I was curious how can see the revoke api end point exists.The url configured is
https://localhost:9443/revoke
But I could see the api listed under the started application or under api.
I even tried retrieving the wadl from the url but it did not return anything.
Do we need to explicitly publish it or it gets done automatically when we start the wso2server ? Or Do we need to install something other than the wso2 api manager to get this api?
When I browse the endpoint https://localhost:9443/revoke/?_wadl , I get error
405 - method not allowed
The port should be 8243.
And it's not a SOAP service.
Ref: https://docs.wso2.com/display/AM260/Token+API#TokenAPI-Revokingaccesstokens
Related
I need to manage a Registry Resource deployed into the Enterprise Integrator.
Using the REST API like this:
https://localhost:9443/registry/resource/_system/governance/EstrattoContoEnti/xml/EstrattoContoEntiConf.xml
I can GET the resource, but...how can I modify this or create a new one?
Calling a PUT o POST I get Error 405 - Method Not Allowed.
Is there any API to manage the registry entries on the WSO2 EI?
Or may I need to use something else?
This is not possible out of the box via a REST API.
There is a AdminService for Registry and you may access that AdminService and get the related functionality via SOAP.
But in your case, since you are expecting a REST API, you can create a web-app client which will use this Admin-service, so that you have a REST API to the registry via this client.
There is already such a client written. Have a look at the steps on how to get this and configured from the following blog.
http://abeykoon.blogspot.com/2015/04/wso2-gov-registry-using-registry-api.html
Cheers.
I created an application that's calling Oracle RESTful Webservices and i want to secure them with Oauth 2.0. I followed this tutorial 'Accessing the RESTful Services from a Third Party Application'
But when I try to get the access token, I get the error below: https://server:port/i/oauthdemo/gallery.html#error=access_denied&state=STATE
This document mentions that this error happens if the user denies the request. How can i approve the request? Is there any extra configuration that I need to make?
I'm trying to use WSO2 API Manager 1.10.0 on an existent micro-services project with REST APIs following WSO2 tutorial.
I have installed it on my computer as well as a copy of my application and configured AM to manage requests (GET, POST and DELETE) to my resource but I always obtain a "Response code 0" with Response Header
{
"error": "no response from server"
}
Trying to contact my application using Advanced REST Client I obtain 200 with the correct result.
My APIs use a token inside the header to authenticate the user passed so I have implemented a dummy API without authentication but I still have the same issue.
I have tried also the Cloud version with our test server but still obtaining the same result.
I found this guide http://wso2.com/blogs/cloud/video-setting-up-custom-url-for-api-store-and-gateway/ but I don't know if this can be a solution for the problem in localhost.
Setting up the custom url in WSO2 API Cloud wont help. Thats there for a different purpose. There are two things you can do.
If you are interested in going ahead with the cloud version, you can get help from them. You can send a support request and the cloud team will help.
You can troubleshoot your local instance. When doing so, first, try to invoke your api via curl and see whether it gets a response. Sometime, your api can work fine, but due to some reasons, the result might not reach the api console.
If the curl works fine or not, you can check the logs to see whether there are any errors printed. Some more questions:
Is your backend service exposed via http or https?
If it is https, then if its certificate is not a CA signed one, API Manager will fail during the handshake. If so, you will have to add the cert to api managers client-truststore.jks
In the cloud scenario, your backend should be accessible from internet and the certificate story is valid for cloud too.
Are you trying to access the api using swagger console (or any web application). There are couple of reasons you could encounter this issue. one could be certificate not installed in the browser.
If this happens you should see some error log in the api manager console (something related to CA not found). for that first you can copy the backend url (swagger console shows the url it used to send the request) and paste it on a new browser window and install the certificate to the browser.
also you can get an idea about the issue by using a tool like firebug and check the request. (it will show the error for not connecting the AM)
Finally I have found the issue: the API Manager does not accept plain text response, responding using a JSON solves the problem.
Using other mediatype such as XML or TEXT/HTML it reports 406, with text plain it returns Error 0.
I'm researching WSO2 API Manager and I discover that if I use WSO2 API Publisher and API Store, I would meet XSS and CSRF security errors. With XSS, I see that WSO2 didn't encode HTML character input. With CSRF, I see that WSO2 didn't create token when I request from client to server and vise versa.
Does everyone know how to config WSO2 to prevent these security error or how to fix them.
Thanks in advanced.
On our side, there are a few things we do when publishing/consuming APIs via the API Publisher and API Store:
Set the Transports property to just HTTPS so that we can limit API availability to just HTTPS.
For each HTTP method, we set the Auth Type to either Application, Application User or both, but never none. This will force the client to utilize the WSO2 Access Token scheme to invoke the APIs hosted on the API Store.
On the client side, we have been invoking the Token API to generate and renew user and application access token so that we don't have to manually re-generate keys in the API Store.
Utilize API in-sequence to escape special characters.
We fix these type of security issues in our next release AM V 1.7.1. You can expect it in 3rd week of September.
A backend service needs to know the user for the service call. Reading through the API 1.6.0 documentation I have configured it to generate JWT and removed and republished my services as stated. Running tests, I am not seeing the JWT being passed to the backed service in the response headers in Fiddler. I am not using the ESB or Identity services from WSO2.
What am I missing?
JWT information should be passed in the header under the parameter X-JWT-Assertion. The Content is been encoded. Use TCPMon to intercept the request and see if the API Manager is actually passing the JWT. This would be a good starting point to debug.