Development of a custom, lightweight API gateway in Java for secure access management and routing in REST APIs.

Mauricio Rea
https://orcid.org/0000-0002-2913-6759
Antonio Quiña Mera
https://orcid.org/0000-0003-2516-9016
Diego Trejo España
https://orcid.org/0000-0002-2973-4345

Abstract

This proposal outlines the design and development of a Java-based software artifact implementing a custom API Gateway to manage security and access control, replacing the need for JWT token systems. The proposal encompasses the definition of functional requirements, software design and architecture, implementation, and system deployment, aiming to offer a secure and efficient solution for communication and control between clients and a REST API. The Design Science Research (DSR) methodology was applied, focusing on the design and implementation process of the software product, which enables secure integration between a client and a REST API. Security in web applications and REST API architectures is essential to protect system integrity, confidentiality, and availability in an increasingly threat-exposed digital environment. Additionally, the Scrum methodology facilitates agile and collaborative project management, ideal for iteratively and adaptively implementing security solutions. During the design and coding phases in Java, the custom API Gateway is defined to manage incoming requests and safely route traffic to REST APIs. The custom API Gateway incorporates features such as authentication, user role validation, and request logging. Simple endpoints are created on the REST API to ensure seamless communication with the gateway. This proposal provides a robust solution for managing security and access control in distributed applications. By using the API Gateway instead of JWT tokens, the system centralizes security and authentication efficiently, enhancing fault tolerance and maintaining stable performance.

Article Details

Section

Information and Electronic Engineering

How to Cite

Development of a custom, lightweight API gateway in Java for secure access management and routing in REST APIs. (2026). INNOVATION & DEVELOPMENT IN ENGINEERING AND APPLIED SCIENCES, 8(1), p. 14. https://doi.org/10.53358/ideas.v8i1.1171
