Glen Mazza's Weblog Friday December 01, 2023


Posted by Glen Mazza in Salesforce CRM at 07:13PM Dec 01, 2023 | Comments[0] Monday November 06, 2023

Java Client for Adobe Marketo

I created a Spring OAuth2-based Marketo client, located in my blog-samples project on Github. Its format follows clients I had created previously for Salesforce CRM and Domo. While only a relatively small subset of the Marketo API is covered, the client covers some of its most important functionality, including:

  1. Lead maintenance, including querying, creating, updating, and deleting leads

  2. Activities - limited, just querying activity types supported

  3. Bulk Extracts - creating, enqueuing, polling, and downloading CSVs, both for leads and activities. Note there is a marketo.max.response.size.mb property used in the client's MarketoOAuth2Config class that can be increased beyond its default 2MB for larger downloads.

Should additional functionality be needed it should be reasonably straightforward to expand the client.

The functionality is well-tested by means of the integration tests provided in the project, which also serve as examples of how to work with the client. Note also the configuration instructions given in its properties file, needed for projects using this client.

Posted by Glen Mazza in Programming at 02:00AM Nov 06, 2023 | Tags:  marketo | Comments[0] Monday August 07, 2023

Java Client for Domo

At work we use Domo for analysis of customer behavior. We had a need to query data stored in Domo DataSets, which are its rough equivalent to database tables. While Domo offers their own Java SDK, it hasn't been updated lately, and so I thought it better to create my own client, leveraging what I had done earlier for a Salesforce CRM client, with its Spring OAuth client support. Note the client currently supports just DataSets. Domo offers several other APIs which the client can probably be expanded to support without too much difficulty, leveraging what the DataSets calls do.

The Java client is available in my blog-samples GitHub project. Steps to use:

  1. Follow the Domo documentation to create a client ID and secret, and also to create an access token. In both cases, just the "data" scope is needed. The access token will not be used by the Java client, but will be used next to test permissions.

  2. Confirm the client credentials have the permissions necessary to access the desired DataSets. Use the access token to list the DataSets you have access to and then query one or more. The list call will give you the DataSet ID needed for the subsequent query. If you cannot see the desired DataSet in the list call, or if the query is not returning the DataSet's rows, your account's permissions may need to be adjusted before proceeding further.

  3. Confirm the Java client can work with those credentials. Configure the RestServicesTest in the client's integration tests with your desired DataSet ID and update the query supplied to the DataSetQueryRequest object with actual column names from that DataSet. Also, follow the instructions in the resources/ file for adding your client credentials, making sure of course not accidentally move those to a public source control.

  4. Once all is configured, run the test class from either from your IDE debugger or from the command-line (./gradlew clean build integrationTest) to ensure connectivity working.

  5. The included integration test mostly queries the returned metadata as querying specific data would be dependent on the DataSet that you plugged in. By running the test in an IDE debugger you can see the actual data returned, but a sample format is already given as a comment in the client's DataSetQueryResponse. Note the returned data, given as the List<List<String>> rows in this class, shows that all data is returned as strings and must be queried via row and column to retrieve:

    // for each row of DataSet
    for (List<String> row : response.getRows()) {
        // query the row's columns, converting to different types as desired
        String col1 = row.get(0);
        int col2 = Integer.parseInt(row.get(1));

    Note the columns are ordered as they were in the query given in the DataSetQueryRequest.

  6. Notes

    1. Client credentials appear to be specific to the user creating them, and are hence limited to the DataSet access permissions that user has. Should the user lose access, another set of client credentials will need to be created.

    2. Domo does not appear to have any direct support for pagination. If you have a very large DataSet, adding a column with an incrementing number, and using the column in a WHERE clause, may be the best option.

    3. Another option for downloading large datasets, if your deployment has the memory available, there is also a domo.max.response.size.mb property used in the client's DomoOAuth2Config class that can be adjusted.

