How many cross-cutting concerns need to be implemented in order to bring services built with other frameworks or
languages into light ecosystem?
As of today, light platform only supports Java but some big customers have multiple LOBs with different preferred
languages or frameworks. We were constantly asked how to bring services built with other languages or frameworks
to the light ecosystem so that these services can interact with each other.
We have a long term plan to provide Nodejs, Go, DotNet Core and Rust frameworks but it will take time. Meanwhile,
the following is a list of cross-cutting concerns that are mandatory.
Light platform utilize OAuth 2.0 JWT token with scopes for security. A security validator needs to be implemented
to verify the signature of the JWT token as well as comparing specification defined scopes with JWT token scopes.
This means that the service needs to load the specification during runtime in order to do the comparison. Also, it
needs to have a plugin architecture to support fine-grained authorization within business context based ont the
custom claims in the JWT token.
For maximum security, two tokens (subject token and access token) need to be supported at least. Token exchange and
token chaining are optional.
Before the request reaches the business handler, it needs to be validated based on the specification. Only valid
requests will reach the business handler. The error handling is fail fast and this reduce the attack surface and
won’t expose business handler to invalid request.
Traceability and Correlation
The service needs to generate correlationId and pass traceabilityId (If passed in) and correlationId to the next
service. All logging statements should have the traceabilityId and correlationId in order to diagnose production
Logging need to be sent to a centralized server for indexing, alert, monitor and search. TraceabilityId and correlationId
will help to link logs for the same external request together.
Metrics need to be collected and send to a centralized time serial database. The information needs to be collected
from both consumer perspective and provider perspective. Multiple dimensional data need to be collected in each category.
For enterprise level services, a centralized auditing is needed. It can be separate log file or database and it is
better to give an plugin interface so that different team can choose their implementation.
There must be an exception handler to capture all exceptions and convert them to formatted error messages. This include
both checked exception and runtime exception. It is not allowed to return 500 error with stacktrace to the caller.
Service needs to register itself to a centralized registry so that consumers can find it. There are vary tools for service
registration but Consul is the most popular one.
Need to provide a consumer module which can do service discovery, client side load balance and cluster support. The module
is responsible for retrieving/renewing JWT token from OAuth 2.0 provider. It is best for the consumer module to support
HTTP 2.0 in order to leverage the high performance with other services.
Every service needs to expose a health check endpoint so that registry service and pull to maintain a list of healthy
instances. If Kubernetes Ingress is used, it needs this endpoint as well for load balancing.
A pair of encryptor and decryptor to hide password or passphrase in config files.
Above are mandatory and here is a list with optional cross-cutting concerns. They are not mandatory for all services, but
nice to have for most of the services.
An utility that can mask sensitive info like credit card etc. before logging into file system based logs or database logs.
Remove cross site scripting risks from incoming request for certain APIs.
For Internet facing APIs
Cross-Origin Resource Sharing support to handle the in-flight options request.
To change the configuration of service outside of docker container.
There are a lot of details on each cross-cutting concerns. If you are working on a framework that want to integrate
with light-platform, we can help or work together with you.