The latest from the Apiman Blog

The Apiman blog presents the latest Apiman release news and insights. We also share relevant API and software engineering content that we think you will find interesting.

Re-Publishing Your API(s)

Date: 2016-02-24 09:30:00. Author: eric_wittmann. Tags: apiman, 1.2.x, gateway

An early design decision we made in apiman was to not allow APIs to be re-published to the Gateway. The reasoning was that Client Apps may have established Contracts with the API, and thus have agreed to specific terms and conditions (whether implicit or explicit). Therefore, we shouldn’t allow the API provider to modify those terms and re-publish the API, as it may violate the agreement.

However, we later added the concept of a Public API, which allows any client to invoke it without first creating a Contract. It is clear that API providers should be able to re-publish a Public API (presumably after changing the API’s configuration).

Apiman 1.2 - Improvements to Plugin Management

Apiman is not only preconfigured with a rich set of policies that you can use, right out of the box, but, from its earliest releases, apiman has also included a mechanism that you can use to define your own custom policies through plugins. This article describes the improvements introduced in apiman release 1.2.x that enable you to better manage your custom policy plugins.

apiman, introduction, overview, plugin, management

Apiman 1.2.1 Export and Import

The Question you Dread

If you use a computer at home or at work, you’ll eventually find yourself in a situation where you lose some important data and, while you are trying to recover it, someone asks you a question that is simultaneously annoying and terrifying:

"Did you make a backup?"

Happily, the 1.2 release of apiman includes a new feature that enables you to export and import your apiman data and provides you with an easy means to create apiman data backups. In this post, we’ll take a look at the new export/import feature, and how you can use it for a variety of tasks to protect your data, make your life easier, and enable you to avoid annoying and terrifying questions.

apiman, introduction, overview, backup, export, import

Apiman Names Have Been Changed to Protect the Guilty

Recently we released version 1.2 of apiman and part of that release includes an effort to rename some concepts to make them more clear (or to better align them with industry standard terminology). Read on below the fold to find out what changed!

apiman, 1.2.x

Cover yourself up! Protecting your APIs with mutual auth

The last thing you want after carefully setting up your system with apiman is for someone to be able to call around the gateway and hit your APIs directly. The typical solution for this is to lock down your network so that the only publicly accessible part is the apiman gateway, whilst APIs are hidden in the private part of the network, which apiman can access but someone in the outside world cannot. However, in some situations, such as the cloud, fine-grained network controls may not be available; or you may wish to have an additional layer of security to be reassured that no funny business is going on (such as imposters).

The class of solutions to this problem generally falls under the banner of mutual authentication. One such mutual auth offering apiman supports is Mutually Authenticated TLS[1].


[1] Also commonly referred to as MTLS, MSSL, 2WAY, client authenticated TLS/SSL, or two-way SSL, amongst other names!

gateway, security, mutual-auth, ssl, mtls, 1.2.x

Keycloak and dagger: Securing your APIs with OAuth2

One great advantage of API Management is centralising auth concerns, thereby avoiding burdensome reimplementation issues and streamlining your security processes. The good news is that you can easily configure apiman to handle many common auth use-cases, such as OAuth2 with our popular Keycloak OAuth2 policy, which I’ll outline in this blogpost.

gateway, security, oauth2, keycloak, authentication, authorization, 1.2.x

CORS? Of Course!

If you’re looking to define CORS policies in your API Management layer, then we have an official plugin that should be perfect for the job.

For those unfamiliar with CORS, it’s a way of precisely defining which remote origins may invoke an API’s resources, and how. Generally, due to the same-origin policy, a web browser will only allow the invocation of resources that reside on the same origin as the requesting page. This mitigates a range of malicious script attacks by preventing interaction with remote resources.

However, if we want our resource to be callable by some (or all) other origins, then we need to define a CORS policy which lets the user agent know what’s allowed.

security, plugin, policy, cors, 1.2.x

Finally! Apiman 1.2.1.Final is released!

It’s been ages since apiman had a new release! Well, the reason for that is we’ve been pushing to get the first version of 1.2.x out the door. I’m here to tell you - that day has finally arrived.

We’re happy to announce apiman 1.2.1.Final. Our goal is now to go back to our previous, more frequent, release schedule.

apiman

The More You Know: apiman microservices?

Let’s spend a bit of time learning more about one of the newer ways you can run apiman: as a set of microservices.

Running apiman in this way has several advantages, including (but not limited to):

  • Fast startup time

  • Fully decoupled

  • Easily debuggable from an IDE

  • Quick to test different configurations

  • Independently scale (esp. via fabric8/openshift/kubernetes)

microservices, development

Apiman Limiting Policies

In this, the sixth article in the series on apiman, JBoss' new API Management framework, we’ll examine how apiman enables you to govern access to managed APIs through the use of rate limiting policies.

The runtime core of apiman is the API Gateway and the policies that it applies to incoming requests to APIs. apiman is configured out of the box with a variety of policies that can be used to govern access to APIs managed by the API Gateway based on IP address, user authentication, and usage levels. From its first release, apiman has supported rate limiting policies, where the upper limit for use of an API could be governed by a policy. In its new 1.1.6 release, apiman has expanded this support to include quota based limiting policies.

policies

apiman Policy and Endpoint Security

In this, the fifth article in the series on apiman, JBoss’ new API Management framework, we’ll examine how apiman enables you to provide security for your managed APIs at the policy level, and at the endpoint level for its managed and unmanaged endpoints.

security

Plugins - Not Just For Policies Any More

As you may know, apiman has long supported custom policies provided by users. If you aren’t familiar with apiman plugins, you can find more about them by clicking here.

As of version 1.1.5.Final, plugins are now even more useful. You can provide custom implementations of various core apiman system components via plugins. This allows users to customize apiman easily, without any changes to the classpath and without rebuilding the core apiman application.

In this blog post I’ll explain how it works.

api-manager, api-gateway, plugins, development, maven