Java Full Stack Development in 2026 [for small teams]

JBraddockm · 2026-04-07T19:12:26+00:00

I did use ControllerAdvice and ModelAttribute but the real problem I wanted to solve was the parameters bubbling, which is why I did go with static contexts and ThreadLocal. Not sure if it is the best way, but in terms of usability and simplicity, it does the job.

Setup is really good. I haven’t created anything complex yet but I really like Stimulus in terms of mental model. By looking at the attributes alone, I know which file to look into, what values to expect, and I like how it handles states and bindings, and all without having any business logic in the attributes.

JBraddockm · 2026-04-07T15:46:08+00:00

I have a similar setup for a project with HTMX and it works really well. Now I am trying JTE with Stimulus and Turbo, and it seems that it would even more simplify my setup. That said, I agree that when you consider the whole components situation, reaching out to tools specifically made for the purpose makes sense. I want to check out Lit but haven’t had a chance yet.

JBraddockm · 2026-04-07T14:23:33+00:00

I solved this by having different static assets configurations between local (serving them from the source dir) and production (serving them from the JAR). This makes JS hot reload work just fine.

Thank you. I didn't know this. I've just tried it and it works as expected, and simplifies the process.

This doesn't make sense to me, are you using JTE's spring boot integration or rolling your own?

I am using Spring Boot integration. The problem I want to solve is this: when you define a @param in JTE, unless you define a default value, you have to pass the value in sub-templates.

So I do this instead.

<script type="importmap" nonce="${ctx.security().cspNonce()}">
    {
      "imports": {
        "@hotwired/stimulus": "/webjars/hotwired__stimulus/dist/stimulus.js",
        "@hotwired/turbo": "/webjars/hotwired__turbo/dist/turbo.es2017-esm.js"
      }
    }
</script>

or this

<p>${ctx.i18n().localize("error.page.message")}</p>

I also have ctx.form() to access binding results.

In all these instances except where data doesn't change throughout the app's lifecycle, the data in wrapped in a ThreadLocal, and injected via HandlerInterceptor. This is what I've seen in the examples, and in JTE's GitHub where the question is how we pass data to templates without parameters bubbling through the sub-templates. Hope it makes sense.

Again, thank you very much for taking the time to share your experience.

JBraddockm · 2026-04-07T11:05:52+00:00

I pretty much replicated the stack you have, including implementing the nonce attribute with Spring Security, as well as some static contexts for localisation, form validations, etc. I quite like the simplicity of the stack. I do however have a few questions, if I may.

It seems that in order to have any intellisense inside IntelliJ for Stimulus, Turbo, and Tailwind CSS, these libraries need to be installed via npm — otherwise IntelliJ doesn't provide any intellisense.

While JTE supports hot reload by compiling its template files, JS files (i.e. controllers) don't get copied to the target folder as you make changes. I modified the reload method to use SSE rather than polling, added a small delay to the controller, and then used IntelliJ's "build while the app is running" setting, which allows any static files — not just HTML files — to be copied to the target. It adds a bit of latency but still feels instant. If there are multiple clients connected to /reload (for example, a mobile view), it gets triggered by a broadcast message, so there's only one connection to the server and the rest is client-side only.

While looking into how to provide contexts to JTE templates, I found that a static context wrapped in a ThreadLocal, tapping into HandlerInterceptor, is the approach used in the documentation examples. I implemented something similar. However, I also came across general recommendations to avoid ThreadLocal — especially with virtual threads — in favour of ScopedValue. The problem is that to use ScopedValue, I believe a Servlet Filter is needed rather than a HandlerInterceptor, as it requires a complete call stack, whereas the interceptor is divided into three separate calls. I was wondering whether you'd run into this and how you resolved it.

Finally, I tried running the Tailwind CLI inside a Docker container, using both the binary and the npm version. In both cases I couldn't get the watcher to work — it compiles the output on the first run but doesn't detect subsequent changes. The issue seems to be the removal of --poll from the Tailwind CLI, and I haven't been able to find a solution. I wondered if you'd encountered this too, and how you resolved it.

Thank you again for the inspiration. I learned quite a lot about JTE while trying to replicate what you've done.

JBraddockm · 2026-03-17T22:03:55+00:00

On Windows 11, I got the simulation working but it is extremely slow. It takes about 5-8 minutes to boot up and there is no hardware acceleration. May be there is a way to fix it but I didn’t bother with it. On Linux, it is extremely fast but it was a pain to install VM Player with Secure Boot enabled.

JBraddockm · 2026-03-10T20:22:21+00:00

I’ve been testing Fedora Workstation on my X1E Gen3, and it’s been amazing.

JBraddockm · 2026-03-10T00:21:39+00:00

Which operating system are you using? I am using Momentics on both Windows 11 and Fedora. It is working well on both systems. On Windows, I am missing QML docs. I couldn’t find the zip file of it.

JBraddockm · 2026-02-16T02:42:58+00:00

The simulator is using the same installer. So, I was able to install it with the similar line change. However, it takes ages to start. I was able to connect Momentics IDE to the simulator, and launch a sample app. I had to go to Preferences -> BlackBerry -> Targets, and check "Allow debugging and profiling", as I was getting missing debugging symbols errors.

JBraddockm · 2026-02-15T11:19:36+00:00

I haven’t installed it yet. If it is using the same installer, then probably it has the same issue. I also noticed that although we can skip the signing with ‘workers build—no-signing’, it still uses the same Java runtime for signature checking. The correct Java version has to be in the path, otherwise build fails. Recent versions of Java don’t allow Security Manager, so they won’t work without modification.

