Allow Apigee To-Go console from only one IP - api

I have designed an Apigee To-Go console and I want it to be accessible only from my server. Is that possible? I went through the Apigee access control policy but am unable to understand how to achieve that. Here is the link to the Apigee access control policy:
http://apigee.com/docs/api-services/reference/access-control-policy.

It is not possible to make the To-Go Console's URL private. It also cannot be accessed by everyone unless you share the actual URL. The policy you are looking at refers to the APIs configured under 'API Management' and has nothing to do with the To-Go Console.

Related

Accessing the Spinnaker Gate API when it is authenticated with Google OAuth 2.0

I have deployed the Spinnaker services and set up authentication using Google OAuth 2.0.
Now I want to access the Gate API from custom Node.js scripts.
So the question is: I do not know how to let my request/HTTP scripts access the Gate APIs without interactive Google auth actions, for example by setting a token in the request's header.
I have read the docs about the IAP part, but I really do not quite understand what I need to set up in Spinnaker and how I should write my request scripts.
Any help would be very much appreciated.
Thanks in advance.
Since you have already integrated OAuth in Spinnaker, verify whether your Gate service opens. Spinnaker Gate listens on port 8084 by default. The Spinnaker Gate URL would be something like https://:8084/swagger-ui.html#/ (or use "http://" if you are on HTTP).
It will ask you to log in. Try opening it; if it opens, your Gate is working fine. You can try out any Spinnaker API from this Swagger page too. It should work without a re-login, as you are already logged in.
Now, to call the APIs from code (or any script) you need to pass an access token in the header. Follow any standard OAuth 2 document for the procedure; you can take cues from here: https://www.jhanley.com/google-oauth-2-0-testing-with-curl/
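The approach from the answer above, written out as an added Node.js example (this is not code from the original post or from the Spinnaker project): a refresh token is exchanged for a short-lived Google access token, which is then sent to Gate as a Bearer token. It assumes, and this is an assumption rather than something the answer states, that Gate is configured to accept a Google OAuth 2.0 access token in the Authorization header, and that you already hold a refresh token for your OAuth client (for example from the curl procedure linked in the answer). Hostnames, the `/applications` path and the credentials are placeholders; `fetchImpl` and `now` are injectable so the logic can be exercised offline.

```javascript
// Added example, not code from the original post or from the Spinnaker project.
// Calls Spinnaker Gate from a Node.js script without an interactive Google login:
// obtain an access token and pass it in the Authorization header, as the answer suggests.
// Assumptions (labelled): Gate accepts a Google OAuth 2.0 access token as a Bearer
// token; you already hold a refresh token for your OAuth client; gateUrl and the
// client credentials are placeholders. Requires Node 18+ for the global fetch.

const GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"; // Google's real token endpoint

// refresh_token grant: trade the long-lived refresh token for a short-lived access token.
async function refreshAccessToken({ clientId, clientSecret, refreshToken, fetchImpl = fetch,
                                    tokenEndpoint = GOOGLE_TOKEN_ENDPOINT, now = Date.now }) {
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    client_secret: clientSecret,
    refresh_token: refreshToken,
  }).toString();
  const res = await fetchImpl(tokenEndpoint, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body,
  });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  const json = await res.json();
  if (typeof json.access_token !== "string" || !Number.isFinite(json.expires_in)) {
    throw new Error("malformed token response");
  }
  return { accessToken: json.access_token, expiresAt: now() + json.expires_in * 1000 };
}

// A Gate client that caches the access token and refreshes it a minute before expiry,
// so a script makes one token call per token lifetime rather than one per request.
function createGateClient({ gateUrl, clientId, clientSecret, refreshToken,
                            fetchImpl = fetch, tokenEndpoint = GOOGLE_TOKEN_ENDPOINT, now = Date.now }) {
  const SKEW_MS = 60 * 1000;
  let cached = null;
  let tokenCalls = 0; // how many times the token endpoint was hit (useful for checking caching)

  async function accessToken() {
    if (cached === null || cached.expiresAt - SKEW_MS <= now()) {
      cached = await refreshAccessToken({ clientId, clientSecret, refreshToken, fetchImpl, tokenEndpoint, now });
      tokenCalls += 1;
    }
    return cached.accessToken;
  }

  // GET a Gate path (e.g. /applications, assumed here) with the Bearer token; returns parsed JSON.
  async function get(path) {
    const res = await fetchImpl(new URL(path, gateUrl).toString(), {
      method: "GET",
      headers: { Authorization: `Bearer ${await accessToken()}`, Accept: "application/json" },
    });
    if (res.status === 401 || res.status === 403) {
      throw new Error(`Gate rejected the token (HTTP ${res.status}); check that Gate accepts bearer tokens`);
    }
    if (!res.ok) throw new Error(`Gate returned HTTP ${res.status}`);
    return res.json();
  }

  return { get, tokenCalls: () => tokenCalls };
}

// Usage (placeholders; credentials belong in environment variables, not in source):
// const gate = createGateClient({ gateUrl: "https://spinnaker.example.com:8084/",
//   clientId: process.env.GOOGLE_CLIENT_ID, clientSecret: process.env.GOOGLE_CLIENT_SECRET,
//   refreshToken: process.env.GOOGLE_REFRESH_TOKEN });
// gate.get("/applications").then((apps) => console.log(apps.map((a) => a.name)));

if (typeof module !== "undefined") module.exports = { refreshAccessToken, createGateClient };
```

A 401 or 403 from Gate with a valid Google token means Gate is not configured to accept bearer tokens from scripts, which is the part the question is really asking about; the client fails loudly on that case rather than retrying.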

How to restrict an API Gateway REST API to a CloudFront-hosted S3 website

I have hosted an S3 static site behind CloudFront. The site uses a REST API deployed in API Gateway. The API Gateway has no access control.
I want to protect my API from being accessed by others; only my static site should be able to access it. I know I can use an API key, but that could be exposed through the browser console, which is not what I want.
Is there another way to control access to my API?
Thanks in advance
I have a similar issue as well. It seems like using referer or CORS restrictions is the best way to go. However, in practice I haven't been able to make it work after trying both CORS and referer restrictions. API Gateway has automatic protection against malicious behaviour like DDoS attacks according to their FAQs, but it is disheartening that I haven't found a specific solution for protecting my API Gateway that is only used for my S3/CloudFront static site.
Google Cloud allows you to use their API keys on the frontend for integrations with services like Google Maps. The way they protect those keys is by restricting the API keys to certain domains. Unfortunately, I haven't found similar functionality for AWS keys. As you know, the only way to throttle or put quotas on API Gateway is through API keys, so it looks like this would be useless for a static site that can't expose those API keys publicly on the frontend.
It defeats the whole purpose of going completely serverless if I am unable to configure my serverless API Gateway the same way I could configure a normal backend EC2 server. For now, I've created billing alarms so I don't get surprised with a huge AWS bill if something goes wrong with my unprotected API Gateway.
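The "referer or CORS restriction" idea mentioned in the answer, written out as an added example (not code from the original question, the answer, or AWS): a Lambda REQUEST authorizer for the REST API that allows a call only when the browser-sent Origin header, or failing that the Referer, names the CloudFront site. The CloudFront domain, the alternate domain and the method ARN are placeholders. The caveat a practitioner needs is in the code as well: both headers are set by the client, so this stops other websites and casual scripts from reusing the API, not a caller who deliberately forges the header.

```javascript
// Added example, not code from the original question or from AWS.
// A Lambda REQUEST authorizer for an API Gateway REST API: the call is allowed only
// when the Origin header (or, for non-CORS requests such as top-level navigations,
// the Referer) names the CloudFront site. Caveat: both headers are client-controlled,
// so this blocks other sites and casual reuse of the URL, not a forged header.
// Hostnames below are placeholders.

const ALLOWED_ORIGINS = new Set([
  "https://d111111abcdef8.cloudfront.net", // placeholder CloudFront domain
  "https://www.example.com",               // placeholder alternate domain (CNAME)
]);

// API Gateway may deliver header names in any case; look them up case-insensitively.
function header(headers, name) {
  if (!headers) return undefined;
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns the scheme+host of the page making the request, or null when it cannot be
// determined. Origin is preferred because browsers set it on cross-origin fetch/XHR
// and it carries no path; Referer is the fallback and is reduced to its origin.
function requestOrigin(headers) {
  const origin = header(headers, "origin");
  if (origin && origin !== "null") return origin;
  const referer = header(headers, "referer");
  if (!referer) return null;
  try {
    return new URL(referer).origin;
  } catch {
    return null; // malformed Referer: treat as unknown, hence denied
  }
}

function isAllowedRequest(headers) {
  const origin = requestOrigin(headers);
  return origin !== null && ALLOWED_ORIGINS.has(origin);
}

// IAM policy in the shape API Gateway expects back from a Lambda authorizer; the
// Resource is the single method ARN of this call, not a wildcard.
function policy(effect, methodArn) {
  return {
    principalId: "static-site",
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: methodArn }],
    },
  };
}

// Lambda entry point. Configure the authorizer with type REQUEST and identity source
// method.request.header.Origin so API Gateway caches the decision per origin.
async function handler(event) {
  const effect = isAllowedRequest(event.headers) ? "Allow" : "Deny";
  return policy(effect, event.methodArn);
}

if (typeof module !== "undefined") module.exports = { handler, isAllowedRequest, requestOrigin };
```

If the identity source is set to the Origin header, API Gateway rejects requests that lack that header with a 401 before the function runs, which is the behaviour you want for a browser-only API; the Referer fallback then only matters when the identity source is left unset.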

Do I need an API Gateway

I have an application with a couple of features that I would like third-party businesses to avail of. For example, user information gets passed to us, we run ID checks and send back a token with information.
I think I can use a third-party API management service like 3scale, but what do I have to do on my end to 'expose' this API?
Thanks!
With AWS API Gateway, you can set up a simple HTTP proxy to your application. Based on your needs, you can use features like auth, throttling, API key management, client certificates etc.
Here is a blog explaining some of this.
Hope this helps, Ritisha.
As mentioned by Ritisha, API Gateway can definitely work, but it is sort of lock-in.
I would recommend checking https://tyk.io/, which is an open-source gateway with commercial options. For example, it provides a Cloud version, where you do not need to expose any ports on your side at all. You just configure your API in the dashboard and bind your CNAME record to the proxied API. This should work really well to try it out. And if you outgrow these options, you can host it on your own, or use the Hybrid environment, where all user requests come to your own server (no third parties) but you still have a nice configuration dashboard in the cloud.
Hope it helps!

WebLogic: disable authentication

I have set up a web service on my WebLogic 10.3 (BEA) server and have tried accessing it through SOAtest, only to find that it gives me the error: Received HTTP response code: 403 Forbidden. I appreciate that WebLogic is securing my web service ;) but in the context of what I'm doing I would like to allow anonymous access to this specific web service. This means that I would like any client to be able to access the SOAP communications of this web service.
Any help is greatly appreciated :)
R.
Here are a few things you could try:
From the WebLogic console:
Home -> Domain -> Web Applications -> turn on "Allow All Roles"
From the WebLogic console, make sure no roles or policies are set in:
Home -> Deployments -> <your deployment> -> Security
In your web.xml deployment descriptor set:
role-name="*"
That said, the default behaviour of WebLogic (if you haven't changed it to a secure port, etc.) is to allow anonymous access to web apps, so maybe your deployment is specifying roles even though you don't think it should be. Check all of the .xml files in your .war/.ear to see if restrictions are in place.
As a last-ditch effort you should check this link: How to make weblogic form authentication in wicket
Please look for the 'security-constraint' tag inside web.xml to see if there is a CONFIDENTIAL user-data constraint. If there is, SSL needs to be enabled on your application server.

OAuth on a webapp behind a firewall: is it possible?

I'm trying to construct a webapp to add events to an employee's Google Calendar and would like to use OAuth for authentication.
However, my webapp is forced to be on an intranet behind a firewall; the server has outbound internet access, but inbound access is blocked if you aren't on the intranet or VPNing into the intranet.
I'm reading up on OAuth, but can't figure out if part of the authentication handshake would be blocked by my firewall. (I'd like to know whether it's possible before spending time implementing it if it isn't; and if I run into errors, knowing this helps me debug them.)
To expand on planetjones's answer, as long as Google can resolve the DNS for your application URL, OAuth 2 should work behind a firewall. We had some issues getting OAuth 2 working behind our firewall because we were trying to use a non-fully-qualified domain name.
OAuth should work just fine over HTTP, using POSTs and GETs, if your client can set the Authorization header. The client should create all the requests, and as long as it follows redirects this should be OK; there's never (to my knowledge) a case where an external server initiates an inbound connection.
For added confidence, try OAuth with an existing third-party service from behind your firewall to be sure. This looks like a good starting point, and this is the definitive guide for following the flows of an OAuth call.