Practical Tips for Securing and Optimizing Java APIs

This article introduces simple, practical tips for improving Java API security and performance, including safeguarding API keys and recommendations for framework choices when developing web services.

Developers love using APIs, whether building app‑level APIs or integrating them into microservice architectures. Managing authentication and access control for APIs can be time‑consuming, so the following techniques aim to save time, reduce code, and increase security and maintainability.

The background: Okta is a REST/JSON‑based Java application built with the Spring framework, handling user credentials and sensitive data, making security paramount.

These suggestions are applicable to any Java application, helping you write less code while enhancing safety.

1. Do Not Implement Your Own Security Framework

Seriously, avoid writing your own security code; it’s extremely difficult.

Everyone knows to avoid implementing cryptographic algorithms themselves, and the same applies to the rest of the security stack. Since 1999, over 89,000 CVEs have been disclosed, highlighting the risks of custom implementations.

Even simple use cases like password verification involve hashing, login‑attempt tracking, and dictionary‑attack mitigation. Use mature libraries or frameworks such as Apache Shiro or Spring Security to handle these complexities.

2. Use TLS, Always! 永远使用TLS！

In 2017 and beyond, all sites should use HTTPS, even internal networks. Let’s Encrypt makes HTTPS easy, eliminating the need for insecure self‑signed certificates. You can configure Tomcat or Nginx with certificate authentication locally.

Enabling TLS in your application can be done with a single line of code. For Apache Shiro, set the property:

<code>[urls]/** = ssl</code>

For Spring Security, simply call a method when configuring HttpSecurity:

<code>http.requiresChannel() .anyRequest().requiresSecure();</code>

In Spring Boot, configure the following properties:

<code>server.port=8443 server.ssl.key-store=classpath:keystore.jks server.ssl.key-store-password=secret server.ssl.key-password=another-secret</code>

3. Use Spring Boot to Create Web Services

Spring Boot simplifies Spring applications, allowing you to write less code. For example, you can set up an OAuth resource server with @EnableResourceServer or change the port via a simple property:

<code>server.port = 8090</code>

If you prefer not to use Spring Boot, Dropwizard can be used to build a JAX‑RS stack.

4. Monitor Application and Performance Metrics

Without data, detecting errors is difficult. Spring Boot’s Actuator makes metric collection easy; just add the dependency:

<code>&lt;dependency&gt; &lt;groupId&gt;org.springframework.boot&lt;/groupId&gt; &lt;artifactId&gt;spring-boot-starter-actuator&lt;/artifactId&gt; &lt;/dependency&gt;</code>

Then access /health or /metrics in a browser to check health and metrics. Dropwizard provides similar endpoints via /healthcheck and /metrics.

Example output from a Spring Boot /metrics endpoint:

<code>{ "classes": 7704, "classes.loaded": 7704, "classes.unloaded": 0, "counter.status.200.metrics": 1, "gauge.response.metrics": 99.0, "gc.ps_marksweep.count": 2, "gc.ps_marksweep.time": 272, "gc.ps_scavenge.count": 8, "gc.ps_scavenge.time": 136, "heap": 3728384, "heap.committed": 470016, "heap.init": 262144, "heap.used": 207793, "httpsessions.active": 0, "httpsessions.max": -1, "instance.uptime": 25020, "mem": 529086, "mem.free": 262222, "nonheap": 0, "nonheap.committed": 60608, "nonheap.init": 2496, "nonheap.used": 59067, "processors": 8, "systemload.average": 5.56103515625, "threads": 24, "threads.daemon": 22, "threads.peak": 28, "threads.totalStarted": 32, "uptime": 37182 }</code>

5. Protect Sensitive Information

API keys are often less protected than passwords, making them a security risk. Store keys in files with restricted permissions, e.g., keep Okta’s YAML file in a private directory with read‑only access for the owner:

<code>$ chmod u=r,go-rwx ~/.okta/okta.yaml</code>

When creating APIs for your app’s users, remind them to set proper permissions on files like ~/.ssh configuration, as platforms like GitHub flag insecure files as dangerous.