I'm using WSO2 Enterprise Integrator 6.5.0 (last-release).
We need to put some access control to our vendors
Let's say there are three vendor company that connect to our services.
Things that i wanted to do are :
I wanna put restrict or access control to these vendor companies
Only first company can access to this URL (SOAP or REST services) and others can connect to each URL that they can access
Does WSO2 EI have this kind of feature? Thanks
You may try out the Throttle Mediator for this purpose. In where you may define throttle policies to restrict the access to a service ( URL ) based on IP addresses or domains.
Here , you may find an example policy to throttle based on IP addresses.
Related
I am pretty new to the WSO2 IS and my object is to understand how ( whether its possible ) to enable simultaneous login of 2 different service provider applications.
For instance : token from one service provider is to be accessed and used to login to the other app.
Any help on this topic is appreciated.
how ( whether its possible ) to enable simultaneous login of 2 different service provider applications.
From this question, I understand that you want to try Single Sign on with Identity server. WSO2 Identity Server enables users to access multiple applications using the same set of credentials. For an example, if users log into application A, they would automatically have access to application B as well for the duration of that session without having to re-enter their credentials. WSO2IS provides the capability for SSO using different protocols such as OpenIDConnect, SAML, etc.
If this is your requirement, you can refer to this doc to know about Single sign-on. If you use OAuth apps you can get access tokens. Refer to this doc to know about SSO with OpenID Connect.
Iam not able to see the service bus features like API,sequences and inbound end points etc...
may i know the reason why its happening like that?
enter image description here
Thanks and regards
sai kumar
Only the required features to run analytics are installed on API manager analytics server.
If you want to use API, sequences and inbound endpoints you should use a wso2ei server.
Many third-party services providers allow you to configure a "Webhook" (aka HTTP POST) to your system when an event occurs in their system. Service providers will use various methods of authentication (HMAC, OAuth, TLS, etc.).
For example, Company1 configures ServiceABC to send notification to http://company1.com/eventlistener when an event occurs in the service provider (eg transaction approved):
ServiceABC.com -> HTTP POST -> http://company1.com/eventlistener
http://company1.com/eventlistener is in the DMZ. It will authenticate the message and forward to back end service as appropriate.
[DMZ] http://company1.com/eventlistener -> | [Behind] http://backendUrl/service
In this example, assume the service provider does not support OAuth. Authentication is performed using a custom header scheme.
Can/Should the WSO2 API Manager be used in this scenario?
If not the API Manager, can the WSO2 ESB be used ?
API Manager is the right solution here. API Manager has 5 main components, gateway, publisher, store, keymanager and traffic manager. In the basic distributed setup these 5 components can run on 5 machines. API Publisher publishes APIs to gateway (real artifact of API are here) and store (virtual representation of API, to which can be subscribed, are here). Gateway exposes your APIs to outside. So it resides in DMZ. API Store also can be on DMZ depending on what you want. Keymanager handles authentication (eg. OAuth2) and should be in MZ. Traffic manager is used for request throttling.
Backend authentication can be done with a simple customization.
You can find clustering documentation here. APIM deployment patterns are here.
Hope this helps.
Such as two factor authentication, 3rd party OAuth, Connecting to LDAP.
I have added the above security to Wso2 Identity Server. But please help me achieve the same with Wso2 ESB.
Thanks
Where you want to add the security? What you want to secure?
I see two parts where the user security may play role in ESB:
For the carbon (management) console, I may disappoint you, that may not be so simple. See the Custom carbon authentication . It seems you need to enable other authenticators or add your own (see the file authenticators.xml, they are disabled by default) and "patch" the carbon to use it. However - for our best practices the management console (and the management services) should be not accessible from untrusted network .
If you're talking about securing the web services, this is not something an end user (person) is accessing. Ok - excluding the REST services. There are multiple options available to secure web services. From basic authentication (and username token), to STS (security token service), signing and encrypting the payload. See Securing web services, however here we assume some knowledge about the service security.
I am evaluating the WSO2 API Manager. From a security perspective I have a couple of question on the API Manager capabilities, which I was not able to find through the documentation:
Does WSO2 API Server support security features by detecting/checking the content on incoming messages for attacks, redirection/traffic routing? If yes, how does it support?
Do the GUI portals offered by WSO2 (API Portal, API Publisher, etc) enable protection against cross-site scripting, SQL injection and XML content or structural threats and viruses?
Thanks in advance.
Regards,
Ritwik
Yes, WSO2 API Manager's API Gateway is essentially an ESB and can check the content of incoming requests and detect message attacks. It is also possible to route traffic. You can direct access the API definition from the admin console of the API Manager (or directly from the file system)
Yes both the API Store and Publisher is secured against cross site scripting, SQL injection and XML content threats