Implementing a public API in java. What framework?

views:

answers:

Implementing a public API in java. What framework?

Hi everyone,

I'm currently working on implementing the public API of our web application. The application is written in Java.

This is a financial application deployed on Tomcat. My users can manage their sales, customers, purchases, inventory, etc. It's a pretty huge application. The font-end is written in Java/GWT. The backend is written in Java s well. We use the GWT-RPC mechanism between.

What we want is to provide a way to access the financial data (read + write) via a public API. This way, developers will be able to better integrate their application (like a payroll application).

We don't use any framework. No Spring, grails, whatever. Also, no Hibernate, JPA, etc. It's a pretty old app, with lot of proprietary code for the ORM, XML-> javabean. authentication, etc. Cannot change all of that as the application is already in production and it just works that way.

The API infrastructure will be on a different sub-domain and on a different server.

The API should use Oauth to authenticate the users.

I looked into Grails, Play!Framework and Restlet to achieve my goals

Does anyone have some thought on them? Am I going in the wrong way with those frameworks? Is there another framework to look at?

Thank you all

I have some thoughts yes. Financial applications tend not to use OAuth. To be clear: nobody with vulnerable data uses OAuth. That includes privacy, medical and financial data.

Stephan Eggermont 2010-08-24 20:10:25

Is there a specific vulnerability in OAuth you are aware of?

Justin 2010-08-24 20:14:19

Hi Stephan,thank you for the answer.Clearly, I will not let my users authorize any application to access their data. The admin would grant certain application to access certain users' data.But maybe, I could use signed http calls to ensure security (ala AWS). Oauth is not that much of a requirement to me. If it's not the right way to go, I will use another way

Thomas 2010-08-24 20:18:15

http://news.slashdot.org/story/10/07/16/1753232/OAuth-OpenID-Password-Crack-Could-Affect-Millions

Stephan Eggermont 2010-08-24 20:24:28

A timing attack is more of an implementation detail then a protocol problem. I think you original point is that the basic problem which OAuth solves is not suitable for financial data. To that I would say constrained delegation is absolutely applicable for medical data, and exactly what every patient wants.

Justin 2010-08-24 20:38:34

+1 A:

I'd recommend following the example of Amazon and such and expose that API as web services, without regard for UI. Your have a further choice about SOAP versus REST. I think you'll find that REST will be simpler for your clients, because they only need to know about HTTP.

This doesn't mandate the use of any frameworks if you choose not to. The back end will work regardless of whether or not you use Spring, Hibernate, Grails, etc.

You'd have to rework the application you have to call the services if you wanted true reuse, but it might be worth it in the long run. Both your UI and clients would be using a common back end API that way.

duffymo 2010-08-24 20:14:54

thank for your thought. The amazon way was one of my option.Yes, we want to unify the back-end. The API would become the unique entry-point to the business logic. That's the plan.

Thomas 2010-08-24 20:27:42

If you're going to expose read/write to a Java-based financial services application over the public internet, I would look at SOAP-based web services with JAX-WS as there is a pretty mature security spec in WSS and the API is relatively easy to use and may not require much in the way of changes to your existing app.

REST is perceived as easier in general but for this type of application you might find your target audience is more familiar with SOAP anyway. All depends who your target audience is and exactly what you're trying to achieve, but worth considering.

Brabster 2010-08-24 20:15:31

Thank Brabster. But, since I started playing with the 3 frameworks I mentioned, JAX-WS looks over-complicated to me. Grails offers some pretty great security as well, isn't it?

Thomas 2010-08-24 20:21:43

I'm not familiar with Grails myself I'm afraid. If you've already looked at JAX-WS then that's great, if you hadn't it would be worth checking out.

Brabster 2010-08-24 20:25:33

I will check it more deeply. I don't want to put aside any option. And since we talk about financial data, security is one of the most (if not the most) important criteria.thank you

Thomas 2010-08-24 20:28:58

What kinds of deployment environments do you expect to use this API. That might narrow it down, the standard answer if you have absolutely no idea who your client is, is still supposedly SOAP (since so many people know and accept the buzzword).

Justin 2010-08-24 20:19:54

My Application is a Saas Application deployed on Amazon EC2/S3/SQS.Developer who might be interested in integrating their apps with mine use PHP mostly, Ruby and java.

Thomas 2010-08-24 20:24:01

Interesting ... OAuth has bindings for all those platforms, what is your security model? Is the user in control of the data or is it a back channel agreement between you and a service provider? For back channel stuff I would just use SSL mutual auth as the mechanism.

Justin 2010-08-24 20:41:21

The user is in the control of the data. Their is no such a thing as a backchannel agreement.

Thomas 2010-08-24 20:48:52

ansaurus

tags:

views:

answers:

Implementing a public API in java. What framework?

related questions