WSO2 API Authentication for multiple users

I need to add multiple credentials for one API in WSO2 MI. How can I achieve this?

If you want to allow a selected set of users to access an API, you may have to use role-based authorization: you can create a role in MI, assign this role to the users you wish to give access to, and then whitelist this role in the API. For this, you can use this Custom Handler and engage it as shown below.
<handler class="com.ycr.auth.handlers.AuthorizationHandler">
    <property name="roles" value="admin,test" />
    <property name="authorize" value="true" />
</handler>
You can read more on this here.

Related

How to map LDAP Usergroups to Wildfly roles

We have a Java EE application running on WildFly 18. Authentication is done by a Kerberos security-domain (com.sun.security.auth.module.Krb5LoginModule). This works just fine.
Now we need to know whether the authenticated user belongs to a certain user group in LDAP.
Any idea how to do that? I assume we need to configure an LDAP connection and then somehow map LDAP user groups to WildFly roles, but I have no clue where to start.
Thank you very much for any help or direction.
I had a similar problem to yours.
In my case I first needed to migrate from legacy security to Elytron. In Elytron, loading users and groups is the first step, and then you have the opportunity to map roles to whatever you want using role-mappers.
<security-domain name="ApplicationDomain" default-realm="ApplicationRealm" permission-mapper="default-permission-mapper">
    <realm name="ApplicationRealm" role-decoder="groups-to-roles" role-mapper="KeepMappedRoleMapper"/>
    <realm name="local"/>
</security-domain>
...
<mapped-role-mapper name="KeepMappedRoleMapper" keep-mapped="false" keep-non-mapped="false">
    <role-mapping from="SOURCE_GROUP" to="TARGET_GROUP"/>
</mapped-role-mapper>

Add authentication to an existing API using WSO2 AM

I have created an API using WSO2 EI that looks like https://localhost:8243/services/ABC.
Then I want to create another API that uses the above API as its endpoint in order to add authentication. How can I pass values to the URL pattern and endpoint to get that?
When the URL pattern is /xyz and the endpoint is https://localhost:8243/services/ABC, it points to https://localhost:8243/services/ABC/xyz, which is not my endpoint.
Thank you so much!
You can attach a custom sequence to the API.
<sequence xmlns="http://ws.apache.org/ns/synapse" name="header_sequence">
    <property name="REST_URL_POSTFIX" scope="axis2" action="remove"/>
</sequence>
This drops the resource so that it is not appended to the path.
Please refer to https://apim.docs.wso2.com/en/latest/deploy-and-publish/deploy-on-gateway/api-gateway/message-mediation/mapping-the-parameters-of-your-backend-urls-with-the-api-publisher-urls/#mapping-the-parameters-of-your-backend-urls-with-the-api-publisher-urls
As per my understanding, you are trying to invoke the backend https://localhost:8243/services/ABC via the API created in APIM. You can try out the following to achieve it:
In the API created in APIM, you can simply add the URL https://localhost:8243/services as the endpoint and then create a resource path as /ABC.

Replicated API in multiple backends WSO2 API Manager

I have one API replicated in multiple backends. I don't have any condition that can differentiate between backends. I tried to use dynamic endpoints and change the message mediation flow:
https://apim.docs.wso2.com/en/latest/deploy-and-publish/deploy-on-gateway/api-gateway/message-mediation/changing-the-default-mediation-flow-of-api-requests/
However, the only difference between requests is the IP address of the backend server:
https://{uri.var.host}/resource
I'm thinking of creating the API each time and changing the endpoint address, but this solution can be complex as I will have the same API replicated many times (around 100) in the WSO2 API Manager. Is there any other solution that can fit my use case?
We can make use of Dynamic Endpoints to achieve your requirement. However, the client applications need to send either a param or a header that the mediation sequence can use to filter and construct the BE server URL and route the requests in the API Manager.
If the client applications can send a header specifying a unique (server) name or any other value while invoking the API, we can use the key to filter (or perform a switch case operation) and construct the BE server URL in the mediation sequence and route them to the respective BE services. Refer to the following Docs for more information.
A sample mediation sequence will be as follows (the client application will be sending a header named X-ServerName with a name):
<sequence xmlns="http://ws.apache.org/ns/synapse" name="dynamic-endpoint-seq">
    <!-- extract the name from the header -->
    <property name="server_name" expression="$trp:X-ServerName" />
    <!-- switch case for all applicable names -->
    <switch source="$ctx:server_name">
        <case regex="server-one">
            <property name="service_ep" value="http://server-one-ip/resource"/>
        </case>
        <case regex="server-two">
            <property name="service_ep" value="http://server-two-ip/resource"/>
        </case>
        <default>
            <property name="service_ep" value="http://server-default-ip/resource"/>
        </default>
    </switch>
    <header name="To" expression="get-property('service_ep')"/>
</sequence>
Dynamic Endpoints in API Manager
Switch Mediator in WSO2

Is it possible to protect single procedure with multiple security test in Adapters IBM Worklight

I am creating an app and I have added Android and Mobile webapp as Worklight Environments, which means I want to use the same app as a webapp (by using its URL). I am creating 2 separate security tests: one is a Mobile security test and the other is a Web security test, but my Adapter procedures are common (e.g. procedure1). So is it possible to apply two security tests to one single procedure? This is what I tried, but it didn't work.
Following is my Mobile security Test
<mobileSecurityTest name="BankingTest">
    <testDeviceId provisioningType="none" />
    <testUser realm="BankingRealm" />
    <testDirectUpdate mode="perSession" />
</mobileSecurityTest>
Following is my Web security Test
<webSecurityTest name="BankingWebTest">
    <testUser realm="BankingWebRealm"/>
</webSecurityTest>
Following is how the procedure is protected in the XML file
<procedure name="getDetail" securityTest="BankingTest"/>
(It's working.)
But when I tried
<procedure name="getDetail" securityTest="BankingTest"/>
<procedure name="getDetail" securityTest="BankingWebTest"/>
--OR--
<procedure name="getDetail" securityTest="BankingWebTest;BankingTest"/>
it's not working.
My requirement is: I want to protect the same procedure with 2 different security tests. So please suggest what the better approach is and how.
I don't think that you can use more than one securityTest to protect the same procedure or resource.
I don't think that you need a separate realm for web and mobile.
Additionally, you cannot set more than one securityTest per procedure.
Consider not using two realms if not required and then use a custom securityTest instead of one for web and one for mobile.

Switch Authentication Handler in Authentication Manager

I know there are a hell of a lot of docs about Spring Security. However, I am unable to find an answer to my problem.
As I understand, the configuration below will make the authentication manager traverse each authentication provider until a match is found.
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
    <property name="providers">
        <list>
            <ref local="ldapAuthenticationProvider"/>
            <ref bean="${bean.daoAuthenticationProvider}"/>
            <ref bean="anonymousAuthenticationProvider"/>
        </list>
    </property>
</bean>
However, I want to switch among the available providers based on a request parameter, instead of trying all of them. I was wondering if it's possible to switch using a filter or any other way?
Subclass ProviderManager and override getProviders(). Because getProviders() doesn't take any params you'll need to set a ThreadLocal somewhere in the filter chain with either the request or a flag that the request has the parameter you want.
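
The approach in the answer above, as an added example that is not code from the original posts or from Spring Security itself: a filter stores the request parameter in a ThreadLocal, and a ProviderManager subclass reads it in getProviders(). It assumes the Spring Security 2.x package named in the question's configuration and the javax.servlet Filter API; AuthSourceHolder, AuthSourceFilter, SwitchingProviderManager, providersByKey and the authSource parameter are hypothetical names.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.servlet.*;
import org.springframework.security.providers.ProviderManager;

// Hypothetical holder for the provider key chosen by the current request.
final class AuthSourceHolder {
    private static final ThreadLocal<String> KEY = new ThreadLocal<String>();
    static void set(String key) { KEY.set(key); }
    static String get() { return KEY.get(); }
    static void clear() { KEY.remove(); }
}

// Register this ahead of the authentication filter in the chain.
class AuthSourceFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // "authSource" is an assumed parameter name, not one from the question.
        AuthSourceHolder.set(req.getParameter("authSource"));
        try {
            chain.doFilter(req, res);
        } finally {
            // Container threads are pooled: always clear, or the next request inherits the key.
            AuthSourceHolder.clear();
        }
    }
}

class SwitchingProviderManager extends ProviderManager {
    // Injected map of allowed keys to configured AuthenticationProvider beans.
    private Map<String, Object> providersByKey = Collections.emptyMap();

    public void setProvidersByKey(Map<String, Object> providersByKey) {
        this.providersByKey = providersByKey;
    }

    @Override
    public List getProviders() {
        String key = AuthSourceHolder.get();
        Object chosen = (key == null) ? null : providersByKey.get(key);
        // The parameter only selects among configured providers; an unknown or
        // missing key falls back to the full chain set through "providers".
        if (chosen != null) return Collections.singletonList(chosen);
        return super.getProviders();
    }
}
```

The bean definition still needs its `providers` list, since that list is the fallback chain; `providersByKey` is wired as an additional map property.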