{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,9]],"date-time":"2026-06-09T15:53:28Z","timestamp":1781020408372,"version":"3.54.1"},"reference-count":51,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2022,2,22]],"date-time":"2022-02-22T00:00:00Z","timestamp":1645488000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>In this study, we implemented an integrated security solution with Spring Security and Keycloak open-access platform (SSK) to secure data collection and exchange over microservice architecture application programming interfaces (APIs). The adopted solution implemented the following security features: open authorization, multi-factor authentication, identity brokering, and user management to safeguard microservice APIs. Then, we extended the security solution with a virtual private network (VPN), Blowfish and crypt (Bcrypt) hash, encryption method, API key, network firewall, and secure socket layer (SSL) to build up a digital infrastructure. To accomplish and describe the adopted SSK solution, we utilized a web engineering security method. As a case study, we designed and developed an electronic health coaching (eCoach) prototype system and hosted the system in the expanded digital secure infrastructure to collect and exchange personal health data over microservice APIs. We further described our adopted security solution\u2019s procedural, technical, and practical considerations. We validated our SSK solution implementation by theoretical evaluation and experimental testing. We have compared the test outcomes with related studies qualitatively to determine the efficacy of the hybrid security solution in digital infrastructure. The SSK implementation and configuration in the eCoach prototype system has effectively secured its microservice APIs from an attack in all the considered scenarios with 100% accuracy. The developed digital infrastructure with SSK solution efficiently sustained a load of (\u2248)300 concurrent users. In addition, we have performed a qualitative comparison among the following security solutions: Spring-based security, Keycloak-based security, and their combination (our utilized hybrid security solution), where SSK showed a promising outcome.<\/jats:p>","DOI":"10.3390\/s22051703","type":"journal-article","created":{"date-parts":[[2022,2,22]],"date-time":"2022-02-22T22:35:00Z","timestamp":1645569300000},"page":"1703","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":34,"title":["Applying Spring Security Framework with KeyCloak-Based OAuth2 to Protect Microservice Architecture APIs: A Case Study"],"prefix":"10.3390","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0407-7702","authenticated-orcid":false,"given":"Ayan","family":"Chatterjee","sequence":"first","affiliation":[{"name":"Department of Information and Communication Technology, Centre for e-Health, University of Agder, 4630 Kristiansand, Norway"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0646-2877","authenticated-orcid":false,"given":"Andreas","family":"Prinz","sequence":"additional","affiliation":[{"name":"Department of Information and Communication Technology, Centre for e-Health, University of Agder, 4630 Kristiansand, Norway"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2022,2,22]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"e186","DOI":"10.2196\/jmir.2494","article-title":"Analysis of the security and privacy requirements of cloud-based electronic health records systems","volume":"15","author":"Rodrigues","year":"2013","journal-title":"J. Med. Internet Res."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"e61","DOI":"10.2196\/jmir.1468","article-title":"Security considerations for e-mental health interventions","volume":"12","author":"Bennett","year":"2010","journal-title":"J. Med. Internet Res."},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"2180","DOI":"10.1109\/TII.2014.2307795","article-title":"A health-IoT platform based on the integration of intelligent packaging, unobtrusive bio-sensor, and intelligent medicine box","volume":"10","author":"Yang","year":"2014","journal-title":"IEEE Trans. Ind. Inform."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"1368","DOI":"10.1109\/JSEN.2015.2502401","article-title":"BSN-Care: A secure IoT-based modern healthcare system using body sensor network","volume":"16","author":"Gope","year":"2015","journal-title":"IEEE Sens. J."