To prevent log injection, I need to validate the query parameters (country, pesticide and crop) in WSO2 AM. The API looks like below:
http://172.17.100.149/api/mrldatabase/v1/reports?country=AUS&pesticide=ABew30000&crop=22020347
Really appreciate if someone can show me a way of validation.
You can write a custom mediation sequence for this. See docs.
You can read query params like this. See this for more details.
<sequence xmlns="http://ws.apache.org/ns/synapse" name="admin--Temp:v1.0.0--In">
<log level="custom">
<property name="SubPath" expression="$ctx:REST_SUB_REQUEST_PATH"/>
</log>
</sequence>
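One way to do the validation the question asks for, as an added example that is not part of the original answer or of WSO2's own samples: an in-sequence that allowlists each query parameter with the filter mediator and rejects anything else with HTTP 400 before it can reach a log line. The sequence name, the `PARAMS_VALID` property and the three value patterns (inferred from the sample URL) are assumptions, as is a product version that supports `$url:`, the JSON payloadFactory and `<respond/>`.

```xml
<!-- Added example; sequence name, PARAMS_VALID and the patterns are assumptions. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="admin--MrlDatabase:v1--In">
    <!-- Fail closed: the request is invalid until every parameter passes. -->
    <property name="PARAMS_VALID" value="false" scope="default"/>

    <!-- Each regex has to match the whole value, so CR, LF and any other
         character outside the allowlist is rejected; a missing parameter
         fails the match as well. -->
    <filter source="$url:country" regex="[A-Z]{3}">
        <then>
            <filter source="$url:pesticide" regex="[A-Za-z0-9]{1,32}">
                <then>
                    <filter source="$url:crop" regex="[0-9]{1,16}">
                        <then>
                            <property name="PARAMS_VALID" value="true" scope="default"/>
                        </then>
                    </filter>
                </then>
            </filter>
        </then>
    </filter>

    <filter source="$ctx:PARAMS_VALID" regex="true">
        <then>
            <!-- Only validated values are written to the log. -->
            <log level="custom">
                <property name="country" expression="$url:country"/>
                <property name="pesticide" expression="$url:pesticide"/>
                <property name="crop" expression="$url:crop"/>
            </log>
        </then>
        <else>
            <!-- Log a fixed string, never the rejected input. -->
            <log level="custom">
                <property name="validation" value="query parameter rejected"/>
            </log>
            <property name="HTTP_SC" value="400" scope="axis2"/>
            <payloadFactory media-type="json">
                <format>{"error":"invalid query parameter"}</format>
                <args/>
            </payloadFactory>
            <property name="messageType" value="application/json" scope="axis2"/>
            <respond/>
        </else>
    </filter>
</sequence>
```

Tighten the three patterns to the real code formats of the backend; the lengths used here are placeholders.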
I am implementing handler for REST API in Java (org.apache.synapse.rest.Handler interface). And there is a case, when I need to access Secure Vault and get a value.
I know that you are able to achieve this by expression="wso2:vault-lookup('YOUR.KEY.HERE')" in sequence, but can't find api to do this in handler. I believe that org.apache.synapse.MessageContext can help, but not sure how.
You can use below code segment in the custom handler.
public String getSecretPassword(String alias, MessageContext messageContext){
RegistrySecretRepository regRepo = new RegistrySecretRepository();
regRepo.setSynCtx(messageContext);
return regRepo.getSecret(alias);
}
Dependency for pom.xml, the version needs to be changed according to your product version.
<dependency>
<groupId>org.wso2.carbon</groupId>
<artifactId>org.wso2.carbon.mediation.security</artifactId>
<version>4.2.0</version>
</dependency>
Please refer - http://malantech.blogspot.com/2016/10/basic-authentication-handler-with.html
Thanks
I believe you will not be able to get the value of the security vault directly from your handler so I advise you to recover the password and put it in a property and inside your handler to retrieve the property.
<property name="passwordvault"
expression="wso2:vault-lookup('YOUR.KEY.HERE')"
scope="default"/>
And use the MessageContext to get the property like this:
context.getProperty("passwordvault");
That's just a workaround which is not advisable. I believe you can try the code below, as I have used something similar earlier as well and it worked.
<property expression="wso2:vault-lookup('ei.training.userid')" name="UserID" scope="default" type="STRING"/>
<log>
<property expression="wso2:vault-lookup('ei.training.userid')" name="UID"/>
</log>
And I will answer my own question.
I've created a dummy sequence and placed it into Registry
<sequence name="SecureVaultSeq" trace="disable" xmlns="http://ws.apache.org/ns/synapse">
<property expression="wso2:vault-lookup('MY.PASS')" name="NAME"
scope="default" type="STRING"
xmlns:ns="http://org.apache.synapse/xsd" xmlns:ns3="http://org.apache.synapse/xsd"/>
</sequence>
Then in my handler I retrieved it like this:
messageContext.getConfiguration().getSequence("conf:Resources/sequences/SecureVaultSeq.xml").mediate(messageContext);
key = (String) messageContext.getProperty("NAME");
Hope this will help someone.
How to retrieve the HTTP REST METHOD (GET, PUT, POST, DELETE, OPTIONS) in a WSO2 API Manager sequence at runtime? I tried $ctx:REST_METHOD, which returns a 'null' value.
<sequence name="ec_rest_dynamic_ep" trace="disable" xmlns="http://ws.apache.org/ns/synapse">
<property expression="$ctx:REST_METHOD" name="restmethod"
scope="default" type="STRING"/>
<log>
<property expression="get-property('restmethod')" name="*******************REST_METHOD***********"/>
</log>
</sequence>
Basically, the HTTP REST METHOD value of the current service and the URL context of that service are needed to identify the service, in order to redirect the service to its endpoint dynamically at runtime.
Try the following property.
<property name="Http_Method" expression="get-property('axis2', 'HTTP_METHOD')"/>
You can find more useful properties in [1].
#Pubci's answer is correct. Here is another way.
<property name="Method" scope="transport" expression="$ctx:api.ut.HTTP_METHOD"/>
Some other properties can be found here.
I'm looking for a way to communicate the user and the subscribed application name from the WSO2 API Manager to specific API's. I already found documentation on using JWT for this, but that would imply that all connected API's get this information, something that is not desirable in our scenario.
Can the same be accomplished using some sort of mediation sequence? I can't find any proper documentation on what parameters and fields are available there.
Thanks in advance.
Yes you can write a custom mediation sequence like this.
<sequence xmlns="http://ws.apache.org/ns/synapse" name="admin--Temp:v1.0.0--In">
<property name="UserName" scope="transport" expression="$ctx:api.ut.userName"/>
<property name="AppName" scope="transport" expression="$ctx:api.ut.application.name"/>
<log level="custom">
<property name="User" expression="$trp:UserName"/>
<property name="App" expression="$trp:AppName"/>
</log>
</sequence>
Here I'm creating 2 transport headers with user name and app name.
I want to get a URI VAR value from request to call correct case in switch in WSO2 ESB API resource, like this:
<api name="apk" context="/apk">
  <resource methods="GET" uri-template="/apk/{appName}">
    <inSequence>
      <header name="App" scope="transport" action="remove"/>
      <switch source="get-property('uri.var.appName')">
        <case regex="BEBE">
          <send><endpoint><http method="GET" uri-template="http://localhost/apk/Bebe.apk"></http></endpoint></send>
        </case>
        <case regex="CITAS">
          <send><endpoint><http method="GET" uri-template="http://localhost/apk/Citas.apk"></http></endpoint></send>
        </case>
      </switch>
    </inSequence>
  </resource>
</api>
In switch, source="get-property('uri.var.appName')" it's not correct.
Can I get this value using $url SynapseXpath variables like $url?
What you have done is correct. Please try the same with a log mediator and see whether you get the value properly.
<log level="custom">
<property name="AppName" expression="get-property('uri.var.appName')"/>
</log>
Alternatively you can assign this to a property and use that inside your switch mediator.
Can someone point me to a working example of XSL transformation using the proxy service's XSLT mediator option?
Basically, my requirement is: I will have a request where I will get some data which determines the routing, and after that, from other elements of the requested data, I have to reframe the SOAP request to trigger another BPEL service.
Please let me know the better approach to this.
You can very well use XSLT transformation in your sequence, using XSLT Mediator.
In your sequence file you can specify the XSLT file to transform the request. Sample sequence code snippet:
<sequence xmlns="http://ws.apache.org/ns/synapse" name="SampleInterceptorSequence">
<in>
<log level="full" category="DEBUG">
<property name="sequence" value="inSequence-Request Before XSLT" />
</log>
<xslt key="RequestTranformerXSLT" />
<log level="full" category="DEBUG">
<property name="sequence" value="inSequence-Request After XSLT" />
</log>
<send>
<endpoint key="MyActualServiceEPR" />
</send>
</in>
</sequence>
Your xslt would contain the style for the actual request to be formed for hitting the end point reference.
Further if you can check this nice article of web service chaining to get a real time idea of xslt mediation.
Web Service Chaining from WSO2 ESB Developers
Hope this helps.
Thanks.
Find the sample below..
http://wso2.org/project/esb/java/4.0.0/docs/samples/message_mediation_samples.html#Sample8