logging information of a http request (api call) in wso2am - wso2-api-manager

I've read documentation of wso2am for http access logs in the link https://apim.docs.wso2.com/en/latest/observe/api-manager/monitoring-http-access-logs/
it's written that we should enable http access log only for troubleshooting errors because of performance reason. but i need to log information of every http call( not only for troubleshooting). what is your suggestion?

You can enable the HTTP Access Logs if you are in need to log the incoming API requests in your environment. However, as mentioned in the Docs this will affect the server's performance a little.
If you are looking to log any specific information about the incoming API requests, you can develop a Synapse mediator or a handler and engage with the APIs that you would like to log. You can also, use the same implementation to enable it globally to log the required information for all the API requests which API Manager receives. You can refer to the following sample Log Handler for reference: Custom API Log Handler.
Following are the documentations to write custom mediators and handlers
Writing Custom Handlers
Class Mediator

Related

Apache Cloudstack Console Proxy access via API

I make use of the cloudstack API, to integrate into a 3de party portal. I would like to access the console proxy via the API, cant find the API methods to do so.
Ie get the session token for the specific virtual machine and open up the ajax window from our 3de party portal.
The management server should expose the Console Proxy to use via the API, then I assume you should acquire a token based on login credentials, or via the API for the specific Virtual Machine you have access to.
If someone done this before, would be appreciated to share some detail related to this request.
Looking at the source for Console Proxy I solved this problem per below :
Use the same authentication procedure the normal cloudstack api use defined her - http://docs.cloudstack.apache.org/en/latest/developersguide/dev.html
Use the same API Key and sign the request with API Secret provided from Cloudstack:
The Console proxy endpoint are as follow - /console?cmd=access&vm=xxx, on success a Url will be returned with a token to access the virtual machine.
Test Results -
Request:
CloudstackRequestClientFilter -> cmd=access&vm=29603248-6d8a-4582-aa9a-4d1bfb4d7714&apikey=3NRrdrhDTwggQ_oQny11dD39-XRWJxCd0dh2xqtMNShrz_jb4ZdhHtmRh7NYiOfRzLNwPcBVAfT9FHh9v96vzg&response=json&signature=u4c7QZNQNcN+2s3fhRNSHTyl7+Q=
Response :
frame src="http://172.16.90.99/ajax?token=TCbfnguNvsHEkga3jPJEfZctqiPHTEynM6sAG2K8iIuioKHU8UU1QAWuQLHATd0dznP9vXPggHJp9km_1bmmStiD1PPKr6nZeid0NVI7kUt8_vOGkOK4vdM2d388KFj8oA280mQ-ZjPHWPgU4gCn47nLVb-2cVxNgOijOjdgDEDj5vlqFkzz2YhcqkLt6CIVdFcAJ1g1gqvhrO530ubjLZsiQvxs_kn9X8eXMafhRm_qugu3k6lLuG38zXsK9jKNWkmqoAV2EBBZh-r6agm4dQ">
Hope this helps, took met sometime to figure this out, source for the console proxy can be found here :
https://github.com/apache/cloudstack/blob/master/server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java

Oauth Jmeter Load testing

I am performing the Jmeter load testing. Our application is on Oauth authentication. How can i logging using Jmeter so that we can perform load testing on our application.
Right now we are not able to set parameters on "HTTP Authorization Manager" for login.
You won't be able to use HTTP Authorization Manager, you need to pass the Bearer token via HTTP Header Manager.
With regards to the token value - there are several ways of getting it, they depend on OAuth version and your application configuration, you need to contact your application developers in order to learn how you can obtain the token.
You can also check out How to Run Performance Tests on OAuth Secured Apps with JMeter article for several workarounds listed and explained.

