These instructions show how to create native images with Micronaut, Quarkus, Spring Boot, and Helidon. You’ll learn how to run a secure, OAuth 2.0-protected, Java REST API that allows JWT authentication.
Prerequisites:
-
SDKMAN (for Java 21 with GraalVM)
-
HTTPie (a better version of cURL)
-
A free Auth0 account and the Auth0 CLI
Tip
|
The brackets at the end of some steps indicate the IntelliJ Live Templates to use. You can find the template definitions at mraible/idea-live-templates. |
Use SDKMAN to install Java 21 with GraalVM
sdk install java 21.0.2-graalce
-
Install the Auth0 CLI and run
auth0 login
to connect it to your account. -
Create an access token using Auth0’s CLI:
auth0 test token -a https://<your-auth0-domain>/api/v2/ -s openid
-
Set the access token as a
TOKEN
environment variable in a terminal window.TOKEN=eyJraWQiOiJYa2pXdjMzTDRBYU1ZSzNGM...
-
Use SDKMAN to install Micronaut’s CLI and create an app:
sdk install micronaut mn create-app com.example.rest.app -f security-jwt -f micronaut-aot mv app micronaut
-
Create
controller/HelloController.java
: [mn-hello
]package com.example.rest.controller; import io.micronaut.http.MediaType; import io.micronaut.http.annotation.Controller; import io.micronaut.http.annotation.Get; import io.micronaut.http.annotation.Produces; import io.micronaut.security.annotation.Secured; import io.micronaut.security.rules.SecurityRule; import java.security.Principal; @Controller("/hello") public class HelloController { @Get @Secured(SecurityRule.IS_AUTHENTICATED) @Produces(MediaType.TEXT_PLAIN) public String hello(Principal principal) { return "Hello, " + principal.getName() + "!"; } }
-
Enable and configure JWT security in
src/main/resources/application.properties
: [mn-security-config
]micronaut.security.token.jwt.signatures.jwks.okta.url=https://<your-auth0-domain>/.well-known/jwks.json
-
Start your app:
./gradlew run
-
Use HTTPie to pass the JWT in as a bearer token in the
Authorization
header:http :8080/hello Authorization:"Bearer $TOKEN"
You should get a 200 response with your user id in it.
-
Compile your Micronaut app into a native binary:
./gradlew nativeCompile
-
Start your Micronaut app:
./build/native/nativeCompile/app
-
Test it with HTTPie and an access token. You may have to generate a new JWT if yours has expired.
http :8080/hello Authorization:"Bearer $TOKEN"
-
Use SDKMAN to install the Quarkus CLI and create a new app with JWT support:
sdk install quarkus quarkus create app com.example.rest:quarkus \ --extension="smallrye-jwt,rest" \ --gradle
-
Rename
HelloResource.java
toHelloResource.java
and add user information to thehello()
method: [qk-hello
]package com.example.rest; import io.quarkus.security.Authenticated; import jakarta.ws.rs.GET; import jakarta.ws.rs.Path; import jakarta.ws.rs.Produces; import jakarta.ws.rs.core.Context; import jakarta.ws.rs.core.MediaType; import jakarta.ws.rs.core.SecurityContext; import java.security.Principal; @Path("/hello") public class HelloResource { @GET @Authenticated @Produces(MediaType.TEXT_PLAIN) public String hello(@Context SecurityContext context) { Principal userPrincipal = context.getUserPrincipal(); return "Hello, " + userPrincipal.getName() + "!"; } }
-
Add your Auth0 endpoints to
src/main/resources/application.properties
: [qk-properties
]mp.jwt.verify.issuer=https://<your-auth0-domain>/ mp.jwt.verify.publickey.location=${mp.jwt.verify.issuer}.well-known/jwks.json
-
Rename
GreetingResourceTest
toHelloResourceTest
and modify it to expect a 401 instead of a 200:package com.example.rest; import io.quarkus.test.junit.QuarkusTest; import org.junit.jupiter.api.Test; import static io.restassured.RestAssured.given; @QuarkusTest public class HelloResourceTest { @Test public void testHelloEndpoint() { given() .when().get("/hello") .then() .statusCode(401); } }
-
Run your Quarkus app:
quarkus dev # or use Gradle: ./gradlew --console=plain quarkusDev
-
Test it from another terminal:
http :8080/hello
-
Test with access token:
http :8080/hello Authorization:"Bearer $TOKEN"
-
Compile your Quarkus app into a native binary:
quarkus build --native # Gradle: ./gradlew build -Dquarkus.package.type=native
-
Start your Quarkus app:
./build/quarkus-1.0.0-SNAPSHOT-runner
-
Test it with HTTPie and an access token:
http :8080/hello Authorization:"Bearer $TOKEN"
-
Use SDKMAN to install the Spring Boot CLI. Then, create a Spring Boot app with OAuth 2.0 support:
sdk install springboot spring init -d=web,oauth2-resource-server,native \ --group-id=com.example.rest --package-name=com.example.rest spring-boot
-
Add a
HelloController
class that returns the user’s information: [sb-hello
]package com.example.rest.controller; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; import java.security.Principal; @RestController public class HelloController { @GetMapping("/hello") public String hello(Principal principal) { return "Hello, " + principal.getName() + "!"; } }
-
Configure the app to be an OAuth 2.0 resource server by adding the issuer to
application.properties
.spring.security.oauth2.resourceserver.jwt.issuer-uri=https://<your-auth0-domain>/
-
Start your app from your IDE or using a terminal:
./gradlew bootRun
-
Test your API with an access token.
