10 Apr 2024 00:00:00 +0000

5 Ways to Improve Your Maven Projects Using Build Scans

Tue, 09 Apr 2024 00:00:00 +0000

We have all struggled with builds at some point. Build Scans offers solutions to some of the most common challenges Java developers face, including debugging failed builds, identifying performance issues, and managing dependencies more efficiently.

We’ll cover how using Build Scans will help you make your builds faster and foster better collaboration within teams by making sharing build insights easier. We’ll also examine the build processes of open-source projects to showcase valuable lessons learned.

Breeding 10x Developers with Developer Productivity Engineering

Wed, 28 Feb 2024 00:00:00 +0000

Sasquatch. Yeti. The Loch Ness Monster. The 10x Developer. You may think of these as mythical creatures that can’t possibly exist, but the 10x Organization is very real. In this session, Gradle’s Brian Demers will explain how a dedicated Developer Productivity Engineering (DPE) organization can breed 10x Developers. By reducing the toil, friction, and frustration of slow builds, flaky tests, and other avoidable failures, a DPE team enables a level of developer productivity that you may have thought impossible. Brian will help you explore DPE technologies, including build and test acceleration, failure analytics, and easily analyzed build records to show how to create an environment in which 10x Developers not only exist, but thrive.

Security and Productivity - Pick Two with Reproducible builds

Thu, 11 Jan 2024 00:00:00 +0000

Reproducible builds are crucial for ensuring software integrity but can be challenging to achieve. On the other hand, build caches provide a way to speed up builds by reusing previously-built artifacts and dependencies.

This talk will explore how reproducible builds and build caches can work together to create a more efficient, secure, and enjoyable development workflow. We will discuss the benefits and challenges of reproducible builds and build caches and provide practical tips for implementation.

Breeding 10x Developers with Developer Productivity Engineering

Thu, 30 Nov 2023 00:00:00 +0000

Security and Productivity - Pick Two with Reproducible builds

Tue, 21 Nov 2023 00:00:00 +0000

Breeding 10x Developers with Developer Productivity Engineering

Thu, 16 Nov 2023 00:00:00 +0000

Developer Productivity Engineering: What's in it for Java Developers?

Tue, 14 Nov 2023 00:00:00 +0000

Developer Productivity Engineering (DPE) is the Next Big Thing in Software Development. But what is it? How will it foster Developer Joy? And how can you introduce it to your organization?

Apache Maven 102: Best Practices

Sun, 08 Oct 2023 00:00:00 +0000

Breeding 10x Developers with Developer Productivity Engineering

Thu, 14 Sep 2023 00:00:00 +0000

Security and Productivity - Pick Two with Reproducible builds

Thu, 10 Aug 2023 00:00:00 +0000

Breeding 10x Developers with Developer Productivity Engineering

Tue, 18 Jul 2023 00:00:00 +0000

How to report a vulnerability: Responsible Disclosure for Developers

Wed, 21 Jun 2023 00:00:00 +0000

Ever seen a security-related issue that you felt should be reported? Unsure of how reporting security issue is different than a regular bug? Developers of any level should know how to report a vulnerability.

In this talk, we will talk about what CVEs are, some general vulnerability classifications, look at a few common ways you can report security issues, as well as look at a few common mistakes.

This talk is geared toward non-security professionals.

Testing is Confidence - A Developer's Perspective

Mon, 19 Jun 2023 00:00:00 +0000

We all know testing is important, but many of us still struggle with the difference between unit tests and integration tests and build cycles that take too long.

This talk will discuss, why we write tests, the different types of tests, and some best practices. Everything discussed will be language agnostic and discuss some common problems and solutions I’ve seen different shops, big and small.

The audience should walk away with a new appreciation for fast and clean builds.

From Hour-Long Builds to Streamlined Productivity: The Spring Boot Journey

Fri, 02 Jun 2023 00:00:00 +0000

Learn how the Spring Boot team mastered their complex build processes, tackled flaky tests, and significantly improved their build times to enhance developer productivity.

Add Auth to Any App with OAuth2 Proxy

Thu, 14 Jul 2022 00:00:00 +0000

Tutorial: Use OAuth2 Proxy to add auth for you web apps and REST APIs.

Authenticate from the Command Line with Java

Mon, 11 Apr 2022 00:00:00 +0000

Tutorial: Build a Java application with JBang that uses the OAuth 2.0 Device Grant and log in with a code.