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"3019","DOI":"10.1007\/s10916-011-9779-x","article-title":"Advances and current state of the security and privacy in electronic health records: Survey from a social perspective","volume":"36","author":"Tejero","year":"2012","journal-title":"J. Med. Syst."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Papoutsi, C., Reed, J.E., Marston, C., Lewis, R., Majeed, A., and Bell, D. (2015). Patient and public views about the security and privacy of Electronic Health Records (EHRs) in the UK: Results from a mixed methods study. BMC Med. Inform. Decis. Mak., 15.","DOI":"10.1186\/s12911-015-0202-2"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"93","DOI":"10.1007\/s10916-010-9449-4","article-title":"Security and privacy issues in wireless sensor networks for healthcare applications","volume":"36","author":"Liu","year":"2012","journal-title":"J. Med. Syst."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"3649","DOI":"10.1007\/s10916-012-9839-x","article-title":"An authentication scheme to healthcare security under wireless sensor networks","volume":"36","author":"Hsiao","year":"2012","journal-title":"J. Med. Syst."},{"key":"ref_9","first-page":"1043","article-title":"Meaningful Healthcare Security: Does \u201cMeaningful-Use\u201d Attestation Improve Information Security Performance?","volume":"42","author":"Kwon","year":"2018","journal-title":"MIS Q."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1186\/s40537-017-0110-7","article-title":"Big healthcare data: Preserving security and privacy","volume":"5","author":"Abouelmehdi","year":"2018","journal-title":"J. Big Data"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"5978636","DOI":"10.1155\/2018\/5978636","article-title":"Security and privacy in the medical internet of things: A review","volume":"2018","author":"Sun","year":"2018","journal-title":"Secur. Commun. Netw."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"127","DOI":"10.1007\/s10916-017-0778-4","article-title":"Security techniques for the electronic health records","volume":"41","author":"Kruse","year":"2017","journal-title":"J. Med. Syst."},{"key":"ref_13","first-page":"277","article-title":"Microservices API security","volume":"7","author":"Salibindla","year":"2018","journal-title":"Int. J. Eng. Res. Technol."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Xie, L., Han, L., Li, M.H., and Dong, X.L. (2017, January 20\u201322). Design and implement of spring security-based T-RBAC. Proceedings of the 2017 International Conference on Wireless Communications, Networking and Applications, Shenzhen, China.","DOI":"10.1145\/3180496.3180629"},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"257","DOI":"10.17706\/jsw.14.6.257-264","article-title":"Applying Spring Security Framework and OAuth2 To Protect Microservice Architecture API","volume":"14","author":"Nguyen","year":"2019","journal-title":"J. Softw."},{"key":"ref_16","unstructured":"Dikanski, A., Steinegger, R., and Abeck, S. (2012, January 19\u201324). Identification and implementation of authentication and authorization patterns in the spring security framework. Proceedings of the Sixth International Conference on Emerging Security Information, Systems and Technologies (SECURWARE), Rome, Italy."},{"key":"ref_17","first-page":"64","article-title":"Secure iot resources with access control over restful web services","volume":"6","author":"Aloufi","year":"2020","journal-title":"Jordan J. Electr. Eng."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"111","DOI":"10.1007\/s11761-017-0221-1","article-title":"Adaptive security architecture for protecting RESTful web services in enterprise computing environment","volume":"12","author":"Beer","year":"2018","journal-title":"Serv. Oriented Comput. Appl."