Failover url configuration for Dynamic Endpoint - wso2-api-manager

Hi I am using Dynamic Endpoint feature in WSO2 API Manager - 2.6.0 to redirect to the appropriate backend service based on the parameter. Since I am using this feature, I have no option to configure my failover service. For instance, when one of my backend service is not responsive, then this failover service should be called. If I use fault flow mediator, how will I ask it to redirect to my failover service? Is it possible? Pls suggest. Thanks.

It may be helpful for someone. So I configured the fault flow mediator and used the below code snippet to achieve the failover. Thanks.
<send>
<endpoint name="dynamicApiCalls--v1.0_APIproductionEndpoint">
<http uri-template="https://myDomain.org.net/url"/>
endpoint>
</send>
Created a blog on how to achieve this.
https://letsknowthingsfromblog.wordpress.com/2020/06/23/dynamic-endpoints-with-failover-in-wso2-api-manager/

Related

ASP.NET Core Web API with Kerberos Ticket forwarding

I am building Web API with ASP.NET Core hosted on IIS that will act as proxy integrating a few services.
I need to forward user credentials/identity to specific services managed by my API and to do so i want to enable ticket forwarding in Kerberos.
What steps i need to take to make it work?
First of all I need to setup my service as trusted in KDC and after that should it will received forwardable tickets instead of regular ones (i need to specific services that my API can forwards tickets to), am i right?
How do i then forward that ticket to other service using HttpClient?
Does attaching received token to request will be enough?
Am i correct about listed by me steps and is there any thing more to do?
Thank you all for help.

Should Api Managers deal with backend authentication in place of the subscriber?

We currently use WSO2 Api Manager to reach some backends.
The thing is, the consumer must :
First authenticate to the API Manager (Oauth)
Then authenticate to the Backend api (Whatever security in place, as options provided by API Manager to handle it itself is quite poor)
Make the call
I find it heavy :
Many calls just to do one real call.
Loose the "loose coupling" advantage API Managers should provide
Do you think we are doing right ? Shouldn't Api Managers deal with backend authentication ?
Thanks in advance for your help !
This depends on how you want to do this. It is not mandatory to have Oauth2 protection and backend authentication. This can be done in the following ways.
If you want only to allow backend authentication
Then you can set the Authentication type to None. Then Oauth2 won't apply. - https://wso2.com/blogs/cloud/oauth-and-authentication-type-application-vs-application-user/
You can allow Oauth2 only
If your backend is insecure and needs a way to expose, this is the best option.
If you need both authentications
There can be some cases that your backend is used by some other parties and there is no option to remove backend authentication. Also, you need the Oauth2 protection for the API and make it secure in API gateway level. Then this is the option.
Hope this is clear. WSO2 has these capabilities and you can chose any option.

Secure REST API with HTTP Basic authentication

I have created data_service using WSO2DSS version 3.0.1.
Service works perfectly, but I have not found solution how to secure REST API
using HTTP Basic authentication.
Which is best way to secure REST messages using basic authentication?
I would like to use users/roles from WSO2 "User management", but that is not mandatory.
You can achieve your requirement easiest way is to use fronted Wso2 ESB. Through esb you can secure your service.
Documentation on Securing REST APIs can be found at [1] .
[1] http://docs.wso2.org/wiki/display/ESB460/Securing+REST+APIs
Thank You,
Dharshana.

Expose a WCF Service via Forms Authentication in IIS: how can I make the metadata (?wsdl) public, but the operations protected

We've got some WCF services we're hosting via IIS. The application in general uses Forms Authentication, and we'd like to continue making that available for web service clients. We just have a <authorization><deny users="?"> in our web.config and some authentication/redirection goodness that gets everything done.
The problem is we'd like for users to be able to access the metadata for the services without authentication. Can they visit /services/v1/ArtifactService.svc?wsdl anonymously and yet still require authentication for /services/v1/ArtifactService.svc/rest/GetArtifacts?studyId=123? If so, I can't figure out the right incantation in the configuration.
The best I can think of is to set an absolute URL in the metadata service behavior, but then I have to doctor the path on install anywhere we deploy. (<serviceMetadata httpGetEnabled="true" httpGetUrl="http://some/absolute/path">).
Any ideas?
I think this is not possible. If you require authorization on the resource by using allow and deny elements you can't specify different authorization level based on url query. You have to control authorization in the service - PrincipalPermission.

What ways can I hide the WSDL from end users that have the service URL

I have a .NET web service which is publically accessible since it needs to be accessible via Flex. It currently only has read operations.
http://www.example.com/webservices/weather.asmx?wsdl
I want to add some admin only web methods to the same webservice such as UpdateWeather and StartRainstorm. Obviously I don't want my end user being able to do change weather patterns.
So I just want to hide the wsdl so that it cannot be accessed via the standard ?wsdl parameter. Ultimately I'll add on better security etc. but I need a quick fix for now. I figure if they don't know the method name they won't be able to access it.
I want to be able to disable the WSDL generation - which I can do by adding <add name="Documentation" /> to my web.config. BUT I want to be able to access the WSDL in some other 'secret' way that only I know so I dont have to keep going to the server. How could I achieve this. I'm fine if its a secret URL or a secret parameter or whatever.
I'm fine with this security through obfuscation approach for now.
One thing you could do is expose another endpoint for the admin contract. Then turn off the WSDL publisher on that admin endpoint. Eventually you could configure security just on the administrative endpoint if you wanted.
This is assuming you are using WCF.
Update: Check out this WCF getting started tutorial. You'll like WCF more than ASP.NET/ASMX services once you learn a bit about it.
why won't you just create another web service? Seems simpler
For update references, you could use your development server.
The production server cannot expose wsdl docs unless you provide public access.
Or, if you have access to the wcf assembly, you can use svcutil against the wcf assembly. This will generate language code to be used in your application.
If you really, really want to expose wsdl to limited users, you can use the iis url rewriting to block access from unauthorized ip addresses.

Resources