5 tips for using Java APIs

This article introduces some simple, easy-to-use tips on the security and performance of Java APIs, including suggestions, as Java course training institutions see them, on keeping API keys secure and on choosing a framework for developing web services.

Programmers like to use APIs! For example, you might build an API for an app or as part of a microservice architecture. Of course, the point of using an API is to make your work easier. Efforts to simplify development and improve efficiency sometimes mean finding new libraries or processes (or reducing processes). Many development teams spend a lot of time managing authentication and access control for their apps and APIs, so we want to share some tips that can save you time, reduce the amount of code you write, and make your application more secure and easier to maintain.

Let me first introduce the background to this article: Okta is a Java application based on REST and a JSON API, built with the Spring framework. Our company's application stores user identities and sensitive data for other companies, so for us security is the most important thing. Therefore, my first requirement for these tips is that they help make your Java application more secure.

These suggestions should apply to any type of Java application. They will help you write code faster, with less code, and more securely: a win-win situation!

1. Don't implement the security framework yourself

Seriously, don't try to implement security code yourself. It's too difficult.

Almost everyone knows to avoid implementing encryption and other cryptographic algorithms themselves. The same reasoning applies to the rest of your application's security stack: building it yourself can be costly and risky, and you are likely to make mistakes. Since 1999, 89373 CVEs (Common Vulnerabilities and Exposures) have been published, and most of the discoverers are very smart people.

You may think that handling a simple use case (such as verifying a user's password) is a simple matter: all you do is compare a pair of strings. That is wrong. You need to verify the hash of the password, track the number of login attempts, and mitigate dictionary attacks. And this is just the tip of the iceberg. Your best choice is to use an existing mature library or framework, such as Apache Shiro or Spring Security, and let it deal with the various complex security issues.
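The checks listed above, as an added example that is not from the original article: password verification delegated to Spring Security's `PasswordEncoder` instead of a string comparison, with a per-user failure counter. `LoginCheck`, `MAX_ATTEMPTS` and the in-memory maps are hypothetical names, and it assumes `spring-security-crypto` is on the classpath.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example. LoginCheck, MAX_ATTEMPTS and the maps are hypothetical;
// the counter is per-process and never expires, which a real policy would change.
public class LoginCheck {
    private static final int MAX_ATTEMPTS = 5; // assumed lockout threshold

    // Delegating encoder: stores hashes with an algorithm id prefix such as {bcrypt}.
    private final PasswordEncoder encoder =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();
    private final Map<String, String> storedHashes = new ConcurrentHashMap<>();
    private final Map<String, AtomicInteger> failures = new ConcurrentHashMap<>();
    // Hash verified for unknown users so both paths do the same slow work.
    private final String dummyHash = encoder.encode("constructed-placeholder");

    public void register(String user, String rawPassword) {
        // Salted, deliberately slow hash; the raw password is never stored.
        storedHashes.put(user, encoder.encode(rawPassword));
    }

    public boolean login(String user, String rawPassword) {
        AtomicInteger count = failures.computeIfAbsent(user, u -> new AtomicInteger());
        if (count.get() >= MAX_ATTEMPTS) {
            return false; // locked: limits dictionary guessing against this account
        }
        String hash = storedHashes.getOrDefault(user, dummyHash);
        // matches() runs first in every case; unknown users are rejected afterwards.
        boolean ok = encoder.matches(rawPassword, hash) && storedHashes.containsKey(user);
        if (ok) {
            count.set(0);
        } else {
            count.incrementAndGet();
        }
        return ok;
    }

    public static void main(String[] args) {
        LoginCheck check = new LoginCheck();
        check.register("alice", "correct horse battery staple"); // constructed sample
        System.out.println("valid login: " + check.login("alice", "correct horse battery staple"));
        for (int i = 0; i < MAX_ATTEMPTS; i++) {
            check.login("alice", "guess" + i); // constructed wrong guesses
        }
        System.out.println("after lockout: " + check.login("alice", "correct horse battery staple"));
    }
}
```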

2. Always use TLS!

It's 2017 now, and all websites should use HTTPS, even on the company intranet. Let's Encrypt makes HTTPS easy, which means there is no longer any reason to use insecure self-signed keys! You can even set up a local Tomcat or Nginx instance with a certificate.