Posted by Glen Mazza in Programming at 03:00AM Aug 07, 2023 | Tags:  domo | Comments[0] Saturday May 20, 2023

Using Micrometer to send custom metrics to Datadog

This entry provides a simple example of using Spring Shell (within Spring Boot) and Micrometer to send custom metrics to Datadog. For a fuller example with Docker and the Datadog Agent, I recommend Datadog Learning Center's free Datadog 101: Developer course. This course will also provide you a free two-week training Datadog account which you can use to receive custom metrics for this example, useful if you don't care to test against your company account. Note custom metrics ordinarily carry billing costs, requiring a paid Datadog account.

Spring Boot already provides numerous web metrics in several areas that can be sent to Datadog without explicit need to capture them. The jvm.* properties, for example, are readable in Datadog's Metrics Explorer, filtering by statistic:value for this example in the "from" field. For custom metrics, we'll have the Spring Shell app commands modify a Timer and a Gauge.

  1. Create the Spring Shell application. From Spring Initializr, choose a Java JAR app with Spring Shell and Datadog as dependencies. For some reason I needed to choose the Spring Boot 2.7.x series for an app to download. Prior to running the demo in your IDE (I use IntelliJ), the management.metrics.export.datadog.apiKey=... value needs to be added to the main/resources/ file. Your API key can be determined by logging into Datadog, and from the bottom of the left-side menu, click on your name, then Organization Settings, then Access, the API Keys.

  2. Create the shell commands to add to the timer and gauge values:

    package com.example.demo;
    import io.micrometer.core.instrument.MeterRegistry;
    import io.micrometer.core.instrument.Tags;
    import io.micrometer.core.instrument.Timer;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.concurrent.TimeUnit;
    public class MyCommands {
        private final Timer timer;
        private final List<Integer> integerList;
        public MyCommands(MeterRegistry registry) {
            timer = registry.timer("demoapp.timer", Tags.empty());
            integerList = registry.gauge("demoapp.listsize", Tags.empty(), new ArrayList<>(), List::size);
        @ShellMethod("Note a timer event of given duration in seconds")
        public String timer(int seconds) {
            timer.record(seconds, TimeUnit.SECONDS);
            return "Timer event noted";
        @ShellMethod("Add an element to list")
        public String listAdd() {
            return "List has " + integerList.size() + " elements";
        @ShellMethod("Remove an element from list (if possible)")
        public String listRemove() {
            if (integerList.size() > 0) {
                integerList.remove(integerList.size() - 1);
            return "List has " + integerList.size() + " elements";

    For the above we're keeping a gauge on the size of the list, and for the timer, we provide the number of seconds that an arbitrary event took.

  3. Run the application and enter several timer #secs, list-add, and list-remove commands. Run -> Run Application from the IntelliJ menu should work fine to enter the commands in the IDE's Console view. To keep the connection with Datadog, keep the command-line app running, even if you're not entering commands. After 2 or 3 minutes, check Datadog's Metrics Explorer to confirm that the demoapp.timer and demoapp.listsize metrics are getting received:


    A dashboard can be created to show both properties at once (with separate average time and counts given for the Timer):



Posted by Glen Mazza in Programming at 03:00AM May 20, 2023 | Tags:  datadog | Comments[0] Sunday May 14, 2023

Using MySQL testcontainers with Spring Boot and Flyway

For a Spring Boot application accessing a Flyway-managed MySQL database, I updated its integration tests from using in-memory HSQLDB to Testcontainers' MySQL module. This was both to have testing be done on a database more closely matching deployment environments and also to have various tables pre-populated with standard data provided by our Flyway migration scripts. I'm happy to report that the cost of these benefits was only a slight increase in test running time (perhaps 10-15% more time), and that despite there being 170 Flyway migrations at that time of the conversion.

It is best to use Testcontainers when starting to develop the application, so any hiccups found in a Flyway migration file can be fixed before that migration file becomes final. Switching to testcontainers after-the-fact uncovered problems with some of our migration scripts requiring additional configuration of the MySQL testcontainer. The main problems were unnecessary explicit specification of the schema name in the scripts, and a suboptimal definition of a table that required explicit_defaults_for_timestamp to be configured in MySQL. This configuration was in our deployment my.cnf files but not in the default one used by the MySQL testcontainer.

