You now have a working model of the website running as an SPA that calls for data via RESTful APIs hosted on AWS Lambda and served from Amazon API Gateway. These data feeds are considered public because the user does not need to be signed in or provide credentials to call the API. In this exercise, we will look at how to require authentication for API calls, and at the use of API Keys to enforce call-rate throttling and quota management. To demonstrate, we will use a Java client application, which also shows how you can consume the auto-generated Java SDKs in your applications.
Create Response Model for the TripSearch API
In order for the SDK generator to create the appropriate classes for a strongly-typed language like Java (as opposed to JavaScript, for example), we need to tell API Gateway what the shape or schema of the request/response objects looks like. In the TripSearch API, we are using the GET method for each of the three API calls. Therefore, there is no schema for inbound requests, because the city parameter is passed as part of the URL. If we instead changed the method to POST, we would need to pass the city parameter in the body payload, and would need to create a model for this object schema so that the code generator could create a Java class for us to bind to.
The result data from the API calls is returned in the body of the response. In order for the code generator to create an appropriate class to represent this response, we need to create a response model, and set it as the method response model.
The example API consumer will time how long each call to the API takes, and display the results. It will make a maximum of 100 calls as quickly as it can.
If we had many of these clients consuming the API rapidly, we could overwhelm the provisioned infrastructure, so we need some way of throttling calls. We can use Usage Plans to do this.
Since you have set the /tripsfromcity/{GET} endpoint to require an API Key, but have not actually set an API Key in the client application, you will see a Forbidden error.
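The two failure responses this exercise produces, Forbidden for a missing or invalid API key and a slow-down error once the usage plan's rate is exceeded, call for different client handling. The following is an added example, not part of the workshop code or the generated SDK: it uses the JDK's own HTTP client against a local stub standing in for API Gateway, and assumes the gateway's x-api-key header and its 403 and 429 status codes. The key, city and class name are constructed.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.http.*;
import java.util.concurrent.atomic.AtomicLong;

public class ThrottleDemo {
    static final String VALID_KEY = "constructed-demo-key"; // constructed, not a real key

    public static void main(String[] args) throws Exception {
        // Local stand-in for the gateway: 403 on a bad key, 429 above 1 call per second.
        AtomicLong lastAccepted = new AtomicLong(0);
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/tripsfromcity", ex -> {
            String key = ex.getRequestHeaders().getFirst("x-api-key");
            long now = System.currentTimeMillis();
            int status;
            if (!VALID_KEY.equals(key)) status = 403;                 // missing or invalid key
            else if (now - lastAccepted.get() < 1000) status = 429;   // over the rate limit
            else { lastAccepted.set(now); status = 200; }
            ex.sendResponseHeaders(status, -1);                       // -1: no response body
            ex.close();
        });
        stub.start();
        URI uri = URI.create("http://127.0.0.1:" + stub.getAddress().getPort()
                + "/tripsfromcity/ExampleCity");                      // constructed city value
        System.out.println("valid key            -> " + call(uri, VALID_KEY));
        System.out.println("immediate second call -> " + call(uri, VALID_KEY));
        System.out.println("key with '.' appended -> " + call(uri, VALID_KEY + "."));
        stub.stop(0);
    }

    // Returns the final status. Only 429 is retried (exponential backoff, at most
    // 5 attempts); 403 is returned at once because retrying a rejected key cannot succeed.
    static int call(URI uri, String apiKey) throws Exception {
        HttpClient client = HttpClient.newBuilder().version(HttpClient.Version.HTTP_1_1).build();
        HttpRequest req = HttpRequest.newBuilder(uri).header("x-api-key", apiKey).GET().build();
        long delayMs = 250;
        for (int attempt = 1; ; attempt++) {
            int status = client.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
            if (status != 429 || attempt == 5) return status;
            Thread.sleep(delayMs);
            delayMs *= 2;
        }
    }
}
```

The second call is throttled at first and succeeds after backing off, while the altered key fails immediately with 403 and is not retried.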
Set the API Key in the client code and re-run the API consumer application with throttling enabled
Click API Keys
Click SDKClient
In the API Key section, click show to show the auto-generated API key
Save the API key in the API key section
In the Eclipse IDE, open the file whose path is /src/main/java/idevelop/api/tripsearch/sdk/app/App.java
Replace <REPLACE_WITH_API_KEY> with the API key value we saved in step 30
In the same file, locate the commented-out call to apiKey(API_KEY) in the TripSearch builder call. Now that you have required an API Key in the API Gateway call, the SDK created for you contains a call that allows the key to be set. If you have no API Key requirements, the code generator does not emit this functionality, which is why the call is commented out in the provided code. You need to enable the call in the client code so that the API Key is set correctly. You may have to run a Maven Update on the project to pick up .apiKey, because we updated the jar in the last step and Eclipse may not have picked it up.
Save
In the Eclipse IDE, right-click on the TripSearch-sdkClient project
Click Maven
Click Update Project…
In the Command Prompt, execute the following command
mvn package
34. In the Command Prompt, execute the following command
35. You will now periodically start receiving errors requesting that you slow down the call rate. This is because we set a maximum call rate of 1 call per second per API key. You will see an output
36. As an experiment, edit the API_KEY you have set in the App class (for example, add a period at the end) so that it becomes invalid. Re-run the app and notice that you now receive a Forbidden message. This is because you set the API Key as required for calls to /tripsfromcity.
37. In the Command Prompt, execute the following command