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Serme, G., de Oliveira, A.S., Massiera, J., and Roudier, Y. (2012, January 24\u201329). Enabling message security for RESTful services. Proceedings of the 2012 IEEE 19th International Conference on Web Services, Honolulu, HI, USA.","DOI":"10.1109\/ICWS.2012.94"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"de Backere, F., Hanssens, B., Heynssens, R., Houthooft, R., Zuliani, A., Verstichel, S., and de Turck, F. (2014, January 5\u20139). Design of a security mechanism for RESTful Web Service communication through mobile clients. Proceedings of the 2014 IEEE Network Operations and Management Symposium (NOMS), Krakow, Poland.","DOI":"10.1109\/NOMS.2014.6838308"},{"key":"ref_21","unstructured":"Mularien, P. (2010). Spring Security 3, Packt Publishing."},{"key":"ref_22","unstructured":"Sanders, C. (2017). Practical Packet Analysis: Using Wireshark to Solve Real-World Network Problems, No Starch Press."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"e23533","DOI":"10.2196\/23533","article-title":"Human Coaching Methodologies for Automatic Electronic Coaching (eCoaching) as Behavioral Interventions with Information and Communication Technology: Systematic Review","volume":"23","author":"Chatterjee","year":"2021","journal-title":"J. Med. Internet Res."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"e24656","DOI":"10.2196\/24656","article-title":"An Automatic Ontology-Based Approach to Support Logical Representation of Observable and Measurable Data for Healthy Lifestyle Management: Proof-of-Concept Study","volume":"23","author":"Chatterjee","year":"2021","journal-title":"J. Med. Internet Res."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Chatterjee, A., Gerdes, M.W., and Martinez, S. (2019, January 21\u201323). eHealth Initiatives for The Promotion of Healthy Lifestyle and Allied Implementation Difficulties. Proceedings of the 2019 IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Barcelona, Spain.","DOI":"10.1109\/WiMOB.2019.8923324"},{"key":"ref_26","unstructured":"Chatterjee, A., Gerdes, M., Prinz, A., Martinez, S., and Medin, A.C. (2020, January 21\u201325). Reference Design Model for a Smart e-Coach Recommendation System for Lifestyle Support based on ICT Technologies. Proceedings of the Twelfth International Conference on eHealth, Telemedicine, and Social Medicine (eTELEMED), Valencia, Spain."},{"key":"ref_27","unstructured":"(2021, December 27). Keycloak Server Administration. Available online: https:\/\/www.keycloak.org\/docs\/latest\/server_admin\/."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Recordon, D., and Reed, D. (2006, January 3). OpenID 2.0: A platform for user-centric identity management. Proceedings of the Second ACM Workshop on Digital Identity Management, Alexandria, VA, USA.","DOI":"10.1145\/1179529.1179532"},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"710","DOI":"10.1016\/j.procs.2015.07.458","article-title":"Vulnerability assessment & penetration testing as a cyber defence technology","volume":"57","author":"Goel","year":"2015","journal-title":"Procedia Comput. Sci."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"100415","DOI":"10.1016\/j.cosrev.2021.100415","article-title":"Securing microservices and microservice architectures: A systematic mapping study","volume":"41","author":"Hannousse","year":"2021","journal-title":"Comput. Sci. Rev."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Hussain, F., Li, W., Noye, B., Sharieh, S., and Ferworn, A. (2019, January 17\u201319). Intelligent service mesh framework for api security and management. Proceedings of the 2019 IEEE 10th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), Vancouver, BC, Canada.","DOI":"10.1109\/IEMCON.2019.8936216"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1109\/MITP.2018.2876987","article-title":"Securing microservices","volume":"21","author":"Nehme","year":"2019","journal-title":"IT Prof."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Pahl, M.O., and Donini, L. (2018, January 23\u201327). April. Securing IoT microservices with certificates. Proceedings of the NOMS 2018-2018 IEEE\/IFIP Network Operations and Management Symposium, Taipei, Taiwan.","DOI":"10.1109\/NOMS.2018.8406189"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"1225","DOI":"10.1016\/j.procs.2021.01.320","article-title":"Security in Microservices Architectures","volume":"181","author":"Ferreira","year":"2021","journal-title":"Procedia Comput. Sci."