Solving the first issue involved explicit specification of the username, password, and database name when creating the Testcontainers instance. Initializing the MySQL container just once for all integration tests is sufficient for our particular application, so TC's Manual container lifecycle control which uses Java configuration was used:

public class MyAppIntegrationTest {

    private static final MySQLContainer MY_SQL_CONTAINER;

    static {
        MY_SQL_CONTAINER = new MySQLContainer("mysql:5.7")

    public static void containersProperties(DynamicPropertyRegistry registry) {
        registry.add("spring.datasource.username", MY_SQL_CONTAINER::getUsername);
        registry.add("spring.datasource.password", MY_SQL_CONTAINER::getPassword);
        registry.add("spring.datasource.url", MY_SQL_CONTAINER::getJdbcUrl);

The containersProperties call dynamically populates the given Spring boot config values with those provided from the MySQL testcontainer. Note the spring.datasource.url will be a "regular" MySQL URL, i.e., Spring Boot and Flyway are unaware that the database is a Testcontainers-provided one.

When doing Java-based instantiation of the MySQL instance as above, I've found adding the standard property file configuration of the MySQL testcontainer to be unnecessary and best avoided -- doing so appeared to create a second, unused, container instance, slowing down builds. However, if you choose to use properties-only Java configuration (perhaps wishing to instantiate and initialize MySQL testcontainers more frequently during the integration tests), configuration similar to the below should work. Note the "myappdatabase", "myuser" and "mypass" values given in the url property are used to tell Testcontainers the values to set when creating the database and the user. In turn, whatever values placed here should go into the standard Spring username and password properties as shown:


Fixing the second issue involved using a different my.cnf for the MySQL testcontainer. To accomplish that I copied the mysql-default-conf/my.cnf directory and file from the org.testcontainers.mysql:1.17.6 library (easily viewable from IntelliJ IDEA) and pasted it as src/itest/resources/mysql-default-conf/my.cnf in the Spring Boot application. From the latter location I added my needed change.


  • The Gradle dependencies used to activate the MySQL testcontainer in the integration test environment:

    configurations {
        integrationTestImplementation.extendsFrom testImplementation
        integrationTestRuntimeOnly.extendsFrom testRuntimeOnly
    dependencies {
        integrationTestImplementation 'org.springframework.boot:spring-boot-starter-test'
        integrationTestImplementation 'org.testcontainers:mysql'
        integrationTestImplementation 'org.testcontainers:junit-jupiter'
  • As the migrations are kept in the main/resources folder, in the standard db/migration subdirectory, I thought I could perhaps just create overriding migrations in the corresponding itest/resources subdirectory for the few migrations with problems, and that Flyway would use the overrides over the ones in the main/resources folder. That did not work, though, Flyway halts with a complaint about duplicate filenames between the two folder locations.

Further resources:

Posted by Glen Mazza in Programming at 03:00AM May 14, 2023 | Comments[0] Friday May 12, 2023

Composite API added to Salesforce CRM Java Client

I've added support for the Composite API to my Salesforce CRM Java client, in particular for updates and inserts. This API method allows for up to 25 subrequests at the cost of just one API call (with a few other limitations depending on the types of calls made). For insertion-only requests, where the items being inserted are not related to each other, the Multiple Record Insertion technique added earlier to the client is probably best, as it allows for up to 200 insertions in one API call.

For tl;dr; purposes, reviewing the testMultipleEntityRecordInsertionsAndCompositeCalls() test case shows how a Composite API call can be made with this client. The sample makes one request consisting of one insert and two updates, and shows how to obtain the fields returned in both success and error scenarios. An example Multiple Record Insertion technique is in the same test.

