Prairie.Code() Sessions tagged java

Secure by Design

As an industry we stand no chance against modern threats with our current development process and mindset. In this session we’ll learn how good design drives security and can help mitigate some vulnerabilities to outside threats. This includes putting security at the forefront when designing an application by ensuring dependencies are up to date, performing server-side validation and sanitization of all inputs, and running checks against our repository regularly, if not on every pull request.

Speaker

Matt Busche

Consultant, Nationwide Insurance

Beautiful SDK Design in Java for APIs

Abstract

Oftentimes Java SDKs for APIs look more like the API they represent than idiomatic Java.

This talk examines how great SDKs are built using design patterns.

It covers: enforced separation of Java API and implementation, use of generics, a caching layer, and hiding network traffic.

Description

The (now defunct) Stormpath SDK had a great design approach from its original author, Les Hazlewood.

It has an enforced separation of API and implementation. It does this by using the API module as a compile-time dependency and the implementation module as a runtime dependency.

It has a DataStore interface that makes heavy use of generics to support CRUD operations for all objects represented in the API. The implementation hides the actual network traffic and includes rich support for retry with backoff and error handling. Developers only ever have to deal with the DataStore, POJOs and method calls to "interact" with the API.

It also has a rich, interface-based caching layer. The default implementation is robust and suitable for single-JVM environments. It's easy to drop in a distributed caching layer, such as Redis or Hazelcast.

All of this combined makes this one of the best-designed SDKs in Java. In this talk, all these secrets are revealed against a completely different API: DigitalOcean's Droplet API. There are a few slides and lots of code, including some live coding.

Speaker

Micah Silverman

Senior Developer Advocate, Okta

Securing Java Microservices with Java JWT

Abstract

Micah will take you on a token-based journey. The talk covers what tokens are, looking at cryptographically signed tokens, using the JJWT library to create JWTs, mitigating CSRF attacks using JWTs, and establishing trust between microservices using JWTs. Some slides and lots of code.

Description

"Microservices are awesome, but they're not free" - Les Hazlewood, CTO Stormpath

This is a popular talk that I gave during my motorcycle road trip up and down the east coast. While I work for Stormpath, there are no Stormpath dependencies in the code. It's an example that uses Spring Boot with Spring Security and the open-source JJWT.

In the first part of the talk, I introduce JWTs and their utility by replacing the default CSRF functionality in Spring Security with a custom one that uses JWT. It demonstrates how, in addition to doing a "dumb" equals match for the submitted token and the one on record, a JWT can be inspected for expiration. This makes it so that you can have a form, protected by CSRF, that must be submitted within a certain period of time.

In the second part of the talk, I have a Spring Boot microservices example. I run two instances of the example and demonstrate how they initially do not trust signed JWT messages between each other. I then discuss how to establish trust between these microservices (by registering the public keys of each with each other) and then show how they now will trust messages. Finally, I talk about and demonstrate a more modern approach to microservices using Kafka messaging as the backbone rather than HTTP.

Here's a blog post I wrote on the subject as well.

Speaker

Micah Silverman

Senior Developer Advocate, Okta

Reactive for the Impatient (A Gentle Intro to Reactive Programming and Systems)

As Java is an object-oriented language that inherently supports the imperative programming style, asynchronicity presents a challenge that can turn the code into a nightmare. One way to deal with the complexity of asynchronicity is to introduce reactivity at the coding level (reactive programming), and/or to handle it at the design and architecture level (reactive systems design).

This talk presents to the audience a few of the major Java-based reactive frameworks and toolkits in the market today, such as RxJava, Spring Reactor, Akka, and Vert.x. It will start by going over the basic tenets of reactive systems, and some examples of the problems that these systems aim to solve. It will discuss the two most commonly used Java frameworks for implementing reactive coding, RxJava and Spring Reactor, and will show some code samples. It will then bring the audience to the next level of "reactivity" by introducing two reactive frameworks, Akka and Vert.x, which are usually used for implementing reactive microservices. It will draw some comparisons between these two frameworks and cite some real-life examples of their usage.

The takeaways for the audience will be an understanding of the key differences between reactive programming and reactive systems, and the strengths and weaknesses of each of the surveyed frameworks.

Speaker

Mary Grygleski

Developer Advocate, IBM