How to disable HTTP chunking in WSO2 API Manager 3.2.0? - wso2-api-manager

I need to disable receiving HTTP packets in chunked format in WSO2 API Manager 3.2.0 in order to protect against HTTP request smuggling, web cache poisoning and other server attacks. How can I do this?

See "Disabling Message Chunking" in the official API Manager documentation.
You can also try:
<property name="DISABLE_CHUNKING" value="true" scope="axis2"/>
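As an added example (not from the question, the answer, or the WSO2 documentation), the following is one way to engage the property from the answer for every API the gateway mediates, by placing it in the global in-flow mediation extension sequence. The sequence name WSO2AM--Ext--In and the deployment directory are the conventional ones for API Manager 3.x and are assumed here. One caveat worth knowing before relying on it: DISABLE_CHUNKING is read by the transport when the gateway sends a message (to the backend, and the response back to the client), so it makes the gateway buffer the body and emit Content-Length instead of Transfer-Encoding: chunked on what it sends; it does not by itself reject chunked requests that arrive at the gateway.

```xml
<!-- Added example: global in-flow extension sequence for API Manager 3.x.
     Assumed file location (not from the page):
     <APIM_HOME>/repository/deployment/server/synapse-configs/default/sequences/WSO2AM--Ext--In.xml -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="WSO2AM--Ext--In">
    <!-- scope="axis2": the property lands in the Axis2 message context, where the
         pass-through transport reads it and frames the outgoing message with a
         Content-Length header rather than chunked transfer encoding. -->
    <property name="DISABLE_CHUNKING" value="true" scope="axis2"/>
</sequence>
```

After deploying it, confirm on the backend side that requests forwarded by the gateway now carry Content-Length and no Transfer-Encoding header; treat the inbound direction (how the gateway itself parses a chunked request from a client) as a separate check, since this property does not change it.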

Related

logging information of a http request (api call) in wso2am

I've read the wso2am documentation for HTTP access logs at https://apim.docs.wso2.com/en/latest/observe/api-manager/monitoring-http-access-logs/
It's written that we should enable the HTTP access log only for troubleshooting errors, for performance reasons, but I need to log information for every HTTP call (not only for troubleshooting). What is your suggestion?
You can enable the HTTP Access Logs if you need to log the incoming API requests in your environment. However, as mentioned in the docs, this will affect the server's performance a little.
If you are looking to log specific information about the incoming API requests, you can develop a Synapse mediator or a handler and engage it with the APIs that you would like to log. You can also use the same implementation globally to log the required information for all the API requests which API Manager receives. You can refer to the following sample Log Handler for reference: Custom API Log Handler.
The following documentation covers writing custom mediators and handlers:
Writing Custom Handlers
Class Mediator
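Before writing a Java class mediator, it is worth knowing that the built-in Synapse log mediator already covers the common case of recording a fixed set of request fields. The following is an added example (not from the answer or from WSO2) of a per-API in-flow mediation sequence that does this; the sequence name audit-request-log is assumed, and the Synapse XPath prefixes used ($axis2: for Axis2 properties, $trp: for transport headers, $ctx: for Synapse context properties) are the standard ones.

```xml
<!-- Added example: in-flow mediation sequence that logs selected request fields.
     Assumed sequence name; upload it as an "in" mediation policy in the Publisher
     for each API to log, or merge its <log> element into the global
     WSO2AM--Ext--In sequence to apply it to every API. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="audit-request-log">
    <log level="custom" category="INFO">
        <!-- HTTP method and the part of the path after the API context -->
        <property name="method" expression="$axis2:HTTP_METHOD"/>
        <property name="path" expression="$axis2:REST_URL_POSTFIX"/>
        <!-- Name of the Synapse REST API (APIName:vVersion) that matched the request -->
        <property name="api" expression="$ctx:SYNAPSE_REST_API"/>
        <!-- Peer address seen by the gateway plus the forwarded-for header, if any;
             the header is client-controlled, so log both rather than trusting one -->
        <property name="remote_addr" expression="$axis2:REMOTE_ADDR"/>
        <property name="x_forwarded_for" expression="$trp:X-Forwarded-For"/>
        <property name="user_agent" expression="$trp:User-Agent"/>
    </log>
</sequence>
```

Each request then produces one INFO line in wso2carbon.log with the named fields, which avoids the per-request cost of the full HTTP access log while keeping an audit trail. A custom handler or class mediator, as the answer describes, becomes necessary only when the fields need computation or a different sink than the server log.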

Failover url configuration for Dynamic Endpoint

Hi, I am using the Dynamic Endpoint feature in WSO2 API Manager 2.6.0 to redirect to the appropriate backend service based on a parameter. Since I am using this feature, I have no option to configure my failover service. For instance, when one of my backend services is not responsive, this failover service should be called. If I use the fault flow mediator, how will I ask it to redirect to my failover service? Is it possible? Please suggest. Thanks.
It may be helpful for someone. So I configured the fault flow mediator and used the code snippet below to achieve the failover. Thanks.
<send>
<endpoint name="dynamicApiCalls--v1.0_APIproductionEndpoint">
<http uri-template="https://myDomain.org.net/url"/>
</endpoint>
</send>
Created a blog on how to achieve this.
https://letsknowthingsfromblog.wordpress.com/2020/06/23/dynamic-endpoints-with-failover-in-wso2-api-manager/

APIM request xml validation

Is there a way to validate the output of the json-to-xml policy against a schema?
One of our partners sends a request to APIM that is routed to a backend BizTalk, and we want to validate the request before routing it to BizTalk.
No. But... even if you could, in a trading partner scenario, I wouldn't, because you can better handle the issue in the BizTalk app vs. APIM.

Enable ws-security for proxy service

Currently we have enabled WS-Security in WSO2 ESB using a policy file, and role-based authorization using Active Directory.
We would like to transition some of these services to wso2 api manager and implement the same security model.
How do we secure these APIs (which face the web service client, not the backend web service) using WS-Security on API Manager?
To secure the APIs on API Manager you can follow this guide. It provides various methods that can secure the APIs. Further, if you need to implement role-based authorization for the APIs in API Manager, you can refer to this tutorial.
Hope this helps.

WSO2 Identity Server samlsso service url exposed via WSO2 API Manager

I successfully configured WSO2 API Manager 1.8.0 [e.g. https://wso2am.com:9443] and WSO2 Identity Server 5.0.0 SP1 [IS] acting as Key Manager [e.g. https://wso2is.com:9443] in a clustered setup on 2 different servers.
I also configured a Service Provider in the IS using a SAML SSO Inbound Authenticator and tested it with travelocity.com sample app.
The sample app builds the SAML request in the right way, but https://wso2am.com:9443/samlsso?SAMLRequest=[base64stuff] returns an HTTP Status 405 - HTTP method GET is not supported by this URL.
Changing the URL to https://wso2is.com:9443/samlsso?SAMLRequest=[base64stuff] leads to successful authentication.
Basically I want to be redirected to the wso2am login page and not the wso2is login page.
In this way, I could deploy only WSO2AM in the DMZ, leaving WSO2IS in the internal network.
How can I do this?
Thanks
In this scenario I think your authentication request must be directed to the IS server, not APIM. The IS server is the one who does the authentication. Hence it acts as the IdP. APIM is just a service provider (SP). Even if you succeeded (even though it's not the correct behaviour) in sending a SAML request to the https://wso2am.com:9443/samlsso endpoint, it would redirect you to the login page on the IS server. So you have to send the SAML request to the https://wso2is.com:9443/samlsso endpoint for successful authentication and for the correct behaviour.