As shown in the Salesforce docs, composite calls consist of a series of objects with four fields: method, url, referenceId, and body:

"compositeRequest" : [{
  "method" : "POST",
  "url" : "/services/data/v57.0/sobjects/Account",
  "referenceId" : "refAccount",
  "body" : { "Name" : "Sample Account" }
  "method" : "POST",
  "url" : "/services/data/v57.0/sobjects/Contact",
  "referenceId" : "refContact",
  "body" : { 
    "LastName" : "Sample Contact",
    "AccountId" : "@{}"

The method will be POST for inserts and PATCH for updates, while the url field refers to the object being inserted/updated. Example URL formats for Accounts:

  • Inserts: /services/data/vXX.X/sobjects/Account

  • Updates: /services/data/vXX.X/sobjects/Account/id/(SF ref ID of Account)

To provide these fields, the client provides an abstract CompositeEntityRecord, taking care of all fields but the body, the latter to be provided by subclasses the developer creates.

public abstract class CompositeEntityRecord {

    private final String entity;
    private final String referenceId;
    private final Method method;
    // URL dynamically generated when making request
    private String url;

    // getters and setters

The entity is @JsonIgnored as it is not part of the JSON object sent to Salesforce. As the URL contains the Salesforce API version and other call-specific data, it will be dynamically generated by the SalesforceCompositeRequestService at the time of the call. A sample CompositeEntityRecord subclass, to update an Account's site and number of employees:

public class AccountUpdateCompositeRecord extends CompositeEntityRecord {

    private Body body = new Body();

    public AccountUpdateCompositeRecord(String referenceId) {
        super("Account", Method.PATCH, referenceId);

    public Body getBody() {
        return body;

    public static class Body {
        public int numberOfEmployees;
        public String site;

        // getters and setters

For updates, the id should not be placed in the body, that will instead be placed in the url field at the time of the service call (below). The referenceId needs to be a unique value for all subrequests of the composite request. For updates, the SF ID of the object being updated (unless you're updating one item multiple times in the same call) would be an excellent fit.

Insertions will normally involve more fields, so it will be usually necessary to create another subclass with its additional fields. Also, there won't be a SF ID yet, so just choose a unique string for each reference ID in the composite call. In the response coming back, use the same ID to obtain the subrequest's results.

public class AccountInsertCompositeRecord extends CompositeEntityRecord {

    private final Body body = new Body();

    public AccountInsertCompositeRecord(String referenceId) {
        super("Account", Method.POST, referenceId);

    public Body getBody() {
        return body;

    public static class Body {

The client provides a CompositeEntityRecordRequest to hold all the subrequests:

public class CompositeEntityRecordRequest {

    boolean allOrNone;

    List<? extends CompositeEntityRecord> compositeRequest;

    public CompositeEntityRecordRequest(boolean allOrNone) {
        this.allOrNone = allOrNone;

    // getters and setters


See the Salesforce Docs for the usage of allOrNone, due to its importance it is placed in the constructor to require it to be specified. For the response returned by the Composite API call, the CompositeEntityRecordResponse class below is used. The format of the result body returned from Salesforce is unfortunately different in the success (Map) and failure cases (List of Map), so the Result.body field is declared as an Object. However, there are helper methods getSuccessResultsMap() and getErrorResultsList() in the Result object to help you parse the body (see the client test case mentioned above for an example of both). By first reading the Result's httpStatusCode you can determine the proper method to call.

package net.glenmazza.sfclient.model;

import java.util.List;
import java.util.Map;

public class CompositeEntityRecordResponse {

    List<Result> compositeResponse;

    // getters and setters

    public static class Result {
        private int httpStatusCode;
        private String referenceId;
        private Map<String, String> httpHeaders;
        private Object body;

        // getters and setters 

        public Map<String, Object> getSuccessResultsMap() {
           // ...

        public List<Map<String, Object>> getErrorResultsList() {
           // ...


As shown in the test case, once the CompositeEntityRecordRequest object is created, a call to the client's SalesforceCompositeRequestService is straightforward:

CompositeEntityRecordResponse cerr = scrs.bulkProcess(cerReq);

Further Resources:

Posted by Glen Mazza in Salesforce CRM at 03:00AM May 12, 2023 | Comments[0] Sunday May 07, 2023

Java Client for Salesforce CRM API calls

Updated May 2023.