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Pereira-Vale, A., M\u00e1rquez, G., Astudillo, H., and Fernandez, E.B. (October, January 30). Security mechanisms used in microservices-based systems: A systematic mapping. Proceedings of the 2019 XLV Latin American Computing Conference (CLEI), Panama City, Panama.","DOI":"10.1109\/CLEI47609.2019.235060"},{"key":"ref_36","unstructured":"(2021, December 27). Building Secure Microservices-Based Applications Using Service-Mesh Architecture, Available online: https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-204A.pdf."},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Alshuqayran, N., Ali, N., and Evans, R. (2016, January 4\u20136). A systematic mapping study in microservice architecture. Proceedings of the 9th International Conference on Service-Oriented Computing and Applications (SOCA), Macau, China.","DOI":"10.1109\/SOCA.2016.15"},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"259","DOI":"10.1089\/tmj.2014.0097","article-title":"Concurrent validity of the MOX activity monitor compared to the ActiGraph GT3X","volume":"21","author":"Essers","year":"2015","journal-title":"Telemed. e-Health"},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1016\/S1353-4858(11)70026-5","article-title":"A web engineering security methodology for e-learning systems","volume":"2011","author":"Aljawarneh","year":"2011","journal-title":"Netw. Secur."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Ismail, A.A., Hamza, H.S., and Kotb, A.M. (2018, January 5\u20137). Performance evaluation of open source iot platforms. Proceedings of the 2018 IEEE Global Conference on Internet of Things (GCIoT), Alexandria, Egypt.","DOI":"10.1109\/GCIoT.2018.8620130"},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"108047","DOI":"10.1016\/j.comnet.2021.108047","article-title":"Software defined networking architecture, traffic management, security, and placement: A survey","volume":"192","author":"Priyadarsini","year":"2021","journal-title":"Comput. Netw."},{"key":"ref_42","doi-asserted-by":"crossref","first-page":"052021","DOI":"10.1088\/1742-6596\/664\/5\/052021","article-title":"Modular and scalable RESTful API to sustain STAR collaboration\u2019s record keeping","volume":"664","author":"Arkhipkin","year":"2015","journal-title":"J. Phys. Conf. Ser."},{"key":"ref_43","unstructured":"(2021, December 27). JWT Web Token. Available online: https:\/\/jwt.io\/."},{"key":"ref_44","unstructured":"(2021, December 27). Java Passay. Available online: https:\/\/www.baeldung.com\/java-passay."},{"key":"ref_45","unstructured":"Provos, N., and Mazieres, D. (2021, December 27). Bcrypt Algorithm. USENIX. Available online: https:\/\/www.usenix.org\/legacy\/publications\/library\/proceedings\/usenix99\/full_papers\/provos\/provos_html\/node5.html."},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Khatiwada, P., Bhusal, H., Chatterjee, A., and Gerdes, M.W. (2020, January 12\u201314). A Proposed Access Control-Based Privacy Preservation Model to Share Healthcare Data in Cloud. Proceedings of the 2020 16th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Thessaloniki, Greece.","DOI":"10.1109\/WiMob50308.2020.9253414"},{"key":"ref_47","unstructured":"Tanenbaum, A.S. (1996). Computer Networks, Prentice-Hall International Editions."},{"key":"ref_48","unstructured":"Acharya, S. (2014). Mastering Unit Testing Using Mockito and JUnit, Packt Publishing Ltd."},{"key":"ref_49","unstructured":"Arnold, K., Gosling, J., and Holmes, D. (2005). The Java Programming Language, Addison Wesley Professional."},{"key":"ref_50","unstructured":"(2021, December 27). GDPR Checklist for Data Controllers. Available online: https:\/\/gdpr.eu\/checklist\/."},{"key":"ref_51","doi-asserted-by":"crossref","first-page":"81","DOI":"10.1109\/MITP.2020.2973852","article-title":"Enterprise API security and GDPR compliance: Design and implementation perspective","volume":"22","author":"Hussain","year":"2020","journal-title":"IT Prof."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/5\/1703\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T22:24:44Z","timestamp":1760135084000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/22\/5\/1703"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,2,22]]},"references-count":51,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2022,3]]}},"alternative-id":["s22051703"],"URL":"https:\/\/doi.org\/10.3390\/s22051703","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,2,22]]}}}