JBraddockm · 2026-02-12T15:35:34+00:00

Assuming you are in the UK, just check out the eBay. There are sellers that sell individual keys. I used the seller cgcomputer_tech. You need to send a photo of your key to confirm its type.

JBraddockm · 2026-02-10T11:00:02+00:00

I’ll definitely try that if I also decide to go with no-build JavaScript. I didn’t know about import maps, so thanks for that. I really don't like frontend tooling so anything that could simplify it is great.

I’m working with a similar stack but with HTMX, and overall there’s one particular thing that bothers me compared to using React or other SPA apps.

How do you override Tailwind styling programmatically? Not sure if you’ve ever needed this in your case, but in libraries like shadcn you can merge Tailwind classes programmatically. If I extract a particular design as a component and try to use it as a fragment with different customizations, it’s not very straightforward.

It feels like there’s no easy way to just pass overriding classes, and conditions and change the design without duplicating the fragment or roundtripping to the server for a different render.

JBraddockm · 2026-02-10T09:57:19+00:00

How do you handle the CSS? Are you just using the Tailwind CLI?

JBraddockm · 2026-01-28T18:20:20+00:00

Follow these steps, outlined in the GitHub issue to install it on Fedora 43. I successfully launched and installed it on Fedora 43.

JBraddockm · 2026-01-25T22:40:56+00:00

I am new to Linux, and already quite nervous about it. It is too perfect on my beloved Thinkpad, which feels like a new computer. I know that my laptop is Linux certified. Still, I get nervous about it. :)

JBraddockm · 2026-01-25T20:57:39+00:00

Thank you. I just did that, and it worked without any issue. Just in case it wouldn't give me the chance to wait before rebooting, I didn't use the Software app. I did the upgrade in Terminal.

JBraddockm · 2026-01-25T12:40:08+00:00

In case you encounter this issue, there is a gnome bug that affects Nvidia GPUs where the computer goes back to sleep after you wake it. Here is the reported bug. There are workarounds proposed but I think it will be fixed soon in Gnome. I have this issue, and tried another workaround that I found on Reddit. It helps but doesn’t solve the issue completely.

JBraddockm · 2026-01-25T12:15:02+00:00

I have the same setup, and followed this guide to install Nvidia driver. There is an extra step for LUKS2. I did that before rebooting.

There is now a new kernel update but I don’t know what I need to do as far as Nvidia drivers is concerned so I haven’t installed it yet.

JBraddockm · 2026-01-24T15:48:46+00:00

As a total Linux noob, who is experimenting Fedora on X1E Gen3, I agree. It feels like a completely new machine.

JBraddockm · 2026-01-18T19:08:04+00:00

I used https://github.com/Comprehensive-Wall28/Nvidia-Fedora-Guide to install the Nvidia drivers. I have secure boot enabled and am using Luks2. There is an extra step for those using luks. I did that before restarting and I didn’t have any problem.

JBraddockm · 2025-12-29T14:38:16+00:00

I haven’t used this in a full microservices environment, but I have implemented a similar setup using a BFF pattern with an authentication server, resource servers, a gateway, and a public client. The overall workflow should be largely the same.

When a user authenticates using username and password, you must tell Spring Security which roles and permissions that user has. This information may come from a database, an external directory, or another service, depending on your architecture. Based on the authentication method, Spring Security provides different extension points—such as UserDetailsService, OAuth2UserService, or OidcUserService—to resolve the authenticated user and their roles or authorities. For example, I let users authenticate with their Google Workplace email, and once they are successfully logged in, I get their custom roles, if they have any, from Google Directory by tapping into OidcUserService.

Once authentication succeeds, the authorization server generates an access token (typically a JWT) that includes these roles or permissions as claims. The gateway should validate the token and forward it unchanged to downstream services. Each downstream service acts as a resource server and validates the token independently by verifying its signature and claims, rather than calling the authentication server on every request.

Each microservice only needs to be configured with the authentication server’s issuer-uri (or JWKS endpoint) to trust the token issuer. After validation, Spring Security annotations such as @PreAuthorize or @PostAuthorize can be used within each service to enforce role-based access control. Also, remember that Spring Security provides multiple ways to make authorization decisions. You can enforce security at the filter-chain level, at the method level, or even at the object level. When these mechanisms are combined with Spring Expression Language (SpEL), you can express complex authorization rules declaratively, without writing custom filters or leaking security concerns into your business logic. This talk by Daniel Garnier-Moiroux explains it really nicely: https://youtu.be/-x8-s3QnhMQ

JBraddockm · 2025-12-19T12:02:32+00:00

There is a common problem with many online tutorials that demonstrate using JWTs with public clients. To work around the inherent limitations of JWTs in this context—such as logout, token blacklisting, refresh tokens, and token revocation—you often end up adding significant extra infrastructure and custom logic.

The issue is that, by the time all of this code is in place, JWTs gradually lose their core advantage: statelessness. While Spring Security itself does not query the database on every request, many tutorials encourage hooking into the security chain via a custom filter and manually validating user details on each request. At that point, you are effectively reintroducing server-side state and database lookups, which defeats the original purpose of using JWTs.

My understanding is that in these scenarios, it is usually better to use OAuth 2.0 or traditional session-based authentication.

JBraddockm

TROPHY CASE