Three Ways to Run Your Java Locally with HTTPS

Mon, 31 Jan 2022 00:00:00 +0000

This post describes three different options to get your local Java app running securely with TLS in no time, whether you need it publicly available or not.

Five Anti-Patterns with Secrets in Java

Tue, 14 Dec 2021 00:00:00 +0000

Learn how to better manage and protect your passwords and API keys!

Security.txt: Make Vulnerabilities Easier to Report

Tue, 19 Oct 2021 00:00:00 +0000

We all know that all software has bugs and that security is hard, but somehow we are still surprised when we see new vulnerabilities.

Session Clustering for OAuth 2.0 Applications

Thu, 30 Sep 2021 00:00:00 +0000

A common OAuth 2.0 question we get: “How do I deal with OAuth in a load-balanced application?” The short answer: There’s nothing specific about session clustering for OAuth. The longer answer is—you likely still need to worry about cluster session management. This post will discuss how an OAuth login relates to your application’s session. And we’ll build a simple, secure, load-balanced application to demonstrate.

Spring Native in Action with the Okta Spring Boot Starter

Thu, 16 Sep 2021 00:00:00 +0000

This video is a recording of a live Twitch stream wherein Brian Demers and Matt Raible (from Okta) work with Josh Long (from Spring) to make Okta’s Spring Boot starter work with Spring Native.

"Basic Authentication" in Five Minutes

Tue, 10 Aug 2021 00:00:00 +0000

Learn what “Basic Authentication” is, how it’s used, and what the HTTP Request looks like!

Developers Guide to GPG and YubiKey

Wed, 04 Aug 2021 00:00:00 +0000

Content negotiation allows for an HTTP server to respond to different types of clients. Many modern clients expect a JSON response, but there may be a need to format responses differently, maybe XML for older clients or a binary format for newer ones. Content negotiation is the mechanism used to solve that problem and others, such as dealing with multiple languages and even compressing HTTP requests.

In this post, I’ll walk through building a simple Java MicroProfile application and explain how content negotiation works.

Developers Guide to GPG and YubiKey

Wed, 07 Jul 2021 00:00:00 +0000

Setting up a new YubiKey as a second factor is easy—your browser walks you through the entire process. However, setting up a YubiKey to sign your Git commits and Secure Shell (SSH) authentication is a very different experience. In this post, I’ll walk through configuring a YubiKey and highlight some of the things I’ve learned along the way.

Chocolatey Chat with Rob Reynolds + Okta DevRel

Thu, 11 Mar 2021 00:00:00 +0000

Join the Okta DevRel team as we talk about what’s coming for Chocolatey on Windows, CI/CD, CLI integrations, and more!

Learning the Okta CLI

Thu, 14 Jan 2021 00:00:00 +0000

Brian Demers and Micah Silverman teach Lee Brandt how to use the Okta CLI.

A Beginner's Guide to JWTs

Mon, 21 Dec 2020 00:00:00 +0000

JSON Web Tokens (JWT) are used everywhere (even places they shouldn’t be). This post will cover the basics of what you need to know about JWT and the related specifications in the Javascript Object Signing and Encryption (JOSE) family.

JWT vs Opaque Access Tokens: Use Both With Spring Boot

Fri, 07 Aug 2020 00:00:00 +0000

The topic of validating an OAuth 2.0 access tokens comes up frequently on this blog. Often we talk about how to validate JSON Web Token (JWT) based access tokens; however, this is NOT part of the OAuth 2.0 specification. JWTs are so commonly used that Spring Security supported them before adding support for remotely validating tokens (which is part of the OAuth 2.0 specification.)

In this post, you will build a simple application that takes advantage of both types of validation.

Arm Up Your Java: Performance Benchmarks

Wed, 05 Aug 2020 00:00:00 +0000

Arm processors have been in the news lately, and it’s causing confusion and worries about processor performance for some folks. After Apple announced its plan to switch to Arm-based processors, I heard people (incorrectly!) speculating the performance would be similar to a Raspberry Pi. Java on Arm is nothing new, but we are seeing increased Arm investment from cloud vendors. Amazon recently updated its Arm offerings, and Microsoft is working on porting the JVM to Arm64 for Windows (no doubt for future Azure support).

