Which language should be used for Custom policies?

Hi,

I am trying to figure out in which languages I can write a policy. I can see we have Java callout and JavaScript policies available.

Can you please guide me which language should be used in which scenario?

Is there any performance impact based on the language being used?

As APIGEE is written in Java, does Java callout thus have a benefit over other languages?

How much of a performance implication is there in choosing any language?

Also, please let me know how it changes with APIGEE Edge vs APIGEE X.

Thanks & Regards

Amit

 

ACCEPTED SOLUTION

Hi Amit

You can use any of those languages. If I were an architect, I would make my decision on which language to choose, based on readability and maintainability of the team managing the platform.

JS and Python are scripts, which means you can "see" the code as it is, when attached to an API Proxy. It's simple and "transparent". Want to know what the code does? Just look in the resource file. Java, by contrast, uses JAR packaging, which means you need to compile and pre-package whatever logic you're using. You cannot "see" what the Java code is doing, unless you have access to the source code, which in any case is not part of the API proxy.

If you are performing encryption or other compute-intensive work, then Java is preferred, because it will perform better. For example, HMACs, or derivatives of same. Or any RSA-based crypto (signing or encrypting). If you are performing string manipulation, payload validation, or other simple tasks, then the performance difference between scripting (JS or Python) and Java will not be great.

In summary, base your selection decision on readability and performance, but consider performance only if you're doing numerically intensive computations.

Why is it still not recommended to use Java in the first place?

Because it's more work to package up a Java JAR than it is to simply write a script. Script is more readable.

Is it because of the risk people can add fat jars (including many third party) or is there any other reason?

I wouldn't say "there is a risk". If you use Java, then the responsibility to create small JARs is on you, and your team. So in that regard, there is a "cost" to using Java. It's more responsibility, YOUR responsibility, to ensure that the Java code is correct, efficient, and has minimal dependencies. It's not difficult to do, but it's a non-zero effort.
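
Since a callout JAR cannot be read the way a script resource can, one way to check the "small JAR, minimal dependencies" responsibility described above is to inventory what a JAR actually bundles before it goes into a proxy. This is an added example, not part of the original thread and not Apigee tooling; `audit_callout_jar`, `build_sample_jar`, the `com/example/` package, the platform prefix list and the size budget are all assumptions.

```python
import io
import zipfile
from collections import Counter

# Assumption: classes under these prefixes are supplied by the JDK or the
# Apigee runtime and should not be bundled into a callout JAR at all.
PLATFORM_PREFIXES = ("java/", "javax/", "com/apigee/")


def audit_callout_jar(jar, own_prefix, max_bytes=200_000):
    """Summarise a JAR (path or file object); max_bytes is a hypothetical budget."""
    own, total = 0, 0
    foreign = Counter()          # bundled third-party package -> class count
    platform, nested = [], []    # shaded platform classes, JARs inside the JAR
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            name = info.filename
            total += info.file_size
            if name.endswith(".jar"):
                nested.append(name)
            if not name.endswith(".class"):
                continue
            if name.startswith(own_prefix):
                own += 1
            elif name.startswith(PLATFORM_PREFIXES):
                platform.append(name)
            else:
                # Group by the first three package segments, e.g. org.apache.commons
                pkg = name.rpartition("/")[0] or "(default package)"
                foreign[".".join(pkg.split("/")[:3])] += 1
    return {
        "own_classes": own,
        "third_party": dict(foreign),
        "platform_classes": platform,
        "nested_jars": nested,
        "uncompressed_bytes": total,
        "over_budget": total > max_bytes,
        "minimal": not foreign and not platform and not nested,
    }


def build_sample_jar(entries):
    """Constructed sample input: an in-memory JAR with placeholder class bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf
```

Run against each JAR a proxy ships, a non-empty `third_party`, `platform_classes` or `nested_jars` entry is the cue to review what was packaged and why.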


REPLIES

I tried exploring more and found (at https://docs.apigee.com/api-platform/fundamentals/best-practices-api-proxy-design-and-development#po...) that we can have custom policies in JavaScript, Python & Java.

Kindly correct me if that is incomplete.

Also, it is mentioned that if performance is a concern, we should use Java.

I am a little confused: why is it still not recommended to use Java in the first place?

Is it because of the risk people can add fat jars (including many third party) or is there any other reason?

 

Thanks & Regards

Amit
