Schema validation in WSO2 API Manager version 3.0 against OpenAPI specification - wso2

I am new to WSO2. We are trying to implement WSO2 API Manager for our project, so I have downloaded WSO2 API Manager 3.0 and started to explore it. In it I saw the schema validation option and then referred to its documentation. According to that, I have added a schema definition to my API as per the OpenAPI specification (v3.0). But after enabling the schema definition, it doesn't seem to validate the request against the schema defined. Is there anything that I am doing wrong? Please provide any information related to this.
JSON schema validation in WSO2 API Manager 3.0 documentation:
https://apim.docs.wso2.com/en/latest/Learn/APISecurity/APIRequestResponseSchemaValidation/json-schema-validator/

If you have provided a valid request payload/parameters, or if the response you get is according to the schema you have provided, you won't get any special notification to indicate that the values have passed through the schema validation. If the request/response payload does not adhere to the schema, then you will get the error message.
Did you get any error message? Also, share your OpenAPI schema definition so we can see whether it has some issues.

JSON and XML threat protection in WSO2 API Manager is not working

When I was trying "JSON/XML Threat Protection for API Gateway" in WSO2 APIM 3.1.0 by adding a mediation policy, it wasn't considering the custom policy that I've written; it was taking the default values, which are 100.
Is there anything more I should be adding? Please suggest!
Once a new mediation sequence is implemented, it needs to be uploaded and selected as a mediation sequence in the "Message Mediation" section. Once selected, you need to republish the API to apply the changes.
You can confirm this by checking the generated sequences file in <AM_HOME>/repository/deployment/server/synapse-configs/default/sequences. The file name format will be <provider>--<API-Name>_v<Version>--<Direction>.xml.

WSO2 APIM : Get API Rating and Business Information through Store REST API

I have a custom page where I obtain the published API list using the WSO2 Store RESTful API:
https://docs.wso2.com/display/AM220/apidocs/store/#!/operations#APICollection#apisGet
The problem is that the returned result does not include API Rating and Business Information, whereas the Jaggery API that is used by the default API Manager UI does include them. Is there any way to configure it so the REST API returns that data?
If I use the Jaggery API instead, it is cookie based, while I am using the OAuth2 OIDC Service Provider of the IS. I can't obtain APIs that have visibility to only their own domain by passing the access token in the Authorization header.
APIM Version: 2.2
Please advise. Thanks!
There is no way to change the output response of the defined APIs.
If you want to do that, get the source code of WSO2 from GitHub, edit the APIs and use the edited source to deploy your application. (But this will add lots of maintenance issues.)
The quickest way is to call the get-details-of-API operation.
It will return the business information object as well, as below:
    "businessInformation": {
        "technicalOwner": "John Doe",
        "technicalOwnerEmail": "architecture#pizzashack.com",
        "businessOwner": "Jane Roe",
        "businessOwnerEmail": "marketing#pizzashack.com"
    },
Here you will get a heavy response, as it returns the complete swagger definition as well.

Validate JSON Schema in WSO2 API Manager

Please suggest the possible techniques to validate (NULL, NOT NULL, tag presence, length, etc.) incoming request JSON schema elements in API Manager before the backend service is invoked.
Is it recommended to perform schema-level validation in WSO2 API Manager?
As per my knowledge, schema validations (XML/JSON) should be done at the client side before the API deployed on API Manager is invoked.
Any comments would be appreciated.
Regards,
Abhishek
In order to validate the request JSON you can use OpenAPI validation specifications. APIM facilitates editing the OpenAPI spec from the UI itself.
As per my knowledge you can do the validation in both places, but if you do the validation in the client itself you can prevent the API invocation to API Manager.
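The first thread above asks why a request is not rejected against an OpenAPI 3.0 schema, and this one asks which checks (NULL, NOT NULL, tag presence, length) can be expressed in such a schema. The following is an added example, not WSO2 code: a minimal validator for that subset of the OpenAPI 3.0 schema object, applied to a constructed order schema and payload. Like the gateway validator described in the first answer, it is silent when the payload adheres and reports violations otherwise.

```python
# Added example, not WSO2 code: validates a JSON payload against the subset of the
# OpenAPI 3.0 schema object that covers type, required (tag presence), nullable
# (NULL vs NOT NULL), string length and enum. Empty result = payload adheres.

# Constructed sample schema; OpenAPI 3.0 marks optional nulls with "nullable".
ORDER_SCHEMA = {
    "type": "object",
    "required": ["orderId", "customerName"],
    "properties": {
        "orderId": {"type": "integer"},
        "customerName": {"type": "string", "minLength": 1, "maxLength": 20},
        "note": {"type": "string", "nullable": True},
        "status": {"type": "string", "enum": ["NEW", "PAID"]},
    },
}

# JSON type name -> Python type(s); bool is excluded from integer/number below.
_TYPES = {"object": dict, "array": list, "string": str, "integer": int,
          "number": (int, float), "boolean": bool}

def validate(value, schema, path="$"):
    """Return a list of violations; an empty list means the payload adheres."""
    errors = []
    if value is None:
        if not schema.get("nullable", False):
            errors.append(f"{path}: null is not allowed")
        return errors
    expected = schema.get("type")
    if expected in _TYPES:
        is_bool_as_number = expected in ("integer", "number") and isinstance(value, bool)
        if not isinstance(value, _TYPES[expected]) or is_bool_as_number:
            errors.append(f"{path}: expected {expected}, got {type(value).__name__}")
            return errors  # no point checking constraints on the wrong type
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} is not one of {schema['enum']}")
    if isinstance(value, str):
        if len(value) < schema.get("minLength", 0):
            errors.append(f"{path}: shorter than minLength {schema['minLength']}")
        if len(value) > schema.get("maxLength", len(value)):
            errors.append(f"{path}: longer than maxLength {schema['maxLength']}")
    if isinstance(value, dict):
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required property is missing")
        for name, sub in schema.get("properties", {}).items():
            if name in value:
                errors.extend(validate(value[name], sub, f"{path}.{name}"))
    return errors
```

A request body that passes returns `[]`, which is why a correctly configured gateway shows nothing special on success; only a payload that breaks a rule produces messages.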

How do I disable OAuth2 for a resource in WSO2's API Publisher?

I've created a simple API and I'm trying to publish it using WSO2's API Publisher (aka API Cloud). I've gone through all the steps, but it seems to require an Authorization header to access my endpoint. In older documentation, it says that I can change the "Auth Type" at the resource level.
https://docs.wso2.com/display/AM160/API+Resources
However, this option doesn't seem to be there in the current version. I tried to make it so the Authorization header was not required. Unfortunately, I still get the following error:
    <ams:fault xmlns:ams="http://wso2.org/apimanager/security">
        <ams:code>900902</ams:code>
        <ams:message>Missing Credentials</ams:message>
        <ams:description>Required OAuth credentials not provided</ams:description>
    </ams:fault>
Is it possible to disable authentication for my API? I don't need it at this point in my project.
The document you have referred to is from APIM 1.6. From APIM 1.7, the APIM team changed the API creation process to a 3-step process: API Design, Implement and Manage. I think you have experienced this by now. In the Manage section, at the very bottom, it lists the available resources of the API, their auth type, allowed tier and the scopes allowed.
The default auth type is Application & Application User. If you click on that, you will get a drop-down where you will see "None" as an option. If you set the auth type to None, you will be able to invoke the API without providing the OAuth token.
See the following screenshot where I have selected different Auth types when creating an API.
Open the configuration related to your API in ${AM_HOME}/repository/deployment/server/synapse-configs/default/api/ and remove the following part:
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
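Removing that handler turns off the gateway's OAuth check for every resource of the API, so it is worth being able to see at a glance which deployed APIs are in that state. The following is an added example, not WSO2's own code: it parses the synapse API artefacts under the directory named in the answer and lists those without the APIAuthenticationHandler. The two XML samples are constructed to look like gateway artefacts (the ThrottleHandler line is only there as a second, unrelated handler), and the directory path is the one from the answer.

```python
# Added example, not WSO2 code: audit synapse API artefacts under
# <AM_HOME>/repository/deployment/server/synapse-configs/default/api/ and report
# which APIs no longer carry the APIAuthenticationHandler, i.e. which ones the
# gateway will serve without any OAuth check. Sample XML below is constructed.
import glob
import os
import xml.etree.ElementTree as ET

SYNAPSE_NS = "http://ws.apache.org/ns/synapse"
AUTH_HANDLER = "org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"


def api_auth_status(xml_text):
    """Return (api_name, context, has_auth_handler) for one synapse API artefact."""
    root = ET.fromstring(xml_text)
    handlers = root.find(f"{{{SYNAPSE_NS}}}handlers")
    classes = [] if handlers is None else [
        h.get("class", "") for h in handlers.findall(f"{{{SYNAPSE_NS}}}handler")]
    return root.get("name"), root.get("context"), AUTH_HANDLER in classes


def unauthenticated_apis(api_dir):
    """Scan a synapse api/ directory and list APIs that lack the auth handler."""
    exposed = []
    for path in sorted(glob.glob(os.path.join(api_dir, "*.xml"))):
        with open(path, encoding="utf-8") as fh:
            name, context, has_auth = api_auth_status(fh.read())
        if not has_auth:
            exposed.append((os.path.basename(path), name, context))
    return exposed


# Constructed samples: one API with the handler, one with that line removed.
SECURED_API = """<api xmlns="http://ws.apache.org/ns/synapse" name="admin--PizzaShack"
     context="/pizzashack/1.0.0" version="1.0.0" version-type="context">
  <resource methods="GET" url-mapping="/menu"><inSequence/><outSequence/></resource>
  <handlers>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.security.APIAuthenticationHandler"/>
    <handler class="org.wso2.carbon.apimgt.gateway.handlers.throttling.ThrottleHandler"/>
  </handlers>
</api>"""

OPEN_API = "\n".join(line for line in SECURED_API.splitlines() if AUTH_HANDLER not in line)
```

Run `unauthenticated_apis("<AM_HOME>/repository/deployment/server/synapse-configs/default/api")` on a gateway node to get the list of files whose APIs answer without credentials.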

The TryIt page proposes only a subject name. How do I test with http://wso2.org/claims/role, for example?

I'm running wso2is-4.6.0.
I've created a policy allowing a user with a specific role to access a resource.
When I TryIt, the WSO2 IS manager just proposes me a Subject Name (urn:oasis:names:tc:xacml:1.0:subject:subject-id). I've seen in a previous version of WSO2 IS (see here) that it was possible to define a Subject Attribute Name (in my case it would be http://wso2.org/claims/role).
The result is that I can't test my request with the current version, as the attributeId generated by the WSO2 TryIt tool refers to a subject-id where I need http://wso2.org/claims/role.
Is there any way to make this TryIt page more customizable?
Thanks for your help and support
Regards
Vpl
TryIt is a simple tool with which you can create the XACML request. It cannot support all the options that are available. However, when it comes to the new version, it seems that the attribute Id selection has been removed. But you can fill in the attribute values and create the sample XACML request in the XML view. Then you would find that the attribute id of the created XACML request would be urn:oasis:names:tc:xacml:1.0:subject:subject-id. Therefore you can easily modify it to http://wso2.org/claims/role and try out the policy.
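The edit the answer describes (generate the request in the XML view, then change the subject-id AttributeId to the role claim) is shown below as an added example, not WSO2 code. The XACML 3.0 request is constructed to resemble what TryIt generates; the function rewrites only the access-subject attribute so the resource attributes stay untouched, and refuses to run on a request that has no subject-id left to rewrite.

```python
# Added example, not WSO2 code: rewrite the subject-id attribute that the TryIt
# page generates into another AttributeId (here the WSO2 role claim) so the
# resulting request can be pasted back into TryIt's XML view.
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CATEGORY = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_CLAIM = "http://wso2.org/claims/role"
ET.register_namespace("", XACML_NS)  # keep the default namespace on output

# Constructed sample shaped like what the TryIt page generates.
TRYIT_REQUEST = f"""<Request xmlns="{XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="{SUBJECT_CATEGORY}">
    <Attribute AttributeId="{SUBJECT_ID}" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/reports</AttributeValue></Attribute>
  </Attributes>
</Request>"""


def _subject_attrs(root):
    """Yield Attribute elements in the access-subject category only."""
    for attrs in root.findall(f"{{{XACML_NS}}}Attributes"):
        if attrs.get("Category") == SUBJECT_CATEGORY:
            yield from attrs.findall(f"{{{XACML_NS}}}Attribute")


def subject_attributes(xml_text):
    """Return [(AttributeId, value)] for the access-subject category."""
    root = ET.fromstring(xml_text)
    return [(a.get("AttributeId"), a.findtext(f"{{{XACML_NS}}}AttributeValue")) for a in _subject_attrs(root)]


def retarget_subject(xml_text, new_attribute_id=ROLE_CLAIM, new_value=None):
    """Rewrite subject-id to another AttributeId (e.g. the role claim), optionally with a new value."""
    root = ET.fromstring(xml_text)
    targets = [a for a in _subject_attrs(root) if a.get("AttributeId") == SUBJECT_ID]
    if not targets:
        raise ValueError("request has no subject-id attribute to rewrite")
    for attr in targets:
        attr.set("AttributeId", new_attribute_id)
        if new_value is not None:
            attr.find(f"{{{XACML_NS}}}AttributeValue").text = new_value
    return ET.tostring(root, encoding="unicode")
```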