Five skills of using JavaAPI

5 tips for using JavaAPI Don't implement the security framework yourself.

Everyone knows to avoid implementing encryption and other algorithms. For the same reason, the rest of your application's security stack is the same, which can be costly and risky. You may make some mistakes. Since 1999, 89373 CVEs (public vulnerabilities and exposures) have been published. And most of the discoverers are very smart people.

You might think that dealing with a simple use case (such as verifying a user's password) is very simple-all you do is compare a pair of strings. It's wrong to think like this. You need to verify the hash value of the password, check the number of login attempts, and reduce the attack on the dictionary. This is just the tip of the iceberg. Your best choice is to use existing mature libraries or frameworks, such as Shiro of Apache or SpringSecurity, and let these frameworks deal with various complex security issues.

2. Always use TLS! Be sure to use TLS!

It only takes a simple line of code to make your application need TLS(HTTPS/SSL), and everyone should do it! If you use the Apache Shiro framework, you only need to set the property: [urls]/**=ssl. If you use Spring Security, you only need to call one method when setting HttpSecurity. Http。 requirechannel () anyrequest()。 In Spring Boot, you just need to set some properties. As follows: server.port = 8443server.ssl.key-store = classpath: keystore.jksserver.ssl.key-store-password = secretserver.ssl.key-password = another-secret.

3. Create a Web service using Spring Booti.

Spring Boot: It is a simplified version of the Spring platform, which makes it very easy to write Spring applications. For example, the ideas mentioned in the article "Factors to be considered in the application of 12 app" can be written with very little code. If you are still coding by building war packages, then Spring Boot is worth learning. Using Spring Booti can be used for complex and different types of applications, for example, simple comments can be used.

(@EnableResourceServer)) Just build an OAuth resource server, or change its port through simple properties: server.port 8090 If you don't like using SpringBoot, you can use the Dropwizard to build a JAX-RS technology stack.

4. Monitor applications and performance indicators

If there is no data, it is difficult to find the error of the program. By using Actuator, Spring Booti can easily collect indicator data, and only need to add a dependency in the application, as shown below:

& ltartifact LD > Spring Boot Starter Actuator ; .

& lt/dependency & gt； .

Then, after accessing the application address, you can enter /health or /metrics through the browser to check the health status or indicators of the application. The Dropwizard framework achieves the same function through healthcheck and /metrics.

5. Protect sensitive information

It is a fact that API keys are not secure. The key is sent by email or controlled by the source code management system. Maybe that's why they look less secure than passwords, but they are just as sensitive. If you need to store the AP key in a file, make sure to grant the file limited access.

For example, we suggest storing the YAML file of Okta in a private directory and giving the file owner read-only permission. Chmod u = r，go-rwx ~/。 Okta/okta.yaml If you are creating an API for users who use your application, remember to remind them to put the SSH file in your ~/. Ssh directory without setting permissions. GitHub puts them in the "danger zone" to remind users that this is very useful.