WSO2 ESB: Using Basic Authentication for a proxy service - basic-authentication

I need to expose a proxy service created on WSO2 ESB 4.3.0 using Basic Authentication.
How can that be possible?
Thanks in advance,
Alessandro

There are couple of article written around this chapter refer [1] [2]
[1] http://blog.facilelogin.com/2008/11/secure-your-service-with-http-basic.html
[2] http://blog.thilinamb.com/2011/04/how-to-access-web-service-using-http.html

Related

How to use the # character as a password in WSO2 API Manager 4.0.0?

I am currently using the latest version of WSO2 APIM(4.0.0).
I tried connecting to the ldap as a readonly userstore as per the documentation, but once I startup the server a JMS error occurs possibly due to the # character used in the password.
Is it possible to use the # character without breaking WSO2 APIM functionality?
Thanks in advance.
It is not possible to use # in JMS connection string. Please check - https://apim.docs.wso2.com/en/latest/install-and-setup/setup/security/logins-and-passwords/maintaining-logins-and-passwords/#change-the-super-admin-credentials
The following worked for me.
In deployment.conf file configure the password with the special character as below.
[super_admin]
username = "your-name"
password = "<![CDATA[your-password]]>"
[apim.throttling.jms]
username = "your-name"
password = "<![CDATA[your-password]]>"
Thanks #Pubci for referring the relevant documentation link.

WSO2 API manager -unable to connect secure websocket (WSS) in configured api publisher

i am using api manager 3.1.0 , i have configured web socket in api publisher , i m trying to access wss and ws . the problem is unable to access wss secure socket-.wss://localhost:8099/Notification/v1?access_token=xxx123 .
but i am able to access ws://localhost:9099/Notification/v1?access_token=xxx123.
can you please guide me, what i have to do configure to access wss,
please refer the screen clip shows unable to verify the first certificate.
enter image description here
enter image description here
Please use the command given in documentation [1] for wss://. I'll post the sample command here. I think you have missed '-n' in the command.
wscat -n -c wss://localhost:8099/echowebsocket/1.0.0 -H "Authorization: Bearer [accesstoken]"
[1] https://apim.docs.wso2.com/en/latest/learn/tutorials/create-and-publish-websocket-api/#step-3-invoke-a-websocket-api

How to setup HTTP Basic Authentication for SOAP Client within WebSphere Liberty

We are trying to deploy an EAR on WebSphere Liberty.
Our application contains an EJB-module, which contains and EJB that makes a call to another SOAP server.
The WSDL of the service defines a wsp:Policy with ExactlyOne of http:BasicAuthentication xmlns:http="http://schemas.microsoft.com/ws/06/2004/policy/http"/
After deployment when we send a request to our application, which would trigger that SOAP-call we get an error: None of the policy alternatives can be satisfied.
I found some java-code on how to solve this
HTTPConduit http = (HTTPConduit) client.getConduit();
http.getAuthorization().setUserName("user");
http.getAuthorization().setPassword("pass");
But I do not want to do this in the Java-code but I want to make it part of the server config.
I found several helpful links, but still could not get it working.
Does anybody have any suggestions on how I can set this up?
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_wssec_migrating.html
https://www.ibm.com/support/knowledgecenter/en/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_ws_clientcert.html
You could use the JNDI feature to express the userid and password in server.xml, then have your java code pull it out of JNDI.
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_dep_jndi.html

WSO2-APIM/IS How to configure repository\conf\identity\identity-providers\default.xml

I have created a custom federated authenticator in WSO2-APIM/IS and have enable Just-In-Time Provisioning.
Since in API Manager when an application is created a corresponding service provider will be created as well. I want to have all service provider be using my custom authenticator as default which, I think, can be done by editing the file repository\conf\identity\identity-providers\default.xml
However I can not find the information in the documentation on the format of this file which I need to configure my custom federated authenticator and enable JIT Provisioning. Can anyone please guide me to the configuration detail of this file.
Below is the default repository\conf\identity\identity-providers\default.xml
<IdentityProvider>
<IdentityProviderName>default</IdentityProviderName>
<DisplayName>default</DisplayName>
<IdentityProviderDescription></IdentityProviderDescription>
<Alias></Alias>
<IsPrimary></IsPrimary>
<IsFederationHub></IsFederationHub>
<HomeRealmId></HomeRealmId>
<ProvisioningRole></ProvisioningRole>
<FederatedAuthenticatorConfigs></FederatedAuthenticatorConfigs>
<DefaultAuthenticatorConfig>
</DefaultAuthenticatorConfig>
<ProvisioningConnectorConfigs>
<!--<ProvisioningConnectorConfig>
<ProvisioningProperties>
</ProvisioningProperties>
</ProvisioningConnectorConfig>-->
</ProvisioningConnectorConfigs>
<!--<DefaultProvisioningConnectorConfig></DefaultProvisioningConnectorConfig>-->
<ClaimConfig></ClaimConfig>
<Certificate></Certificate>
<PermissionAndRoleConfig></PermissionAndRoleConfig>
<JustInTimeProvisioningConfig></JustInTimeProvisioningConfig>
</IdentityProvider>
Thank you very much in advanced.
As per the code here, It should be in the following format.
<JustInTimeProvisioningConfig>
<UserStoreClaimUri></UserStoreClaimUri>
<ProvisioningUserStore>PRIMARY</ProvisioningUserStore>
<IsProvisioningEnabled>true</ProvisioningEnabled>
</JustInTimeProvisioningConfig>
Change the ProvisioningUserStore to reflect yours.

symfony2 behind Amazon ELB: always trust proxy data?

I'm running a Symfony2 web application on AWS, and am using an Elastic Load Balancer.
In a controller method, I need to do the following to get the IP of a user requesting a web page:
$request->trustProxyData();
$clientIp = $request->getClientIp(True);
Does this present any security risks? I'm not using the client IP for privilege escalation, I'm just logging it.
Is there some way to force trustProxyData() always, or otherwise reconfigure $request->getClientIp() to DWIM? My app will always be behind a load balancer (except while I do development on my desktop).
Related: http://fabien.potencier.org/article/51/create-your-own-framework-on-top-of-the-symfony2-components-part-2 (but it doesn't say if there's some global config so I don't have to call trustProxyData() everywhere).
You can configure the framework bundle to do this: http://symfony.com/doc/2.0/reference/configuration/framework.html#trust-proxy-headers
framework:
trust_proxy_headers: true
I am not sure about any general security risks, but I can give you a tip how to avoid calling this method in each controller action.
In your app.php just before the $kernel->handle(...); you should set:
Request::trustProxyData();
Cheers ;)
Note:
The trust_proxy_headers option is deprecated and will be removed in Symfony 2.3.
See a trusted_proxies and a Trusting Proxies for details on how to properly trust proxy data.
I used
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));
in web/app.php to solve the problem.
See my answer here: https://stackoverflow.com/a/28793609/2030937
In modern symfony versions: https://symfony.com/doc/current/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly
If your elb is behind a cloudfront proxy you should take a look at this package too:
https://packagist.org/packages/fmaj/cloudfront-trusted-proxies

Resources