http :8080/hello Authorization:"Bearer $TOKEN"
-
Compile your Spring Boot app into a native executable:
./gradlew nativeCompile
TipTo build a native app and a Docker container, use the Spring Boot Gradle plugin and ./gradlew bootBuildImage
. -
Start your Spring Boot app:
./build/native/nativeCompile/spring-boot
-
Test your API with an access token.
http :8080/hello Authorization:"Bearer $TOKEN"
-
Use SDKMAN to install the Helidon CLI. Then, create a Helidon app:
sdk install helidon helidon init --flavor MP --groupid com.example.rest \ --artifactid helidon --package com.example.rest --batch
TipSee Migrating a Helidon SE application to Gradle for Gradle support. -
Delete the default Java classes created by the Helidon CLI:
-
On Windows:
del /s *.java
-
On Mac/Linux:
find . -name '*.java' -delete
-
-
Add MicroProfile JWT support in
pom.xml
:<dependency> <groupId>io.helidon.microprofile.jwt</groupId> <artifactId>helidon-microprofile-jwt-auth</artifactId> </dependency>
-
Add a
HelloResource
class that returns the user’s information: [h-hello
]package com.example.rest.controller; import io.helidon.security.Principal; import io.helidon.security.annotations.Authenticated; import jakarta.ws.rs.GET; import jakarta.ws.rs.Path; import jakarta.ws.rs.core.Context; @Path("/hello") public class HelloResource { @Authenticated @GET public String hello(@Context SecurityContext context) { return "Hello, " + context.userName() + "!"; } }
-
Add a
HelloApplication
class insrc/main/java/com/example/rest
to register your resource and configure JWT authentication: [h-app
]package com.example.rest; import com.example.rest.controller.HelloResource; import org.eclipse.microprofile.auth.LoginConfig; import jakarta.enterprise.context.ApplicationScoped; import jakarta.ws.rs.core.Application; import java.util.Set; @LoginConfig(authMethod = "MP-JWT") @ApplicationScoped public class HelloApplication extends Application { @Override public Set<Class<?>> getClasses() { return Set.of(HelloResource.class); } }
-
Add your Auth0 endpoints to
src/main/resources/META-INF/microprofile-config.properties
.mp.jwt.verify.issuer=https://<your-auth0-domain>/ mp.jwt.verify.publickey.location=${mp.jwt.verify.issuer}.well-known/jwks.json
-
Start your app from your IDE or using a terminal:
helidon dev
-
Test your API with an access token.
http :8080/hello Authorization:"Bearer $TOKEN"
-
Run each image three times before recording the numbers, then each command five times.
TipUse the start.sh
script to get the real time, not what each framework prints to the console. -
Write each time down, add them up, and divide by five for the average. For example:
Micronaut: (27 + 26 + 26 + 26 + 25) / 5 = 26 Quarkus: (17 + 17 + 16 + 17 + 17) / 5 = 16.8 Spring Boot: (38 + 37 + 37 + 36 + 36) / 5 = 36.8 Helidon: (29 + 31 + 31 + 30 + 31) / 5 = 30.4
Printed duration:
Micronaut: (9 + 8 + 8 + 8 + 8) / 5 = 8.2 Quarkus: (9 + 9 + 9 + 9 + 9) / 5 = 9 Spring Boot: (27 + 26 + 25 + 25 + 25) / 5 = 25.6 Helidon: (24 + 23 + 23 + 23 + 23) / 5 = 23.2
Framework | Command executed | Milliseconds to start |
---|---|---|
Micronaut |
|
26 |
Quarkus |
|
16.8 |
Spring Boot |
|
36.8 |
Helidon |
|
30.4 |
Note
|
These numbers are from an Apple M3 Max with 64 GB RAM. |
Test the memory usage in MB of each app using the command below. Make sure to send an HTTP request to each one before measuring.
ps -o pid,rss,command | grep --color <executable> | awk '{$2=int($2/1024)"M";}{ print;}'
Substitute <executable>
as follows:
Framework | Executable | MB after startup | MB after 1 request | MB after 10K requests |
---|---|---|---|---|
Micronaut |
|
53 |
63 |
105 |
Quarkus |
|
37 |
48 |
71 |
Spring Boot |
|
77 |
87 |
109 |
Helidon |
|
82 |
92 |
69 |
./build.sh ./start.sh micronaut|quarkus|spring-boot|helidon ./memory.sh $TOKEN micronaut|quarkus|spring-boot|helidon ./start-docker.sh mraible/<framework>
Micronaut and Helidon support virtual threads by default.
Quarkus requires you add a @RunOnVirtualThread
annotation.
import io.quarkus.security.Authenticated;
+import io.smallrye.common.annotation.RunOnVirtualThread;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
@@ -18,6 +19,7 @@ public class HelloResource {
@Path("/")
@Authenticated
@Produces(MediaType.TEXT_PLAIN)
+ @RunOnVirtualThread
public String hello(@Context SecurityContext context) {
Principal userPrincipal = context.getUserPrincipal();
return "Hello, " + userPrincipal.getName() + "!";
Spring Boot requires a spring.threads.virtual.enabled=true
property.
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://mraible.us.auth0.com/
+spring.threads.virtual.enabled=true