Securing Rest API in WSO2 ESB - wso2

Can we implement a secured API in WSO2 ESB and can we provide an existing user's credential, (as a header) who is in ESB's use store, to access it?
This scenario can be done in ESB Proxy: Guide by providing a policy file. Can't we do the same in API too, if not what is the reason behind that?

If you are going to secure the APIs using Oauth2 you can use Oauth mediator but if you looking to use basic auth you need to write a class mediator(Here is an old article,you can get brief idea on implementing basic auth class mediator even though details are outdated )

Related

Creating a secure SOAP service proxy with WSO2 API Manager

From what I've read and experienced, the API Manager 1.3.1 only generates proxies. However, I would like to proxy a back-end SOAP service with a SOAP service proxy and have the proxy implement a WS-Policy with a WS-SecurityPolicy.
Is there built-in support for this in API Manager 1.3.1?
Will there be support for this in the next version of API Manager?
If no, then what steps would I take to have the API Publisher and Store apps recognize SOAP proxies?
I hope that API Manager is not the ideal way to start to implement your use case. You should use Enterprise Serivce bus which provides the UI and necessary other tools to implement the scenario.
You can install the required features (Which is pre installed in ESB) to API manager and use those features. But you can just go ahead with WSO2 ESB as it is.
http://docs.wso2.org/wiki/display/ESB402/Secure+Proxy+Template
in wso2esb, itself contains throttling [1]/analytics[2] support.You can check the documentation on how to enable the throttling for proxies. If you like to use APIManager, define a proxy in another instance(like ESB) and provide that as endpoint when you create an API. But that proxy has to handle REST calls..
But from my understanding, you can simply use wso2esb.
[1]http://docs.wso2.org/wiki/pages/viewpage.action?pageId=15471353
[2]http://docs.wso2.org/wiki/display/ESB451/Statistics

WSO2 API Manager Authentication

I have an application that uses Basic Authentication to authenticate and authorize service calls. I am setting up our WSO2 API Manager on a separate server but are unsure how to pass the base64 encryption from the API Manager through to my application to authorize certain service calls.
This information is not readily available in the documentation so I am not sure it is even supported.
Has anyone used this or knows how to achieve this?
If you want to provide your own authentication mechanism you can do this very easily by implementing the org.wso2.carbon.apimgt.gateway.handlers.security.Authenticator and set it in authentication handlers chain.
You can refer the org.wso2.carbon.apimgt.gateway.handlers.security.oauth.OAuthAuthenticator for reference.
You can provide the credentials when you create an API at publisher. You can check the WSO2 documentation about adding an API. At publisher for "Endpoint Type" you have to select Secured and then need to provide username/password.
Authentication occurs in API Manager via the APIAuthenticationHandler, which is among the handlers defined in your API sequence definition (/repository/deployment/server/synapse-configs/default/api). To disable authentication for that particular API (since API Manager handles basic authentication itself), just remove or comment out the handler. Users should then provide the basic authentication required by the back-end service rather than the API Manager token, since they will no longer need it.

WSO2 API Manager with HMAC Authentication

Does anyone know how to add HMAC based authentication for WSO2 API Manager?
Background - We're rolling out WSO2 API Manager 1.3 in front of our publicly available web services and we need JavaScript applications (once authenticated) to be able to consume the services directly (not via a service proxy on their server to handle the OAuth authentication).
Does anyone know the easiest way to get this implemented in WSO2? We've started implementing an AbstractHandler and Authenticator but this seems overkill - someone must have done this or have some pointers on this?
Thank you very much in advance.
You can write your own handler which can implement the AbstractHandler.
Signature verification can be implemented as an API handler similar to the 'APIAuthenticationHandler'. The access token that was provided earlier can be used as the Mac Identifier. The consumer secret can be used as the Mac key, which is a shared secret between the consumer and the provider used to sign the normalized request string.
I do not know if this will help you but we needed our password hashes to be in PBKDF2. So I extended the JDBCUserStoreManager overriding only the preparePassword method. Inside it changed from MessageDigest to SecretKeyFactory for the PBKDF2WithHmacSHA1 algorithm. You can use Mac i guess?
This is possible by implementing a custom mediator and engaging it to the in-flow sequence. The API exposed by API Manager would be OAuth protected, but the actual backend would be HMAC protected. You can find more information on this in the article [1].
[1] https://wso2.com/library/article/2017/10/integrating-wso2-api-manager-with-a-hmac-secured-backend/

Wso2 API MANAGER WSDL security

I have downloaded the new version of API Manager 1.0.0 GA.
I am confused about publishing the WSDLs, since that has not a related API KEY, everyone can access it.
For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB (even if I have configured an external JDBC db for both APIManager and ESB user-mgt.xml).
So, is there a way to create an API key for WSDLs as well from the API Manager? Or How do I control the access to the published WSDLs in the API store?
Many thanks
EDIT:
From the ESB I have added security to the service by using the built-in security scenarios, in my case I have used "UsernameToken". This authenticates users based on roles defined in the ESB "admin/everyone..." and only accepts users defined in the ESB's user store "admin/admin" (and others you might have created).
I have ESB and AM configured to share the same mysqlDB for user store, but that does not work in my Security Scenario described before: if I create a user "apicreator" inside AP and I create "usertest" inside ESB, they store the users inside the same MySQL db, but under different "tentant", i.e. "apicreator" is not a valid user to authenticate in my Security Scenario (UsernameToken). I hope this description helps to clarify the problem. thanks
With WSO2 API Manager, you couldn't control the access to a published WSDL in API Store.Currently there's no way of creating an API key for WSDLs as well from the API Manager.But that controlling has to be done through your back-end service. How-ever when creating an API from WSO2 API Manager ,giving the Wsdl url as an input is not a required field,but an optional field.
Apart from that I'm not clear about your following phrase."For that reason I have tried to add access token from ESB, but that will not authenticate the API Manager's Users (like Apisubscriber) only the users inside the ESB".Can you explain a bit more what you mean by "add access token from ESB"?
Thanks;
/Lalaji

Use specific system user for wso2 esb service invocation

I am going to have a web portal from which I will be calling services with "UsernameToken" security.
For authentication purposes I would like to create a system user in the wso2 Identity Server, so that I can use it to call the services from the ESB. So basically, I want to request a token for the system user from the WSO2 Identity Server and use it to authenticate infront WSO2 ESB so I can call the services.
I plan to use the AuthenticationAdmin and UserAdmin services for the authentication.
Is this scenario possible? If not what would be a good way to achieve similar scenario?
If I understood your requirement properly, I assume, you're trying to call a set of backend services via WSO2 ESB having "UsernameToken" as the authentication pattern. If that's so, then I don't see any requirement for you to use WSO2 IS for user creation, unless you're planning to do much deeper Identity Management.(You can still use it but I consider it as sort of an overhead given the fact that you just want to create the users there in WSO2 IS). For this, you can use the user management capabilities embedded in the WSO2 ESB (or in any other WSO2 product). What you would simply have to do is, create a user at the ESB level and use those credentials to call the backend services via the ESB.
Hope this helps.
Regards,
Prabath