JSON and XML threat protection in WSO2 API Manager is not working - wso2

When I was trying "JSON/XML Threat Protection for API Gateway" in WSO2 APIM 3.1.0 by adding a mediation policy, it wasn't considering the custom policy that I've written; it takes the default values, which are 100.
Anything more I should be adding, please suggest!

Once a new mediation sequence is implemented, it needs to be uploaded and selected as a mediation sequence in the "Message Mediation" section. Once selected, you need to republish to apply the changes.
You can confirm this by checking the generated sequence file in <AM_HOME>/repository/deployment/server/synapse-configs/default/sequences. The file name format will be <provider>--<API-Name>_v<Version>--<Direction>.xml
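To see what the thresholds in such a policy actually enforce, here is an added example (not code from the question or from WSO2) that walks a JSON payload and reports every limit it exceeds; the five limit names are assumed to mirror the kinds of limits a JSON threat-protection policy exposes, and the values are constructed, with 100 matching the defaults the question reports.

```python
import json

# Constructed limits: 100 everywhere, as in the defaults the question describes.
DEFAULT_LIMITS = {
    "maxPropertyCount": 100,      # properties per object
    "maxStringLength": 100,       # characters per string value
    "maxArrayElementCount": 100,  # elements per array
    "maxKeyLength": 100,          # characters per object key
    "maxJsonDepth": 100,          # nesting level of objects/arrays (top level = 1)
}


def check_json_threats(payload: str, limits: dict = DEFAULT_LIMITS) -> list:
    """Return a list of limit violations for the payload; an empty list means clean."""
    violations = []
    try:
        doc = json.loads(payload)
    except ValueError as exc:
        return [f"malformed JSON: {exc}"]

    def walk(node, depth, path):
        if depth > limits["maxJsonDepth"]:
            violations.append(f"{path}: depth {depth} > maxJsonDepth")
            return  # deeper nodes would only repeat the same finding
        if isinstance(node, dict):
            if len(node) > limits["maxPropertyCount"]:
                violations.append(f"{path}: {len(node)} properties > maxPropertyCount")
            for key, value in node.items():
                if len(key) > limits["maxKeyLength"]:
                    violations.append(f"{path}.{key}: key length {len(key)} > maxKeyLength")
                walk(value, depth + 1, f"{path}.{key}")
        elif isinstance(node, list):
            if len(node) > limits["maxArrayElementCount"]:
                violations.append(f"{path}: {len(node)} elements > maxArrayElementCount")
            for i, item in enumerate(node):
                walk(item, depth + 1, f"{path}[{i}]")
        elif isinstance(node, str) and len(node) > limits["maxStringLength"]:
            violations.append(f"{path}: string length {len(node)} > maxStringLength")

    walk(doc, 1, "$")
    return violations


if __name__ == "__main__":
    sample = '{"user": {"name": "' + "x" * 120 + '", "tags": ["a", "b"]}}'  # constructed
    print(check_json_threats(sample))                                 # string too long
    print(check_json_threats(sample, dict(DEFAULT_LIMITS, maxJsonDepth=1)))
```

Running the same payload against the default limits and against a stricter custom set is a quick way to confirm which thresholds the gateway is really applying.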

Related

WSO2 APIM adding sequence for backend server of API

I am working on one scenario where I have to add a sequence in the API using the REST API of APIM 2.6.0 [https://docs.wso2.com/display/AM260/apidocs/publisher/#!/operations#MediationPolicyCollection#apisApiIdPoliciesMediationPost]
Once the mediation policy is added to the respective API, do we have to publish the API once again? When I am doing it from the publisher, once the sequence is added to direction IN, I am saving it to get it reflected in synapse.
So, I believe if I am adding the same from the REST API, then I also have to republish it to get it reflected in synapse.
Please let me know if the understanding is correct.
Thanks
Yes, you need to republish the API again to reflect the changes applied. You can check the code when adding a mediation policy for the API in [1].
[1] - https://github.com/wso2/carbon-apimgt/blob/85d02e1864bf77bd53bd269445995ab8e8e9641f/components/apimgt/org.wso2.carbon.apimgt.rest.api.publisher/src/main/java/org/wso2/carbon/apimgt/rest/api/publisher/impl/ApisApiServiceImpl.java#L796
Yes.
Normally, once the API is published, all the changes will be auto deployed.
So, adding the mediation policies should also be reflected without re-publishing the API.
Update
The answer above is for when using the UI. In REST API, we should republish the API.

Validate JSON Schema in WSO2 API Manager

Please suggest the possible techniques to validate (NULL, NOT NULL, TAG presence, length, etc.) incoming request JSON schema elements in API Manager before the backend service is invoked.
Is it recommended to perform schema level validation in WSO2 API Manager?
As per my knowledge, schema validations (XML/JSON) should be done at the client side before the API deployed on API Manager is invoked.
Any comments would be appreciated.
Regards,
Abhishek
In order to validate the request JSON you can use OpenAPI validation specifications. APIM facilitates you to edit the OpenAPI spec from the UI itself.
As per my knowledge you can do the validation in both places, but if you do the validation in the client itself you can prevent the API invocation to API Manager.
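As an added illustration of the checks the question lists (null, not-null, presence, length) expressed as an OpenAPI-style request schema, here is a small validator written for this page; it is not WSO2's own validation code, and the order schema and the request bodies are constructed.

```python
# Constructed OpenAPI 3.0 request-body schema fragment (not from the question).
ORDER_SCHEMA = {
    "type": "object",
    "required": ["orderId", "customer"],          # presence checks
    "properties": {
        "orderId": {"type": "string", "minLength": 1, "maxLength": 20},
        "note": {"type": "string", "nullable": True, "maxLength": 200},  # NULL allowed
        "customer": {
            "type": "object",
            "required": ["email"],
            "properties": {"email": {"type": "string", "maxLength": 100}},
        },
    },
}

TYPE_MAP = {"string": str, "object": dict, "array": list, "boolean": bool,
            "integer": int, "number": (int, float)}


def validate(data, schema, path="$"):
    """Return a list of error strings for data against the schema (empty = valid)."""
    errors = []
    if data is None:
        # NOT NULL unless the schema says nullable: true
        if not schema.get("nullable", False):
            errors.append(f"{path}: null not allowed")
        return errors
    expected = TYPE_MAP.get(schema.get("type"))
    # bool is a subclass of int in Python, so reject true/false where an integer is expected
    if expected and (not isinstance(data, expected)
                     or (expected is int and isinstance(data, bool))):
        errors.append(f"{path}: expected {schema['type']}")
        return errors
    if isinstance(data, str):
        if "minLength" in schema and len(data) < schema["minLength"]:
            errors.append(f"{path}: shorter than minLength {schema['minLength']}")
        if "maxLength" in schema and len(data) > schema["maxLength"]:
            errors.append(f"{path}: longer than maxLength {schema['maxLength']}")
    if isinstance(data, dict):
        for name in schema.get("required", []):
            if name not in data:
                errors.append(f"{path}.{name}: required property missing")
        for name, sub in schema.get("properties", {}).items():
            if name in data:
                errors.extend(validate(data[name], sub, f"{path}.{name}"))
    return errors


if __name__ == "__main__":
    print(validate({"orderId": "", "note": None, "customer": {}}, ORDER_SCHEMA))
```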

wso2 api manager clustering

I am trying to set up a cluster for WSO2 API Manager and I am following https://docs.wso2.com/display/CLUSTER44x/Clustering+API+Manager+1.10.0
I am using separate VMs for each of the components, and currently in my setup I am able to
Publish an api using the publisher which gets published in the Gateway (Visible in the log)
Subscribe to this API from the store and generate keys
However, when I am trying to access this API using the generated key I get the following response
<soapenv:Fault xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <faultcode xmlns:axis2ns2="http://schemas.xmlsoap.org/soap/envelope/">axis2ns2:Client</faultcode>
    <faultstring>Authentication Failure</faultstring>
    <detail>Error while accessing backend services for API key validation</detail>
</soapenv:Fault>
In the gateway logs I can see only the line below. There are no further details in the logs.
TID: [-1234] [] [2016-02-02 16:55:58,288] WARN {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler} - API authentication failure due to Unclassified Authentication Failure {org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler}
Please help me to resolve this issue.
That sounds like an issue with your API. API Manager doesn't actually "authenticate anything" unless you are using Identity Server; see here for the difference between authentication and authorization (what WSO2 does through OAuth). Please try an API that is known to work, such as http://petstore.swagger.io/, and report back the error.
This can happen due to many reasons. Please check some of the reasons below.
Key Manager's public certificate isn't properly imported in the <GATEWAY_HOME>/repository/resources/security/client-truststore.jks
Open the api-manager.xml file of the gateway and key manager nodes and change the <KeyValidatorClientType> to WSClient as below (the default value is ThriftClient).
<KeyValidatorClientType>WSClient</KeyValidatorClientType>
The reason for this could be a misconfiguration between nodes. First you can double check the configurations (especially the key validator related configurations).
If you could not find any issue there, then you can enable debug logs and get some idea about the issue.
Add the following entries in repository/conf/log4j.properties in the gateway node:
log4j.logger.org.wso2.carbon.apimgt.gateway.handlers.security=DEBUG
Add the following entries in repository/conf/log4j.properties in the key manager node:
log4j.logger.org.wso2.carbon.apimgt.keymgt=DEBUG
You might be able to find the issue by analyzing the logs.

How do I disable OAuth2 for a resource in WSO2's API Publisher?

I've created a simple API and I'm trying to publish it using WSO2's API Publisher (aka API Cloud). I've gone through all the steps, but it seems to require an Authorization header to access my endpoint. In older documentation, it says that I can change the "Auth Type" at the resource level.
https://docs.wso2.com/display/AM160/API+Resources
However, this option doesn't seem to be there in the current version. I tried to make it so the Authorization header was not required. Unfortunately, I still get the following error:
<ams:fault xmlns:ams="http://wso2.org/apimanager/security">
    <ams:code>900902</ams:code>
    <ams:message>Missing Credentials</ams:message>
    <ams:description>Required OAuth credentials not provided</ams:description>
</ams:fault>
Is it possible to disable authentication for my API? I don't need it at this point in my project.
The document you have referred to is from APIM 1.6. From APIM 1.7, the APIM team changed the API creation process to a 3-step process. It involves API Design, Implement and Manage. I think you have experienced this by now. In the Manage section, at the very bottom, it lists the available resources of the API, their auth type, allowed tier and the scope allowed.
The default auth type is application & application user. If you click on that, you will get a drop-down where you will see "None" as an option. If you set the auth type as None, you will be able to invoke the API without providing the OAuth token.
See the following screenshot where I have selected different Auth types when creating an API.
Open the configuration related to your API in ${AM_HOME}/repository/deployment/server/synapse-configs/default/api/ and remove the following part.
<handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>

In wso2 api manager, how to add a custom mediator

I read the post at WSO2 API Manager and XACML Entitlement which says that a configuration file in API Manager can be modified to use an entitlement mediator in "the in sequence".
I know how to edit this configuration through the web interface. But which file contains this configuration?
This configuration doesn't have a element or element (except for the elements in elements). Exactly where should I put the element?
If I create my own entitlement mediator, how do I plug it in or make it available to the API Manager?
Go to the APIM distribution's HOME\repository\deployment\server\synapse-configs\default\api folder, where you will see the API configurations which you create from the publisher. Add your mediator there by editing the configuration, and restart the server.