5 tips for using java APIs

This paper introduces some simple and easy-to-use skills about Java API security and performance, including some suggestions on ensuring API key security and framework selection in developing web service.

Programmers like to use APIs! For example, build APIs for app applications or as part of a microservice architecture. Of course, the premise of using API is to make your work easier. Efforts to simplify development and improve work efficiency, Sometimes it also means looking for new class libraries or processes (or reducing processes). For many development teams, it takes a lot of time to manage, authenticate and access control their apps and APIs. Therefore, we need to share some skills, which can save your time, reduce the amount of code writing, and make your applications more secure and easy to maintain

First, let's introduce the background knowledge mentioned in this article: OKTA is a Java application based on rest and JSON API, which is built using the spring framework. Our company's application is to save the user's identity credentials and sensitive data of other companies, so security is the most important for us. So my first requirement for these techniques is that they can help make your Java applications more secure.

These suggestions should be common to any type of Java application. They will help you write code faster, but with less code and more security: it's really a win-win result! 　

1. Don't implement the security framework yourself

Seriously, don't try to implement security code yourself. It's too difficult.

Almost everyone knows to avoid implementing algorithms such as encryption. Similarly, the rest of your application's security stack is the same. It may cost a lot and risk a lot. You are likely to make some mistakes. Since 1999, 89373 CVEs (public vulnerabilities and exposures) have been released. Most of the public discoverers are very smart people.

You might think that dealing with a simple use case (for example, verifying the user's password) is a very simple thing - all you do is compare a pair of strings. This is wrong. You need to verify the hash value of the password, audit the number of login attempts, and reduce attacks against the dictionary. This is just the tip of the iceberg. Your best choice is to use existing mature libraries or frameworks, such as Apache Shiro or spring security , let these frameworks deal with all kinds of complex security problems.

2. Use TLS,Always! Always use TLS! 　

Now it's 2017. All websites should use HTTPS, even the company's intranet. Let's encrypt makes HTTPS easy and simple, which means you can no longer use insecure self signed keys! You can even set up Tomcat or nginx instances with certificate authentication locally.

It only needs a simple line of code to make your application need TLS (HTTPS / SSL), and everyone should do so! If you use the Apache Shiro framework, you only need to set the properties:

If you use spring security, you only need to simply call a method when setting httpsecurity.

In spring boot, you only need to set some properties, as follows:

3. Create web service using spring boot

Spring boot is a simplification of the spring platform, which can make it easy to write spring applications. For example, it can write the viewpoint mentioned in the article "12 factors to consider in app applications" with little code. If you are still coding by building war package, spring boot is worth learning. You can use spring boot to complex and different types of applications. For example, you can use simple annotations (@ enableresourceserver) to build an OAuth resource server, or change its port through simple attributes:

If you don't like using spring boot, you can use the dropwizard to build the jax-rs technology stack.

4. Monitor application and performance indicators

If there is no data, it is difficult to find program errors. Spring boot makes it easy to collect indicator data by using activator. It only needs to add a dependency in the application, as follows:

Then you can check the health status or indicators of the application by entering / health or / metrics after accessing the application address in the browser. The dropwizard framework implements the same function through / healthcheck and / metrics.

The following is the result of spring boot application output through / metrics:

5. Protect sensitive information

It is a fact that people think that API keys are not secure. The key is sent by e-mail or controlled by the source control system. Maybe that's why they look less secure than passwords, but they're just as sensitive. If you need to store the API key in a file, be sure to grant limited access to the file. For example, we recommend that OKTA's yaml file be stored in a private directory and the file owner be given read-only permission.

If you are creating an API for users who use your app, remember to remind them that if they do not have set permissions The SSH file is placed in your ~ / SSH directory, if the permissions are not set. GitHub puts them in a "dangerous area" to remind users, which is very useful.

The above is the whole content of this article. I hope it will be helpful to your study, and I hope you can support programming tips.