Unlimited quota for unauthenticated API - wso2

I'm creating an API using the 1.10.0 new Rest API. Below are some of the parameters I'm sending:
body.setTransport(createList("http", "https"));
body.setApiDefinition("{\"paths\":{\"/*\":{\"post\":{\"x-auth-type\":\"None\",\"responses\":{\"201\":{\"description\":\"Created\"}},\"x-throttling-tier\":\"Unlimited\"},\"get\":{\"x-auth-type\":\"None\",\"responses\":{\"200\":{\"description\":\"OK\"}},\"x-throttling-tier\":\"Unlimited\"},\"delete\":{\"x-auth-type\":\"None\",\"responses\":{\"200\":{\"description\":\"OK\"}},\"x-throttling-tier\":\"Unlimited\"},\"put\":{\"x-auth-type\":\"None\",\"responses\":{\"200\":{\"description\":\"OK\"}},\"x-throttling-tier\":\"Unlimited\"}}},\"swagger\":\"2.0\",\"info\":{\"title\":\"" + providerApi.getName() + "\",\"version\":\"1.0.0\"}}");
body.setTiers(createList("Unlimited"));
body.setVisibility(VisibilityEnum.PUBLIC);
body.setVisibleRoles(createList());
So the API is created as Unlimited/PUBLIC.
I changed all three default tier configuration files:
./opt/wso2am-1.10.0/repository/resources/default-tiers/default-res-tiers.xml
./opt/wso2am-1.10.0/repository/resources/default-tiers/default-app-tiers.xml
./opt/wso2am-1.10.0/repository/resources/default-tiers/default-tiers.xml
to allow 10000 requests per minute for the Unauthenticated role.
  <throttle:ID throttle:type="ROLE">Unauthenticated</throttle:ID>
  <wsp:Policy>
    <throttle:Control>
      <wsp:Policy>
        <throttle:MaximumCount>10000</throttle:MaximumCount>
        <throttle:UnitTime>60000</throttle:UnitTime>
      </wsp:Policy>
    </throttle:Control>
  </wsp:Policy>
</wsp:Policy>
Yet after sending 60 requests per minute, the API responds with status code 429 and the error log indicates that the quota was exceeded...
After each change I restarted the APIM gateway and re-created the APIs, just in case.
Any idea why the 10000 limit is not honored by the gateway?

API Manager reads those files on the very first startup of the server and copies the content to the registry; thereafter, API Manager won't check these files for any updates.
You have to update your policies in the registry.
Use the Registry browser through the Management Console and navigate to the following location: /_system/governance/apimgt/applicationdata. You can see the tier XML files.
Log in to the APIM management console (https://:9443/carbon) and select Browse under Resources.
Navigate to /_system/governance/apimgt/applicationdata
You will see app-tiers.xml, res-tiers.xml and tiers.xml.


WSO2 revoke api

I was curious how I can see whether the revoke API endpoint exists. The URL configured is
https://localhost:9443/revoke
But I could see the API listed under the started application or under API.
I even tried retrieving the WADL from the URL but it did not return anything.
Do we need to explicitly publish it, or does it get done automatically when we start wso2server? Or do we need to install something other than the WSO2 API Manager to get this API?
When I browse the endpoint https://localhost:9443/revoke/?_wadl , I get the error
405 - method not allowed
The port should be 8243.
And it's not a SOAP service.
Ref: https://docs.wso2.com/display/AM260/Token+API#TokenAPI-Revokingaccesstokens

WSO2 API Manager : API Creation Issue

I installed the APIM, started it and created a new API. The API which I created comprises a URL which points at our company production server. I gave the URL in the API creation mode to the production endpoint and sandbox endpoint boxes. Then I set the required parameters under the GET method. Then I tried it out at the store, but the request does not hit the production server. I want to see the URL output from your API manager which is passed to our production server, because I want to see whether there is an error in it, as it does not hit our production server.
Can you help me with the issue?
Thanks in advance.
You can enable wire logs to see what requests came to APIM and what requests APIM made to the backend. Follow the steps in the "How to get wire logs from WSO2 ESB" blog post to enable wire logs. Those instructions are given for ESB, but they are valid for APIM as well.

Accessing a Google Account authenticated Web Service hosted on App Engine without browser login

I have various RESTful Web Services in App Engine, which are secured by Google Account authentication:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Authentication required</web-resource-name>
    <url-pattern>/api/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
</security-constraint>
Upon hitting these Web Services via a browser client, I'm redirected to the Google Accounts login screen where I authenticate myself first before proceeding with the REST call.
However, I now need to run these web services via command line scripts as part of an automated CI run. Therefore I do not want to be prompted for a browser login every time. Preferably I would like to put the Google username and password in an encrypted file on the CI server and let it call the Web Services without any human intervention. As far as I can see there are several options:
manually logging in via the browser and then saving the access token to be used in the command line script. However, when the token expires I would have issues.
obtaining an access token via Service Account p12 authentication. This seems to only work for accessing Google APIs such as BigQuery and Cloud Storage, not your own code.
wrapping my Web Service within a Remote API, which I have yet to experiment with.
Based on my current understanding, it seems there is no way for a Google Account authenticated custom written Web Service to be accessed by a non-human user. Is this correct?
Since you are interested in interacting with RESTful web-services programmatically (without human intervention), we are essentially talking about securing a REST API.
There is a plethora of resources on this matter throughout the internet, but the gist of it is:
you should use SSL and sessions or OAuth to secure your endpoints.
Depending on how far you are in the current project, you could consider making use of Cloud Endpoints; there you'll have the option to use OAuth2 (and have DDoS protection) as well.
Hope this helps.
I managed to get this to work in the end by:
Switching off the web.xml security-constraint so that the API doesn't redirect to Google Login.
Modifying my API to take an OAuth2 token in the Authorization header instead.
Validating the token based on the code sample here: https://github.com/googleplus/gplus-verifytoken-java
I didn't go with Cloud Endpoints, but Jersey + Dropwizard components instead. Dropwizard has a built-in OAuth2 provider, for which I simply implemented an Authenticator class, and it works.

WSO2 API Cloud Timeout Error code 101504

I am getting the following response while trying to access my API endpoint:
<am:fault xmlns:am="http://wso2.org/apimanager">
  <am:code>101504</am:code>
  <am:type>Status report</am:type>
  <am:message>Runtime Error</am:message>
  <am:description>Send timeout</am:description>
</am:fault>
Kindly suggest what went wrong.
Lucas, it is exactly what it says: it looks like the backend service is only available intermittently, so when it is not available you get the timeout reported by the gateway.
Just add a header to accept text/xml:
'content-type': 'text/xml'
I had the same issue and the solution was to increase the Endpoint Timeout from the API Manager as described here:
https://apim.docs.wso2.com/en/latest/design/endpoints/resiliency/endpoint-timeouts/
Sign in to the API Publisher Portal.
https://:9443/publisher
Example: https://localhost:9443/publisher
Use your username and password to sign in.
Click on an API in the API Publisher Portal listing page.
Click Endpoints under API Configurations.
Click on the cogwheel, which is inline with the endpoint that you need to configure, and update the endpoint related configurations as required.
Go to Advanced Endpoint Configurations.
Increase the Connection Timeout value.

wso2 api manager new throttling tier

Can I define a new throttling tier like: "unlimited use for 30 days"?
<wsp:Policy>
  <throttle:ID throttle:type="ROLE">30-days</throttle:ID>
  <wsp:Policy>
    <throttle:Control>
      <wsp:Policy>
        <throttle:MaximumCount> ? </throttle:MaximumCount>
        <throttle:UnitTime> ? </throttle:UnitTime>
      </wsp:Policy>
    </throttle:Control>
  </wsp:Policy>
</wsp:Policy>
EDIT: the goal is to make the subscription of a certain API for a certain user "expire" after 30 days... is it possible?
You can't specify your requirement with the two parameters MaximumCount and UnitTime in a policy file. The solution as of now for your requirement would be to publish your API using the predefined Unlimited tier in the API Publisher, and manually remove it from the API gateway by changing the life cycle state of the API from Published to Created after a month's time.
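To illustrate both the first question on this page (the Unauthenticated role still gets a 429 after 60 requests because the registry copy of the tier still says 60 per minute) and the MaximumCount/UnitTime question above, here is an added Python example; it is not code from the posts or from WSO2. It parses a constructed throttle policy in the same shape as the tier XML above and simulates the gateway's per-role fixed-window counter; the namespace URIs are assumed to match WSO2's tier files.

```python
# Added example (not from the posts above): parse a WSO2-style throttle policy
# and simulate the gateway's per-role fixed-window counter. The namespace URIs
# are assumed to match WSO2's tier files; the policy text is constructed.
import xml.etree.ElementTree as ET

NS = {"wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "throttle": "http://www.wso2.org/products/wso2commons/throttle"}

# Constructed policy: the default 60/min Unauthenticated tier next to a 10000/min tier.
POLICY_XML = """<wsp:Policy xmlns:wsp="%s" xmlns:throttle="%s">
  <wsp:Policy>
    <throttle:ID throttle:type="ROLE">Unauthenticated</throttle:ID>
    <wsp:Policy><throttle:Control><wsp:Policy>
      <throttle:MaximumCount>60</throttle:MaximumCount>
      <throttle:UnitTime>60000</throttle:UnitTime>
    </wsp:Policy></throttle:Control></wsp:Policy>
  </wsp:Policy>
  <wsp:Policy>
    <throttle:ID throttle:type="ROLE">Gold</throttle:ID>
    <wsp:Policy><throttle:Control><wsp:Policy>
      <throttle:MaximumCount>10000</throttle:MaximumCount>
      <throttle:UnitTime>60000</throttle:UnitTime>
    </wsp:Policy></throttle:Control></wsp:Policy>
  </wsp:Policy>
</wsp:Policy>""" % (NS["wsp"], NS["throttle"])


def parse_tiers(xml_text):
    """Map each ROLE tier id to (MaximumCount, UnitTime in ms)."""
    tiers = {}
    for pol in ET.fromstring(xml_text).iter("{%s}Policy" % NS["wsp"]):
        tid = pol.find("throttle:ID", NS)          # only tier entries carry an ID
        if tid is not None:
            tiers[tid.text.strip()] = (int(pol.find(".//throttle:MaximumCount", NS).text),
                                       int(pol.find(".//throttle:UnitTime", NS).text))
    return tiers


class RoleThrottle:
    """Fixed-window counter: allow MaximumCount hits per UnitTime window."""
    def __init__(self, max_count, unit_ms):
        self.max_count, self.unit_ms, self.start, self.hits = max_count, unit_ms, None, 0

    def admit(self, now_ms):
        """Return 200 if admitted, 429 once the window's quota is exhausted."""
        if self.start is None or now_ms - self.start >= self.unit_ms:
            self.start, self.hits = now_ms, 0      # new window: counter resets, nothing expires
        self.hits += 1
        return 200 if self.hits <= self.max_count else 429


def burst(tier, n, span_ms=60000):
    """Send n evenly spaced requests over span_ms and return their status codes."""
    gate = RoleThrottle(*tier)
    return [gate.admit(i * (span_ms // n)) for i in range(n)]
```

A 30-day UnitTime with a very large MaximumCount only resets the counter when the window rolls over; it never blocks the subscription, which is why the answer above suggests changing the API's life-cycle state instead.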