jforex78

Reputation: 325

Expose Web Services to third party applications?

I've been asked in tech discussions how we write an application to use internally in the firm and also expose it as an API to third-party clients.

I am assuming this is in the context of Web Services. I am thinking, won't the third party simply call the endpoint and consume the response?

Clearly, that answer is raw, and I am missing the point.

  1. Is there a known approach, or any Frameworks to do this?
  2. What are the considerations here? And how do we address them?

Upvotes: 4

Views: 1518

Answers (2)

Imran Arshad

Reputation: 4002

You would write and expose the RESTful services for internal and external users the same way; however, when you do it for external clients, you have to be careful about some of the following points:

Security - If your API is secured, then how are we going to achieve this? We can leverage external identity providers to secure our APIs, e.g. Azure AD or Auth0 (https://auth0.com).

Limit call rate - If you want to cap the number of calls from external users, e.g. a free tier would only allow 100 req/min etc.

Sign-up process - For external users you need to take care of how they sign up to your services (acquire a token) in order to access them.

Scalable - Your APIs should be scalable.

HATEOAS - This is a very important REST principle. If you follow this pattern, your external users can explore your API in a better way by just following links (https://en.wikipedia.org/wiki/HATEOAS).

Open API - Your API should be very well documented, and Open API (Swagger) is very much a standard now (https://swagger.io/specification/).

You can do all these tasks yourself, or you can use any API manager to do that.

Upvotes: 2

Andy Guibert

Reputation: 42926

One concrete way to achieve this is with a REST API secured using JSON Web Tokens (JWT). On each REST endpoint, you can specify the roles that are allowed to call that endpoint.

For your use case, you could achieve this with a "system" role for internal callers, and unauthorized (i.e. no role) for external callers.

A framework you can use to achieve this is MicroProfile JWT, which might look something like this:

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.ApplicationScoped;
import javax.ws.rs.*;

@Path("/rank")
@ApplicationScoped
public class RankingService {

    // In-memory store so the class compiles and runs stand-alone;
    // a real service would persist rankings elsewhere.
    private final Map<String, Long> ranks = new ConcurrentHashMap<>();

    @GET
    @Path("/{playerId}")
    public long getRank(@PathParam("playerId") String id) {
        // get the ranking info for a player
        // anyone is allowed to do this
        return ranks.getOrDefault(id, 0L);
    }

    @POST
    @RolesAllowed({ "system" })
    @Path("/{playerId}")
    public void recordGame(@PathParam("playerId") String id,
                           @QueryParam("place") int place,
                           @HeaderParam("Authorization") String token) {
        // update player ranking information
        // only internal users are allowed to update ranks!
        // (the container checks the "system" role before this body runs)
        ranks.merge(id, (long) place, Long::sum);
    }
}

Here is a link to a talk that I gave at a conference that walks through securing a REST endpoint using MicroProfile JWT.

Upvotes: 0
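As an added illustration of how the role check behind @RolesAllowed plays out, here is a small Python model (not MicroProfile's code, nor the answer's own): it mints and verifies HS256 tokens with a constructed shared secret, reads roles from the "groups" claim as MicroProfile JWT does, and returns the status each call to the two endpoints above would get.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed demo secret (HS256 keeps the example offline; MicroProfile JWT
# normally verifies RS256 tokens against the issuer's public key instead).
SECRET = b"demo-shared-secret"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(subject: str, groups: List[str], ttl: int = 300) -> str:
    """Issue an HS256 JWT; the 'groups' claim carries the caller's roles."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "groups": groups, "exp": int(time.time()) + ttl}
    signing_input = header + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token: str) -> Optional[dict]:
    """Return the claims only if algorithm, signature and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # reject alg=none etc.
        return None
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    claims = json.loads(b64url_decode(p))
    return claims if claims.get("exp", 0) > time.time() else None

# Endpoint -> roles allowed, mirroring the @RolesAllowed usage in the answer.
ROLES_ALLOWED = {("GET", "/rank"): set(), ("POST", "/rank"): {"system"}}

def authorize(method: str, path: str, token: Optional[str]) -> int:
    """Status the container would answer with: 200, 401 (no/bad token) or 403."""
    required = ROLES_ALLOWED[(method, path)]
    if not required:          # public endpoint: anyone may call it
        return 200
    claims = verify_token(token) if token else None
    if claims is None:
        return 401
    return 200 if required & set(claims.get("groups", [])) else 403
```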