Introducing JPaseto: Security Tokens For Java

Thu, 23 Jul 2020 00:00:00 +0000

PASETO is a new security token format designed to be easy to use and free from the issues inherent with JSON Web Token (JWT) related specifications. Platform Agnostic SEcurity TOkens (PASETO) is a draft RFC spec created by Scott Arciszewski. PASETO reduces the scope of the JavaScript Object Signing and Encryption (JOSE) family of specs (which JWT is a part of), while still providing the functions that secure applications need.

Migrate From Travis CI to GitHub Actions

Mon, 18 May 2020 00:00:00 +0000

Recently, a colleague pointed out that I was still configuring Travis-CI on new GitHub repos and suggested I used GitHub Actions instead. I had given Actions the ol’ five-minute test when it was still in beta, but ran into a few problems and gave up. After all, I’ve been a fan of Travis-CI for a while and I had enough new things to learn at the time.

Build a Secure Java Application with Apache Shiro and OAuth 2.0

Mon, 11 May 2020 00:00:00 +0000

Apache Shiro is a Java security framework that can perform authentication, authorization, session management, along with a host of other features for building secure applications. In this tutorial, you will build a simple Java REST application using JAX-RS. JAX-RS, like many Java APIs, is a set of interfaces, and you will need to pick an implementation

OpenID Connect Logout Options with Spring Boot

Fri, 27 Mar 2020 00:00:00 +0000

On the Okta blog, we spend much of our time talking about logging in. That is because once you configure your application to log in, the log out just works. But there are a few things you should consider when you’re thinking about your app’s logout configuration. In this post, I’ll walk through examples of the two logout options you have with Spring Security: the “default” session clearing logout, and relying party initiated logout.

A Developer Guide to Reporting Vulnerabilities

Fri, 13 Mar 2020 00:00:00 +0000

Many of us are not familiar with vulnerability reporting and how it is different from reporting a regular bug. Frequently, I’ve seen people report vulnerabilities or potential security issues incorrectly. A public bug tracker or Stack Overflow is NOT the right tool; developers need to handle vulnerabilities differently and should not disclose them until the project/vendor fixes them.

Create and Verify PASETO Tokens in Java

Fri, 14 Feb 2020 00:00:00 +0000

PASETO is the latest trend in security token formats. Its primary goal is to reduce the problems the JSON Web Token (JWT) related specifications introduce. In this post, I’ll give you a brief introduction to PASETO tokens and then jump into an example that creates and parses tokens using in Java using JPaseto.

10 Excellent Ways to Secure Spring Boot Applications

Tue, 04 Feb 2020 00:00:00 +0000

Curious to know best practices for securing your Spring Boot applications? This webinar provides 10 excellent ways to secure your Spring Boot apps with Spring Security and other techniques.

Build a Secure Spring Boot App in Minutes

Tue, 04 Feb 2020 00:00:00 +0000

This screencast walks you through building a secure Spring Boot application in two commands using the Spring Initalizr and the Okta Maven Plugin on the command line!

Five Tools to Improve Your Java Code

Tue, 14 Jan 2020 00:00:00 +0000

This screencast show you five tools to help improve and reduce bugs in your Java code!

Secure Legacy Apps with Spring Cloud Gateway

Wed, 08 Jan 2020 00:00:00 +0000

One of the biggest challenges of adding OAuth 2.0 support to legacy applications is a lack of support in the underlying framework. Maybe it’s homegrown, or maybe it’s just old? Either way, migrating away from an old form-based login doesn’t need to be so painful. In this post, I’ll walk you through a low-code option using Spring Cloud Gateway and Okta.

Five Tools to Improve Your Java Code

Fri, 20 Dec 2019 00:00:00 +0000

Writing quality code takes practice. To write better code, you need to know what should improve. Code quality and what makes code easy to read are very subjective; ask five different developers, you will get six different answers. For this post, I’ll avoid most of the subjective and focus on ways to detect real issues and potential bugs.

Watch GraalVM Turn Your Java Into Binaries

Wed, 27 Nov 2019 00:00:00 +0000

There has been much buzz about GraalVM and what it means for the Java world. GraalVM is a Java distribution from Oracle that adds a bunch of features, most notably a new JIT compiler, polyglot capabilities, an LLVM runtime… and the ability to turn your Java application into a native binary.

This last one offers the potential to distribute Java applications as a single binary, and a few frameworks like Quarkus, Helidon, and Micronaut already take advantage of this feature. Native images also open up the possibility to distribute Java applications as CLI applications, which has recently been the near-exclusive domain of Go and Node. This tutorial will show you how!

