security TLS

mTLS everywhere!

Security in one’s information system has always been among the most critical Non-Functional Requirements. Transport Secure Layer, aka TLS, formerly SSL, is among its many pillars. In this post, I’ll show how to configure TLS for the Apache APISIX API Gateway. TLS in a few words TLS offers several capabilities: Server authentication: the client is confident that the server it exchanges data with is the right one. It avoids sending data, which might be confidential, to the wrong ac

gRPC Spring Boot Apache APISIX

gRPC on the client side

Most inter-systems communication components that use REST serialize their payload in JSON. As of now, JSON lacks a widely-used schema validation standard: JSON Schema is not widespread. Standard schema validation allows delegating the validation to a third-party library and being done with it. Without one, we must fall back to manual validation in the code. Worse, we must keep the validation code in sync with the schema. XML has schema validation out-of-the-box: an XML document can declare a gr

authentication OpenID Connect OAuth Apache APISIX

Authenticate with OpenID Connect and Apache APISIX

Lots of companies are eager to provide their identity provider: Twitter, Facebook, Google, etc. For smaller businesses, not having to manage identities is a benefit. However, we want to avoid being locked into one provider. In this post, I want to demo how to use OpenID Connect using Google underneath and then switch to Azure. OpenID Connect The idea of an authorization open standard started with OAuth around 2006. Because of a security issue, OAuth 2.0 superseded the initial version. OAuth 2

Spring Security Open Policy Agent Architecture Solution Architecture

Make your security policy auditable

Last week, I wrote about putting the right feature at the right place. I used rate limiting as an example, moving it from a library inside the application to the API Gateway. Today, I’ll use another example: authentication and authorization. Securing a Spring Boot application I’ll keep using Spring Boot in the following because I’m familiar with it. The Spring Boot application offers a REST endpoint to check employees' salaries. The specific use case is taken from the Open

Architecture Software Architecture System Architecture Solution Architecture

The right feature at the right place

Before moving to Developer Relations, I transitioned from Software Architect to Solution Architect long ago. It’s a reasonably common career move. The problem in this situation is two-fold: You know perfectly well software librariesYou don’t know well infrastructure components It seems logical that people in this situation try to solve problems with the solutions they are most familiar with. However, it doesn’t mean it’s the best approach. It’s a bad one in most ca

Java Kotlin

Null safety: Kotlin vs. Java

Last week, I was at the FOSDEM conference. FOSDEM is specific in that it has multiple rooms, each dedicated to a different theme and organized by a team. I had two talks: Practical Introduction to OpenTelemetry Tracing, in the Monitoring and Observability devroomWhat I miss in Java, the perspective of a Kotlin developer, in the Friends of OpenJDK devroom The second talk is from an earlier post. Martin Bonnin did a tweet from a single slide, and it created quite a stir, even attracting Brian Goe

Apache APISIX security

Securing Admin access to Apache APISIX

API Gateways are critical components in one’s infrastructure. If an attacker could change the configuration of routes, they could direct traffic to their infrastructure. Consequences could range from data theft to financial losses. Worse, data theft could only be noticed after a long time by mirroring the load. Hence, protecting your API Gateway is of utmost importance. In this short blog post, I’ll list a couple of ways to secure your Apache APISIX admin access. Change admin toke


Learning by doing: An HTTP API with Rust

When I started working on this post, I had another idea in mind: I wanted to compare the developer experience and performance of Spring Boot and GraalVM with Rust on a demo HTTP API application. Unfortunately, the M1 processor of my MacBook Pro had other ideas. I'm trying to compile a *very* simple #SpringBoot #Kotlin webapp with #GraalVM native image. I'm using Liberica NIK via Docker on a M1 Mac. Compilation seems to be stuck. Anybody has a clue about what happens/how to pinpoint the


The quest for REST

Since I started working for Apache APISIX, I have tried to deepen my understanding of REST via various means. Did you read my review of API Design Patterns book? In the current literature, REST is generally promoted as the best thing since sliced bread. Yet, it comes with lots of challenges. In 2010(!), Martin Fowler wrote a post on the glory of REST. He lists three steps for an API to become truly REST: In each of these steps, issues lurk. This blog post focuses on listing some of them an

API design pattern

API Design Patterns

I already mentioned how I’m trying to get to speed in the API world: reading books, viewing relevant YouTube videos and reading relevant IETF RFCs. Facts 30 chapters, $35.00The author is a Principal Software Engineer at GoogleHe’s also the author behind Chapters IntroductionDesign principlesNamingResource scope and hierarchyData types and defaultsFundamentalsResource identification: How to identify resources in an APIStandard methods: The set of standard