Disable Case sensitive URLs for wso2 am - wso2

I created an API in WSO2 API Manager 2.0 publisher. When I publish this API, I have some resource /Some/things in the WSO2 store. If I keep the case as is in the URL, then my API works. If I use any other tool to call it and change the case in the URL, then I get a 202 error.
I know the WSO2 API Manager is handling the API URL correctly, but I want to disable this feature.
How can I do this?

There is no option to disable case sensitivity in API Manager. But you can rewrite the request URL with any reverse proxy and send the request to APIM,
e.g. an nginx URL redirect [1].
[1] https://www.nginx.com/blog/creating-nginx-rewrite-rules/

Related

Authorization Code grant generates 405 in WSO2 APIM

I'm trying to implement the OAuth2 Authorization Code flow with WSO2 APIM 2.6 but I get a 405 Method Not Allowed. Here is what I did:
Install WSO2 APIM (no WSO2 IS nor IS-KM is in my environment; only APIM is present).
Create a Spring Boot REST service with @RestController. This leads to the base path http://localhost:8080.
Create an API in the API Publisher. This points to the REST service.
As admin, create an application in the API Store and subscribe to the API. The callback URL is simply http://localhost:8080, as shown in the image below.
Call the authorize method of WSO2 APIM with the following URL:
https://localhost:9443/authorize?response_type=code&redirect_uri=http://localhost:8080&client_id=EaTfmmwQT4fWciN4WnU1YyyYYYsa
When I call this URL, I'm redirected to the login page of WSO2 APIM like below.
I just log in with admin/admin.
Upon login, I thought I'd be redirected to an authorize page, but instead I'm redirected to the following error page.
Could you guys help me here?
You are trying with https://localhost:9443/authorize, which is wrong. That is why it is redirecting to the Carbon console. You can use one of the following URLs.
https://localhost:9443/oauth2/authorize
https://localhost:8243/authorize
This will prompt you with a different login page where you can use your login credentials.
https://docs.wso2.com/display/AM260/Authorization+Code+Grant

WSO2 revoke api

I was curious how I can see whether the revoke API endpoint exists. The URL configured is
https://localhost:9443/revoke
But I could see the API listed under the started application or under API.
I even tried retrieving the WADL from the URL but it did not return anything.
Do we need to explicitly publish it, or does it get done automatically when we start the WSO2 server? Or do we need to install something other than the WSO2 API Manager to get this API?
When I browse the endpoint https://localhost:9443/revoke/?_wadl , I get the error
405 - method not allowed
The port should be 8243.
And it's not a SOAP service.
Ref: https://docs.wso2.com/display/AM260/Token+API#TokenAPI-Revokingaccesstokens

wso2 apim SOAP endpoint with username and password

I have WSO2 APIM 2.1 and I have a request to connect to a SOAP endpoint which is secured with a username and password.
During the add procedure of the SOAP endpoint I don't have the possibility to enter such credentials, nor the possibility to use mediation (e.g. like for a REST API), as I get not authorized before entering the next phase. Is there a way to do this without using the ESB?
How do I connect to a secured SOAP backend using just APIM?
Or do I have to use the ESB and follow a similar way as LINK?
Thank you for any advice.
We were not able to parse the backend WSDL for some reason and we did a workaround by downloading the WSDL and manually pushing it to the registry; after that we were able to follow the next steps.

Does WSO2 API Manager prevent XSS and CSRF security errors

I'm researching WSO2 API Manager and I discovered that if I use WSO2 API Publisher and API Store, I would meet XSS and CSRF security errors. With XSS, I see that WSO2 didn't encode HTML character input. With CSRF, I see that WSO2 didn't create a token when I request from client to server and vice versa.
Does anyone know how to configure WSO2 to prevent these security errors, or how to fix them?
Thanks in advance.
On our side, there are a few things we do when publishing/consuming APIs via the API Publisher and API Store:
Set the Transports property to just HTTPS so that we can limit API availability to just HTTPS.
For each HTTP method, we set the Auth Type to either Application, Application User or both, but never none. This will force the client to utilize the WSO2 Access Token scheme to invoke the APIs hosted on the API Store.
On the client side, we have been invoking the Token API to generate and renew user and application access token so that we don't have to manually re-generate keys in the API Store.
Utilize the API in-sequence to escape special characters.
We fix these types of security issues in our next release, AM v1.7.1. You can expect it in the 3rd week of September.

API Manager passing JWT to backend service

A backend service needs to know the user for the service call. Reading through the API 1.6.0 documentation, I have configured it to generate JWT and removed and republished my services as stated. Running tests, I am not seeing the JWT being passed to the backend service in the response headers in Fiddler. I am not using the ESB or Identity services from WSO2.
What am I missing?
JWT information should be passed in the header under the parameter X-JWT-Assertion. The content is encoded. Use TCPMon to intercept the request and see if the API Manager is actually passing the JWT. This would be a good starting point for debugging.
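Once the header is arriving, the backend should verify the assertion before acting on the user it names. This is an added example, not code from the answer above or from WSO2: it assumes X-JWT-Assertion carries a compact JWT whose end user is in the http://wso2.org/claims/enduser claim, and it uses a constructed HS256 shared secret so it runs offline, whereas an APIM gateway signs with the RSA key in its keystore, so a real backend would verify against the gateway's public certificate instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a real backend would hold the
# gateway's public certificate and verify an RSA signature instead.
SHARED_SECRET = b"example-only-shared-secret"
ENDUSER_CLAIM = "http://wso2.org/claims/enduser"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_assertion(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT as test input (stands in for what the gateway emits)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def enduser_from_headers(headers: dict, now: int, secret: bytes = SHARED_SECRET):
    """End user named in X-JWT-Assertion, or None if missing, malformed, badly signed or expired."""
    # HTTP header names are case-insensitive, so match them that way.
    assertion = next((v for k, v in headers.items() if k.lower() == "x-jwt-assertion"), None)
    if not assertion or assertion.count(".") != 2:
        return None
    header_b64, payload_b64, sig_b64 = assertion.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm: an "alg": "none" header must not switch off the signature check.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return payload.get(ENDUSER_CLAIM)
```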