I've made available on GitHub a Spring Security-based client library for making OAuth2-enabled REST calls to Salesforce CRM's API. The library supports use of Salesforce's:

For authentication, supported are Salesforce's JWT Bearer Token and username/password flows discussed in my earlier blog post. Spring Security's OAuth 2 client are used to obtain access tokens necessary for making these calls.

The integrated test cases give examples of the client in action. As they involve creating, updating, and deleting Salesforce Accounts they should be run against a non-production instance. Salesforce offers free developer instances. Note the test case for the Apex REST functionality will require installing this Apex REST endpoint from the Salesforce documentation. To run the tests, first create an file in the itest resources folder with the configuration necessary for the flow you are using. There is a template file in that folder specifying what is needed for each OAuth2 flow type. For usage of this library by other applications, this configuration would be placed in the importing application's properties file. The library's SalesforceOAuth2Config class reads that configuration, and will halt on startup with informational messages if anything needed is missing. Once done, the integrated tests can be run from IntelliJ or command-line via ./gradlew integratedTest.

The Username/Password flow is supported out of the box by Spring, but the JWT bearer token flow requires some extra classes implemented in the client:

What happens when access tokens expire? The WebClient calls have a retry(1) setting that allows for one additional call to the resource server in case of an error such as using an expired access token. In such cases, for the first call, the failure handler in SalesforceOAuth2Config removes the authorized client instance (which has the invalid access token) from memory. For the retry call, SalesforceJwtBearerOAuth2AuthorizedClientProvider notes that there is not an authorized client instance anymore so proceeds to obtain a new access token to allow the second call to proceed. This functionality can be verified by revoking the access token from either Salesforce Setup's Session Management screen or from Connected Apps usage, and confirming that a subsequent resource API call still provides the data. Code breakpoints can also be used to confirm another access token was requested.

Additional Resources

Posted by Glen Mazza in Salesforce CRM at 03:00AM May 07, 2023 | Comments[0] Friday May 05, 2023

Adding a custom grant type to Spring Authorization Server

Basit-Mahmood Ahmed has provided a nice example of adding a custom grant to Spring Authorization Server, providing a replacement for the "resource owner" grant removed from the OAuth 2.1 standard. I was able to leverage that for providing our own resource owner implementation. At work we've needed to create several types of custom grants, thankfully what started off as perplexing to implement, due to repetition became rather routine. Best starting advice I can to examine the out-of-the-box provided grant types and follow along with them. The Reference Guide of course and YouTube videos are also valuable, for example Getting Started with Spring Authorization Server and Configuring and Extending Spring Authorization Server.

For each custom grant type to support under Spring Auth Server, I've normally found five extra source files needed, as well as adjusting a couple of others. Most classes are limited in responsibilities helping keep their creation straightforward. Providing links to Basit-Mahmood's example where applicable, as well as some unrelated additional code samples:

  1. The custom grant Token class (example): Extending OAuth2AuthorizationGrantAuthenticationToken, this class holds the properties used by the Provider (discussed below) to authenticate the client. For the resource owner grant, it would have username and password. For a grant based on incoming IP Address, it would be an IP address string. This class is also a good place to define the custom token grant_type parameter used in the OAuth2 token request.

  2. The custom grant Converter class (example): This class takes the incoming HttpServletRequest and, by reading its properties, creates an instance of the Token class. Parameter validation for obvious shortcomings (missing param values, etc.) are good to do here, to help keep the Provider uncluttered.

  3. The Provider class (example): This class takes the Token created by the Converter and authenticates and authorizes the grant. In general, there are two parts to this: authentication of the token, frequently handled by two other classes, discussed below, followed by construction of the JWT, partly in the Provider and partly in the OAuth2TokenCustomizer discussed below.

