This article mainly introduces simple and easy-to-use techniques in Java API security and performance in detail. It has certain reference value. Interested friends can refer to it.
This article introduces some related Easy-to-use tips for Java API security and performance, including suggestions for keeping API keys secure and framework choices for developing Web services.
Programmers love using APIs! For example, building APIs for app applications or as part of a microservices architecture. Of course, the premise of using APIs is to make your work easier. Efforts to simplify development and improve work efficiency sometimes mean finding new libraries or processes (or reducing processes). For many development teams, managing authentication and access control for their APPs and APIs takes a lot of time, so we would like to share some tips that can save you time, reduce the amount of code writing, and make your applications More secure and easier to maintain.
Let me first introduce the background knowledge mentioned in this article: Okta is a Java application built based on REST and JSON API, built using the Spring framework. Our company's applications store users' identity credentials and other companies' sensitive data, so security is the most important thing for us. Therefore, my first request for these tips is that they can help make your Java applications more secure.
These suggestions should be common to any type of Java application. They'll help you write code faster, but in less code, and more securely: it's really a win-win-win!
1. Don’t implement the security framework yourself
Seriously, don’t try to implement security code yourself, it’s too difficult.
Almost everyone knows to avoid implementing algorithms such as encryption. By the same token, the rest of your application's security stack can be costly and risky. You will most likely make some mistakes. Since 1999, 89,373 CVEs (Public Vulnerabilities and Exposures) have been released. And the discoverers of most of them are very smart people.
You might think that handling a simple use case (such as validating a user's password) is trivial - all you do is compare a pair of strings. It would be wrong to think so. You need to verify password hashes, audit login attempts, mitigate dictionary attacks, and that’s just the tip of the iceberg. Your best option is to use existing mature libraries or frameworks, such as Apache's Shiro or Spring Security, and let these frameworks handle various complex security issues.
2. Use TLS, Always! Always use TLS!
It’s already 2017, and all websites should use HTTPS, even the company’s intranet. Let's encrypt makes HTTPS easy and simple, which means you can no longer use insecure self-signed keys! You can even set up a local Tomcat or Nginx instance with certificate authentication.
It only takes one simple line of code to make your application require TLS (HTTPS/SSL), and everyone should do it! If you use the Apache Shiro framework, you only need to set the properties:
[urls]/** = ssl
If you use Spring Security, you only need to simply call a method when setting HttpSecurity.
http.requiresChannel() .anyRequest().requiresSecure();
In Spring Boot, you only need to set some properties, as follows:
server.port=8443 server.ssl.key-store=classpath:keystore.jks server.ssl.key-store-password=secret server.ssl.key-password=another-secret
3. Use Spring Boot to create Web Service
Spring Boot is a simplification of the Spring platform, which makes it easy to write Spring applications. For example, you can write "app applications" with very little code. Points mentioned in the article 12 Factors to Consider. If you are still coding by building War packages, then Spring Boot is worth learning. Spring Boot can be used to create complex and different types of applications. For example, you can use a simple annotation (@EnableResourceServer) to build an OAuth resource server, or change its port through a simple attribute:
server.port = 8090
If you don’t like to use SpringBoot, you can use Dropwizard to build a JAX-RS technology stack.
4. Monitor applications and performance indicators
It is difficult to find program errors without any data. Spring Boot makes it easy to collect indicator data by using Actuator. You only need to add a dependency to the application, as follows:
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId> </dependency>`
Then you can use the browser, After accessing the application address, enter /health or /metrics to check the health or metrics of the application. The Dropwizard framework implements the same functionality through /healthcheck and /metrics.
The following is the result output by the Spring Boot application through /metrics:
{ "classes": 7704, "classes.loaded": 7704, "classes.unloaded": 0, "counter.status.200.metrics": 1, "gauge.response.metrics": 99.0, "gc.ps_marksweep.count": 2, "gc.ps_marksweep.time": 272, "gc.ps_scavenge.count": 8, "gc.ps_scavenge.time": 136, "heap": 3728384, "heap.committed": 470016, "heap.init": 262144, "heap.used": 207793, "httpsessions.active": 0, "httpsessions.max": -1, "instance.uptime": 25020, "mem": 529086, "mem.free": 262222, "nonheap": 0, "nonheap.committed": 60608, "nonheap.init": 2496, "nonheap.used": 59067, "processors": 8, "systemload.average": 5.56103515625, "threads": 24, "threads.daemon": 22, "threads.peak": 28, "threads.totalStarted": 32, "uptime": 37182}
5. Protect sensitive information
人们都认为API密钥是不安全的,这是事实。密钥通过电子邮件发送或源代码管理系统控制。也许这是它们看起来比密码更不安全的原因,但它们也一样敏感。如果需要将API密钥存储在文件中,请确保授予文件有限的访问权限。例如,我们建议在私人目录中存放Okta的YAML文件并且赋予文件所有者只读权限。
$ chmod u=r,go-rwx ~/.okta/okta.yaml
如果你正为使用你的APP的用户创建API,记得提醒他们,如果无设置好权限的话,.SSH的忽文件是放在你的~/.ssh目录下,如果无设置好权限的话。GitHub 把它们放在“危险区域”,以提醒用户,这是十分有用的。
The above is the detailed content of Five tips for using Java API. For more information, please follow other related articles on the PHP Chinese website!