Secure REST API with HTTP Basic authentication - wso2-data-services-server

I have created data_service using WSO2DSS version 3.0.1.
Service works perfectly, but I have not found solution how to secure REST API
using HTTP Basic authentication.
Which is best way to secure REST messages using basic authentication?
I would like to use users/roles from WSO2 "User management", but that is not mandatory.

You can achieve your requirement easiest way is to use fronted Wso2 ESB. Through esb you can secure your service.
Documentation on Securing REST APIs can be found at [1] .
[1] http://docs.wso2.org/wiki/display/ESB460/Securing+REST+APIs
Thank You,
Dharshana.

Related

how to handle backend credentional in wso2 api manager?

I am using wso2 apimanager 3.2.0 and I am going to design some rest service that use my backend service. this backend service has basic authentication, so how to invoke and handle it in apim?
You can define endpoint security when you are developing the API the Endpoints section of the API in the Publisher portal.
For more information, see documentation.

Should Api Managers deal with backend authentication in place of the subscriber?

We currently use WSO2 Api Manager to reach some backends.
The thing is, the consumer must :
First authenticate to the API Manager (Oauth)
Then authenticate to the Backend api (Whatever security in place, as options provided by API Manager to handle it itself is quite poor)
Make the call
I find it heavy :
Many calls just to do one real call.
Loose the "loose coupling" advantage API Managers should provide
Do you think we are doing right ? Shouldn't Api Managers deal with backend authentication ?
Thanks in advance for your help !
This depends on how you want to do this. It is not mandatory to have Oauth2 protection and backend authentication. This can be done in the following ways.
If you want only to allow backend authentication
Then you can set the Authentication type to None. Then Oauth2 won't apply. - https://wso2.com/blogs/cloud/oauth-and-authentication-type-application-vs-application-user/
You can allow Oauth2 only
If your backend is insecure and needs a way to expose, this is the best option.
If you need both authentications
There can be some cases that your backend is used by some other parties and there is no option to remove backend authentication. Also, you need the Oauth2 protection for the API and make it secure in API gateway level. Then this is the option.
Hope this is clear. WSO2 has these capabilities and you can chose any option.

WSO2 API Manager Basic Authentication instead of OAuth

I am searching a way to use Basic Authentication on the API I expose through WSO2 API Manager.
As I could see by default it uses OAuth, and I didn't find a way to choose to use Basic Authentication instead.
Is it possible?
Thanks
There is no out of the box way to secure your APIs with basic authentication in WSO2 API Manager. But you can write a new authentication handler for your requirement.
However please note you need to evaluate the security mechanism and how it is applied via a handler first. For example, when the current handler receives an OAuth2 access token, it knows the user, application, subscription information. That's how it knows how to throttle and publish stats accordingly. You need to be able to find these information from your new handler you introduce for the throttling and stats to work accurately.

What is a simple way to secure api requests between uwp and asp core

I have a uwp application and an ASP Core server application. I want to perform Get and Post requests to the ASP server and I want to perform authorization on the server side.
According to the team, they don't want you to use Basic authentication nor seems there be a way to perform digest Authentication. I don't want my client app to show the user any ui: it should be able to perform a secure request by itself.
So: what is the most easy and secure protocol to use to perform api requests from UWP to an ASP Core server?
what is the most easy and secure protocol to use to perform api requests from UWP to an ASP Core server?
I'd like to say this is a open question and I will give some suggestions and hope it can help you. Basic authentication and digest authentication you mentioned are defined in rfc2617. Since you don't want to use them, besides HTTP Basic/Digest you may have other choices like OAuth, HMAC and Azure API Management.
Since you don't want the user to input username and password, to request an access token for authentication may meet your requirements. So I recommend you to use OAuth authentication which is popular. More details about OAuth2.0 please reference this. But it requires OAuth server, it may not be a easiest way.
Another way you can apply HMAC authentication to secure Web Api. HMAC authentication uses a secret key for each consumer. For more details about HMAC authentication please reference this thread. For more details about HMAC in uwp please reference MACs, hashes, and signatures.
You can also use third party tools from Azure. Azure API management can help secure and optimize your APIs. Details please reference the Publishing and securing access to REST APIs in uwp.

What's the easiest way to test a .NET SAML client?

I will soon need to add SSO to an ASP.NET app using SAML. The client will not provide access to their Shibboleth identity provider for testing, so I'll need to verify that SSO works myself.
What would be the easiest method to use/setup a SAML identity provider for testing? I'm not keen on having to setup an infrastructure myself if I don't have to.
I'm planning on using a SAML component from http://www.componentspace.com/
If you are a SaaS Provider - Check out "Getting Ping Certified"
http://www.pingidentity.com/partners/becomeapartner.cfm
All your suggestions look quite helpful.
For others who may find this page, the ComponentSpace SAML 2.0 component comes with an Identity Provider that appears to mimic Shibboleth. This appears to be the easiest way to test adding SSO to your own application.

Resources