  4. A token to represent the resource owner. This class will extend from AbstractAuthenticationToken, and will be used both to authenticate a user and to represent the user after authentication.

    package ...;
    public class MyInnerAuthenticationToken extends AbstractAuthenticationToken {
        private final MyAccessUser myAccessUser;
        // constructor for user-to-validate	
        public MyInnerAuthenticationToken(String propertyToCheck) {
            this.myAccessUser = new MyAccessUser(propertyToCheck);
        // constructor for validated user
        public MyInnerAuthenticationToken(MyAccessUser myAccessUser,
                                           Collection authorities) {
            this.myAccessUser = myAccessUser;
            super.setAuthenticated(true); // must use super, as we override
        public Object getPrincipal() {
            return this.myAccessUser;
        public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
                    "Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
        public String getName() {
            return this.myAccessUser.getName();
  5. Another Provider to authenticate the above token. This would be called by the OAuth2 grant Provider during authentication. This Provider implements the standard authenticate(Authentication) method, returning a new Token populated with the principal and its authorities.

    public class MyInnerAuthenticationProvider implements AuthenticationProvider {
        private static final Logger LOGGER = LoggerFactory.getLogger(MyInnerAuthenticationProvider.class);
        private MyAuthenticator authenticator;
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            MyAccessUser unvalidatedUser = (MyAccessUser) authentication.getPrincipal();
            String ip = unvalidatedUser.getIpAddress();
            MyAccessUser validatedAccessUser = authenticator.checkIpAddress(ip);
            if (validatedIPAccessUser != null) {
                Collection<GrantedAuthority> authorities = authenticator.toGrantedAuthorities(
                return new MyInnerAuthenticationToken(validatedAccessUser, authorities);
            } else {
                LOGGER.warn("Could not validate user {}", unvalidatedUser);
                return null;
        public boolean supports(Class<?> authentication) {
            return MyInnerAuthenticationToken.class.isAssignableFrom(authentication);
  6. Spring Authorization Server allows for creating an OAuth2TokenCustomizer implementation for adding claims to a JWT common to multiple grant types. It should get picked up automatically by the framework's JwtGenerator. If you've created one, good to review at this stage any adjustments or additions that can be made to it as a result of the new custom grant.

    public class MyTokenCustomizer implements OAuth2TokenCustomizer {
        public void customize(JwtEncodingContext context) {
            JwtClaimsSet.Builder claimsBuilder = context.getClaims();
            claimsBuilder.claim(ENVIRONMENT_ID, environment);
            // Spring Auth Server's JwtGenerator does not provide JTI by default
            claimsBuilder.claim(JwtClaimNames.JTI, UUID.randomUUID().toString());
            Authentication token = context.getPrincipal();
            // can add principal-specific claims:
            if (token.getPrincipal() instanceof MySubjectClass chiefJwtSubject) {

Once completed, now time to wire new grant support within the authorization server. To wire up the grant-level Converter and Provider, within a WebSecurityConfigurerAdapter subclass:

List converters = new ArrayList<>();

        .tokenEndpoint(tokenEndpoint -> {
            tokenEndpoint.accessTokenRequestConverter(new DelegatingAuthenticationConverter(
                // lots more providers

The mini-level Provider, used for the actual authentication of the User, can be configured separately as a @Bean:

public MyInnerAuthenticationProvider myInnerAuthenticationProvider() {
    return new MyInnerAuthenticationProvider();

Once developed, easy to test with Postman. Spring Auth Server uses an oauth2_registered_client table where the client_id and client_secret for clients are defined. Within Postman, Authorization tab, choose Basic Auth type and enter the client ID and secret as the credentials:


Then the new grant type can be tested with a POST call to the standard oauth/token endpoint using that grant_type:


Posted by Glen Mazza in Programming at 03:00AM May 05, 2023 | Comments[0]

« December 2023
Sun Mon Tue Wed Thu Fri Sat
About Me
Java Software Engineer
TightBlog project maintainer
Arlington, Virginia USA
glen.mazza at pm dot me
GitHub profile for Glen Mazza at Stack Overflow, Q&A for professional and enthusiast programmers
Blog Search

Blog article index
About Blog
Blog software: TightBlog 3.7.2
Application Server: Tomcat
Database: MySQL
Hosted on: Linode
SSL Certificate: Let's Encrypt
Installation Instructions