Basic Concepts - shephertz/App42_APIGateway_Docs GitHub Wiki

Basic Concepts

API Gateway is a simplified solution for developing, managing and deploying APIs for your enterprise. API Gateway allows you to create an API on the fly with services wrapped around it, such as Authentication, Authorization, Security, Analytics, Provisioning, Orchestration, Mediation, Auditing and client SDK generation.

API Type

With App42 API Gateway you can create different types of APIs. The following points explain these types in detail. See Here for Creating API

Proxy Type

If you have an internal API running inside your organization, or any other backend server, you can configure a Proxy API for it. Here API Gateway sits between your backend/internal API and your end user and provides all the configured services of API Gateway. The client calls the end point of API Gateway without knowing any internal details of your backend/internal API. Once API Gateway receives a request, it validates the request against all configured Rules and the applied Policy (for example, checking Authentication). If the request is validated, the Gateway Server makes a call to your internal API on behalf of your client and sends the received response back to the client.

JAVA API Type

If you want to make your own API by writing the code, you can use this type of API. This API is created by passing your Java code inside a JAR file to API Gateway. You write your business logic in the Java source by implementing the com.shephertz.app42.paas.customcode.Executor interface. After creating this type of API, it gets deployed on API Gateway as an HTTP end point and can be accessed from your client. When the client makes a call to this API, API Gateway first validates the request against all your configured Rules and Policies. If the request is validated, API Gateway invokes the Java method and returns the response received from the method to the client.

Database Connector Type

If you have a legacy database and want to expose that data to the outside world through an API, you can use this type of API. This API supports MySQL, Oracle, MSSQL and MongoDB databases. You pass your DB query and other configuration while creating the API. For a validated client request, API Gateway makes a database call for the given query and returns the query result set to the client in JSON/XML format.

SOAP API Type

SOAP API Type is similar to Proxy Type. It accepts the WSDL URL of your internal SOAP API and exposes its operations through API Gateway. All SOAP requests first fall on API Gateway, where they are validated. If the request is validated, API Gateway makes a call to the internal SOAP operation and passes the response back to the client.

IAM

IAM (Identity Access Management) is logically a subscriber of your API, uniquely identified through its IAM credentials. These credentials are passed while making an API call. API Gateway uses these credentials to identify the caller and validates the request accordingly. IAM credentials include API Key, Secret Key and redirection URL. See Here for Creating IAM

Policies

API Policies can be used to apply a certain set of behavioural configurations to your APIs. These policies mainly include Authentication and Traffic types of policy and are explained below. See Here for Creating Policy

Authentication Policy

Authentication Policy can be used to apply authentication to your API. Currently App42 supports Key, OAuth and SAML types of authentication.

Key based Authentication Policy

Key based Authentication Policy uses the API Key and Secret Key to validate requests received at API Gateway. The API Key is passed in the request by the client while making the call and is used to identify the caller on the Gateway. The Secret Key is used to sign and validate the data (if Signature validation is enabled in the policy). The policy also has an option to validate the timeStamp passed in the request to protect against replay attacks (you have to enable the time stamp validation option and pass the timeStamp, in UTC format, in the request header while making the API call).
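The following is an added example (not code from the App42 project) showing how a gateway can enforce the three checks described above: identify the caller by apiKey, validate a signature made with the Secret Key, and reject stale timeStamps to stop replays. The signing scheme (HMAC-SHA256 over method, path, timeStamp and body), the ISO 8601 timeStamp format, the five-minute tolerance window and the header names are assumptions for illustration; App42 does not document them on this page.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample IAM credential store (apiKey -> secretKey); these are
# placeholders, not real App42 credentials.
CREDENTIALS = {
    "demo-api-key": "demo-secret-key",
}

# Assumed tolerance for timeStamp validation; the page does not state the
# window the gateway actually uses.
REPLAY_WINDOW = timedelta(minutes=5)

# Assumed "UTC format" for the timeStamp header (ISO 8601, second precision).
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_utc(value):
    """Parse a timeStamp string into an aware UTC datetime; None if malformed."""
    try:
        return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def canonical_string(method, path, timestamp, body):
    """Assumed canonical form: everything the signature must cover, so that a
    change to the method, path, timeStamp or body invalidates it."""
    return "\n".join([method.upper(), path, timestamp, body])


def sign(secret_key, method, path, timestamp, body):
    """Client side: HMAC-SHA256 over the canonical string keyed with the
    Secret Key. The Secret Key itself never travels in the request."""
    msg = canonical_string(method, path, timestamp, body).encode("utf-8")
    return hmac.new(secret_key.encode("utf-8"), msg, hashlib.sha256).hexdigest()


def validate_request(headers, method, path, body, now,
                     validate_signature=True, validate_timestamp=True):
    """Gateway side. `now` is the gateway clock as a TS_FORMAT string.
    Returns (accepted, reason)."""
    secret = CREDENTIALS.get(headers.get("apiKey"))
    if secret is None:
        return False, "unknown apiKey"

    timestamp = headers.get("timeStamp", "")
    if validate_timestamp:
        ts = parse_utc(timestamp)
        if ts is None:
            return False, "malformed timeStamp"
        if abs(parse_utc(now) - ts) > REPLAY_WINDOW:
            return False, "timeStamp outside replay window"

    if validate_signature:
        expected = sign(secret, method, path, timestamp, body)
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(expected, headers.get("signature", "")):
            return False, "bad signature"

    return True, "ok"


def demo():
    """A signed request, the same request replayed later, and a tampered body."""
    body = '{"qty": 1}'
    ts = "2024-01-01T12:00:00Z"
    headers = {
        "apiKey": "demo-api-key",
        "timeStamp": ts,
        "signature": sign("demo-secret-key", "POST", "/api/orders", ts, body),
    }
    return [
        validate_request(headers, "POST", "/api/orders", body, now=ts),
        validate_request(headers, "POST", "/api/orders", body, now="2024-01-01T12:10:00Z"),
        validate_request(headers, "POST", "/api/orders", '{"qty": 9}', now=ts),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the timeStamp is part of the signed string, a client cannot move a captured request into a fresh window without also re-signing it, which requires the Secret Key; that is why the two options work together rather than as independent checks.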

OAuth based Authentication Policy

App42 API Gateway supports OAuth 2.0 for authentication. You can use Authorization Code or Client Credentials as the Grant Type for your API. If the Grant Type is set to Client Credentials, you have to pass the IAM API Key and Secret Key as the client ID and client secret to get the access token. This can be done through any OAuth client library, or you can make a direct REST call to the URL (http://$GATEWAYURL/api/$ORGID/$VERSION/$APINAME/token) to get the access token.

For the Authorization Code Grant Type, you have to first get the authorization code (http://$GATEWAYURL/api/$ORGID/$VERSION/$APINAME/authorize) and then use this code to get the access token.

Once you have the access token, you pass it in your API call to App42 API Gateway for authentication. API Gateway does all the validation and authentication on it and allows the API call if the access token is valid.

See here for a step by step guide to getting the access token.

Traffic Policy

Traffic Policy helps you impose certain business rules on your API. For example, you want to block all traffic coming from a certain IP, or you want the burst limit on your API calls to be set to 10 Requests/Sec. Below are the parameters on which a traffic policy can be applied.

Burst Limit : Allowed peak requests/sec on your API. If you set the value to 10, it will only serve 10 API calls per second; the 11th call onward received in the same window of time will be dropped by the server. (Default Value : -1 (No limit at all))

Allowed Request Time : Maximum allowed request time for the API. A request taking more time will be cancelled by the Gateway and an error response will be sent to the client. (Default Value : 10 Seconds)

White List IP : IPs which are allowed to access the API. Specify 0.0.0.0 to white list all. (Default Value : 0.0.0.0)

Black List IP : IPs which are not allowed to access the API. Only applicable if the White List value is 0.0.0.0. (Default Value : None)

Request Size : Allowed maximum request size on the API. (Default Value : -1 (No Limit))
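As an added example (not App42 code), the enforcement logic implied by the five parameters above, with the defaults they list: the burst limit counted in a fixed one-second window so that the 11th call in the same second is dropped, the black list consulted only while the white list is 0.0.0.0, and -1 meaning no limit. The fixed-window counter, exact-match IP comparison and the `admit`/`exceeded_request_time` split are assumptions about how a gateway would implement this; the page states the parameter semantics, not the algorithm.

```python
from dataclasses import dataclass

ALLOW_ALL = ("0.0.0.0",)  # the documented "white list everyone" value


@dataclass(frozen=True)
class TrafficPolicy:
    """The five Traffic Policy parameters with the documented defaults."""
    burst_limit: int = -1                # peak requests/sec; -1 = no limit
    allowed_request_time: float = 10.0   # seconds before the Gateway cancels
    white_list_ip: tuple = ("0.0.0.0",)  # ("0.0.0.0",) = everyone allowed
    black_list_ip: tuple = ()            # only consulted while white list is 0.0.0.0
    request_size: int = -1               # bytes; -1 = no limit


class TrafficEnforcer:
    """Assumed per-API enforcement: one counter per one-second window for the
    burst limit, exact-match IP lists and a byte-size cap on the request."""

    def __init__(self, policy):
        self.policy = policy
        self._window = None  # integer second of the window being counted
        self._count = 0      # calls already admitted in that second

    def admit(self, client_ip, body_size, now):
        """Decide before forwarding to the backend.
        `now` is a Unix time in seconds (float). Returns (allowed, reason)."""
        p = self.policy

        # White list takes precedence; the black list only applies when the
        # white list is left at its 0.0.0.0 default.
        if p.white_list_ip != ALLOW_ALL:
            if client_ip not in p.white_list_ip:
                return False, "ip not in white list"
        elif client_ip in p.black_list_ip:
            return False, "ip in black list"

        if p.request_size != -1 and body_size > p.request_size:
            return False, "request size exceeds limit"

        if p.burst_limit != -1:
            window = int(now)
            if window != self._window:
                self._window, self._count = window, 0
            if self._count >= p.burst_limit:
                return False, "burst limit exceeded"
            self._count += 1

        return True, "ok"

    def exceeded_request_time(self, elapsed_seconds):
        """Decide after forwarding: True means cancel and send an error."""
        return elapsed_seconds > self.policy.allowed_request_time


def burst_demo():
    """Constructed traffic: 12 calls inside one second against burst_limit=10,
    then one call in the next second. Expect ten True, two False, then True."""
    enforcer = TrafficEnforcer(TrafficPolicy(burst_limit=10))
    results = [enforcer.admit("203.0.113.5", 100, 100.0 + i * 0.05)[0] for i in range(12)]
    results.append(enforcer.admit("203.0.113.5", 100, 101.0)[0])
    return results


if __name__ == "__main__":
    print(burst_demo())
    gate = TrafficEnforcer(TrafficPolicy(black_list_ip=("198.51.100.7",), request_size=1024))
    print(gate.admit("198.51.100.7", 10, 1.0))    # blocked by black list
    print(gate.admit("203.0.113.5", 2048, 1.0))   # blocked by request size
    print(gate.exceeded_request_time(10.5))       # True: over the 10 s default
```

A fixed one-second window admits up to twice the burst limit across a window boundary (10 calls at the end of one second and 10 at the start of the next); a sliding window or token bucket removes that edge at the cost of more state, so the choice should match the traffic shape the policy is meant to cap.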

Rules

Rules can be used to do pre processing or post processing on your API. For example, you want to validate the input coming from Android devices (Client) before sending it to your API for processing, or you want to convert the format of the response received from your API before sending it to Android devices (Client). See here for creating rules

Pre Rules

Pre Rules can be used to apply pre processing on your API. Pre Rules are written in Java by implementing the com.shephertz.app42.paas.customcode.PreProcessRuleExecutor interface. You have to override the method preProcessExecute(HttpRequestObject arg0, HttpResponseObject arg1) to do the pre processing. Once you have written your Pre Rule, you can apply it by passing the JAR file containing your Pre Rule class. You also have to give the condition for calling this class. For example, you want to call this pre processing only for mobile devices; in this case you have to pass the User-Agent values in the request header for which this Pre Rule will be called.

Post Rules

Post Rules can be used to apply post processing on your API. Post Rules are written in Java by implementing the com.shephertz.app42.paas.customcode.PostProcessRuleExecutor interface. You have to override the method postProcessExecute(HttpRequestObject arg0, HttpResponseObject arg1) to do the post processing. Once you have written your Post Rule, you can apply it by passing the JAR file containing your Post Rule class. You also have to give the condition for calling this class. For example, you want to call this post processing only for mobile devices; in this case you have to pass the User-Agent values in the request header for which this Post Rule will be called.