The Dangers of Self-Signed Certificates

Wed, 23 Oct 2019 00:00:00 +0000

How many times have you started a new job, and the first thing you see on the company intranet is a “Your connection is not private” error message? Maybe you asked around and were directed to a wiki page. Of course, you probably had to click through the security warnings before actually viewing that page. If you are security-minded, this probably bothers you, but because you have a new job to do, you accept the warning and proceed to jump through the hoops of installing the certificate.

How to Build and Parse JWTs in Java with JJWT

Fri, 11 Oct 2019 00:00:00 +0000

This screencast walks you through creating JWTs with the Java library JJWT.

How to Build a Maven Plugin

Mon, 23 Sep 2019 00:00:00 +0000

Apache Maven is still the most popular build tool in the Java space, thanks to the popularity of its ecosystem of plugins. It’s easy to find an existing plugin to do almost anything your application needs, from ensuring your source files have license headers, to validating binary compatibility between versions. Occasionally though, you need to write a custom plugin to fulfill a requirement in your product.

Make Java Tests Groovy With Hamcrest

Wed, 21 Aug 2019 00:00:00 +0000

My favorite way to test Java code is with Groovy. Specifically, writing tests in Groovy with Hamcrest. In this post, I’ll walk through how to test a simple Spring Boot application with these tools.

Groovy is an optionally typed dynamic language for the JVM, and can be compiled statically. That is a mouthful and I’ll explain this as we go, but for now think of Groovy as Java with lots of sugar.

Joining Okta's Developer Relations team Team

Mon, 19 Aug 2019 00:00:00 +0000

I’m excited to announce that I’ve joined Okta’s Developer Relations team! I’ve been working on Okta’s awesome Developer Experience team for the last couple years so I’m not exactly a new face around here. 😉

Secure Server-to-Server Communication with Spring Boot and OAuth 2.0

Mon, 02 Apr 2018 00:00:00 +0000

Most OAuth 2.0 guides are focused around the context of a user, i.e., login to an application using Google, Github, Okta, etc., then do something on behalf of that user. While useful, these guides ignore server-to-server communication where there is no user and you only have one service connecting to another one.

Hugo to Firebase

Thu, 01 Feb 2018 00:00:00 +0000

Last time I created a simple Hugo based website, this time, we will deploy it. For free! With TLS!

OK, I am making a couple of assumptions here:

You already own a domain name (cheap but not free)
You are hosting your site in a GitHub repo (this is not required, but if you want to follow along, I’m going to use GitHub & Travis-CI)

NOTE: Since writing this I started using Netlify and I’d strongly recommend checking that out!

How to Hugo

Tue, 30 Jan 2018 00:00:00 +0000

I’ve been meaning to work on this site for a while. I even picked up vanity .io and a .wtf domains. Until reciently they just pointed to a GitHub Pages repo. My hand was forced when I had to unexpectedly migrate a small website from one provider elsewhere. Long story, it involves a Nonprofit I’m involved with and needing a cheap/free solution. I figured that process would make for a cool blog post and force me to work on this site.

5 Tips for Building your Java API

Wed, 23 Aug 2017 00:00:00 +0000

Developers use APIs to for everything! You build APIs for your own apps to consume, or as a part of a microservices architecture. Bottom line, you’re building and using APIs to make your life easier. The ongoing effort to simplify development and work more efficiently, sometimes this also means looking for new libraries or processes (or more often less process). For many teams managing authentication and access control for their apps and APIs is more work than it’s worth, or simply not an efficient use of time, so we want to share a few tips that will save you time and code, along with making your applications more secure and easier to maintain.

Protecting a Spring Boot App with Apache Shiro

Thu, 13 Jul 2017 00:00:00 +0000

My favorite thing about Apache Shiro is how easy it makes handling authorization. You can use a role-based access control (RBAC) model of assigning roles to users and then permissions to roles. This makes dealing with the inevitable requirements change simple. Your code does not change, just the permissions associated with the roles. In this post I want to demonstrate just how simple it is, using a Spring Boot application and walking through how I’d handle the following scenario:

Secure your SPA with Spring Boot and OAuth

Thu, 13 Jul 2017 00:00:00 +0000

If you have a JavaScript single-page application (SPA) that needs to securely access resources from a Spring Boot application, you likely want to use the OAuth 2.0 implicit flow! With this flow your client will send a bearer token with each request and your server side application will verify the token with an Identity Provider (IdP). This allows your resource server to trust that your client is authorized to make the request. In OAuth terms your SPA is the client and your Spring Boot application is the Resource Server. For a more detailed explanation on the various OAuth flows take a look at our What the Heck is OAuth post.

