not getting values from previous steps - apigee

I have below policy flow in apigee proxy
verify-api-key --> fault-handle --> verify-access-token --> fault-handle --> javascript policy --> fault-handle --> remove access_token
Now I get all details like access-token and custom-attributes up to the JavaScript policy.
But in the remove access_token policy I am not getting any values.
In this policy I want to remove access_token and pass all other values on as they are, but this step is not receiving any values.

Apigee shared flow to validate token

I am using Apigee as a gateway to our application. Several applications will hit Apigee and Apigee will in turn route the request to backend servers. Every incoming request will have a JWT token.
I want Apigee to pass that token to an auth server, and the auth server will validate whether the token is valid or not.
If the token is invalid (if the auth server returns any status other than 200), I want Apigee to return a 403 error as the response to the request; otherwise pass the request to the backend server.
How can I implement this kind of shared flow? Is it even possible with Apigee? Is there any better way to achieve this?
You can do that.
Create a shared flow for authentication/authorization which includes a ServiceCallout policy that makes a call to the auth server.
Based on the result (Unauthorized/Bad Request) you can raise a fault response with the help of RaiseFault.
If the response is OK, it will proceed smoothly to the backend.
Sample shared flow:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SharedFlowBundle revision="1" name="Auth">
  <Policies>
    <Policy>AssignVariableJwks</Policy>      <!-- Assign input values if needed via AssignMessage policy -->
    <Policy>RequestAuthServer</Policy>       <!-- External auth server call using ServiceCallout policy -->
    <Policy>TokenNotFoundValidation</Policy> <!-- Validate response and raise fault if needed using RaiseFault policy -->
  </Policies>
  <Resources/>
  <Spec/>
  <subType>SharedFlow</subType>
  <SharedFlows>
    <SharedFlow>default</SharedFlow>
  </SharedFlows>
</SharedFlowBundle>
For the above shared flow, create and attach the required policies with their logic and you're good to go.
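As an added illustration of how the three steps fit together (this is not the answerer's code and not an Apigee sample), the policy definitions and the shared flow step sequence could look like the following. The auth server URL (https://auth.example.internal/validate), the variable names authRequest/authResponse, the JSON error body and the 5-second timeout are assumptions; everything else is standard ServiceCallout, RaiseFault and SharedFlow syntax.

```xml
<!-- policies/RequestAuthServer.xml
     Forwards the caller's bearer token to the auth server (URL is an assumption).
     continueOnError="true" lets a 401/403 from the auth server reach the
     conditional RaiseFault step instead of surfacing as a generic
     steps.servicecallout.ExecutionFailed error, which is what a 4xx/5xx
     callout response produces by default. -->
<ServiceCallout name="RequestAuthServer" continueOnError="true">
  <Request variable="authRequest">
    <Set>
      <Headers>
        <!-- pass the incoming Authorization header through unchanged -->
        <Header name="Authorization">{request.header.Authorization}</Header>
      </Headers>
      <Verb>GET</Verb>
    </Set>
  </Request>
  <!-- the auth server's reply is exposed as flow variables under this prefix,
       e.g. authResponse.status.code -->
  <Response>authResponse</Response>
  <Timeout>5000</Timeout>
  <HTTPTargetConnection>
    <URL>https://auth.example.internal/validate</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- policies/TokenNotFoundValidation.xml
     Stops the request with the 403 the question asks for. -->
<RaiseFault name="TokenNotFoundValidation">
  <FaultResponse>
    <Set>
      <Payload contentType="application/json">{"error":"forbidden"}</Payload>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- sharedflows/default.xml
     Run the callout first; fault on anything other than a 200 from the auth
     server, so a timeout or connection failure (no status code at all) is
     also rejected rather than silently passed to the backend. -->
<SharedFlow name="default">
  <Step>
    <Name>RequestAuthServer</Name>
  </Step>
  <Step>
    <Name>TokenNotFoundValidation</Name>
    <Condition>authResponse.status.code != 200</Condition>
  </Step>
</SharedFlow>
```

The condition is written as "not 200" rather than "is 401" on purpose: if the callout never receives a response, authResponse.status.code is unset, the comparison still holds, and the request is denied. Attach the shared flow with a FlowCallout policy in the proxy's PreFlow so it runs before any target routing.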

why does the WSO2 API Manager store have 2 url displayed on UI

We have deployed an all-in-one instance of WSO2 API Manager. We have got SSL working and you can log in and see published APIs.
We have set up carbon.xml with the external-facing address (apidev.example.com) and both /store/ and /publisher/ can be accessed from that address.
However, the problem is that the APIs published in the store are using the local hostname dev.company.interal.
This means that a user will sign in to
https://apidev.example.com/store
click on an API and get redirected to
https://dev.company.interal:9443/store/apis/...
which is no good, as that address isn't accessible to people outside our network. So I want the store to use the external-facing address.
I've included the config files, shortened to the edits which have been made.
carbon.xml
<HostName>apidev.example.com</HostName>
<!-- Host name to be used for the Carbon management console-->
<MgtHostName>apidev.example.com</MgtHostName>
api-manager.xml
<APIManager>
<DataSourceName>jdbc/WSO2AM_DB</DataSourceName>
<GatewayType>Synapse</GatewayType>
<EnableSecureVault>false</EnableSecureVault>
<AuthManager>
<!-- Server URL of the Authentication service -->
<ServerURL>https://dev.company.interal:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
<!-- Admin username for the Authentication manager. -->
<Username>${admin.username}</Username>
<!-- Admin password for the Authentication manager. -->
<Password>${admin.password}</Password>
<!-- Indicates whether the permissions checking of the user (on the Publisher and Store) should be done
via a remote service. The check will be done on the local server when false. -->
<CheckPermissionsRemotely>false</CheckPermissionsRemotely>
</AuthManager>
...
<APIGateway>
<!-- The environments to which an API will be published -->
<Environments>
<Environment type="hybrid" api-console="true">
<Name>Production and Sandbox</Name>
<Description>This is a hybrid gateway that handles both production and sandbox token traffic.</Description>
<!-- Server URL of the API gateway -->
<ServerURL>https://apidev.example.com${carbon.context}services/</ServerURL>
<!-- Admin username for the API gateway. -->
<Username>${admin.username}</Username>
<!-- Admin password for the API gateway.-->
<Password>${admin.password}</Password>
<!-- Endpoint URLs for the APIs hosted in this API gateway.-->
<!--GatewayEndpoint>http://${carbon.local.ip}:${http.nio.port},https://apidev.linkedsystems.uk:${https.nio.port}</GatewayEndpoint-->
<GatewayEndpoint>http://apidev.example.com,https://apidev.example.com</GatewayEndpoint>
</Environment>
</Environments>
</APIGateway>
...
<APIKeyValidator>
<!-- Server URL of the API key manager -->
<ServerURL>https://dev.company.interal:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
<!-- Admin username for API key manager. -->
<Username>${admin.username}</Username>
<!-- Admin password for API key manager. -->
<Password>${admin.password}</Password>
<KeyValidatorClientType>ThriftClient</KeyValidatorClientType>
<ThriftClientConnectionTimeOut>10000</ThriftClientConnectionTimeOut>
<!--ThriftClientPort>10397</ThriftClientPort-->
<EnableThriftServer>true</EnableThriftServer>
<ThriftServerHost>localhost</ThriftServerHost>
<!--ThriftServerPort>10397</ThriftServerPort-->
<!--ConnectionPool>
<MaxIdle>100</MaxIdle>
<InitIdleCapacity>50</InitIdleCapacity>
</ConnectionPool-->
<!-- Specifies the implementation to be used for KeyValidationHandler. Steps for validating a token can be controlled by plugging in a
custom KeyValidation Handler -->
<KeyValidationHandlerClassName>org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler</KeyValidationHandlerClassName>
</APIKeyValidator>
...
<!-- API Store Related Configurations -->
<APIStore>
<!--GroupingExtractor>org.wso2.carbon.apimgt.impl.DefaultGroupIDExtractorImpl</GroupingExtractor-->
<!--This property is used to indicate how we do user name comparision for token generation https://wso2.org/jira/browse/APIMANAGER-2225-->
<CompareCaseInsensitively>true</CompareCaseInsensitively>
<DisplayURL>true</DisplayURL>
<!--URL>https://localhost:${mgt.transport.https.port}/store</URL-->
<URL>https://apidev.example.com/store</URL>
<!-- Server URL of the API Store. -->
<ServerURL>https://apidev.example.com:${mgt.transport.https.port}${carbon.context}services/</ServerURL>
<!-- Admin username for API Store. -->
<Username>${admin.username}</Username>
<!-- Admin password for API Store. -->
<Password>${admin.password}</Password>
<!-- This parameter specifies whether to display multiple versions of same
API or only showing the latest version of an API. -->
<DisplayMultipleVersions>false</DisplayMultipleVersions>
<!-- This parameter specifies whether to display all the APIs
[which are having DEPRECATED/PUBLISHED status] or only display the APIs
with having their status is as 'PUBLISHED' -->
<DisplayAllAPIs>false</DisplayAllAPIs>
<!-- Uncomment this to limit the number of APIs in api the API Store -->
<!--APIsPerPage>5</APIsPerPage-->
<!-- This parameter specifies whether to display the comment editing facility or not.
Default is "true". If user wants to disable, he must set this param as "false" -->
<DisplayComments>true</DisplayComments>
<!-- This parameter specifies whether to display the ratings or not.
Default is "true". If user wants to disable, he must set this param as "false" -->
<DisplayRatings>true</DisplayRatings>
<!--set isStoreForumEnabled to false for disable forum in store-->
<!--isStoreForumEnabled>false</isStoreForumEnabled-->
</APIStore>
...
<ThrottlingConfigurations>
<EnableAdvanceThrottling>true</EnableAdvanceThrottling>
<DataPublisher>
<Enabled>false</Enabled>
<Type>Binary</Type>
<ReceiverUrlGroup>tcp://${carbon.local.ip}:${receiver.url.port}</ReceiverUrlGroup>
<AuthUrlGroup>ssl://${carbon.local.ip}:${auth.url.port}</AuthUrlGroup>
<Username>${admin.username}</Username>
<Password>${admin.password}</Password>
<DataPublisherPool>
<MaxIdle>1000</MaxIdle>
<InitIdleCapacity>200</InitIdleCapacity>
</DataPublisherPool>
<DataPublisherThreadPool>
<CorePoolSize>200</CorePoolSize>
<MaxmimumPoolSize>1000</MaxmimumPoolSize>
<KeepAliveTime>200</KeepAliveTime>
</DataPublisherThreadPool>
</DataPublisher>
<PolicyDeployer>
<ServiceURL>https://dev.company.interal:${mgt.transport.https.port}${carbon.context}services/</ServiceURL>
<Username>${admin.username}</Username>
<Password>${admin.password}</Password>
</PolicyDeployer>
<BlockCondition>
<Enabled>true</Enabled>
<!--InitDelay>300000</InitDelay>
<Period>3600000</Period-->
</BlockCondition>
<JMSConnectionDetails>
<Enabled>true</Enabled>
<ServiceURL>tcp://${carbon.local.ip}:${jms.port}</ServiceURL>
<Username>${admin.username}</Username>
<Password>${admin.password}</Password>
<Destination>throttleData</Destination>
<!--InitDelay>300000</InitDelay-->
<JMSConnectionParameters>
...
</APIManager>
Any help/pointers would be appreciated.
So the answer is:
the file at {AM_HOME}/repository/deployment/server/jaggeryapps/store/site/conf/site.json
needs changing to reflect the reverse proxy settings. Following the example laid out in the question, the new setting would be:
"reverseProxy" : {
    "enabled" : true,              // values true, false, "auto" - will look for X-Forwarded-* headers
    "host" : "apidev.example.com", // If the reverse proxy does not have a domain name, use the IP
    "context" : "/store",
    //"regContext" : ""            // Use only if a different path is used for the registry
},
That's all, folks.

Changing XML filename for Google Calendar sidebar gadget that uses osapi.http causes RPCs to return 401 errors

For an HTML-type Google gadget with module pref:
<Require feature="osapi" />
initially defined in the file gadget1.xml, it will properly execute RPCs. However, if you remove it from your calendar, change its filename to gadget2.xml and then add gadget2.xml to your calendar, you'll get 401 errors with the description:
Malformed security token e=AEY54zciGYGPUeNVsaxlD19nATK4jqm6LqusewGP%2FFg4ILfkGu5bSh3ThxITog%2B3m6FVSy2HsVToSyQGDzXQxBgpM5LF%2F%2BRaw2FOswxfdpgm7GgK0zpGyC9BRI1KCsURqZM0%2F%2FYLhnEN&c=calendar
com.google.gadgets.auth.AuthTokenException: com.google.gadgets.gaia.GaiaConverterException:
Request for GaiaClientConst::INVALID_USERID
The RPC call doesn't require any additional authorization beyond Google Calendar's default Add Gadget dialog, and this problem occurs even when any prior authorizations have been removed via https://myaccount.google.com/security#connectedapps. What does the user ID refer to, and how can it be changed?

Configuration of Spring MVC websocket messaging with Spring Security

I customized the tutorial http://assets.spring.io/wp/WebSocketBlogPost.html into my application. When sending a message from the application to the server using SimpMessageSendingOperations.convertAndSendToUser("fabrice", "/stayawakews2/shakebaby", "mano") the log shows:
/stayawakews2/shakebaby-userltmei5cm. I don't know why it adds the value -userltmei5cm.
Thanks
This is explained in the reference docs; see the section on user destinations and also these slides.
ltmei5cm is a websocket session id. This value is generated on the client side.
One logged-in user can have several websocket sessions.
For each websocket connection (session) Spring creates an individual queue.
If you send a message to a specific user, the message will be added to those queues.
For this reason, the user name is replaced with the websocket session id.
From JavaDoc comment to DefaultUserDestinationResolver.java:
When a user attempts to subscribe to "/user/queue/position-updates",
the "/user" prefix is removed and a unique suffix added, resulting in
something like "/queue/position-updates-useri9oqdfzo" where the suffix
is based on the user's session and ensures it does not collide with
any other users attempting to subscribe to
"/user/queue/position-updates". When a message is sent to a user
with a destination such as "/user/{username}/queue/position-updates",
the "/user/{username}" prefix is removed and the suffix added,
resulting in something like "/queue/position-updates-useri9oqdfzo".

Spring Web Flow PathVariable

This question has two parts:
Is it possible to provide path variables for Spring Web Flow?
Is it possible to hide the execution key in the URL?
The current URL is as follows: http://localhost/bugs/ticket/?execution=e2s1
Here, the associated Web Flow location pattern is
<flow:flow-location-pattern value="/**/flow.xml" />
where the folder structure is: bugs/ticket/flow.xml
Is it possible to provide the ticket ID in the URL itself and point to the appropriate flow, i.e. the URL should be http://localhost/bugs/ticket/102?execution=e2s1, but the flow is still taken from bugs/ticket/flow.xml?
I tried the following patterns: value="/**/*/flow.xml", flow-path id="bugs/ticket/*" etc., but to no avail.
Also, is it possible to hide the execution key in the URL? Is it possible to send it via, say, an HTTP header which can be pulled in by Spring Web Flow?
This does not answer all your questions.
This is how I send parameters into the flow:
External Page
Enter Flow
Flow
<view-state>
  <on-entry>
    <set name="variable2.field" value="requestParameters.uid"/>
  </on-entry>
</view-state>