WSO2 API Manager Basic Authentication instead of OAuth

I am searching a way to use Basic Authentication on the API I expose through WSO2 API Manager.
As I could see by default it uses OAuth, and I didn't find a way to choose to use Basic Authentication instead.
Is it possible?
Thanks
There is no out of the box way to secure your APIs with basic authentication in WSO2 API Manager. But you can write a new authentication handler for your requirement.
However please note you need to evaluate the security mechanism and how it is applied via a handler first. For example, when the current handler receives an OAuth2 access token, it knows the user, application, subscription information. That's how it knows how to throttle and publish stats accordingly. You need to be able to find these information from your new handler you introduce for the throttling and stats to work accurately.

Basic Authentication

I have one VS application named Dotnetpanel, which provides a lot of webservices.
I created another another VS application say TestModule in which I need to create the webservice client. But when I try to create a client and call the webservice in TestModule, an error occured"The request failed with HTTP status 401: Unauthorized." From one of articles I have read that
DotNetPanel API implemented as a set of SOAP Web Services.
Requirements:
WSE 3.0 or Basic Authentication
****Each API call should have user’s credentials provided****
Basic Authentication:
For interacting with DotNetPanel API you should use Basic Authentication. DotNetPanel recognizes “Authorization” header with the user credentials provided in the following format: username:password.
So my question is I have a user credentials which can pass to the TestModule and after that how can I call the DotnetPanel webservices from the TestModule with Basic Authentication.
Regards
Fenix
Sounds to me that you have to send those credentials as a parameter to the web service.
Try to call the web service url to see its methods. When calling to the web service directly from the browser, you have to be able to see a list of methods, then search for the method you're trying to use and click on it. You'll see the SOAP request and response definitions. You can take a look at what parameters is the web service expecting. I think if it asks you for credentials, there has to be a couple of param for that there.
Hope it helps.

How do you debug an ASP.Net application accessing an OAuth secured API?

I know there has to be an obvious solution to this problem and I am missing it, so I would much appreciate someone enlightening me so I don't spin my wheels...
I am writing an ASP.Net application that will interact with a service API (Evernote specifically). Evernote requires OAuth for security and before I can actually interact with the objects I need to obtain a token.
The workflow goes like this (explaining it to myself as much as anyone else!):
Build a url with my development api key and secret key and some other OAuth stuff, send it to Evernote to request an access token.
Send the url as a request to Evernote and pull the new access token out of the response
Build another url with the access token to request an authentication token for the user. This url goes to a page the user must interact with to login (if they haven't already) and then authorize my application to access their account. The last param of the url I build is a callback url which will be called from Evernote's servers.
If all goes well, Evernote will request the callback url and include the new authentication token as a param.
Once my server receives the callback with the embedded token I can use it so that my app can interact with the users' notes on subsequent requests.
The problem is that I'm writing this app on a local box, not an ISP under a public domain. So my callback is to the localhost server. Of course, localhost is relative, so Evernote can't resolve my callback... I can't ever receive an authentication token and debug at the same time.
There has to be a way around this problem because this authentication model is not unique to Evernote (by a longshot... Flickr uses it as do a lot of other services). So can someone tell me how to set things up so I can get the authentication token and still be able to debug on my local box?
Help is much appreciated!
OAuth is quite tough to implement. It may not be the answer you're looking for, but this is how I managed to get the job done:
Write some code on my local dev machine.
Run a bat file (or alternatively hook a post-build event in VS) that executes a msbuild deploy script and deploys the application to a test server.
Run the application on the test server. After obtaining the request token and requesting for authorization it redirects to the Evernote website.
After successful authorization the Evernote website redirects back to my test server and the authorized request token is exchanged for an access token.
Instead of debugging (I don't have VS on the test server) I examine the logs of the application (the logging I used was as simple as writing to a text file).
Rinse and repeat
For the purposes of testing I registered a temporary public subdomain (e.g. testing.oauth.mydomain.com) so that Evernote will be able redirect to that url.
According to this (How do I develop against OAuth locally?) the callback is issued by the browser, so it should be able to hit localhost.

Resources