Protecting JAX-RS Resources with RBAC and Apache Shiro

Wed, 18 Jan 2017 00:00:00 +0000

Security is probably the most important thing for your application, but it doesn’t have to be the hardest thing. Today I’ll show you how to use Shiro’s wildcard permissions to enable fine grained Role-Based Access Control (RBAC) which makes granting user permissions trivial (a single line). This will also make your application’s security policy more flexible, so when your business rules change (and you know they will) your code does not have to. You can read more about RBAC and Roles vs Permissions here.

JAX-RS vs Spring for REST Endpoints

Mon, 09 Jan 2017 00:00:00 +0000

REST endpoints are used just about everywhere you need to decouple your web service and client. Many developers have used Spring or JAX-RS for this purpose. Some have used one but not the other, in this post I’ll go over the the differences between the two using basically the same code. In future posts I’ll show you how easy it is to secure these REST endpoints using Apache Shiro and Stormpath. If you cannot wait until then, you can check out these examples right now.

String Interpolation with Apache Shiro

Thu, 17 Nov 2016 00:00:00 +0000

I am happy to announce the the 0.8.0-RC1 release of our Stormpath-Shiro integration. This release builds on top of the recent Apache Shiro 1.4.0-RC2 release.

The 1.4.0 Apache Shiro release adds a handful of great features:

Apache Shiro Stormpath Integration 0.7.1 Released

Thu, 22 Sep 2016 00:00:00 +0000

Welcome to the new Apache Shiro Stormpath integration! This new release features a servlet plugin, plus deeper support for Spring and Spring Boot. Until now, we have only had a basic Apache Shiro realm for Stormpath. While sufficient, this basic realm never granted access to the full suite of Stormpath services. Today, that changed!

Tutorial: Apache Shiro EventBus

Thu, 04 Aug 2016 00:00:00 +0000

Last week we released Apache Shiro 1.3, and I shared a tutorial on the new Hazelcast support. Today, I’d like to introduce you to the new EventBus system and show you a couple different ways to use it. Shiro’s EventBus is implemented very similar to Guava’s EventBus, if you are already familiar with that, you already know how to use it.

Apache Shiro 1.3 Released

Mon, 27 Jun 2016 00:00:00 +0000

The Apache Shiro team is proud to announce the 1.3.0 release. This is the first feature release in a few years, and we’re really excited about it.

Hazelcast Support in Apache Shiro

Mon, 27 Jun 2016 00:00:00 +0000

Nexus Tips: Disable Redeployment in Nexus

Wed, 02 Nov 2011 00:00:00 +0000

It’s a fundamental tenet of Maven that release artifacts never change once they are released. This is enforced in Maven by the fact that once a release artifact or POM is located in the local repository, Maven will never check for an updated artifact in a remote repository. Once an artifact is released, it is considered a static, unchanging artifact. If you release an artifact and then subsequently change it (intentionally or otherwise), you’re in for some fun as people will have different versions based on when they first retrieved it… that’s a situation not exactly conducive to a repeatable, standard build. This blog post discusses a feature in Nexus 1.4 which can enforce this rule and help you avoid problems caused by the redeployment of release artifacts.

Goodbye SVN, Hello Git

Fri, 29 Apr 2011 00:00:00 +0000

A migration story from Subversion to Git.

Plexus Container Five Minute Tutorial

Thu, 21 May 2009 00:00:00 +0000

The goal of this blog is to show an updated and more involved example then what is currently located on the plexus site. This will cover creating a couple of components and explain the different ways to inject your dependencies. This example assumes you are using maven 2 to make your life easier.

Using Staging Repositories for Deployment in Nexus

Thu, 21 May 2009 00:00:00 +0000

For a number of reasons you might want to require your developers to use a staging repository. Staged software releases in Nexus Professional are the best way to enable your development team to push a release to an artifact repository such as Nexus while providing management and quality assurance with a way to test and approve a release before “burning” it to production. If you want to learn how to make a staged release, you can watch this video. or read the remainder of this blog post.